
Apple's iPhone, Safari on Mac exploited at annual hacking contest - Page 3

post #81 of 130
Quote:
Originally Posted by isaidso View Post

Not that I care, or use Photoshop; but doesn't the demo still expire after the clock runs out without activation?

I don't know, but I found a valid serial online and used that during the install. Maybe the demo key sets off a timer or something.
post #82 of 130
Quote:
Originally Posted by isaidso View Post

Sorry, thought this part of my post loosely addressed that: "(and I read all about it every year)"
My question is why do the media (and commenters) not address these questions about the competition, whose absence makes the results meaningless?

Sorry I missed your point the first time. They did have people trying hacks against Chrome, but I don't think the results are in yet for those attempts, or they will be done tomorrow. I know that they did not even include Ubuntu this year because it was not compromised the last 3 years...
Check out the bottom of the article here for the latest updates and the rest of the lineup...
Hope this helps...
http://dvlabs.tippingpoint.com/blog/...5/pwn2own-2010

Tallest Skil:

"Eventually Google will have their Afghanistan with Oracle and collapse"

"The future is Apple, Google, and a third company that hasn't yet been created."
post #83 of 130
Quote:
Originally Posted by Tofino View Post

No - it means that Charlie Miller was well prepared. IIRC, in the past he had found vulnerabilities in open source contributions to the Mac OS and didn't report them so he could get himself a MacBook Air.

Not true.... Yes, he was prepared to hack the Mac, BUT the last 2 years that he hacked the Mac it was through an exploit he reported to Apple that went unpatched. Now he does not want to just report exploits to the software vendors but teach/instruct them on how to do their own exploit finding...

post #84 of 130
Quote:
Originally Posted by TheShepherd View Post

What is the #1 reason then?

Job security of Windows-certified technicians, of course.
post #85 of 130
Quote:
Originally Posted by Quadra 610 View Post

For this hack to work in the real world, you would need to physically click a link to the malicious site somehow (in an email maybe, or a link via IM or whatever). Social Engineering. It relies on the ignorance of the computer user to do the hacker's job for him, because he can't do it himself.

Can your Mac get hacked remotely? No.

Will the hacker drive to your house and personally point your web browser to his site to infect your Mac? Not likely.

Ha ha ha ha ha, seriously dude, grow up. Real users in the real world click on "links" as part of the "internet experience"; can that possibly happen????? Are you serious??? (How do you think PC users get hacked???) It's not just PCs that get hacked or are at risk; it's just a % game.

Now that Macs are doing better and better in sales, the security risk will increase. Sure, put your head in the sand and keep mumbling to yourself "Apple is the best, Apple is the best!" As Apple gets bigger and bigger more hackers will target them; the days of being complacent and arrogant are counting down.

I cannot believe that you are labelling users as ignorant if they get exploited. Lame. Last I checked, Apple did not send out a manual of approved sites to visit, and as people like yourself keep telling users how wonderful and secure OS X/Macs are, and how Macs do not get viruses etc., some poor chump out there that is not computer literate is going to get hacked/exploited because of the BS fanboy drivel, and this so-called chump gets labelled as ignorant.. ppffffft!

No matter what system you are on, you have to take security seriously. And be vigilant at all times.
post #86 of 130
Quote:
Originally Posted by Tofino View Post

Job security of Windows-certified technicians, of course.

LOL so you know this first hand? I am on a committee evaluating the iPhone for our corporate environment. We are also directed by an SVP to evaluate the iPad. No business reason was given, just that the SVP thought it was "cool" so we should see if we can find a place for the hardware in our business space......... I would LOVE to be able to have a MBP for my work laptop. I would LOVE to have the company pay for my iPhone to use at work!!!
Apple does not have the business needs in place to make their product work in an enterprise environment....... They make no bones about this fact either.... They target their products as "entertainment devices". Their target audience is the average home user....

post #87 of 130
Quote:
Originally Posted by geekdad View Post

Not true.... Yes, he was prepared to hack the Mac, BUT the last 2 years that he hacked the Mac it was through an exploit he reported to Apple that went unpatched. Now he does not want to just report exploits to the software vendors but teach/instruct them on how to do their own exploit finding...

Maybe this year was different, but I remember his first spectacular takeover was orchestrated through a bug in WebKit, and only worked after the organizers relaxed the rules. My point was that it wasn't a hack written on the spot, but well prepared. That's why it took him under two minutes.

And yes, Apple should not be dragging their heels when it comes to plugging security holes.

But you would have to agree that the sensational headlines of a hacked Mac are just as meaningless as the 'Windows is more secure if you run Win7 and IE8/9' argument, as long as there are still hundreds of thousands of IE6 users running on unpatched XP boxes out there.
post #88 of 130
Quote:
Originally Posted by Tofino View Post

Maybe this year was different, but I remember his first spectacular takeover was orchestrated through a bug in WebKit, and only worked after the organizers relaxed the rules. My point was that it wasn't a hack written on the spot, but well prepared. That's why it took him under two minutes.

And yes, Apple should not be dragging their heels when it comes to plugging security holes.

But you would have to agree that the sensational headlines of a hacked Mac are just as meaningless as the 'Windows is more secure if you run Win7 and IE8/9' argument, as long as there are still hundreds of thousands of IE6 users running on unpatched XP boxes out there.

You do have a point about the Mac getting more headlines......
I will give you that concession, but I think it is also a "shock value" headline as well.... the assumption being that Macs are always more secure than Windows... when any system can get hacked.......

post #89 of 130
People are really missing the point.

All these hacks need is just 1 click by an ignorant, oblivious user to be raped by malicious code. Having the biggest market share, Windows is under constant attack by hackers. Apple has the luxury of being a smaller premium market, and fewer attacks are made against the user base simply because of that.

OS X isn't some fortress of impenetrability, so you can kill that thinking off. Is it safer to use OS X? Yes it is, but it's not more secure, OS X users are vulnerable as well.
post #90 of 130
Quote:
Originally Posted by geekdad View Post

You do have a point about the Mac getting more headlines......
I will give you that concession, but I think it is also a "shock value" headline as well.... the assumption being that Macs are always more secure than Windows... when any system can get hacked.......

I'll say! Just do a google for "pwn2own first" and see what comes up.

Take note; this is the list from CanSecWest of everything that fell on day 1

Here are the results, in order:
1. PWNED! Vincenzo Iozzo and Ralf Philipp Weinmann - iPhone
2. PWNED! Charlie Miller - Safari
3. Nils - Safari (prize claimed)
4. PWNED! Peter Vreugdenhil - Internet Explorer 8
5. MemACCT - Internet Explorer 8 (prize claimed)
6. Anonymous - Nokia
7. Anonymous - iPhone (prize claimed)
8. PWNED! Nils - Firefox

http://www.youtube.com/watch?v=gHZaPec0_I8

And the reason they are in that counting order is because that is the order that was pulled from the drawing. (the iPhone hacking guys went first. Charlie Miller went second, etc)

But my point is that, in the media, it gets played up like the iPhone was the first thing down because it was the weakest thing out there.
(That may actually be the case; but that's not why it was the first thing to fall.)
post #91 of 130
Quote:
Originally Posted by MH01 View Post


Now that Macs are doing better and better in sales, the security risk will increase. Sure, put your head in the sand and keep mumbling to yourself "Apple is the best, Apple is the best!" As Apple gets bigger and bigger more hackers will target them; the days of being complacent and arrogant are counting down.

We heard the same story after every pwn2own circus act. Macs are doing better in sales, but the natural limits of the Premium end of the market puts a stopper on Macs spreading too far, too fast. We can start with the $1000 entry-fee, unless we're talking Mac Minis. Windows will always command the lion's share of the consumer market, due in part to Microsoft whoring out their OS to all takers. Mac users are no more vulnerable now than they were five years ago. You can still turn off every single security feature in OS X (save for what your router provides) and surf even questionable sites with impunity.

That massive wave of Mac malware just won't happen. Now that Apple is gradually transitioning to the iPad platform (which is closer to a Mac than any other Apple handheld), there will be even less focus on Macs. By controlling the Premium end Apple has once and for all shielded itself from the nastiness that affects the rest of the computer-using population, regardless of how good Unix is. In fact, using the same logic that Windows-sufferers use (low market share), the more popular Windows is, the better Macs will fare when it comes to malware.

You can't use the security via obscurity argument and the "Macs are doing better in sales" argument at the same time. Macs will never, ever enjoy strong enough sales to deflect hackers' attention from Windows - which, by the way, is using another argument often employed by Windows-sufferers: it isn't worth hackers' time to target OS X. Even Apple's record Mac sales are nothing compared to all the junkboxes sold with Windows. Hey, fair enough. We're quite comfortable and sitting quite pretty with between 50 and 70 million OS X users. We don't need more to keep enjoying OS X and Macs, and besides, it doesn't look like waves upon waves of average users are about to miraculously enter into higher income brackets anytime soon, no matter how many more consumers are buying Macs in a recession. Either way, Mac users win.
post #92 of 130
Quote:
Originally Posted by extremeskater View Post

Quadra is safe because he doesn't actually do any real work. The entire time I have been here the best I can figure out is the guy loves his iPhone and the most technical thing he does is iWorks.com.

I mean I guess someone could hack his system and steal his Steve Jobs screen saver.

I'm not sure what you mean by this. Many people do "real work" in Numbers (or Excel) or iWork (Pages, for example.) Entire books are written with word processors. 200+ page PhD dissertations are written with Pages. Or Word. Or even OpenOffice.

Nor am I sure what any of this has to do with OS security.

I'm safe because I use a platform that is well-designed and doesn't run 99.99999% of malware out there. Nor will it ever come close to doing so.
post #93 of 130
Quote:
Originally Posted by Quadra 610 View Post

Anyway, if a hacker has physical access to the machine, all bets are off.

As soon as one of these exploits happens without physical access to the machine, or with physical access to a properly secured machine, I'll be impressed.
post #94 of 130
Quote:
Originally Posted by geekdad View Post

LOL so you know this first hand? I am on a committee evaluating the iPhone for our corporate environment. We are also directed by an SVP to evaluate the iPad. No business reason was given, just that the SVP thought it was "cool" so we should see if we can find a place for the hardware in our business space......... I would LOVE to be able to have a MBP for my work laptop. I would LOVE to have the company pay for my iPhone to use at work!!!
Apple does not have the business needs in place to make their product work in an enterprise environment....... They make no bones about this fact either.... They target their products as "entertainment devices". Their target audience is the average home user....

You are absolutely right about Apple going after the home market and more or less ignoring the enterprise. I have however experienced the sneering drivel of ignorant IT departments that have dismissed Macs as toys for even the most basic business tasks for decades.

Kudos to your company for having actually explored the possibility, but I'm sure you have run into the type of people I'm talking about. It's entirely possible that Macs don't fit into certain environments primarily because past IT managers have locked the entire infrastructure into Microsoft's 'solutions' that have been hobbled to not fully support other platforms. Just compare Entourage to Outlook.
post #95 of 130
Quote:
Originally Posted by mstone View Post

I think there is a lot of misinformation in this thread. Please do a little research. I know there is not a lot of info available for this year's contest. There is no blow by blow account like an Apple Keynote, but this is sort of how it works:

Okay, perhaps there is, but what I stated in MY post, while likely NOT 100% accurate, is for the most part true... Perhaps with a bit of overzealous comments thrown in here or there.

Are you saying Apple is NOT a HUGE target and extra attention is often devoted to hacking them simply to put them in their place? I don't think this is a big secret... The hacker community wants to prove their point that NO SYSTEM IS SAFE and any preconceived notion that Macs were SAFER is far from the truth, and they are 100% focused on reminding the public year after year.

*I* get it! And I think **MOST OF US** get it. Apple is NOT bullet proof, sure, fine! I'd still pick OS X if I were forced to choose OS X, Windows or Linux as my primary system...

Is it also not true that hacking a Microsoft product is not considered as great a feat as hacking an Apple branded product? The press simply got bored of reporting every instance a Microsoft system was compromised. It would be like reporting every instance someone was stung by a bee in the middle of summer... Simply NOT newsworthy...

Is it just coincidence that Apple seems to be the BIG NEWS year after year when this conference kicks off and little press is ever made of hackers defeating Microsoft products year after year? Perhaps I'm looking at this fact through some rose colored glasses since I don't even attempt to claim I visit a ton of Windows centric news sites. And even IF Windows exploits DID make the normal/traditional news sites I'd likely skip over them (or find them buried on page 32) because it's simply not real news, and let's face it, in today's world if Steve farts it would likely make page 2 at the minimum and certainly the front page on a slower news day.

Lastly, the other main point I was getting across was that, DESPITE this CLEARLY FALLIBLE and QUICKLY HACKABLE nature of OS X (as demonstrated year after year - something that I'm not disputing), still to this day nothing has ever come of it in the form of a REAL WORLD virus or worm, trojan, etc. Why?

Are these points all totally incorrect?!
Apple Fanboy: Anyone who started liking Apple before I did!
post #96 of 130
Quote:
Originally Posted by Quadra 610 View Post

But notice that nowhere does Apple say that OS X is the most secure.

Don't gotta sell me... I've always been of the opinion that OS X was just as prone to attack as any other system, and with OS X the 'favored' way of entry is through Safari... Kids today LOVE overloading the browser -- like it was some kind of new idea.... These issues are 'almost' as old as the browser itself... well, to be more accurate (I think) would be to say 'as old as JavaScript... err, ECMAScript...'

Anyway... there doesn't YET exist a lock that can't be picked...

And based on current readings I had thought quantum based systems would possibly be an answer, but nope, they too suffer from similar hacking methods used on today's normal systems.

Maybe I was thinking about quantum entanglement based systems... or who knows.. but even if a military designed/contracted (?) 'unhackable' chip costing $70k a pop (hey, it's only the taxpayers, they can afford it!) can't even live up to ITS name (took 6 weeks to hack... albeit with some very expensive equipment and certain caveats that were detailed in the report), then how can just about ANYTHING ever hope to be 'secure'?

Which brings us full circle... and back to the basic premise that you should do what you feel is most necessary to ensure your security, but know full well that if someone wants to get at it THEY will and in the end nothing can prevent them from doing so.

Perhaps if everyone was reminded of this we would be more conscious and cautious of where we choose to PUT our personal/private data, and scattering it across lots of different services might not be the best approach.

Then again is putting it all in one basket any better?
post #97 of 130
Quote:
Originally Posted by Gigawire View Post

A true test of what exactly? The point of this is that it can be hacked; not how long it takes. The event is called pwn2own, not pwnfast2own.

Keep the blinders on, it's safe under there.

Really?

The point of this is that the Mac isn't really hacked at all it's using social engineering to activate the exploits, i.e. getting people to visit malicious sites.

All of the Mac hacks had to be worked on BEFORE the contest started whereas Windows could be hacked onsite on the day.

Windows has a 20 minute life on the Internet before it gets hit by hackers and the like and yet there is no recorded case of a Mac being hacked in the wild except for people visiting sites of ill repute.

The biggest cases in point were the iWork and Photoshop incidents that involved files being illegally downloaded off BitTorrent sites. However, they required people to download and install the software.

Windows doesn't need that. Simply opening an e-mail can kick off a virus, and considering Outlook is set by default to open e-mails using the Preview Pane, you can understand the problem.

So no, it's not really a true test of how insecure Mac OS X or the iPhone really is. It might be a test of how insecure Safari is, because that's always what's used in these events.

While it is a grey area whether or not social engineering is really hacking, this flaw can easily be thwarted through education. Not so much Windows attacks.

Now, if the contest rules stated that all work had to be done onsite within a certain time without any extra software or hardware being brought in, then we'll see how good the security of the system is.
post #98 of 130
Quote:
Originally Posted by MH01 View Post

Now that Macs are doing better and better in sales, the security risk will increase. Sure, put your head in the sand and keep mumbling to yourself "Apple is the best, Apple is the best!" As Apple gets bigger and bigger more hackers will target them; the days of being complacent and arrogant are counting down.

Wishful thinking by Windows fanboys since 2002. OS X, no anti-virus, no problem!
post #99 of 130
Quote:
Originally Posted by lowededwookie View Post

Really?

The point of this is that the Mac isn't really hacked at all it's using social engineering to activate the exploits, i.e. getting people to visit malicious sites.

All of the Mac hacks had to be worked on BEFORE the contest started whereas Windows could be hacked onsite on the day.

Windows has a 20 minute life on the Internet before it gets hit by hackers and the like and yet there is no recorded case of a Mac being hacked in the wild except for people visiting sites of ill repute.

The biggest cases in point were the iWork and Photoshop incidents that involved files being illegally downloaded off BitTorrent sites. However, they required people to download and install the software.

Windows doesn't need that. Simply opening an e-mail can kick off a virus, and considering Outlook is set by default to open e-mails using the Preview Pane, you can understand the problem.

So no, it's not really a true test of how insecure Mac OS X or the iPhone really is. It might be a test of how insecure Safari is, because that's always what's used in these events.

While it is a grey area whether or not social engineering is really hacking, this flaw can easily be thwarted through education. Not so much Windows attacks.

Now, if the contest rules stated that all work had to be done onsite within a certain time without any extra software or hardware being brought in, then we'll see how good the security of the system is.

So much nonsense in this post. You are either deliberately posting FUD, or are woefully uninformed. You give Apple fans a bad name.

First off, being infected with malware by visiting a website is hardly "social engineering". Pretty much all malware infections on the Windows platform occur this way, often through compromised banner adverts, served by advertising companies. These sometimes get onto reputable websites.

I also wish people would stop spouting the "20 minutes" to infect a Windows PC story as well. This is only true if your PC is connected directly to the internet (not through a router) and if Windows XP is being used without any security updates. Any software firewall (on by default since SP1) would also mitigate the threat. There has not been a worm (*no* user interaction required) which will infect a home user of Vista or 7; all infections require (to your definition) "social engineering".

Your claim that the Windows exploits were written on the day is completely wrong. With ASLR and DEP in Windows Vista/7 the exploits took a lot more effort than Safari on the Mac.

Lots of other inaccuracies in your post, but the effort barely seems worth it.

*sigh*
post #100 of 130
2001

Quote:
Originally Posted by MH01 View Post

As Apple gets bigger and bigger more hackers will target them; the days of being complacent and arrogant are counting down.

2002

Quote:
Originally Posted by MH01 View Post

As Apple gets bigger and bigger more hackers will target them; the days of being complacent and arrogant are counting down.

2003

Quote:
Originally Posted by MH01 View Post

As Apple gets bigger and bigger more hackers will target them; the days of being complacent and arrogant are counting down.

2004

Quote:
Originally Posted by MH01 View Post

As Apple gets bigger and bigger more hackers will target them; the days of being complacent and arrogant are counting down.

2005

Quote:
Originally Posted by MH01 View Post

As Apple gets bigger and bigger more hackers will target them; the days of being complacent and arrogant are counting down.

2006

Quote:
Originally Posted by MH01 View Post

As Apple gets bigger and bigger more hackers will target them; the days of being complacent and arrogant are counting down.

2007

Quote:
Originally Posted by MH01 View Post

As Apple gets bigger and bigger more hackers will target them; the days of being complacent and arrogant are counting down.

2008

Quote:
Originally Posted by MH01 View Post

As Apple gets bigger and bigger more hackers will target them; the days of being complacent and arrogant are counting down.

2009

Quote:
Originally Posted by MH01 View Post

As Apple gets bigger and bigger more hackers will target them; the days of being complacent and arrogant are counting down.

2010

Quote:
Originally Posted by MH01 View Post

As Apple gets bigger and bigger more hackers will target them; the days of being complacent and arrogant are counting down.

So where's the beef?

*continues to surf the web in a complacent and arrogant manner.*
post #101 of 130
Stunning how many uninformed comments get posted here both for and against Apple products. I could spend an hour going post by post pointing out how wrong people are and it would not matter; they would not believe anything I say, because everyone seems to have their mind made up and closed. All I will say is that I manage a team of security analysts for a security firm. We regularly assess corporate network environments, servers, and workstations. We have experts in Windows, Linux, and OS X, and some of them use Windows laptops, some OS X laptops, and some prefer Linux. I have seen all of them hacked in minutes. The biggest security problem for computers is the people who use them. You visit a malicious website and don't block scripts, popups and ads, you get what you deserve. I would say the scariest vulnerabilities out there are actually websites themselves. With cross-site scripting, SQL injection, and other tricks, websites that store your personal information, or take your credit card information from you, can be compromised pretty easily. And there are tools and well published hacks out in the wild that make this easy for people who don't really have a deep knowledge of computers, code, and security. A computer is only as safe as the person using it.

If you want to know what vulnerabilities your computer might have, here are good places to start:

http://web.nvd.nist.gov/view/vuln/search
http://www.us-cert.gov/

Here is a simple explanation of how CVSS scoring works:
http://www.networkworld.com/community/node/21105

At the NIST site search for vulnerabilities for "Apple". Charlie Miller's hacks are the newest ones for OS X posted, but they are not explained because they are so new. But browse down the list and educate yourself.

I use both Macs and Windows machines regularly at work and home and sometimes use Linux as well. Keep your systems' patches up to date, use pop-up blockers and tools that warn you when you are visiting malicious websites. I have a virus scanner on my Mac, but don't keep it on all the time; I do scan my machine once a month. It never finds anything, but it is good to check. And use a malware checker/removal tool.
post #102 of 130
In addition to MSIMPSON's links, here is the NSA's link to security guides for various flavours of OS X, Windows, et al.
http://www.nsa.gov/ia/guidance/secur..._systems.shtml

These OS X Security Guides are also available directly from Apple here:
http://www.apple.com/support/security/guides/


Unfortunately, the OS X 10.6 Guide is still not available. According to a November 2009 Apple Mailing List, the guide is in internal and regulatory approval status. To harden 10.6, posts suggest to use the 10.5 Guide but they note that not all documented steps will match the UI.
http://lists.apple.com/archives/fed-.../msg00094.html
post #103 of 130
Quote:
Originally Posted by extremeskater View Post

Your reading gets more and more selective.


"Unsurprisingly, Charlie Miller, principal security analyst with Independent Security Evaluators, took home the $10,000 prize after he hacked Safari on a MacBook Pro without having access to the machine"

This would be called hacking via remote access.



"There are two lessons for businesses to learn about security here, right off the bat. First, using Apple hardware and software is not an adequate defense, in and of itself. Despite the common perception that the Mac OS X operating system is just inherently more secure than Windows, the reality is that the primary reason Macs aren't attacked and compromised more often is that the platform with 92 percent market share promises malware developers a significantly higher return on investment than the platform with 5 percent market share."

Let's lay this down, and geekdad you can chime in as needed. First and foremost, Charlie Miller spends most of the year running exploits against various platforms well in advance of the contest - he has stated as much previous to successful attempts in other years. So the time it takes for him to do this as reported by the organizers doesn't reflect the actual effort to accomplish it. He's an accomplished security expert, and I think he's doing the right thing by not turning over the fuzzing vulnerabilities but instead the process by which he was able to fuzz out the exploits.

Second. I am a technology manager and to say that this scenario in any way reflects actual vulnerability in the corporate setting is silly and ignorant of the dedicated efforts of many teams protecting our environments. Everything from proxy controls to edge guardianship and plain old log-checking and packet sniffing and significantly more than that. Our security and vulnerabilities teams are constantly checking known attack vectors as well as doing general patrol for suspicious activity. We are more threatened by some internal idiot laptop packer who decides to download a cool "free" app than anything else. And we have controls on that as well.

Third. Stop already with the security by obscurity myth. While the presence of a mere 40 or so million Macs currently in operation world-wide is a small population compared to the combined consumer and business population dependent on Windows, it is still 40 or so million pristine, virginal platforms to compromise - a potential 'bot army which if properly compromised would dwarf any of the existing Windows 'bot armies out in the wild. The reality of the situation is simply this. If you go back to pre-2001, Mac OS 9 had as many virus issues and vulnerabilities as the Windows platform with only 1-2% of the PC market. In fact Apple regularly bundled Norton with the Macs during that period, and consistently directed purchasers to get anti-virus software and install it. However, with the on-boarding of the NeXT dev team and the introduction of the Mach kernel into the Mac OS, the scenario changed considerably. With the complete rewrite of the Mac OS as Mac OS X (10) around the Mach kernel Apple took a huge gamble. They risked alienating their diminutive user base by doing this, but didn't have a lot to lose at that point. Released in 2001, Mac OS X marked the point at which the OS vulnerability became significantly reduced due to this bottom-up rewrite of the OS. As Apple slowly phased out the old OS 9 Classic environment from Mac OS X, the security increased.

Microsoft is not in a position to do something this radical with Windows. They are constrained by their ownership of the corporate environments and their OEM partnerships. In fact our company has dedicated Microsoft consultants onsite in several places to keep the considerable footprint of the Windows environments up and running. Microsoft can only keep working away at checking the millions of lines of code it has in the Windows OS and watch closely for any surprises out in the wild. Apple, while in slightly better shape still has a lot of open source code it uses and which causes potential vulnerabilities to crop up. There is no such thing as virus or hacker proof, unless it is locked away and never touched.

I've been in the technology segment for nearly 40 years, I'm older than DOS and silicon microprocessors, Microsoft certified, coded in more languages than most of the young engineers I have to shepherd around my org know exist, and have advised on the engineering council for my company. I am not only an eye-witness to the entire development of Microsoft and Apple, and all the rest, I have been an active participant as well.
post #104 of 130
Quote:
Originally Posted by allblue View Post

Firefox plus AdBlock, FlashBlock and NoScript, on a Mac.

Quote:
Originally Posted by msimpson View Post

You visit a malicious website and don't block scripts, popups and ads, you get what you deserve. I would say the scariest vulnerabilities out there are actually websites themselves. With cross-site scripting, SQL injection, and other tricks, websites that store your personal information, or take your credit card information from you, can be compromised pretty easily.

I am encouraged that my approach appears to be vindicated by the posters who know what they are talking about here. I only moved to Firefox because until a few months ago I was still running 10.3.9, hence could not get past Safari 1.x, but it is the add-ons that have kept me on FF (3.6.2*) since finally arriving at 10.6.2. These provide some useful if non-essential additional functionality, but it is the security aspect that keeps FF as my default. I know there is Safari Ad-blocker and ClickToFlash, but there doesn't appear to be an equivalent of GhostScript. If you don't know about this stuff, you would probably be surprised how many scripts are waiting at a site - often it is twelve or more, and they will all start running without your knowledge. I'm talking about legitimate sites here, not the darker recesses of the naughty net, and there is no reason to presume they are malicious, but it is good to have that degree of control over what runs in your browser. Of course, as always, there is a compromise, an additional step to go through, in this case having to go into GhostScript to allow scripts you want to run (e.g. here at AI the embedded Vimeo vids are blocked by default, so you have to give permission for that script to run to view it), but even though I know that it is unnecessary as regards security 99.9% of the time, that extra level of security is worth it in my view.

So my point here is that Apple should allow/encourage or even provide similar add-on functionality for Safari, particularly as it is so easily do-able.

* If you are using FF, and do not have automatic update on, and have missed the news of a few days ago that a serious security flaw was found in 3.6.1, I suggest you update immediately.
Believe nothing, no matter where you heard it, not even if I have said it, if it does not agree with your own reason and your own common sense.
Buddha
Reply
post #105 of 130
Quote:
Originally Posted by extremeskater View Post

The main reason it's safer, not safe, is mainly because of Apple's lack of market share. It's real simple: anything can be hacked. It's kind of like having a lock on your front door; it keeps the honest people out, but anyone that really wants to get in will be able to.

This yearly contest is interesting to see what people can hack and what hacks they come up with but it certainly isn't a shocker to know anything can be hacked.

However, don't fool yourself: if someone really wants to take the time to write a virus for OSX, it certainly can be done.

Market share again? It was proved more than once that market share is not an issue, because if it was there would be no difference for hackers what machine you're running? Right?

The best part is that every year all these hacks for Safari relied on user ignorance or stupidity to hack the OS etc. The fact that every browser was hacked only says one thing - that browser security could be better; that doesn't say much about OS security. As you know, hacking an OS and hacking some app are two different things. If I wrote a bad app, security-wise, which connects to the internet, it's possible to get full control of the computer through this app? Right?


By the way, those time takers are taking a lot of time, like 9 years and counting. There is a reason for this, which sounds something like this: IT'S NOT THAT EASY TO DO, BECAUSE IF IT WERE, IT WOULD HAVE BEEN DONE ALREADY IN THE BEGINNING WHEN THE OS WASN'T MATURE.


There are operating systems with even smaller market share (tens of times smaller) with at least proof-of-concept viruses; for Linux there are a few.

So either you are a troll or you have no idea what you are talking about + troll.

Which of us is the fisherman and which the trout?

Reply
post #106 of 130
Whilst the fact that the machines get hacked at all is relevant, the speed with which they are hacked kind of isn't.

Charlie Miller obviously does his homework, prepares well and when it's time to go he has the hack execution down to a fine art - it's called preparation.

Where machines are not hacked as quickly what can we assume? Either the other guys weren't prepared as well as Charlie OR they really did succeed in hacking the machines, sight unseen on the day, which would actually make them less secure than a machine that was hacked in seconds by someone who prepped well.

This contest is as much about the guys doing the hacking as the platforms and should not be taken as a reliable measure of security. In fact Miller seems to understand what many do not, even though he hacked the Mac in seconds, he still recommends the platform as more secure in practice.

Apparently millions of exploits automatically occurring per day is actually a better indicator than a one off hacking contest per year.
post #107 of 130
So what is the future of web browsing? This sort of competition is giving competitors tens of thousands of dollars for relatively little effort. While these people are quite talented, I think this will bring even more people to the ready, knowing that browser exploits are available.

Because browsers are getting very standardized and have all increased speeds tremendously in recent years (heck, even IE9 is showing JS speeds that are worthy of the big boys) I think the next browser war will focus a lot more on security.


Quote:
Originally Posted by skingers View Post

Whilst the fact that the machines get hacked at all is relevant, the speed with which they are hacked kind of isn't.

Charlie Miller obviously does his homework, prepares well and when it's time to go he has the hack execution down to a fine art - it's called preparation.

Where machines are not hacked as quickly what can we assume? Either the other guys weren't prepared as well as Charlie OR they really did succeed in hacking the machines, sight unseen on the day, which would actually make them less secure than a machine that was hacked in seconds by someone who prepped well.

This contest is as much about the guys doing the hacking as the platforms and should not be taken as a reliable measure of security. In fact Miller seems to understand what many do not, even though he hacked the Mac in seconds, he still recommends the platform as more secure in practice.

Apparently millions of exploits automatically occurring per day is actually a better indicator than a one off hacking contest per year.

Great post, Skingers.
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
Reply
post #108 of 130
...for the great post!

Quote:
Originally Posted by masternav View Post

Let's lay this down, and geekdad you can chime in as needed. First and foremost, Charlie Miller spends most of the year running exploits against various platforms well in advance of the contest - he has stated as much previous to successful attempts other years. So the time it takes for him to do this as reported by the organizers doesn't reflect the actual effort to accomplish it. He's an accomplished security expert, and I think he's doing the right thing by not turning over the fuzzing vulnerabilities but instead the process by which he was able to fuzz out the exploits.

Second. I am a technology manager and to say that this scenario in any way reflects actual vulnerability in the corporate setting is silly and ignorant of the dedicated efforts of many teams protecting our environments. Everything from proxy controls to edge guardianship and plain old log-checking and packet sniffing and significantly more than that. Our security and vulnerabilities teams are constantly checking known attack vectors as well as doing general patrol for suspicious activity. We are more threatened by some internal idiot laptop packer who decides to download a cool "free" app than anything else. And we have controls on that as well.

Third. Stop already with the security by obscurity myth. While the presence of a mere 40 or so million Macs currently in operation world-wide is a small population compared to the combined consumer and business population dependent on Windows, it is still 40 or so million pristine, virginal platforms to compromise - a potential 'bot army which if properly compromised would dwarf any of the existing Windows 'bot armies out in the wild. The reality of the situation is simply this. If you go back to pre 2001, Mac OS 9 had as many virus issues and vulnerabilities as the Windows platform with only 1-2% of the PC market. In fact Apple regularly bundled Norton with the Macs during that period, and consistently directed purchasers to get anti-virus software and install it. However with the on-boarding of the NeXT dev team and the introduction of the Mach kernel into the MacOS, the scenario changed considerably. With the complete rewrite of the MacOS as MacOS X (10) around the Mach kernel Apple took a huge gamble. They risked alienating their diminutive user base by doing this, but didn't have a lot to lose at that point. Released in 2001, MacOS X marked the point at which the OS vulnerability became significantly reduced due to this bottom-up rewrite of the OS. As Apple slowly phased out the old OS9 classic environment from MacOS X, the security increased.

Microsoft is not in a position to do something this radical with Windows. They are constrained by their ownership of the corporate environments and their OEM partnerships. In fact our company has dedicated Microsoft consultants onsite in several places to keep the considerable footprint of the Windows environments up and running. Microsoft can only keep working away at checking the millions of lines of code it has in the Windows OS and watch closely for any surprises out in the wild. Apple, while in slightly better shape still has a lot of open source code it uses and which causes potential vulnerabilities to crop up. There is no such thing as virus or hacker proof, unless it is locked away and never touched.

I've been in the technology segment for nearly 40 years, I'm older than DOS and silicon microprocessors, Microsoft certified, coded in more languages than most of the young engineers I have to shepherd around my org know exist, and have advised on the engineering council for my company. I am not only an eye-witness to the entire development of Microsoft and Apple, and all the rest, I have been an active participant as well.
Knowing what you are talking about would help you understand why you are so wrong. By "Realistic" - AI Forum Member
Reply
post #109 of 130
Quote:
Originally Posted by Quadra 610 View Post

2001
2002
2003
2004
2005
2006
2007
2008
2009
2010

So where's the beef?

*continues to surf the web in a complacent and arrogant manner.*

Wow, 2001 onwards.... he he he. Kiss your iPod and iPhone, mate, and adjust your dates.

Well, to be honest you're safe as, between www.macrumors.com, www.appleinsider.com and www.apple.com, where you probably spend 99.999999999% of your time, and which is the web for you, I too would agree that you're very safe.

Ummm, heard of the iPhone, right??? What was it, 22 sec to hack the SMS database? I was including the iPhone in my statement, mate.
post #110 of 130
Quote:
Originally Posted by Quadra 610 View Post

I'm not sure what you mean by this. Many people do "real work" in Numbers (or Excel) or iWork (Pages, for example.) Entire books are written with word processors. 200+ page PhD dissertations are written with Pages. Or Word. Or even OpenOffice.

Nor am i sure what any of this has to do with OS security.

I'm safe because I use a platform that is well-designed and doesn't run 99.99999% of malware out there. Nor will it ever come close to doing so.

Mate, he was being sarcastic. Come on, he said you used iWork; you're not seriously telling us that you use iWork as your first choice????
post #111 of 130
Geez Apple why not hire this guy Charlie Miller. The $200k/year or whatever he would make would be worth it just for the reduced embarrassment.
post #112 of 130
Quote:
Originally Posted by MH01 View Post

Mate, he was being sarcastic. Come on, he said you used iWork; you're not seriously telling us that you use iWork as your first choice????

What's the problem with that? iWork is more than enough to get the job done.

Which of us is the fisherman and which the trout?

Reply
post #113 of 130
Quote:
Originally Posted by MH01 View Post

Well, to be honest you're safe as, between www.macrumors.com, www.appleinsider.com and www.apple.com, where you probably spend 99.999999999% of your time, and which is the web for you, I too would agree that you're very safe.

Ummm, heard of the iPhone, right??? What was it, 22 sec to hack the SMS database? I was including the iPhone in my statement, mate.

I'm not sure an SMS hack is going to lead to widespread viruses on the iPhone. Plus, as masternav points out, Apple had viruses BEFORE Mac OS X came on the scene.

In 1990 Apple sold 1.3 million Macs
In 2000 Apple sold 3.8 million Macs
In 2010 Apple is likely to sell more than 1.3 million Macs in at least one month and more than 3.8 million Macs in a quarter.

So, your previous statement, "As Apple gets bigger and bigger more hackers will target them, the days of being complacent and arrogant are counting down", has so far worked in the opposite direction.

Then there are the elephants in the room: the historical fact that Mac users tend to have more disposable income, so their machines could be a better score than the average $400 PC user's, -AND- the millions of servers running Linux and Unix that maintain your CC info on file somewhere. Are these simply not worthy to be accessed, or is there something innate to their core design that makes them inherently more secure?
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
Reply
post #114 of 130
Love the way people see this as an attack on Apple and that Apple were somehow at a disadvantage. It's not; it's completely fair between all the different browsers and platforms.

It doesn't matter what you use: Windows, Mac, IE, Safari, Firefox. They will all be able to be hacked in some sort of way; it's not surprising, it's just the way it is.

Add to that, is it even that important? If you want to access people's stuff then it's much easier just to publish an iPhone app that requires a registration (or anything that requires registration) and that's it. 90% of people are likely to register with the same password as they have for their webmail account, as well as providing you with their email to log in with. Now you have access to all the other sites they ever registered on, and they're completely oblivious.
post #115 of 130
Just to put my 2 cents in here... I'm sick of hearing this "obscurity" BS! At the moment there's not a company on the planet whose every move is not scrutinized, publicized, blogged and reported to death more than Apple's.

With 40-70 million machines out there, belonging to the "so-called" money-loose and stupidest "fanboy idiots" of all time... are just standing there ripe for the picking... what hacker "wouldn't" pick the Mac as a target?! That is if it was so easy, and we as users are so dumb, and since our Credit Card limits and bank accounts actually have money on them?!

It would be HEADLINE news for weeks, if an actual virus, Trojan, or malware screwed up our little "Fanboy-Logo-Purchasing-Paradise", wouldn't it?

Send me a Mac virus! Make me do the ->

BTW: Look... the Bad Guys are even offering money!

Malware affiliate bounty: Infect a Mac, earn 43 cents
ZDNet | September 25th, 2009 | Ryan Naraine

GENEVA - In a sign that cyber-criminals are investing more time and resources into attacks against Apple's Mac users, a new malware affiliate program has been discovered offering 43c for every infected Mac machine.

During an eye-opening presentation at the VB Conference 2009 conference here, Sophos Labs researcher Dmitry Samosseikko provided a glimpse into the Partnerka, a Russian network of spam and malware affiliates that have turned their attention to the Mac platform using social engineering tricks to load fake codecs and scareware programs.

(Excerpt) Read more at blogs.zdnet.com ...
Knowing what you are talking about would help you understand why you are so wrong. By "Realistic" - AI Forum Member
Reply
post #116 of 130
Quote:
Originally Posted by MH01 View Post

Wow 2001 onwards.... he he he Kiss you Ipod and Iphone mate, and adjust your dates

OS X was released in 2001. Server was released in 1999.

You can surf anywhere on the net with OS X. You'll be just fine.
post #117 of 130
Quote:
Originally Posted by Quadra 610 View Post

OS X was released in 2001. Server was released in 1999.

You can surf anywhere on the net with OS X. You'll be just fine.


Unless, of course, you happen to come across a compromised site which (ab)uses a security flaw in Safari. Otherwise you'll be fine. Oh, and did you know that Windows is the most secure OS on the planet as long as you stay away from applications and sites which can compromise its security?
post #118 of 130
Quote:
Originally Posted by Erunno View Post

Oh, and did you know that Windows is the most secure OS on the planet as long as you stay away from applications and sites which can compromise its security?

Which is nearly half the web.

But I'm sure that sticking to CNN and Disney will keep you perfectly safe.

I can't off the top of my head think of any site that will compromise OS X, or that is even remotely a threat. There's a good chance that none even exist at this point, which would be par for the course when it comes to OS X.
post #119 of 130
It is stupid to say that the Mac OS is slow to dent in the corporate world due to security. By that measure, Windows should never be used.

This contest is good. This initiative is good. It puts pressure on the vendors to deliver more secure products.
Most of us employ the Internet not to seek the best information, but rather to select information that confirms our prejudices. - Nicholas D. Kristof
Reply
post #120 of 130
Quote:
Originally Posted by Quadra 610 View Post

I can't off the top of my head think of any site that will compromise OS X...

...yet. That's the point, isn't it? Nothing out there at this time, probably won't be for a while, maybe even ever, but you never know. There is also the issue of a wider responsibility. Firstly, by not becoming an unwitting carrier for the poor souls on the other side, but also, if something nasty does emerge on the Mac side, the fewer compromised machines, the easier it would be to contain. Yes, we can surf with confidence, but that doesn't justify complacency in my opinion.
Believe nothing, no matter where you heard it, not even if I have said it, if it does not agree with your own reason and your own common sense.
Buddha
Reply