The point of this is that the Mac isn't really hacked at all it's using social engineering to activate the exploits, i.e. getting people to visit malicious sites.
All of the Mac hacks had to be worked on BEFORE the contest started whereas Windows could be hacked onsite on the day.
Windows has a 20 minute life on the Internet before it gets hit by hackers and the like and yet there is no recorded case of a Mac being hacked in the wild except for people visiting sites of ill repute.
The biggest case in point was the iWork and Photoshop incidents that involved files being illegally downloaded off bit torrent sites. However it required people to download and install the software.
Windows doesn't need that. Simply opening an e-mail can kick off a virus and considering Outlook is set as default to open e-mails using the Preview Pane then you can understand the problem.
So no it's not really a true test of how insecure Mac OS X or the iPhone really is. It might be a test of how insecure Safari is because that's always what's used in these events.
While it is a grey area whether or not social engineering is really hacking this flaw can easily be thwarted through education. Not so much Windows attacks.
Now, if the contest rules stated that all work had to be done onsite within a certain time without any extra software or hardware being bought in then we'll see how good the security of the system is.
So much nonsense in this post. You are either deliberately posting FUD, or are woefully uninformed. You give Apple fans a bad name.
First off, being infected with malware by by visiting a website is hardly "social engineering". Pretty much all malware infections on the Windows platform occur this way, often through compromised banner adverts, served by advertising companies. These sometimes get onto reputable websites.
I also wish people would stop spouting the "20 minutes" to infect a Windows PC story as well. This is only true if your PC is connected directly to the internet (not through a router) and if Windows XP is being used without any security updates. Any software firewall (on by default since SP1) would also mitigate the threat. There has not been a worm (*no* user interaction required) which will infect a home user of Vista or 7; all infections require (to your definition) "social engineering".
Your claim that the Windows exploits were written on the day is completely wrong. With ASLR and DEP in Windows Vista/7 the exploits took a lot more effort than Safari on the Mac.
Lots of other inaccuracies in your post, but the effort barely seems worth it.
I'm safe because I use a platform that is well-designed and doesn't run 99.99999% of malware out there. Nor will it ever come close to doing so.
The main reason its safer not safe is mainly because of Apple lack of market share. Its real simple anything can be hacked. Its kind of like having a lock on your front door it keeps the honest people out but anyone that really wants to get in will be able too.
This yearly contest is interesting to see what people can hack and what hacks they come up with but it certainly isn't a shocker to know anything can be hacked.
However don't fool yourself if someone really wants to take the time to write a virus for OSX is certainly can be done.
Stunning how many uninformed comments get posted here both for and against Apple products. I could spend an hour going post by post pointing out how wrong people are and it would not matter, they would not believe anything I say, because everyone seems to have their mind made up and closed. All I will say is that I manage a team of security analysts for security firm. We regularly assess corporate network environments, servers, and workstations. We have experts in Windows, Linux, and OSX, and some of them use Windows laptops, some OSX laptops, and some prefer Linux. I have seen all of them hacked in minutes. The biggest security problem for computers are the people who use them. You visit a malicious website and and don't block scripts, popups and ads, you get what you deserve. I would say the scariest vulnerabilities out there are actually websites themselves. With cross-site scripting, SQL injection, and other tricks websites that store your personal information, or take your credit card information from you can be compromised pretty easily. And there are tools and well published hacks out in the wild that make this easy for people who don't really have a deep knowledge of computers, code, and security. A computer is only as safe as the person using it.
If you want to know what vulnerabilities your computer might have, here are good places to start:
At the NIST site search for vulnerabilities for "Apple". Charlie Miller's hacks are the newest ones for OS X posted, but they are not explained because they are so new. But browse down the list and educate yourself.
I use both Macs and Windows machines regularly at work and home and sometimes use Linux as well. Keep your systems patches up to date, use pop-up blockers and tools that warn you when you are visiting malicious websites. I have a virus scanner on my Mac, but don't keep it on all the time, but do scan my machine once a month. It never finds anything, but it is good to check. And use a malware checker/removal tool.
Unfortunately, the OS X 10.6 Guide is still not available. According to a November 2009 Apple Mailing List, the guide is in internal and regulatory approval status. To harden 10.6, posts suggest to use the 10.5 Guide but they note that not all documented steps will match the UI.
"Unsurprisingly, Charlie Miller, principal security analyst with Independent Security Evaluators, took home the $10,000 prize after he hacked Safari on a MacBook Pro without having access to the machine"
This would be called hacking via remote access.
'There are two lessons for businesses to learn about security here, right off the bat. First, using Apple hardware and software is not an adequate defense, in and of itself. Despite the common perception that the Mac OS X operating system is just inherently more secure than Windows, the reality is that the primary reason Macs aren't attacked and compromised more often is that the platform with 92 percent market share promises malware developers a significantly higher return on investment than the platform with 5 percent market share."
Let's lay this down, and geekdad you can chime in as needed. First and foremost, Charlie Miller spends most of the year running exploits against various platforms well in advance of the contest - he has stated as much previous to successful attempts other years. So the time it takes for him to do this as reported by the organizers doesn't reflect the actual effort to accomplish it. He's an accomplished security expert, and I think he's doing the right thing by not turning over the fuzzing vunerabilities but instead the process by which he was able to fuzz out the exploits.
Second. I am a technology manager and to say that this scenario in any way reflects actual vulnerability in the corporate setting is silly and ignorant of the dedicated efforts of many teams protecting our environments. Everything from proxy controls to edge guardianship and plain old log-checking and packet sniffing and significantly more than that. Our security and vulnerabilities teams are constantly checking known attack vectors as well as doing general patrol for suspicious activity. We are more threatened by some internal idiot laptop packer who decides to download a cool "free" app than anything else. And we have controls on that as well.
Third. Stop already with the security by obscurity myth. While the presence of a mere 40 or so million Macs currently in operation world-wide is a small population compared to the combined consumer and business population dependent on Windows, it is still 40 or so million pristine, virginal platforms to compromise - a potential 'bot army which if properly compromised would dwarf any of the existing Windows 'bot armies out in the wild. The reality of the situation is simply this. If you go back to pre 2001, Mac OS 9 had as many virus issues and vulnerabilities as the Windows platform with only 1-2% of the PC market. In fact Apple regularly bundled Norton with the Macs during that period, and consistently directed purchasers to get anti-virus software and install it. However with the on-boarding of the NeXT dev team and the introduction of the mach kernel into the MacOS, the scenario changed considerably. With the complete rewrite of the MacOS as MacOS X (10) around the mach kernel Apple took a huge gamble. They risked alienating their diminuitive user base by doing this, but didn't have a lot to lose at that point. Released in 2001, MacOS X marked the point at which the OS vulnerability became signifcantly reduced due to this bottom-up rewrite of the OS. As Apple slowly phased out the old OS9 classic environment from MacOS X, the security increased.
Microsoft is not in a position to do something this radical with Windows. They are constrained by their ownership of the corporate environments and their OEM partnerships. In fact our company has dedicated Microsoft consultants onsite in several places to keep the considerable footprint of the Windows environments up and running. Microsoft can only keep working away at checking the millions of lines of code it has in the Windows OS and watch closely for any surprises out in the wild. Apple, while in slightly better shape still has a lot of open source code it uses and which causes potential vulnerabilities to crop up. There is no such thing as virus or hacker proof, unless it is locked away and never touched.
I've been in the technology segment for nearly 40 years, I'm older than DOS and silicon microprocessors, Microsoft certified, coded in more languages than most of the young engineers I have to shepherd around my org know exist, and have advised on the engineering council for my company. I am not only an eye-witness to the entire development of Microsoft and Apple, and all the rest, I have been an active participant as well.
Firefox plus AdBlock; FlashBlock and NoScript, on a a Mac.
Quote:
Originally Posted by msimpson
You visit a malicious website and and don't block scripts, popups and ads, you get what you deserve. I would say the scariest vulnerabilities out there are actually websites themselves. With cross-site scripting, SQL injection, and other tricks websites that store your personal information, or take your credit card information from you can be compromised pretty easily.
I am encouraged that my approach appears to be vindicated by the posters who know what they are talking about here. I only moved to FireFox because until a few months ago I was still running 10.3.9, hence could not get past Safari 1.x, but it is the add-ons that have kept me on FF (3.6.2*) since finally arriving at 10.6.2. These provide some useful if non-essential additional functionality, but it is the security aspect that keeps FF as my default. I know there is Safari Ad-blocker and ClickToFlash, but there doesn't appear to be an equivalent of GhostScript. If you don't know about this stuff, you would probably be surprised how many scripts are waiting at a site - often it is twelve or more, and they will all start running without your knowledge. I'm talking about legitimate sites here, not the darker recesses of the naughty net, and there is no reason to presume they are malicious, but it is good to have that degree of control over what runs in your browser. Of course as always there is a compromise, an additional step to go through, in this case have to go into GhostScript to allow scripts you want to run (e.g. here at AI the embedded Vimeo vids are blocked by default, so you have to give permission for that script to run to view it), but even though I know that it is unnecessary as regards security 99.9% of the time, that extra level of security is worth it in my view.
So my point here is that Apple should allow/encourage or even provide similar add-on functionality for Safari, particularly as it is so easily do-able.
* If you are using FF, and do not have automatic update on, and have missed the news of a few days ago that a serious security flaw was found in 3.6.1, I suggest you update immediately.
The main reason its safer not safe is mainly because of Apple lack of market share. Its real simple anything can be hacked. Its kind of like having a lock on your front door it keeps the honest people out but anyone that really wants to get in will be able too.
This yearly contest is interesting to see what people can hack and what hacks they come up with but it certainly isn't a shocker to know anything can be hacked.
However don't fool yourself if someone really wants to take the time to write a virus for OSX is certainly can be done.
Market share again? It was proved more than once that market share is not an issue, because if it was there would be no difference for hackers what machine yoiu're running? Right?
The best part is that every year all these hacks for Safari relied on user ignorance or stupidity to hack OS and etc., The fact that every browser was hacked only says one thing - that browser security could be better, that doesn't say much about OS security. As you know hakcing OS and hacking some app is to different things. If I wrote bad app security wise which connects to internet it's possible to get full control of computer through this app? Right?
By the way those time takers are taking a lot of time like 9 years and counting There is a reason for this, which sounds something like this: IT"S NOT THAT EASY TO DO, BECAUSE IF IT WOULD IT WOULD BE DONE ALREADY IN THE BEGINING WHEN OS WASN'T MATURE.
There are operating systems with even smaller marketshare (tens of times) with at least proof of concept viruses like for Linux there are few.
So either you are troll or you have no idea what you are talking about + troll.
Whilst the fact that the machines get hacked at all is relevant, the speed with which they are hacked kind of isn't.
Charlie Miller obviously does his homework, prepares well and when it's time to go he has the hack execution down to a fine art - it's called preparation.
Where machines are not hacked as quickly what can we assume? Either the other guys weren't prepared as well as Charlie OR they really did succeed in hacking the machines, sight unseen on the day, which would actually make them less secure than a machine that was hacked in seconds by someone who prepped well.
This contest is as much about the guys doing the hacking as the platforms and should not be taken as a reliable measure of security. In fact Miller seems to understand what many do not, even though he hacked the Mac in seconds, he still recommends the platform as more secure in practice.
Apparently millions of exploits automatically occurring per day is actually a better indicator than a one off hacking contest per year.
So what is the future of web browsing? This sort of competition that is giving competitors 10s of thousands of dollars for relatively little effort. While these people are quite talented I think this will bring even more people to the ready knowing that browser exploits are available.
Because browsers are getting very standardized and have all increased speeds tremendously in recent years (heck, even IE9 is showing JS speeds that are worthy of the big boys) I think the next browser war will focus a lot more on security.
Quote:
Originally Posted by skingers
Whilst the fact that the machines get hacked at all is relevant, the speed with which they are hacked kind of isn't.
Charlie Miller obviously does his homework, prepares well and when it's time to go he has the hack execution down to a fine art - it's called preparation.
Where machines are not hacked as quickly what can we assume? Either the other guys weren't prepared as well as Charlie OR they really did succeed in hacking the machines, sight unseen on the day, which would actually make them less secure than a machine that was hacked in seconds by someone who prepped well.
This contest is as much about the guys doing the hacking as the platforms and should not be taken as a reliable measure of security. In fact Miller seems to understand what many do not, even though he hacked the Mac in seconds, he still recommends the platform as more secure in practice.
Apparently millions of exploits automatically occurring per day is actually a better indicator than a one off hacking contest per year.
Let's lay this down, and geekdad you can chime in as needed. First and foremost, Charlie Miller spends most of the year running exploits against various platforms well in advance of the contest - he has stated as much previous to successful attempts other years. So the time it takes for him to do this as reported by the organizers doesn't reflect the actual effort to accomplish it. He's an accomplished security expert, and I think he's doing the right thing by not turning over the fuzzing vunerabilities but instead the process by which he was able to fuzz out the exploits.
Second. I am a technology manager and to say that this scenario in any way reflects actual vulnerability in the corporate setting is silly and ignorant of the dedicated efforts of many teams protecting our environments. Everything from proxy controls to edge guardianship and plain old log-checking and packet sniffing and significantly more than that. Our security and vulnerabilities teams are constantly checking known attack vectors as well as doing general patrol for suspicious activity. We are more threatened by some internal idiot laptop packer who decides to download a cool "free" app than anything else. And we have controls on that as well.
Third. Stop already with the security by obscurity myth. While the presence of a mere 40 or so million Macs currently in operation world-wide is a small population compared to the combined consumer and business population dependent on Windows, it is still 40 or so million pristine, virginal platforms to compromise - a potential 'bot army which if properly compromised would dwarf any of the existing Windows 'bot armies out in the wild. The reality of the situation is simply this. If you go back to pre 2001, Mac OS 9 had as many virus issues and vulnerabilities as the Windows platform with only 1-2% of the PC market. In fact Apple regularly bundled Norton with the Macs during that period, and consistently directed purchasers to get anti-virus software and install it. However with the on-boarding of the NeXT dev team and the introduction of the mach kernel into the MacOS, the scenario changed considerably. With the complete rewrite of the MacOS as MacOS X (10) around the mach kernel Apple took a huge gamble. They risked alienating their diminuitive user base by doing this, but didn't have a lot to lose at that point. Released in 2001, MacOS X marked the point at which the OS vulnerability became signifcantly reduced due to this bottom-up rewrite of the OS. As Apple slowly phased out the old OS9 classic environment from MacOS X, the security increased.
Microsoft is not in a position to do something this radical with Windows. They are constrained by their ownership of the corporate environments and their OEM partnerships. In fact our company has dedicated Microsoft consultants onsite in several places to keep the considerable footprint of the Windows environments up and running. Microsoft can only keep working away at checking the millions of lines of code it has in the Windows OS and watch closely for any surprises out in the wild. Apple, while in slightly better shape still has a lot of open source code it uses and which causes potential vulnerabilities to crop up. There is no such thing as virus or hacker proof, unless it is locked away and never touched.
I've been in the technology segment for nearly 40 years, I'm older than DOS and silicon microprocessors, Microsoft certified, coded in more languages than most of the young engineers I have to shepherd around my org know exist, and have advised on the engineering council for my company. I am not only an eye-witness to the entire development of Microsoft and Apple, and all the rest, I have been an active participant as well.
*continues to surf the web in a complacent and arrogant manner.*
Wow 2001 onwards.... he he he Kiss you Ipod and Iphone mate, and adjust your dates
Well, to be honest your safe as, between www.macrumors.com . www.appleinsider.com and www.apple.com where you probably spend 99.999999999% of you time, and is the web for you, I too would agree that your very safe.
Ummm heard of the iphone right??? What was it 22 sec to hack the sms database? I was including the iphone in my statement mate.
I'm not sure what you mean by this. Many people do "real work" in Numbers (or Excel) or iWork (Pages, for example.) Entire books are written with word processors. 200+ page PhD dissertations are written with Pages. Or Word. Or even OpenOffice.
Nor am i sure what any of this has to do with OS security.
I'm safe because I use a platform that is well-designed and doesn't run 99.99999% of malware out there. Nor will it ever come close to doing so.
Mate, he was being sarcastic Comeon he said you used iWork, you not seriously telling us that you use iWork as your first choice????
Well, to be honest your safe as, between www.macrumors.com . www.appleinsider.com and www.apple.com where you probably spend 99.999999999% of you time, and is the web for you, I too would agree that your very safe.
Ummm heard of the iphone right??? What was it 22 sec to hack the sms database? I was including the iphone in my statement mate.
I'm not sure an SMS hack is going to lead to widespread viruses on the iPhone. Plus, as masternav points out, Apple had viruses BEFORE Mac OS X came on the scene.
In 1990 Apple sold 1.3 million Macs
In 2000 Apple sold 3.8 million Macs
In 2010 Apple is likely to sell more then 1.3 million Macs in at least one month and more than 3.8 million Macs in a quarter.
So, your previous statement, "As apple gets bigger and bigger more hackers will target them, the days of being complacent and arrogant and counting down", has so far worked in the opposite direction.
Then there is the elephants in the room, the historical fact that Mac users tend to have more disposable income so their machines could be a better score than from the average $400 PC user -AND- the millions of servers running Linux and Unix that maintain your CC info on file somewhere. Are these simply not worthy to be accessed or is there something innate to their core design that makes them inherently more secure?
Love the way people see this as an attack on Apple and that Apple we're some how at a disadvantage. It's not, it's completely fair between all the different browsers and platforms.
It doesn't matter what you use Windows, Mac, IE, Safari, Firefox. They will all be able to be hacked in some sort of way, it's not surprising its just the way it is.
Add to that, is it even that important? If you want to access peoples stuff then it's much easier just to publish an iPhone app the require's a registration (or anything that required registration) and thats it. 90% of people are likely to register with the same password as they have for there webmail account as well as providing you with their email to log in with as well. Now you have access to all the other sites they ever registered on, and there completely oblivious.
Just to put my 2 cents in here... I'm sick of hearing this "obscurity" BS! At the moment there's not a company on the planet who's every move is not scrutinized, publicized, blogged and reported to death more than Apple's.
With 40-70 million machines out there, belonging to the "so-called" money-loose and stupidest "fanboy idiots" of all time... are just standing there ripe for the picking... what hacker "wouldn't" pick the Mac as a target?! That is if it was so easy, and we as users are so dumb, and since our Credit Card limits and bank accounts actually have money on them?!
It would be HEADLINE news for weeks, if an actual virus, Trojan, or malware screwed up our little "Fanboy-Logo-Purchasing-Paradise", wouldn't it?
Send me a Mac virus! Make me do the ->
BTW: Look... the Bad Guys are even offering money!
Malware affiliate bounty: Infect a Mac, earn 43 cents
ZDNet | September 25th, 2009 | Ryan Naraine
GENEVA ? In a sign that cyber-criminals are investing more time and resources into attacks against Apple?s Mac users, a new malware affiliate program has been discovered offering 43c for every infected Mac machine.
During an eye-opening presentation at the VB Conference 2009 conference here, Sophos Labs researcher Dmitry Samosseikko provided a glimpse into the ?Partnerka,? a Russian network of spam and malware affiliates that have turned their attention to the Mac platform ? using social engineering tricks to load fake codecs and scareware programs.
Comments
Really?
The point of this is that the Mac isn't really hacked at all it's using social engineering to activate the exploits, i.e. getting people to visit malicious sites.
All of the Mac hacks had to be worked on BEFORE the contest started whereas Windows could be hacked onsite on the day.
Windows has a 20 minute life on the Internet before it gets hit by hackers and the like and yet there is no recorded case of a Mac being hacked in the wild except for people visiting sites of ill repute.
The biggest case in point was the iWork and Photoshop incidents that involved files being illegally downloaded off bit torrent sites. However it required people to download and install the software.
Windows doesn't need that. Simply opening an e-mail can kick off a virus and considering Outlook is set as default to open e-mails using the Preview Pane then you can understand the problem.
So no it's not really a true test of how insecure Mac OS X or the iPhone really is. It might be a test of how insecure Safari is because that's always what's used in these events.
While it is a grey area whether or not social engineering is really hacking this flaw can easily be thwarted through education. Not so much Windows attacks.
Now, if the contest rules stated that all work had to be done onsite within a certain time without any extra software or hardware being bought in then we'll see how good the security of the system is.
So much nonsense in this post. You are either deliberately posting FUD, or are woefully uninformed. You give Apple fans a bad name.
First off, being infected with malware by by visiting a website is hardly "social engineering". Pretty much all malware infections on the Windows platform occur this way, often through compromised banner adverts, served by advertising companies. These sometimes get onto reputable websites.
I also wish people would stop spouting the "20 minutes" to infect a Windows PC story as well. This is only true if your PC is connected directly to the internet (not through a router) and if Windows XP is being used without any security updates. Any software firewall (on by default since SP1) would also mitigate the threat. There has not been a worm (*no* user interaction required) which will infect a home user of Vista or 7; all infections require (to your definition) "social engineering".
Your claim that the Windows exploits were written on the day is completely wrong. With ASLR and DEP in Windows Vista/7 the exploits took a lot more effort than Safari on the Mac.
Lots of other inaccuracies in your post, but the effort barely seems worth it.
*sigh*
As apple gets bigger and bigger more hackers will target them, the days of being complacent and arrogant and counting down.
2002
As apple gets bigger and bigger more hackers will target them, the days of being complacent and arrogant and counting down.
2003
As apple gets bigger and bigger more hackers will target them, the days of being complacent and arrogant and counting down.
2004
As apple gets bigger and bigger more hackers will target them, the days of being complacent and arrogant and counting down.
2005
As apple gets bigger and bigger more hackers will target them, the days of being complacent and arrogant and counting down.
2006
As apple gets bigger and bigger more hackers will target them, the days of being complacent and arrogant and counting down.
2007
As apple gets bigger and bigger more hackers will target them, the days of being complacent and arrogant and counting down.
2008
As apple gets bigger and bigger more hackers will target them, the days of being complacent and arrogant and counting down.
2009
As apple gets bigger and bigger more hackers will target them, the days of being complacent and arrogant and counting down.
2010
As apple gets bigger and bigger more hackers will target them, the days of being complacent and arrogant and counting down.
So where's the beef?
*continues to surf the web in a complacent and arrogant manner.*
I'm safe because I use a platform that is well-designed and doesn't run 99.99999% of malware out there. Nor will it ever come close to doing so.
The main reason its safer not safe is mainly because of Apple lack of market share. Its real simple anything can be hacked. Its kind of like having a lock on your front door it keeps the honest people out but anyone that really wants to get in will be able too.
This yearly contest is interesting to see what people can hack and what hacks they come up with but it certainly isn't a shocker to know anything can be hacked.
However don't fool yourself if someone really wants to take the time to write a virus for OSX is certainly can be done.
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
So where's the beef?
*continues to surf the web in a complacent and arrogant manner.*
Quadra, Apple really hasn't gotten that much bigger when it comes to their OS market share.
A few percentage points means very little.
If you want to know what vulnerabilities your computer might have, here are good places to start:
http://web.nvd.nist.gov/view/vuln/search
http://www.us-cert.gov/
Here is simple explanation how CVSS scoring works:
http://www.networkworld.com/community/node/21105
At the NIST site search for vulnerabilities for "Apple". Charlie Miller's hacks are the newest ones for OS X posted, but they are not explained because they are so new. But browse down the list and educate yourself.
I use both Macs and Windows machines regularly at work and home and sometimes use Linux as well. Keep your systems patches up to date, use pop-up blockers and tools that warn you when you are visiting malicious websites. I have a virus scanner on my Mac, but don't keep it on all the time, but do scan my machine once a month. It never finds anything, but it is good to check. And use a malware checker/removal tool.
http://www.nsa.gov/ia/guidance/secur..._systems.shtml
These OS X Security Guides are also available directly from Apple here:
http://www.apple.com/support/security/guides/
Unfortunately, the OS X 10.6 Guide is still not available. According to a November 2009 Apple Mailing List, the guide is in internal and regulatory approval status. To harden 10.6, posts suggest to use the 10.5 Guide but they note that not all documented steps will match the UI.
http://lists.apple.com/archives/fed-.../msg00094.html
Your reading gets more and more selective.
"Unsurprisingly, Charlie Miller, principal security analyst with Independent Security Evaluators, took home the $10,000 prize after he hacked Safari on a MacBook Pro without having access to the machine"
This would be called hacking via remote access.
'There are two lessons for businesses to learn about security here, right off the bat. First, using Apple hardware and software is not an adequate defense, in and of itself. Despite the common perception that the Mac OS X operating system is just inherently more secure than Windows, the reality is that the primary reason Macs aren't attacked and compromised more often is that the platform with 92 percent market share promises malware developers a significantly higher return on investment than the platform with 5 percent market share."
Let's lay this down, and geekdad you can chime in as needed. First and foremost, Charlie Miller spends most of the year running exploits against various platforms well in advance of the contest - he has stated as much previous to successful attempts other years. So the time it takes for him to do this as reported by the organizers doesn't reflect the actual effort to accomplish it. He's an accomplished security expert, and I think he's doing the right thing by not turning over the fuzzing vunerabilities but instead the process by which he was able to fuzz out the exploits.
Second. I am a technology manager and to say that this scenario in any way reflects actual vulnerability in the corporate setting is silly and ignorant of the dedicated efforts of many teams protecting our environments. Everything from proxy controls to edge guardianship and plain old log-checking and packet sniffing and significantly more than that. Our security and vulnerabilities teams are constantly checking known attack vectors as well as doing general patrol for suspicious activity. We are more threatened by some internal idiot laptop packer who decides to download a cool "free" app than anything else. And we have controls on that as well.
Third. Stop already with the security by obscurity myth. While the presence of a mere 40 or so million Macs currently in operation world-wide is a small population compared to the combined consumer and business population dependent on Windows, it is still 40 or so million pristine, virginal platforms to compromise - a potential 'bot army which if properly compromised would dwarf any of the existing Windows 'bot armies out in the wild. The reality of the situation is simply this. If you go back to pre 2001, Mac OS 9 had as many virus issues and vulnerabilities as the Windows platform with only 1-2% of the PC market. In fact Apple regularly bundled Norton with the Macs during that period, and consistently directed purchasers to get anti-virus software and install it. However with the on-boarding of the NeXT dev team and the introduction of the mach kernel into the MacOS, the scenario changed considerably. With the complete rewrite of the MacOS as MacOS X (10) around the mach kernel Apple took a huge gamble. They risked alienating their diminuitive user base by doing this, but didn't have a lot to lose at that point. Released in 2001, MacOS X marked the point at which the OS vulnerability became signifcantly reduced due to this bottom-up rewrite of the OS. As Apple slowly phased out the old OS9 classic environment from MacOS X, the security increased.
Microsoft is not in a position to do something this radical with Windows. They are constrained by their ownership of the corporate environments and their OEM partnerships. In fact our company has dedicated Microsoft consultants onsite in several places to keep the considerable footprint of the Windows environments up and running. Microsoft can only keep working away at checking the millions of lines of code it has in the Windows OS and watch closely for any surprises out in the wild. Apple, while in slightly better shape still has a lot of open source code it uses and which causes potential vulnerabilities to crop up. There is no such thing as virus or hacker proof, unless it is locked away and never touched.
I've been in the technology segment for nearly 40 years, I'm older than DOS and silicon microprocessors, Microsoft certified, coded in more languages than most of the young engineers I have to shepherd around my org know exist, and have advised on the engineering council for my company. I am not only an eye-witness to the entire development of Microsoft and Apple, and all the rest, I have been an active participant as well.
Firefox plus AdBlock; FlashBlock and NoScript, on a a Mac.
You visit a malicious website and and don't block scripts, popups and ads, you get what you deserve. I would say the scariest vulnerabilities out there are actually websites themselves. With cross-site scripting, SQL injection, and other tricks websites that store your personal information, or take your credit card information from you can be compromised pretty easily.
I am encouraged that my approach appears to be vindicated by the posters who know what they are talking about here. I only moved to FireFox because until a few months ago I was still running 10.3.9, hence could not get past Safari 1.x, but it is the add-ons that have kept me on FF (3.6.2*) since finally arriving at 10.6.2. These provide some useful if non-essential additional functionality, but it is the security aspect that keeps FF as my default. I know there is Safari Ad-blocker and ClickToFlash, but there doesn't appear to be an equivalent of GhostScript. If you don't know about this stuff, you would probably be surprised how many scripts are waiting at a site - often it is twelve or more, and they will all start running without your knowledge. I'm talking about legitimate sites here, not the darker recesses of the naughty net, and there is no reason to presume they are malicious, but it is good to have that degree of control over what runs in your browser. Of course as always there is a compromise, an additional step to go through, in this case have to go into GhostScript to allow scripts you want to run (e.g. here at AI the embedded Vimeo vids are blocked by default, so you have to give permission for that script to run to view it), but even though I know that it is unnecessary as regards security 99.9% of the time, that extra level of security is worth it in my view.
So my point here is that Apple should allow/encourage or even provide similar add-on functionality for Safari, particularly as it is so easily do-able.
* If you are using FF, and do not have automatic update on, and have missed the news of a few days ago that a serious security flaw was found in 3.6.1, I suggest you update immediately.
The main reason its safer not safe is mainly because of Apple lack of market share. Its real simple anything can be hacked. Its kind of like having a lock on your front door it keeps the honest people out but anyone that really wants to get in will be able too.
This yearly contest is interesting to see what people can hack and what hacks they come up with but it certainly isn't a shocker to know anything can be hacked.
However don't fool yourself if someone really wants to take the time to write a virus for OSX is certainly can be done.
Market share again? It was proved more than once that market share is not an issue, because if it was there would be no difference for hackers what machine yoiu're running? Right?
The best part is that every year all these hacks for Safari relied on user ignorance or stupidity to hack OS and etc., The fact that every browser was hacked only says one thing - that browser security could be better, that doesn't say much about OS security. As you know hakcing OS and hacking some app is to different things. If I wrote bad app security wise which connects to internet it's possible to get full control of computer through this app? Right?
By the way those time takers are taking a lot of time like 9 years and counting There is a reason for this, which sounds something like this: IT"S NOT THAT EASY TO DO, BECAUSE IF IT WOULD IT WOULD BE DONE ALREADY IN THE BEGINING WHEN OS WASN'T MATURE.
There are operating systems with even smaller marketshare (tens of times) with at least proof of concept viruses like for Linux there are few.
So either you are troll or you have no idea what you are talking about + troll.
Charlie Miller obviously does his homework, prepares well and when it's time to go he has the hack execution down to a fine art - it's called preparation.
Where machines are not hacked as quickly what can we assume? Either the other guys weren't prepared as well as Charlie OR they really did succeed in hacking the machines, sight unseen on the day, which would actually make them less secure than a machine that was hacked in seconds by someone who prepped well.
This contest is as much about the guys doing the hacking as the platforms and should not be taken as a reliable measure of security. In fact Miller seems to understand what many do not, even though he hacked the Mac in seconds, he still recommends the platform as more secure in practice.
Apparently millions of exploits automatically occurring per day is actually a better indicator than a one off hacking contest per year.
Because browsers are getting very standardized and have all increased speeds tremendously in recent years (heck, even IE9 is showing JS speeds that are worthy of the big boys) I think the next browser war will focus a lot more on security.
Whilst the fact that the machines get hacked at all is relevant, the speed with which they are hacked kind of isn't.
Charlie Miller obviously does his homework, prepares well and when it's time to go he has the hack execution down to a fine art - it's called preparation.
Where machines are not hacked as quickly what can we assume? Either the other guys weren't prepared as well as Charlie OR they really did succeed in hacking the machines, sight unseen on the day, which would actually make them less secure than a machine that was hacked in seconds by someone who prepped well.
This contest is as much about the guys doing the hacking as the platforms and should not be taken as a reliable measure of security. In fact Miller seems to understand what many do not, even though he hacked the Mac in seconds, he still recommends the platform as more secure in practice.
Apparently millions of exploits automatically occurring per day is actually a better indicator than a one off hacking contest per year.
Great post, Skingers.
Let's lay this down, and geekdad you can chime in as needed. First and foremost, Charlie Miller spends most of the year running exploits against various platforms well in advance of the contest - he has stated as much previous to successful attempts other years. So the time it takes for him to do this as reported by the organizers doesn't reflect the actual effort to accomplish it. He's an accomplished security expert, and I think he's doing the right thing by not turning over the fuzzing vunerabilities but instead the process by which he was able to fuzz out the exploits.
Second. I am a technology manager and to say that this scenario in any way reflects actual vulnerability in the corporate setting is silly and ignorant of the dedicated efforts of many teams protecting our environments. Everything from proxy controls to edge guardianship and plain old log-checking and packet sniffing and significantly more than that. Our security and vulnerabilities teams are constantly checking known attack vectors as well as doing general patrol for suspicious activity. We are more threatened by some internal idiot laptop packer who decides to download a cool "free" app than anything else. And we have controls on that as well.
Third. Stop already with the security by obscurity myth. While the presence of a mere 40 or so million Macs currently in operation world-wide is a small population compared to the combined consumer and business population dependent on Windows, it is still 40 or so million pristine, virginal platforms to compromise - a potential 'bot army which if properly compromised would dwarf any of the existing Windows 'bot armies out in the wild. The reality of the situation is simply this. If you go back to pre 2001, Mac OS 9 had as many virus issues and vulnerabilities as the Windows platform with only 1-2% of the PC market. In fact Apple regularly bundled Norton with the Macs during that period, and consistently directed purchasers to get anti-virus software and install it. However with the on-boarding of the NeXT dev team and the introduction of the mach kernel into the MacOS, the scenario changed considerably. With the complete rewrite of the MacOS as MacOS X (10) around the mach kernel Apple took a huge gamble. They risked alienating their diminuitive user base by doing this, but didn't have a lot to lose at that point. Released in 2001, MacOS X marked the point at which the OS vulnerability became signifcantly reduced due to this bottom-up rewrite of the OS. As Apple slowly phased out the old OS9 classic environment from MacOS X, the security increased.
Microsoft is not in a position to do something this radical with Windows. They are constrained by their ownership of the corporate environments and their OEM partnerships. In fact our company has dedicated Microsoft consultants onsite in several places to keep the considerable footprint of the Windows environments up and running. Microsoft can only keep working away at checking the millions of lines of code it has in the Windows OS and watch closely for any surprises out in the wild. Apple, while in slightly better shape still has a lot of open source code it uses and which causes potential vulnerabilities to crop up. There is no such thing as virus or hacker proof, unless it is locked away and never touched.
I've been in the technology segment for nearly 40 years, I'm older than DOS and silicon microprocessors, Microsoft certified, coded in more languages than most of the young engineers I have to shepherd around my org know exist, and have advised on the engineering council for my company. I am not only an eye-witness to the entire development of Microsoft and Apple, and all the rest, I have been an active participant as well.
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
So where's the beef?
*continues to surf the web in a complacent and arrogant manner.*
Wow 2001 onwards.... he he he Kiss you Ipod and Iphone mate, and adjust your dates
Well, to be honest your safe as, between www.macrumors.com . www.appleinsider.com and www.apple.com where you probably spend 99.999999999% of you time, and is the web for you, I too would agree that your very safe.
Ummm heard of the iphone right??? What was it 22 sec to hack the sms database? I was including the iphone in my statement mate.
I'm not sure what you mean by this. Many people do "real work" in Numbers (or Excel) or iWork (Pages, for example.) Entire books are written with word processors. 200+ page PhD dissertations are written with Pages. Or Word. Or even OpenOffice.
Nor am i sure what any of this has to do with OS security.
I'm safe because I use a platform that is well-designed and doesn't run 99.99999% of malware out there. Nor will it ever come close to doing so.
Mate, he was being sarcastic Comeon he said you used iWork, you not seriously telling us that you use iWork as your first choice????
Mate, he was being sarcastic Comeon he said you used iWork, you not seriously telling us that you use iWork as your first choice????
What's the problem with that? iWork is more than enough to get the job done.
Well, to be honest your safe as, between www.macrumors.com . www.appleinsider.com and www.apple.com where you probably spend 99.999999999% of you time, and is the web for you, I too would agree that your very safe.
Ummm heard of the iphone right??? What was it 22 sec to hack the sms database? I was including the iphone in my statement mate.
I'm not sure an SMS hack is going to lead to widespread viruses on the iPhone. Plus, as masternav points out, Apple had viruses BEFORE Mac OS X came on the scene.
In 1990 Apple sold 1.3 million Macs
In 2000 Apple sold 3.8 million Macs
In 2010 Apple is likely to sell more then 1.3 million Macs in at least one month and more than 3.8 million Macs in a quarter.
So, your previous statement, "As apple gets bigger and bigger more hackers will target them, the days of being complacent and arrogant and counting down", has so far worked in the opposite direction.
Then there is the elephants in the room, the historical fact that Mac users tend to have more disposable income so their machines could be a better score than from the average $400 PC user -AND- the millions of servers running Linux and Unix that maintain your CC info on file somewhere. Are these simply not worthy to be accessed or is there something innate to their core design that makes them inherently more secure?
It doesn't matter what you use Windows, Mac, IE, Safari, Firefox. They will all be able to be hacked in some sort of way, it's not surprising its just the way it is.
Add to that, is it even that important? If you want to access peoples stuff then it's much easier just to publish an iPhone app the require's a registration (or anything that required registration) and thats it. 90% of people are likely to register with the same password as they have for there webmail account as well as providing you with their email to log in with as well. Now you have access to all the other sites they ever registered on, and there completely oblivious.
With 40-70 million machines out there, belonging to the "so-called" money-loose and stupidest "fanboy idiots" of all time... are just standing there ripe for the picking... what hacker "wouldn't" pick the Mac as a target?! That is if it was so easy, and we as users are so dumb, and since our Credit Card limits and bank accounts actually have money on them?!
It would be HEADLINE news for weeks, if an actual virus, Trojan, or malware screwed up our little "Fanboy-Logo-Purchasing-Paradise", wouldn't it?
Send me a Mac virus! Make me do the ->
BTW: Look... the Bad Guys are even offering money!
Malware affiliate bounty: Infect a Mac, earn 43 cents
ZDNet | September 25th, 2009 | Ryan Naraine
GENEVA ? In a sign that cyber-criminals are investing more time and resources into attacks against Apple?s Mac users, a new malware affiliate program has been discovered offering 43c for every infected Mac machine.
During an eye-opening presentation at the VB Conference 2009 conference here, Sophos Labs researcher Dmitry Samosseikko provided a glimpse into the ?Partnerka,? a Russian network of spam and malware affiliates that have turned their attention to the Mac platform ? using social engineering tricks to load fake codecs and scareware programs.
(Excerpt) Read more at blogs.zdnet.com ...
Wow 2001 onwards.... he he he Kiss you Ipod and Iphone mate, and adjust your dates
OS X was released in 2001. Server was released in 1999.
You can surf anywhere on the net with OS X. You'll be just fine.