"In a separate interview, Miller estimated that a researcher with an exploitable Windows vulnerability "could easily get $50,000 for that vulnerability. I?d say $50,000 is a low-end price point." The huge difference in vulnerability valuations between the Mac and Windows reflect the fact that there is no demand for creating malware on the Mac."
So this low-life son-of-a-bitch finally admits that "researchers" sell exploits to the bad guys. So much for the so-called altruistic motives of these slimy worms. If it can be proven that someone like Miller offered his exploit for sale he should be prosecuted and thrown in jail. He's no different than an arms dealer selling guns to the Mexican drug cartels.
Before you run after Miller with a pitchfork, keep in mind that spammers and virus writers are not the only market offering money for Windows exploits. There are also security companies who want exploits so they can offer fixes for vulnerabilities, or companies that want to develop their own security and need to know what bugs they must address, and so on.
so Miller did not get root access with his attack, even though the Mac was running in Admin mode. he is right of course that he could still steal information, spoof emails, and invade/erase a user's files. but that is not turning the Mac into a bot like the Cornflicker worm does to PC's with no individual effort needed. it's a focused one-at-at-time attack that is labor intensive and slow to reward. the NSA might do it to spy on you, but for a crook phishing is a lot easier way to steal someone's bank account info quick (i get about one sophisticated phish email a month).
no doubt with more effort on that individual Mac he could then crack the password(s) that would finally give him total root control of the computer and install any programs and do anything (most consumers use relatively simple pw's). but crooks aren't going to go through that much extra work with a single random consumer just to set up a single bot unit or look for financial info hit-and-miss (although business computers with lots and lots of money in their accounts to access are a whole other matter ...).
all of which adds up to the Mac's practical security advantage. it's not just the market share, it is the inefficient (for the crook) extra trouble it takes. we'll see in a few months what Snow Leopard does for its improved technical security. and next wednesday we'll see what the Cornflicker bots do to everyone else.
Yeah its a bit bunk so they can get into a single machine if you visit a porn site big deal it can't install anything and spread. I thought he needed root access to win oh wait OS X is to secure for that because I need enter a password to install something but I can open system preferences without a password Paul Thurott.
I know there were some viruses for the classic Max OS, but never used
AV software and never got hit by a virus.
Now I am working as a locked down user.
Rarely using the administrator account, and when I use the admin account
I don't use teh Intarweb.
I remember years ago using a free Classic Mac OS virus software I think was called Disinfect. It never found a single virus on any of my work Macs since 1986.
I've been following this Pwn2Own contest for awhile now, and this article about Charlie Miller is being very selective of the facts they bring up. He also made statements that hacking in to a Mac is so easy, it's like child's play. The Safari vulnerabilities were so big that and easy to exploit, that he had the machine hacked in minutes. He also went on to say that he didn't bother trying to go after the Firefox or IE8 hack in Windows because it was just too difficult and not worth the effort.
Nils, who cracked all three (Safari, Firefox, and IE8) even made the decision to go after Firefox on the Mac because it was significantly easier than on Windows.
He even says that if a hacker wanted to target a Mac, it would be a lot easier for them. They say that they can hack in to these systems with relative ease, and that the only thing keeping Mac users safe is obscurity, and that hackers just aren't targeting Mac users yet. That doesn't make me safe. Just because I live in a nice neighborhood with no crime, it doesn't mean that I don't want a lock on my door.
So sadly, the Mac's success and larger market share is actually a security downside to us, who now have to worry about potential threats.
And as for selling these bugs for $50,000, Charlie Miller was referring to selling them back to Microsoft or Apple. His point was that these companies pay people to find these bugs, and find exploits for them, so why should he put in all this work to do the same thing and then just give that knowledge away?
I remember years ago using a free Classic Mac OS virus software I think was called Disinfect. It never found a single virus on any of my work Macs since 1986.
I suppose that either means Mac viruses were still rare, even back then, or Disinfect wasn't very good.
I remember years ago using a free Classic Mac OS virus software I think was called Disinfect. It never found a single virus on any of my work Macs since 1986.
Any way you slice it, in terms of security, Macs have ALWAYS been the safer bet. This has been true historically, and still true today, whatever the reasons are.
I've surfed the net unimpeded for years now.
No antivirus/anti-malware/anti-spyware software required
No maintenance required
No slowdowns
More stability
. . . which all translates to more time just using the OS to get things done rather than tinkering with it and keeping an eye on it.
Well worth Ballmer's "$500 Apple-tax" . . . if that figure is even accurate.
I have to laugh at all the poor Windows users on Neowin, for example, constantly inquiring about "the best" antivirus software for Windows 7. Oh well, they'll never learn. They seem to enjoy Conficker cream pie. All just to run Crysis with whatever current hot-shit videocard is out there. Until of course, they outgrow games. And then just play with fine-tuning the antivirus And Windows itself just to keep things running.
I've been following this Pwn2Own contest for awhile now, and this article about Charlie Miller is being very selective of the facts they bring up. He also made statements that hacking in to a Mac is so easy, it's like child's play. The Safari vulnerabilities were so big that and easy to exploit, that he had the machine hacked in minutes. He also went on to say that he didn't bother trying to go after the Firefox or IE8 hack in Windows because it was just too difficult and not worth the effort.
Nils, who cracked all three (Safari, Firefox, and IE8) even made the decision to go after Firefox on the Mac because it was significantly easier than on Windows.
He even says that if a hacker wanted to target a Mac, it would be a lot easier for them. They say that they can hack in to these systems with relative ease, and that the only thing keeping Mac users safe is obscurity, and that hackers just aren't targeting Mac users yet. That doesn't make me safe. Just because I live in a nice neighborhood with no crime, it doesn't mean that I don't want a lock on my door.
So sadly, the Mac's success and larger market share is actually a security downside to us, who now have to worry about potential threats.
And as for selling these bugs for $50,000, Charlie Miller was referring to selling them back to Microsoft or Apple. His point was that these companies pay people to find these bugs, and find exploits for them, so why should he put in all this work to do the same thing and then just give that knowledge away?
It's been over 7 years now. Where's the beef? Alfter all these Pwn2Own contests and proof-of-concept lab experiments, we're still as safe as we were years ago. According to critics OS X should have been brought to its knees (a la Windows) years ago. But still nothing . . .
Although he says Mac are safer because people choose not to target them, there is more of a worry when it comes to a targeted attack. Marketshare aside, if they are easier to exploit, they are less secure. This could have implications for PCs too because someone doing a targeted attack on an organization may find it easier to break into the Mac and subsequently gain access to other machines meaning that organizations may trust them less on their internal networks.
One thing that not being a target does is make Apple's developers complacent when it comes to security issues and that's not a good thing. The concern is not so much over viruses and malware but things that can do much more serious damage to an individual. For example, if a scammer on ebay sends you a link that allows them to compromise your machine and monitor passwords to bank accounts. I consider this to be a much more serious issue than computer slowdown, popups etc.
Hopefully Apple will address security flaws in Snow Leopard and use more techniques to prevent such attacks from happening. It's a constant battle so a system will never become impenetrable but despite not being a target doesn't mean Apple shouldn't use the latest security techniques and it's clear that given how Vista implements measures Leopard doesn't, they are lagging behind in this area.
"Why Safari? Why didn?t you go after IE or Safari?
It?s really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don?t do. Hacking into Macs is so much easier. You don?t have to jump through hoops and deal with all the anti-exploit mitigations you?d find in Windows.
It?s more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn?t have anti-exploit stuff built into it."
Now as Im thinking its been a year since I had my new macbook and it still runs as fast as I first opened it. It just blows my mind, because none of my friends who have PCs can say that. They constantly have to ask, fix and think about their computer getting slow or smthg.
Now as Im thinking its been a year since I had my new macbook and it still runs as fast as I first opened it. It just blows my mind, because none of my friends who have PCs can say that. They constantly have to ask, fix and think about their computer getting slow or smthg.
My experience with friends and family, non-geek division, suggests that the PC using public just has a totally different idea about computer ownership: you buy them dirt cheap, they work for a couple of years max, and you basically just throw them away and buy a new one.
It's not that they actually break, they just become unusable due to cruft, and for most folks it's easier to just buy another $400 box then it is to clean things out.
Now as Im thinking its been a year since I had my new macbook and it still runs as fast as I first opened it. It just blows my mind, because none of my friends who have PCs can say that. They constantly have to ask, fix and think about their computer getting slow or smthg.
My PowerBook was born?err, made in December of 2004 and I can say the same, too. The only thing really making me want to upgrade right now is the gradually increasing number of apps and (especially) games that are Intel-only.
Now as Im thinking its been a year since I had my new macbook and it still runs as fast as I first opened it. It just blows my mind, because none of my friends who have PCs can say that. They constantly have to ask, fix and think about their computer getting slow or smthg.
Snow Leopard will make you happy as my benchmarks already show a worthwhile boost in performance.
to understand what happens in the real world, you have to think like a crook, not a hacker.
- there are 10's of millions of PC's running XP around the world, and many are not updated with all the security patches. those are easy targets.
- there are 10's of millions of PC's running pirated XP (and Vista?) around the world. those cannot be easily updated with all security patches and so are even easier targets.
- you can use automated attack programs to get full root control of these PC's - you don't have to attack them one at a time manually. so you can get control of hundreds or even thousands in a short period of time to create your bot net.
- whereas the Macs you do have to attack manually to get root control one at a time if you want to create a bot. that takes much longer.
-you're doing all this for money - millions - not glory. and time is money.
so what are you going to do? Duh. goodbye Macs, hello Cornflicker.
there is another group of crooks taking a different approach, which is to attack individual business networks one at a time in order to get to their financial accounts and move money, steal credit card info, or perhaps economic espionage. this is all about servers, encryption, and the rest. we don't hear much about this. but a lot of smaller businesses are potentially vulnerable.
That article also stated that macs are easier to hack into.
The reason macs are safer is because there are less exploits for them. I hope Apple is reading that article and working to make their system harder to hack into.
The most troubling in all this is that Apple in fact has ignored several reported vulnerabilities, some of them for years!
The other problem is that Apple has done things to the underlying Unix that have caused vulnerabilities all their own. Sometimes only to adapt unix to the old Mac "way". A second problem is the extra time it takes Apple to update opensource packages, because their software engineers have to adapt every one to the tweaked unix Apple uses. All a "bad guy" has to do is check to see which packages are not updated, and expoit that.
My greatest fear is that someone will one day expoit some of those holes in the system and do irreparable damage to Apple's reputation as a safe platform.
I don't think an operating system should bet on obscurity as a method of security. But neither should Apple adopt the Vista approach of popping up a dialog box to confirm absolutely EVERY task the user wants to perform.
I think Apple currently has the edge because they release new OS versions quite rapidly compared to Microsoft. So if the current slow pace of Mac vulnerability research/development continues, Apple will always be a step ahead. But if it increases pace, that could be cause for concern.
I don't think an operating system should bet on obscurity as a method of security. But neither should Apple adopt the Vista approach of popping up a dialog box to confirm absolutely EVERY task the user wants to perform.
What exactly do you mean EVERY task? I am curious to know...
Do you mean using programs such as Office 2003, Outlook, Windows Media Center, Windows Media Player, Windows Live Photo, Beyond TV (to watch tv), Winamp, PowerDVD, Notepad, MATLAB, Mathematica, Solidworks, ProE, Adobe Acrobat Reader 9, Photoshop CS3/4, IsoBuster, ImgBurn, Nero, Internet Explorer, Firefox, Chrome, Safari, iTunes, VMWare Workstation, VirtualBox, Fallout 3, CoD, The Sims, SPORE, copying files to the desktop & user's locations, etc.........all require a confirmation?
The only time you should get a UAC is:
* Installing an admin-privileged program (you can install Google Chrome without UAC, for example)
* Changing system-wide settings like Device Manager, installing drivers, etc.
* Older programs that absolutely require admin privilege, even when it's not needed
* Copying/creating/changing files & folders to protected locations
* Copying/creating/changing files & folders that DON'T belong to you (permission issues)
Comments
"In a separate interview, Miller estimated that a researcher with an exploitable Windows vulnerability "could easily get $50,000 for that vulnerability. I?d say $50,000 is a low-end price point." The huge difference in vulnerability valuations between the Mac and Windows reflect the fact that there is no demand for creating malware on the Mac."
So this low-life son-of-a-bitch finally admits that "researchers" sell exploits to the bad guys. So much for the so-called altruistic motives of these slimy worms. If it can be proven that someone like Miller offered his exploit for sale he should be prosecuted and thrown in jail. He's no different than an arms dealer selling guns to the Mexican drug cartels.
Before you run after Miller with a pitchfork, keep in mind that spammers and virus writers are not the only market offering money for Windows exploits. There are also security companies who want exploits so they can offer fixes for vulnerabilities, or companies that want to develop their own security and need to know what bugs they must address, and so on.
so Miller did not get root access with his attack, even though the Mac was running in Admin mode. he is right of course that he could still steal information, spoof emails, and invade/erase a user's files. but that is not turning the Mac into a bot like the Cornflicker worm does to PC's with no individual effort needed. it's a focused one-at-at-time attack that is labor intensive and slow to reward. the NSA might do it to spy on you, but for a crook phishing is a lot easier way to steal someone's bank account info quick (i get about one sophisticated phish email a month).
no doubt with more effort on that individual Mac he could then crack the password(s) that would finally give him total root control of the computer and install any programs and do anything (most consumers use relatively simple pw's). but crooks aren't going to go through that much extra work with a single random consumer just to set up a single bot unit or look for financial info hit-and-miss (although business computers with lots and lots of money in their accounts to access are a whole other matter ...).
all of which adds up to the Mac's practical security advantage. it's not just the market share, it is the inefficient (for the crook) extra trouble it takes. we'll see in a few months what Snow Leopard does for its improved technical security. and next wednesday we'll see what the Cornflicker bots do to everyone else.
Yeah its a bit bunk so they can get into a single machine if you visit a porn site big deal it can't install anything and spread. I thought he needed root access to win oh wait OS X is to secure for that because I need enter a password to install something but I can open system preferences without a password Paul Thurott.
No viruses, no spyware - 20 years - no problems.
I know there were some viruses for the classic Max OS, but never used
AV software and never got hit by a virus.
Now I am working as a locked down user.
Rarely using the administrator account, and when I use the admin account
I don't use teh Intarweb.
I remember years ago using a free Classic Mac OS virus software I think was called Disinfect. It never found a single virus on any of my work Macs since 1986.
Nils, who cracked all three (Safari, Firefox, and IE8) even made the decision to go after Firefox on the Mac because it was significantly easier than on Windows.
He even says that if a hacker wanted to target a Mac, it would be a lot easier for them. They say that they can hack in to these systems with relative ease, and that the only thing keeping Mac users safe is obscurity, and that hackers just aren't targeting Mac users yet. That doesn't make me safe. Just because I live in a nice neighborhood with no crime, it doesn't mean that I don't want a lock on my door.
So sadly, the Mac's success and larger market share is actually a security downside to us, who now have to worry about potential threats.
And as for selling these bugs for $50,000, Charlie Miller was referring to selling them back to Microsoft or Apple. His point was that these companies pay people to find these bugs, and find exploits for them, so why should he put in all this work to do the same thing and then just give that knowledge away?
I remember years ago using a free Classic Mac OS virus software I think was called Disinfect. It never found a single virus on any of my work Macs since 1986.
I suppose that either means Mac viruses were still rare, even back then, or Disinfect wasn't very good.
I remember years ago using a free Classic Mac OS virus software I think was called Disinfect. It never found a single virus on any of my work Macs since 1986.
Any way you slice it, in terms of security, Macs have ALWAYS been the safer bet. This has been true historically, and still true today, whatever the reasons are.
I've surfed the net unimpeded for years now.
No antivirus/anti-malware/anti-spyware software required
No maintenance required
No slowdowns
More stability
. . . which all translates to more time just using the OS to get things done rather than tinkering with it and keeping an eye on it.
Well worth Ballmer's "$500 Apple-tax" . . . if that figure is even accurate.
I have to laugh at all the poor Windows users on Neowin, for example, constantly inquiring about "the best" antivirus software for Windows 7. Oh well, they'll never learn. They seem to enjoy Conficker cream pie. All just to run Crysis with whatever current hot-shit videocard is out there. Until of course, they outgrow games. And then just play with fine-tuning the antivirus And Windows itself just to keep things running.
I've been following this Pwn2Own contest for awhile now, and this article about Charlie Miller is being very selective of the facts they bring up. He also made statements that hacking in to a Mac is so easy, it's like child's play. The Safari vulnerabilities were so big that and easy to exploit, that he had the machine hacked in minutes. He also went on to say that he didn't bother trying to go after the Firefox or IE8 hack in Windows because it was just too difficult and not worth the effort.
Nils, who cracked all three (Safari, Firefox, and IE8) even made the decision to go after Firefox on the Mac because it was significantly easier than on Windows.
He even says that if a hacker wanted to target a Mac, it would be a lot easier for them. They say that they can hack in to these systems with relative ease, and that the only thing keeping Mac users safe is obscurity, and that hackers just aren't targeting Mac users yet. That doesn't make me safe. Just because I live in a nice neighborhood with no crime, it doesn't mean that I don't want a lock on my door.
So sadly, the Mac's success and larger market share is actually a security downside to us, who now have to worry about potential threats.
And as for selling these bugs for $50,000, Charlie Miller was referring to selling them back to Microsoft or Apple. His point was that these companies pay people to find these bugs, and find exploits for them, so why should he put in all this work to do the same thing and then just give that knowledge away?
It's been over 7 years now. Where's the beef? Alfter all these Pwn2Own contests and proof-of-concept lab experiments, we're still as safe as we were years ago. According to critics OS X should have been brought to its knees (a la Windows) years ago. But still nothing . . .
One thing that not being a target does is make Apple's developers complacent when it comes to security issues and that's not a good thing. The concern is not so much over viruses and malware but things that can do much more serious damage to an individual. For example, if a scammer on ebay sends you a link that allows them to compromise your machine and monitor passwords to bank accounts. I consider this to be a much more serious issue than computer slowdown, popups etc.
Hopefully Apple will address security flaws in Snow Leopard and use more techniques to prevent such attacks from happening. It's a constant battle so a system will never become impenetrable but despite not being a target doesn't mean Apple shouldn't use the latest security techniques and it's clear that given how Vista implements measures Leopard doesn't, they are lagging behind in this area.
http://blogs.zdnet.com/security/?p=2941
"Why Safari? Why didn?t you go after IE or Safari?
It?s really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don?t do. Hacking into Macs is so much easier. You don?t have to jump through hoops and deal with all the anti-exploit mitigations you?d find in Windows.
It?s more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn?t have anti-exploit stuff built into it."
Worm copy-pasters simply can't afford a Mac. That's the most powerful antivirus tool.
Now as Im thinking its been a year since I had my new macbook and it still runs as fast as I first opened it. It just blows my mind, because none of my friends who have PCs can say that. They constantly have to ask, fix and think about their computer getting slow or smthg.
My experience with friends and family, non-geek division, suggests that the PC using public just has a totally different idea about computer ownership: you buy them dirt cheap, they work for a couple of years max, and you basically just throw them away and buy a new one.
It's not that they actually break, they just become unusable due to cruft, and for most folks it's easier to just buy another $400 box then it is to clean things out.
Now as Im thinking its been a year since I had my new macbook and it still runs as fast as I first opened it. It just blows my mind, because none of my friends who have PCs can say that. They constantly have to ask, fix and think about their computer getting slow or smthg.
My PowerBook was born?err, made in December of 2004 and I can say the same, too.
Now as Im thinking its been a year since I had my new macbook and it still runs as fast as I first opened it. It just blows my mind, because none of my friends who have PCs can say that. They constantly have to ask, fix and think about their computer getting slow or smthg.
Snow Leopard will make you happy as my benchmarks already show a worthwhile boost in performance.
- there are 10's of millions of PC's running XP around the world, and many are not updated with all the security patches. those are easy targets.
- there are 10's of millions of PC's running pirated XP (and Vista?) around the world. those cannot be easily updated with all security patches and so are even easier targets.
- you can use automated attack programs to get full root control of these PC's - you don't have to attack them one at a time manually. so you can get control of hundreds or even thousands in a short period of time to create your bot net.
- whereas the Macs you do have to attack manually to get root control one at a time if you want to create a bot. that takes much longer.
-you're doing all this for money - millions - not glory. and time is money.
so what are you going to do? Duh. goodbye Macs, hello Cornflicker.
there is another group of crooks taking a different approach, which is to attack individual business networks one at a time in order to get to their financial accounts and move money, steal credit card info, or perhaps economic espionage. this is all about servers, encryption, and the rest. we don't hear much about this. but a lot of smaller businesses are potentially vulnerable.
so what are you going to do? Duh. goodbye Macs, hello Cornflicker.
FYI, it's conficker.
The reason macs are safer is because there are less exploits for them. I hope Apple is reading that article and working to make their system harder to hack into.
The other problem is that Apple has done things to the underlying Unix that have caused vulnerabilities all their own. Sometimes only to adapt unix to the old Mac "way". A second problem is the extra time it takes Apple to update opensource packages, because their software engineers have to adapt every one to the tweaked unix Apple uses. All a "bad guy" has to do is check to see which packages are not updated, and expoit that.
My greatest fear is that someone will one day expoit some of those holes in the system and do irreparable damage to Apple's reputation as a safe platform.
I think Apple currently has the edge because they release new OS versions quite rapidly compared to Microsoft. So if the current slow pace of Mac vulnerability research/development continues, Apple will always be a step ahead. But if it increases pace, that could be cause for concern.
I don't think an operating system should bet on obscurity as a method of security. But neither should Apple adopt the Vista approach of popping up a dialog box to confirm absolutely EVERY task the user wants to perform.
What exactly do you mean EVERY task? I am curious to know...
Do you mean using programs such as Office 2003, Outlook, Windows Media Center, Windows Media Player, Windows Live Photo, Beyond TV (to watch tv), Winamp, PowerDVD, Notepad, MATLAB, Mathematica, Solidworks, ProE, Adobe Acrobat Reader 9, Photoshop CS3/4, IsoBuster, ImgBurn, Nero, Internet Explorer, Firefox, Chrome, Safari, iTunes, VMWare Workstation, VirtualBox, Fallout 3, CoD, The Sims, SPORE, copying files to the desktop & user's locations, etc.........all require a confirmation?
The only time you should get a UAC is:
* Installing an admin-privileged program (you can install Google Chrome without UAC, for example)
* Changing system-wide settings like Device Manager, installing drivers, etc.
* Older programs that absolutely require admin privilege, even when it's not needed
* Copying/creating/changing files & folders to protected locations
* Copying/creating/changing files & folders that DON'T belong to you (permission issues)