I call it first!
Flame war on! w00t!!!
A brand-new MacBook Air running a fully patched version of Leopard was the first to fall in a contest that pitted the security of machines running OS X, Vista and Linux. The exploit took less than two minutes to pull off. Charlie Miller, who was the first security researcher to remotely exploit the iPhone, felled the Mac by …
It's misleading to report that it took him 2 minutes when all the reports are that he worked on this exploit for weeks beforehand. Sure it took him a couple of minutes to execute it - so what?
If we really want to legitimately test the security of these 3 different OS'es - put them on the internet and increase the prize money to compete with what certain government agencies are prepared to pay for this sort of stuff.
They would ALL be knocked over within seconds.
All this comp tells me is someone who spends his time looking for and reporting vuln's found one and waited until this conference to report it.
If you agree with me, add a pointless comment below bitching about how great your choice of OS is over someone else's.
.......mine is the one with woolen mittens hanging out of the sleeves by a piece of wool.
This is about the only report I've seen today which bothers to mention the fact that this was day two of the contest. And it's not often I remark on high-quality Register reporting these days. Kudos.
As for the contest, I'm gonna come right out and say that this is a popularity contest, not a security contest. Not to belittle the vulnerability - which obviously is pretty serious - but I guarantee that all shipping browsers have vulnerabilities this serious in them, both discovered and undiscovered. It makes sense that the most desirable machine will be most attacked, and therefore likely fall first. A pretty sweet prize.
I too await the Phreakmaster's arrival with bated breath.
If anything, this contest confirms that no OS is any safer than the others. It's the same basic education system that goes into making up the coders, whether it's Apple, Windows, Linux. Unless universities change fundamentally how coders learn about what good security coding is, and static analysis tools are used to find security flaws, etc. software such as browsers with enough complexity is always going to have lots of holes.
It was a known exploit as per the contest rules, and it having been a known exploit would have been worked on for a long time beforehand, just an opportunity arose to use that research.
As well as this was in a controlled environment as to allow the rules to be followed, it's true in real-world situations, that such rules don't exist, but this was a contest to determine which platform could be compromised via *known* exploits, if you were to perform this contest on the internet, people would use unknown exploits no doubt, therefore invalidating the contest.
Overall, this contest is a good display at how proactive the different platforms are in creating patches for *individual* *known* exploits.
"All this comp tells me is someone who spends his time looking for and reporting vuln's found one and waited until this conference to report it."
I was just about to post the exact same comment, but you've hit the nail on the head. Apple hacker turns up to the event with an exploit he has worked for months to discover and craft, as does Windows hacker, as does Ubuntu hacker. But Apple hacker is first in the queue, he gets his machine set up 5 minutes earlier and his exploit takes 2 minutes instead of 3.
You don't think comparable exploits can be discovered for the other OSs? You're living in la-la land.
I'll be sticking with my Mac because using OS X doesn't cause me to suffer internal haemorrhaging, unlike using XP.
Now that a Mac has been so publicly pwned I find it brilliant how the Mac fans have changed their tune from: "it's impossible to hack a Mac" to: "the Mac only got hacked first because it's more desirable".
With idiots like you prepared to blindly perpetuate the Apple myth it's easy to see why Steve Jobs is laughing all the way to the bank. You are an Apple marketing executive's wet dream.
Windows XP, you can't compare that to OSX, it's been replaced buddy boy. And thus far it's proved far more secure than OSX. So secure the latest SP even secures it against its desktop user lol.
But come on, those people that use OSX which think it's safe, or safer than Linux or fully patched Vista are the kind of people that drive a french car because it came with alloy wheels, or drive an Audi because their pals at the graphic design shop think they're chic lol
I'm primarily a Windows user because most people I know use Windows and I like to play many games online which the other o/s' can't offer me. But that doesn't mean I do not like OSX or Ubuntu, I regularly switch o/s' on my laptop and we have several macbooks at work that I dabble on.
As previously said, all operating systems have security flaws, Windows tends to have more out there because it's used the most by the masses, but as Linux and OSX become more popular they are getting more attention by the hacking scene to devote their efforts on it.
I think this competition was a bit flawed in that rightly as others have said people could have been sat on an exploit for weeks and put it to work on the day to claim the prize, but on the other hand we need more of these types of encouragement for security devs to find out these bugs to help make the o/s' more secure (prize money is an incentive to nearly all people!)
Paris icon? Because she could do with some lessons in keeping her personal data more secure.
"But Apple hacker is first in the queue, he gets his machine set up 5 minutes earlier and his exploit takes 2 minutes instead of 3."
Did you miss the part where the article says that the Windows and Linux boxes are still standing at time of writing, or is the RDF in full effect this time of the morning?
Given the "timely" nature of most Reg articles, I'd be astonished if this was published in the 60 seconds between the Mac being hacked and the other two...
"All this comp tells me is someone who spends his time looking for and reporting vuln's found one and waited until this conference to report it."
Sorry, are we meant to bow our heads to the superior intellect of Mac hackers over their slow-witted PC/Linux brothers?
Yes, this probably is something he found and sat on but then the PC/Linux boys were almost sure to be doing the same thing...they just didn't have as much ease/luck finding a hole as the Mac guy.
If you would care to read TFA, you would have read that the Mac was hacked 2 minutes into day 2, while the Windows and Linux machines were tried and tried again for the rest of the day without result.
Are you really serious they did a bad job at trying to hack the other machines, and weren't interested in the $10,000? Come on.... All machines got even attention, the Mac failed miserably (the user just had to click on a link on a webpage).
Get out of your false sense of security NOW!
Eat this, fanbois;
The *Microsoft* and Ubuntu boxes were still standing over *five* hours after the Mac was hacked at 12:38 local time. Fact.
Mmm, let's just say that again, The *MICROSOFT* box was unhacked *FIVE* hours after the Mac was busted WIIIIIIIIIIDE open.
You can't seriously be suggesting that none of the other contestants didn't work on finding vulnerabilities for weeks before the contest either can you?
Paris, because she knows what it's like to be busted wide open and exploited.
I'm a Mac user, and I'm not pretending this is even remotely OK. It's not.
Are there mitigating circumstances? Perhaps.
Is Mac OS X a more tempting target because of how Apple promotes its security record? Maybe.
Was the MacBook Air targeted because it was a more desirable machine? ehhhhhh unlikely...
What *has* been conveniently glossed over is that this exploit is not a straightforward remote attack, but relies on a bit of social engineering to get someone to click on a link, which then opens the machine to attack.
Once again, just to calm down all the idiots on here who are already at the vinegar strokes over the fact that a Mac got hacked, I'm not saying this is OK.
And Apple need to improve their attitude to security response and patch times.
But this doesn't somehow absolve Microsoft from their shocking record of insecure software. Trying to pretend otherwise is like making someone stand in front of you on a train track and thinking that, because the train will hit them first, it somehow means you'll be safe...
Anyone know of any Mac's that are part of a botnet? What about one with a virus? A keylogger or a trojan anyone?
It's good news that Microsoft have improved their security, shame that this has made little difference in the real world. The fact remains that I would be happy to put my Mac outside a firewall with no virus protection, can the users of Windows say the same?
Of course these kind of incidents are useful, and teach us not to be complacent, hopefully Apple will take note and improve things.
I never understand why people get so cross at computer platforms.
As usual the rabid zealot mac bashing fanbois come out en masse to spurt their jism over the web over any even minor flaw which comes up in OS X, conveniently forgetting their own platform's history, and missing the obvious in that Mac OS X is software, and that there is not a piece of software on the market, anywhere in the world, which does not contain some kind of flaw, even after bug fixes and security patches.
To all those saying how the Vista and Ubuntu are still running, just remember they still likely have exploits, just that by the rules of the competition you can't use known ones (and in the interests of balance, OS-X has known exploits too...). I think what we should be taking away from this, rather than a "My penis is longer than yours" debate, is that things like firewalls are a good thing. That as IT professionals, we should not rely on the security of any single piece of kit (this includes firewalls), but take a holistic approach.
Don't fall into the Mac fanboi trap of claiming you're unhackable, just limit your exposure.
For the record, I'm an OS/X, Windows (XP), Linux (Fedora/Lineo), Solaris (2.8/10), irix (6.2 iirc) and NeXTStep (And in the past VMS, RT11 and NetBSD) user at home... And I don't trust any of them to be secure... I don't trust my firewalls either (hardware and software), but I believe I've done what I can, which is what we all should do. Anyone who believes the inbuilt security on their OS is enough is an idiot (IMHO).
"Trying to pretend otherwise is like making someone stand in front of you on a train track and thinking that, because the train will hit them first, it somehow means you'll be safe..."
no but it does mean you'll be "safer" because the train would hit the guy in front at a greater speed than it will hit you (assuming of course that the driver has applied his brakes before he hit the guy in front and the brakes remain on whilst the train is coming for you). Also the fact that the guy in front is probably still plastered in front of the train, it should provide adequate cushioning should you get hit as well :)
Flame: Let the apple BURN!!!!
Yes the exploit required someone to click a link but the same rules applied to the other two machines which withstood the attack.
As to promoting security in my opinion it is the apple fanboys who have been promoting that a lot more than apple have. Probably because given an even installation base they would be found to be as buggy on the security front as windows and "Please buy our machines because the more of you that do the less secure they become" is not that good as a selling point.
"Eat this, fanbois; The *Microsoft* and Ubuntu boxes were still standing over *five* hours after the Mac was hacked at 12:38 local time. Fact."
It's also the case that the hack used on the Mac isn't allowed to be tried on the other platforms, and the winner can't submit any other hacks once he's won a laptop.
He's a Mac guy, and says he hasn't tested the exploit on other platforms, so we don't yet know if his exploit is generic. He did one of the first iPhone cracks too, I believe - handy guy.
OSX - favourite platform for talented crackers (er, security researchers) and having dtrace is only going to have helped...
It goes some way to explaining how come Solaris, AIX, HP-UX systems don't get cracked so much - no desktop apps that any significant numbers of people use. I'm still not going back to my SunRay though.
As for the gloaters, and those teaching all the silly/fashion-victim/stupid/arrogant/deluded Mac users a lesson - fair play, but I do have to imagine your mum standing over you, reading your posts and rolling her eyes while you rant and wag your fingers at the imaginary fanboi hordes you've just sussed up (and sussed up a treat, too).
"Why would anyone want to bother hacking the others when the prize has already been won?"
1: I can't be 100% certain as I can't see it written in as many words, but from the prize rules: http://dvlabs.tippingpoint.com/blog/2008/03/19/cansecwest-pwn-to-own-2008 it looks like the prize money is per machine, not overall. So you still get $10,000 even if another machine has been hacked first.
2: Even if you don't get the cash, you still appear to get the laptop.
4: Why not?
"...Windows tends to have more out there because it's used the most by the masses..."
Oh p-l-e-a-s-e... not that argument again. If you think the unwashed masses somehow dirty the Windows code you're beyond hope.
The number of bugs per line of code has no correlation whatsoever to how many times the compiled code is copied/sold. This is in contrast to the direct correlation between bugs/LoC and eyes/LoC.
Just read it again, it does say
"The first winner of each laptop gets to keep it (one laptop per vulnerability entry) as well as a cash prize sponsored by ZDI. Once a laptop is won however, no more exploits may be submitted. Therefore there are a maximum of three cash prizes, one per laptop."
So there's no reason _not_ to keep going after one has been hacked
The attacker actually does not open a session. It's Safari that opens a telnet on a remote host. Eventually the remote host can execute code but is on the remote host not on the Mac. Somebody calls this a flaw because via the terminal window you could run a script that asks for password but this has more to do with the moronity of the user than the platform itself.
I can see why Apple is not considering this a critical patch.
Next year I think I will take the effort to participate to the contest: it seems they have money to give away.
Paris because all I can hope is to "execute" with her remotely.
I've stated my opinion on this forum before - Mac and Linux users are a risk to security simply because they believe they are unhackable. Windows users (who are constantly being told how insecure their system is) don't believe any such nonsense.
Will this make a difference? No. We can already see the Mac fanbois lining up with their excuses. Not a bloody single one of them will change their habits (or their OS) because of this and they'll still spout their crap about how wonderful and secure their OS is even though there is evidence to the contrary.
I honestly hope that Windows survives longer than the Ubuntu box (though I doubt it will to be honest but it would be a bloody good laugh).
... I'm not so stupid as to think that it is 100% secure and completely invulnerable. For example, I can't examine the precise firewall rules currently enforced without dropping to the shell. The Mac is perceived as more secure because there are fewer viruses, worms, vulnerabilities reported. This is simply because the Mac is a relative minority in the big scheme of things.
Think of it like a Ferrari if you will. Lots of effort on presentation, performance, slickness but boy they still break down.
OK, 'nuff said, time to go Back To My Mac
(Paris, because she'd choose a Mac based on style)
No one even entered the contest on Day1 where the OS, Drivers or Networks Stack were up for being hacked, so why the flame war over OS X ?
The hack was targeted at the safari browser, a browser that I haven't used on my mac for a good few years due to the superior Firefox browser. In fact I don't use IE on XP or Vista for exactly the same reason.
IE = better than Safari.
Firefox = better than IE.
Firefox = best browser (cue second flame war!!!!)
"Anyone know of any Mac's that are part of a botnet? What about one with a virus? A keylogger or a trojan anyone?"
It would be a pretty fruitless task, who cares about a handful more apple machines in a botnet when there's already millions of windows machines to exploit. Most of those are down to clueless users running any old crap they come across via email or on the 'net.
"The number of bugs per line of code has no correlation whatsoever to how many times the compiled code is copied/sold. This is in contrast to the direct correlation between bugs/LoC and eyes/LoC."
That's not what he said. He was talking about the number of KNOWN vulnerabilities. In this case there certainly is a correlation between the number of people using code and the number of discovered bugs.
If there weren't, then beta testing could be done by one guy on his own just as effectively as 200 people testing simultaneously.
I am a Mac user, so I suppose that does make me a fanboy, but not a rabid one.
OS X does have its faults, as do all OSs and as many have already noted.
BUT, in an attempt to get some rationality into this debate, consider this:
1. Mac OS 10.5.2 comes, by default, with the Firewall switched off, as has been the case with all previous versions of OSX.
2. From the competition's web site:
[Question] Anonymous commented on 2008-03-27 @ 19:26
"Are the OS installs left in default configurations, or are some settings turned on or off by the organizers?"
[Answer] ZDI commented on 2008-03-27 @ 19:54
"All platforms are left in their default configuration, as if a normal desktop user were operating it."
3. (Miller) said he chose Apple over the other machines because "I thought of the three it was the easiest."
Well who wouldn't think that a machine with a disabled firewall was the easiest target for a remote telnet exploit!!? The easiest $10k possible, plus a free Airbook to boot!
4. Why in God's name Apple does not make the Firewall default "On" has always baffled me.
Meanwhile, it seems that the competition is fundamentally flawed, if the Vista and Linux machines have their firewalls on by default.
"no but it does mean you'll be 'safer' "
A fine example of faulty logic. In the same way that saying the guy the train hits first will be 'more dead' than you. The end result is quantifiably the same.
It is impossible to claim (and idiotic to try and claim) that one platform is absolutely more secure than another, because it is impossible to accurately measure.
Only if every computer user had a Windows machine, a Mac OS X machine and a Linux machine side by side at all times, and only if every hacker dedicated an equal amount of time to hacking attempts on all 3 platforms, would we be able to make any judgements of absolute security. In the real world, one can only judge the *effective* security of a given platform, which is, of course, influenced by many factors including, but not limited to, installed user base.
The fact that there are many, many more Windows users does not change the empirical FACT that there are many, many fewer security vulnerabilities, viruses etc. on the Mac OS X platform. The platform is EFFECTIVELY more secure. I am statistically LESS LIKELY to suffer a remote attack on a Mac OS X machine, than on a Windows one.
Claims that I would be at just as much risk if there were as many Macs and PCs is meaningless drivel, when that is patently not the reality in which we live.
Obviously, as the Mac OS X platform gains market share, it follows logically that it is likely to suffer more attacks (successful or not). What will be interesting is whether the number of attacks grows *proportionately* to its market share. Currently, that is not the case. Regardless of where you peg the Mac's market share (dependent of territory, demographic, direction of wind etc.) it cannot be denied that its level of actively exploited security flaws DOES NOT correlate to its market share. This may well change in the future.
It does not change the fact that, right here and right now, I am safer using a Mac than I am using a Windows PC. It may well be that I would be safer still using a Linux PC, for exactly the same reasons.
As a long time mac user (and other OS's daily), I am glad this has finally happened and levelled the playing field.
Now people might wake up to the fact that all OS's have security holes.
The only thing all computers have in common is the dumbo at the keyboard, effectively, the 'nut holding the wheel'
Apple needed this wake up call.
And users need to be educated more than ever.
I got a call the other day from a client telling me that a virus got past my filtering and going mad. Turns out an email with a link came in and someone clicked the 'Free Porn' link. I am still amazed that this happens. Surely all employees are told first day : "DON'T DO THIS."??
oh, and windows users suck !!! LOL
I use a Mac too, but I'm not kidding myself that this is in any way unfair. They absolutely should use default settings on all machines. That's the whole point. How secure the machine is out-of-the-box without having to tweak anything. Without the user having to have any knowledge of security.
It was hacked first because it was the easiest.
Trust that with $10,000 on the line, anyone would hack a linux or windows machine. It's friggin $10,000 dollars. People tried all day I'm sure.
The point is OS X users think they are invulnerable and are using some sort of 'super' computer. The truth is with a 3% market share (what 4% maybe?) who cares about them. As a hacker I would attack the two most common machines on the internet. Windows and Linux.
I would primarily hack linux hosting boxes considering they are more likely to have high-speed connections and not slow ass cable or DSL connections. They will reside online 24/7 and never be restarted.
I also know that the term "Root Kit" doesn't come from gaining "Administrative" privileges on a Windows computer - considering 'root' doesn't even exist on the O/S.
Also to give people an idea of how well this mac exploit would work:
1. Setup fake links
2. Tail your Apache log file
3. Telnet to any machine that has clicked your farm of links.
4. Execute code freely.
That sounds even easier than forcing someone to download and install a piece of shitty shareware filled with spyware.
you go on and on and on
and yet when dear old bill gates beats you (it's happened before lol) you can't take it.
OSX this day is more insecure than Windows and Linux.
It's not hard to get your head around.
For all that c**P about picking OSX because he wanted the mac or something, for God's sake he'd get $10k no matter which machine he got into.
And if I wanted to win, I'd pick the easiest box to break!
But having a user click on a link to a web site is hacking? From the original article, I was under the impression that these three laptops were sitting there - with no user intervention - and the attacker walks up to the table, connects with a patch cord, and has to come up with an attack RIGHT THEN AND THERE. What gives?
I suppose if the generic definition of (computer software/OS) hacking is deemed to be "gaining unauthorized access or permissions within an OS through a flaw in the OS or a process running within it", then this would meet the definition.... but geesh. I was expecting something better than "exploiting" a user's idiocy. I mean, what's the challenge?
@ Ian Davies:
"Claims that I would be at just as much risk if there were as many Macs and PCs is meaningless drivel, when that is patently not the reality in which we live."... "it cannot be denied that its level of actively exploited security flaws DOES NOT correlate to its market share. THIS MAY WELL CHANGE IN THE FUTURE." [Emphasis added]
I appreciate your attempt at a balanced argument, but you wipe away the credibility for the basis for your own argument at the end, there. At no time before has such connectivity been applied to so many computers running an OS with MS' market share. There is simply no logical or historical comparison of any kind for any data to make a logical assertion.
Any and all arguments based on market share as a factor of "exploitability" or security have no way of comparing any two (or more) flavors of OS with any validity, though it does provide an intellectual "thumb and blankie" to all advocates (both for and against) so they sleep better at night.
..In the interest of good journalism.
Are we sure that ANY kind of code was executed on the Mac?
I smell a rat here and not because I am any Mac Fan but because my idea on how telnet works would have to change radically.
Has anyone gone looking what this exploit actually does?
As I mentioned before: by looking at the specific exploit it does not seem to open any possibility to execute any code on the Mac itself.
I am still not convinced. Anybody?
@Paul Buxton - What? Out of all the idiots here, you're the best ...
I'm a Gentoo user, I don't think it's perfectly secure. And unless you are quite delusional I don't think many Linux users believe that. Just MORE secure (even if it is just due to less people trying). Okay, must confess I don't run a S/W firewall, I don't use any mainstream desktop so I couldn't find an easy way of setting one up in the past. It does seem to be a failing of many *nix packages. It only works with this major desktop, or that one. How about starting generic and then polishing?
The biggest issue isn't with what bugs are found, it is how long it takes for the exploit to be stopped. Unfound bugs aren't a problem, bugs found and patched in a couple of days are a very little problem, bugs left open for a long time are near criminal. The average user? Well, the OS's own security issues pale in comparison.
Webster is a *Linux* fanboi, it's admitted it itself, and I can assure you that there are *bigger* holes in Linux coming and they will be exposed as Linux gains popularity as a desktop through the growth of Ubuntu. I can see it happening now: I'm trying to build a couple of non-standard systems for specific purposes using Ubuntu and the problems that I'm having are being responded to by people who really don't know what they're talking about and on one occasion actually almost disabled a machine because the piece of software I was using, which is in the standard Ubuntu distribution, started producing logs that got to 32Gb in size by the time I worked out how to stop them.
Don't get me wrong: I love the freedom and innovation of FOSS, and I'm shortly going to be equipping a Dell XP1330 with Ubuntu for use as my business laptop because as much as I equally love OS X's usability it's getting too proprietary for my liking, and turning 'just works, with the power of Unix under the hood' to 'just works, with the power of the bits of Unix that we want you to use under the hood'. The only piece of OS X software that I would miss in every day use is Unison, and I'm working on that. However, the rushing featurism that seems to be a result of Ubuntu's growing feature set seems to be making things less stable and secure as opposed to improving stability and security. This is my personal feeling after being a Linux user for 15 years or so and an enterprise Solaris engineer for 12 so don't call me on it, by the way. I also believe that if and when Linux crosses that magical line of having a measurable percentage of desktop users, it too will have to make enough concessions to usability to make it more open to security breaches.
When I get home tonight and boot my laptop there will be some updates to download as it's been switched off for a week. It's reassuring that problems are discovered and responded to quickly of course, but to suggest in any way that half of the issues aren't buffer overruns and the like that *could* become security problems would be deluding yourself. A brief trawl through the CERT lists would confirm this.
Oh... and by the way, if the exploit was through Safari, then it was most likely through Webkit, which is of course an open source project, running on an operating system which does, after all, share the same codebase for about 80% of its functionality as, cor blimey, *BSD, which is also a number of FOSS projects. What exactly were we railing against, again?
I first thought this was a damning indictment of Safari, a non-battlehardened browser, then I realized that the ability to reverse telnet into a PC wasn't browser-based, but OS-based.
So OS X allows remote telnets from TCP-IP sessions it has established without further verification of the other party, eh? No additional log-ins needed?
That is a gaping hole, a whole lot of hole, if that is truly the case.
Bad flaw Apple...very bad flaw.
I can't believe the apple fan-bois trying to defend an indefensible position here. Your machine got hacked first and the reason given is "that its more desirable". Bullshit. Your machine got hacked first because it was the easiest to hack. Apple is worse than Microsoft at patching security problems, and Microsoft isn't what you would call good. Linux is full of security holes - I've seen friends who are top notch Linux experts still get their servers rooted. All Mac-OSX is is a crippled and badly patched version of Linux, so no surprise they got rooted first.
Of course, I'm expecting the fan-bois to come on and argue vehemently that black is white. Sorry to burst your bubble, but Apples are nothing more than crippleware on expensive hardware. The expensive hardware helps a little with stability, but the software certainly doesn't.
Get a life and stop blindly worshipping at the temple of jobs.
Hello ! With all the attacks on the Mac OS, did no one perhaps notice that the OS was not cracked ? Criticize Apple if you will, they deserve it, for leaving the hole in Safari but if you bother to read the article, none of the machines were cracked on Day 1, the day that the rules said you have to crack the OS. None of the OS's were cracked.
Now Windows users might not realize this since MS demanded to integrate it with the OS, but a browser is not part of an OS, it's an application ! If ya gonna rant, rant at the right target.
From the reporting side, I would have loved to know:
a) what happens if Safari is installed on Windows ?
b) what happens if both OS's are set at the same security level (both firewalls on or both off) ?
"I'm a Gentoo user, I don't think it's perfectly secure. And unless you are quite delusional I don't think many Linux users believe that."
How could my rationality (or delusion if you prefer) influence your opinion on what Linux users think?
Re-read your sentence and then decide who's the biggest idiot. And when you actually learn how to string a coherent sentence together then, by all means, feel free to post back here to apologise.
We already have Mac fanbois claiming all sorts of things to try to dilute the results (but they've already had their kick in the teeth so that's understandable). This is another reason I hope that the Windows box outlasts the Linux box - I'd just love to hear your excuses on how the test was flawed Edward.
Any running daemon can be telnetted to and will probably return some kind of response, and *something* probably has a stack overflow issue that has been exploited in this case, although I strongly doubt that it's telnet itself. The bigger concern is probably that something that creates an open port that can be exploited can be launched by clicking on a link in Safari - if that is a reasonable analysis of the exploit.
"There is simply no logical or historical comparison of any kind for any data to make a logical assertion."
Where did I make any assertion as to the relevance of historical activity? The only phrases I used were "right here, right now" and "in the future". Also, why does a lack of historical data automatically preclude a logical evaluation of the current situation?
Your points only strengthen the argument I was making, not weaken it. So what if there have never been so many Windows machines connected to the 'net as there are now? Should a platform's relative security still not be reflected proportionally in the number of active exploits on that platform? Because that is not the case.
Yes, I can think of many reasons *why* that might not be the case, and no, I'm not saying that all of those reasons are related to OS X's theoretically greater inherent security. But none of that detracts from the simple premise that for the majority of people, their experience = their reality. My reality is that I am using a platform that has zero in-the-wild viruses (yes, I still run ClamX AV) and has almost no security holes that can be exploited without me doing something stupid like clicking links on an untrusted website, or downloading (and executing) applications from an untrusted source.
Bickering over which OS is better.......they are simply a means to an end.
Which one's better.....the one I can support which gives me the biggest wage packet.
Remember this 'Without problems you would not need solutions'. This can be translated to 'Without broken OS's and PEBKACs issues I and many more people would be unemployed'
PEBKAC = Problem Exists Between Keyboard and Chair
Paris cause I would like to give her a good crack
Any computer, regardless of OS, is as secure as the user/administrator makes it. Given the time I'm sure a regular Windows/OSX/Linux admin could make their chosen OS installation as secure as admins of either of the other two could do.
FFS lighten up, I use all three OSs regularly (albeit mainly Windows XP, not Vista, and OSX) and they all have their merits and flaws, they all have their place, this simply demonstrates that the default configuration of the Mac is dumb. Apple should use this wake-up call to harden up the default configuration somewhat.
POETS day - I'm off now, hence the jacket.
I do all my work with a pen on a pad of paper and then put all my notes in my briefcase which I carry in my hand. Sometimes when I feel a little nervous I attach a handcuff to my wrist and the other to the briefcase handle.
Oh and that intonet thing, I go to the library instead.
It's the safer way.
I don't like OS X, don't care for Macs. Disclaimer done. But...
Very few seem to have read the article with care (and all I can go by is what's in the article, so this might be wrong), judging by the very few comments mentioning that:
*No OS was cracked in the first day.*
What is the logical conclusion from that? To me, it seems like: **even without a firewall** OS X still did not get broken into. The other two didn't either, of course, but they had an extra layer of security.
So, all three OSs withstood a day of attack. Applications, that's a whole other world. So it seems like Safari sucks mightily, that's the only thing we can say for certain here.
Quote from article:
[Not a single attendee entered the contest on day one, when all vulnerabilities had to reside in the machine's operating system, drivers or network stack.]
...and again, in case you missed it:
[Not a single attendee entered the contest on day one...]
...then, just once more for luck:
[Not a single attendee...]
So, who did you say hasn't read the article with care?
Ah, reading this thread is amusing: First I read this:
"All Mac-OSX is is a crippled and badly patched version of Linux, so no surprise they got rooted first."
and then someone points out the obvious:
"OSX is NOT Linux based! It is *BSD based. A mutilated, crippled BSD, but BSD nonetheless."
Funny thing being that OSX amongst the average joe is seen as "Linux with a pretty UI", as the *BSD's are not known beyond the IT spheres of influence.
IIRC, there are a lot of rabid *BSD fans out there, maybe that attitude permeated to the Mac crowd with OSX? .... no, that would discredit Jobs' reality distortion field ;) Not that the *BSD's don't have a Jobs-like poster, just search for the "Linux is a half-assed patched-up hack job" article from one of the *BSD folks.
If the MS box didn't have any 3rd party virus/security apps then it would get owned pretty quick.
Safari wouldn't have been running as root so you shouldn't be able to pwn the OS.
If folk don't know how to use a FW then it's their own problem if something happens.
Still I run Firefox and this problem will be fixed so until I hear otherwise I'm not concerned. It's hardly going to make me sell my white box and buy a grey/silver one.
You don't run a software firewall, because you couldn't find a generic one?
Have you perhaps heard of IPTABLES?
It's part of your Linux kernel - highly configurable, good performance and with the right settings very secure.
Ok if you have a complicated setup it may take you a day to learn how to use it properly, but then network skills are useful especially if you work in IT.
There are hundreds of pre written scripts that will run basic firewalls for you, usually with a couple of insert here variables at the top.
Anyone not capable of using those should be allowed to connect a PC to a network, regardless of the OS.
The type of exploit used on OSX really goes to prove this.
Even assuming that the telnet session connected into the mac and had root privileges, it still required a user to click on a link without having verified it, and not having their machine behind a firewall. Both of these are user errors, admittedly compounded by what the browser allowed to happen (a very IE5 level of stupidity)
Oh and someone above suggested that root kits were named so because they exploit unix not Windows more... that is true as far as it goes - but the reason is that these root kits were around before Windows was available!
I'd rather see this competition rerun, but with the specification quite different: each box to be set up to run a specified collection of services and security hardened by an experienced admin, only its own inbuilt firewall, or 3rd party firewall running on the box to be allowed - no external hardware.
The boxes should then be scored on:
Performance/Cost (including admin time to set up - we assume ongoing time is minimal for any competent admin)
Do all services function as specified
How long to hack each box:
via a patch cable on day 1,
Local terminal day 2
Allow access to bios enabled usb ports and CD drive day 3 (no access to boot order, boot from usb/cd, or case internals - any child can hack a box with that level of access)
This was inevitable. Apple has been stumbling in the dark for 10-15 years in the OS/Desktop/laptop dept. Apple should focus on iTunes and the iPhone. The current "macs" are pc's with a port of BSD ho-hum.
Microsoft owns it is the least secure OS of the bunch and makes an effort to correct it. It's for sure a lot more Windoze will get hacked, only because there are so many more windoze systems compared to Macs and MacTards....
The competition is made up of three computers that are as close to factory defaults as possible? Doesn't anyone realise that a very large percentage of security holes on computers come from software that users voluntarily install?
And in my opinion, even with computers that are at factory default, having a user click a link doesn't really count as hacking per se. Let's face it; the typical person is going to be connected through one of:
1) wireless networks with no port forwarding by default;
2) other routed networks with no port forwarding by default;
3) GPRS/EDGE/3G/HSDPA networks with no port forwarding by default;
4) a firewall.
In this case, what does it matter if a port is opened here or there? There aren't really that many standard modems in use anymore where you are completely externally exposed, and if you are stupid enough to be using one without a firewall, or if you are stupid enough to permanently have your router/gateway set to DMZ, you are asking for trouble. If you are stupid enough to allow a hacker onto your LAN, ...
If a hacking competition is based on the idea that someone is going to have to physically walk up to your computer and stick a crossover cable in the side of it to do any real harm, then the competition is sorta flawed. In that case, I would be more concerned about someone breaking into my house rather than "hacking" my computer.
Similarly, a competition where people have had the time to orchestrate their attack and just execute it when they get there is equally flawed.
I'm a Mac user day-to-day. I don't believe that the system is completely secure, which is why I keep my firewall up, regularly install updates and security patches and don't set myself up for trouble. At the same time, I don't expect everything I install to be completely secure. I have had previous Windows computers that have been infected with viruses before my first logon after a fresh reformat and reinstall (just by being connected to a LAN during setup). But at the same time, I've also had Windows installs in the past that have been flawless for as long as they have been in use. Computers are inherently insecure, regardless of your operating system.
Okay, yeah. So the MacBook got beaten first, and now this has happened, the playing field is leveled a bit. The moral of the story is "use your firewall, install your updates and don't click links you don't trust". Now will the Windows or anti-Mac zealots please stop with the "take this, fanboys!" attitude? Your operating system is not perfect either, yet I do not waste my time bashing your system. Get back to me when it is and then I might be less tempted to gouge out your eyes with a screwdriver.
It seems the word "hacking" is vastly misunderstood these days.
The article doesn't say how far into the contest on the second day that the exploit was revealed... it sounds to me more like the exploit takes two minutes to execute, rather than the contest was over in two minutes... so it's hard to say if the guy already knew of the hack or not...
Macs have always been the worst computer anyone could buy. It is pricey, low quality (lots of lawsuits from ex-Apple consumers), it is only one thing: VAPOR. Apple sells hype and a lot of mindless drones buy into that.
The "I am better than you because I own a Mac" syndrome is widespread among Mac users. But the reality is Macs are as buggy as any other platform. But if I am a malware pusher I will go for Windows because there are more people on it. Simple logic. And no, a poor quality clone of FREE BSD is not a real OS and never will be.
Mac is an inferior machine OS-wise, and as more mindless drones start using it (thanks to the totally undeserved iPod success) the more hackers will discover how easy it is to hack that overpriced piece of junk.
Fact: Most mindless drones who own a Mac use Mac OS in front of their friends, but as soon as they're alone... it's Bootcamp time...
Ian: Hehe, I had this five page statistical analysis laid out for vulnerabilities between Microsoft and Apple (OS, etc) from (http://www.kb.cert.org/vuls/bypublished) and a point-by-point rebuttal to your arguments. Likewise, there was a comparison to the number of vulnerabilities vs. the relative age of each (MS, Apple, Linux) and showing how as each matured, they gained vulnerabilities and what the proportions were for each (NOTE: it is _not_ directly proportional). Good thing I'm not at work or anything... <whistles innocently /> :-)
Instead, I wish to state (explicitly this time) that I *do* agree with you - there can be no argument *either way* because of lack of data and control values (hence, impossibility of comparing). I was _trying_ to strengthen your argument. The point I was making was that _you_ weakened your argument, and I wanted to strengthen it because it _is_ valid. That aside, when you talk about "here and now" and "in the future", you implied extrapolation, which must be based off of historical fact or observation. That was why I took that approach to strengthen your argument.
I must apologize, but after all I did I can't just sit on these numbers for 2007 from CERT, above with marketshare from (http://marketshare.hitslink.com/report.aspx?qprid=8):
Microsoft vulnerabilities: 61/366 = 16.7% for 91.58% marketshare.
Apple vulnerabilities: 45/366 = 12.3% for 7.46% marketshare.
"Okay, yeah. So the MacBook got beaten first, and now this has happened, the playing field is leveled a bit. The moral of the story is "use your firewall, install your updates and don't click links you don't trust". "
That's very good advice - read above to find the moron who will happily put his Mac on the internet outside of a firewall and the other moron who doesn't use a S/W firewall but never specified whether or not he's behind a H/W firewall. Well maybe they'll listen to you - I just got flamed. :D
"Now will the Windows or anti-Mac zealots please stop with the "take this, fanboys!" attitude? Your operating system is not perfect either, yet I do not waste my time bashing your system. Get back to me when it is and then I might be less tempted to gouge out your eyes with a screwdriver."
Um... the thing about this is... um... NO! We've had to put up with shit from Mac and Linux users for years - the elitist bastards think they're untouchable. Well here's the reality check, live with it. Windows users never claim that their system is more secure than other comparable OSes, they'd be flamed to hell by the Mac fanbois so it's not worth doing even though it's now sort of been proven to be true(ish). It's time to eat humble pie and not time to attack people with screwdrivers.
The bloke said "I thought of the three it was the easiest".
He did not say "I thought of the three it was the most desirable".
Good point - but - he's a mac specialist.
I'm a specialist on double-decker buses so I'm damned if I'm going to try to drive an Airbus 380 when I think the bus is so much easier.
Are you old enough to post here? How can you possibly claim to know what people do when they're alone? Grow up. Oh, and for the record, BSD, it stands for Berkeley Software Distribution, it's a flavour of unix see (not a distribution)... like System V. Is it free... well some versions of it are, but not all, SunOS was BSD, and commercial, as was NeXTStep, etc, so Apple are hardly new there in charging for a BSD based OS. Might as well say that Windows users are dumb for paying when they could use reactos. In fact they pay considerably more than these Mac users you like to slag off for their OS, 200+quid saved on the OS cost.. based on prices today on amazon.co.uk ...
Mac not perfect. Windows not perfect. Linux not perfect (seeing a pattern here?). Be responsible, make sure you use firewalls (hardware and software), think before you click/download, etc.
One final point... Think on this: the guy that won... he was a smart guy. Hacked the iPhone as well according to the blurb. Is a respected security expert. What else does it say about him in the article: "As a Mac user, he added, he felt...". Oh, he's a smart guy, a security expert, probably knows a hell of a lot more than most of the posters here on the subject of security, and what computer does he choose to use...
Mr Greenwood makes a couple of comments I wish to take issue with...
He's using Ubuntu and he let a log file get to 32GB before he could figure out how to turn it off? BWAH HAH HA HA!
And he'd miss unison, a piece of Apple's crippleware? I've been phishing about with 'nix boxes for a long time --- Now it seems Apple are backdating a claim on a standard 'nix package that's older than some of Jobs' sales pitches.
Oh and for the Apple fan boys: In yer faeces! lol
Gates for sainthood, obviously, for once he didn't let the side down.
I believe Mr Greenwood was referring to Panic Unison (http://www.panic.com/unison/), which is not made by Apple (hence not Apple's crippleware, Panic's crippleware perhaps, but not Apple's). Actually, I think it's not a bad newsreader, I certainly would describe it as crippleware (but I'm not even sure I know what that is, I'd have to guess by the name...). Never seen Apple claiming it was theirs. Much like Windows, where other developers (aside from Microsoft) are allowed to produce and sell software for the OS, the same is true of OSX. If you insist on judging the OS by the quality (or lack of) of 3rd party software, you need to wait till day 3 of the competition ;)
I wonder, as a Mac user he went after the Mac cos it was an airbook, I wonder what the specs of the other machines were?
I don't remember. But I bet they weren't as "sweet" as the Mac.
The comments are interesting, I got bored after the first few, I do notice the venom of the Windows crowd, I wonder if that's just jealous that they have such horrible boxes and horrible OS, Vista is the joke.
Come on, MS can do so much better, but they have no need to cos you keep buying their crud; make Windows better by making MS actually deliver decent software.
OK, agreement noted :)
However, I still don't think anything I said implied a need for historical data; I only said *may* change in the future. That something will change over time is a fairly safe probability. I didn't make any guess as to *how* it would change, or how quickly. I have my own opinions, but they're just that.
The figures you give are interesting; I'll be the first to admit that I'm surprised by the percentages (in both cases), but there appears to be no data on how often (or even if at all) the vulnerability has been exploited, and I *was* specific about the number of *actively* used flaws on each platform. Looking at the severity metric on the CERT site, for example, I have to go to the 4th page before I find a single Apple flaw (Quicktime) and there are only 4 in total out of the 210 most severe vulnerabilities listed.
I would still maintain to anyone who thinks they 'know' about the superiority of one platform's security over another, that you can't ignore the fact that in practical everyday use, a Mac is far less likely to be compromised.
I should also say that I agree wholeheartedly with your original assertion that this competition didn't seem to be about any real hacking, and needing someone to click a link is pretty lame.
Forgive me but last time I read the rules (when they were announced about 2 weeks ago and reported here on El Reg) they clearly stated that the exploits had to be NEW and previously unreported. This is clearly contrary to people claiming this was a known exploit.
Face it Apple products are shite and Apple users are gullible sheep.
....would be to see if the same exploit worked on the other systems using the same browser. Or a different browser with the same engine (WebKit) or a different browser with a different engine. THAT would be more instructive regardless of the outcome of such tests.
To answer another guy's question, the 'hacker' was able to access files on the Macbook Air, not execute code. Although we don't know what 'access' files means - does it mean get a file list, open a file, or something more? We don't know how critical these files were that he could access or whether any other actions could be taken such as changing permissions, deleting, moving, renaming, altering, overwriting or copying files nor who owned the files. Was it the system files or did he get right into the user accounts?
As to the suggestion that the guy went for the 'prettiest' laptop I think is quite silly - $10K is sweet no matter what hardware you nab, although the Air would have been icing on the cake. So next time have three Mac laptops so we can dispense with this silly 'pretty' argument.
The fact remains that there is an entire community poring over the code of Darwin (the actual OS part of OS X) and WebKit (the core of Safari) being open source software and there is only one company looking at the code of the closed source Windows - for everyone else it's secret sauce, or perhaps that should be spaghetti sauce.
As a result flaws are being found, reported and generally fixed quickly for open source and the only exploits we find out about in Windows and other Microsoft proprietary software are the ones that hit the headlines, not the stuff that Microsoft finds but keeps secret.
It still doesn't alter the fact that there are no exploits in the wild affecting OS X, no viruses, no spyware, no adware or any of those other annoyances and real world destructive nasties which exist and cause dramas day in, day out for Windows.
But perhaps this will teach Apple a lesson - firewall on by default. I'd also recommend AV software (such as clamXav), just in case and perhaps set up to run in stealth mode by default.
I was hoping Mac would bite the dust first. I really don't think this whole thing is too valid, but it does have some use, and really exposes the idiocy of the Mac fans. (I plan on showing this to a friend just to bug him. =P)
Anyway.. The argument about user base is crap. The majority of web servers run some flavor of Linux, yet it's the Windows server ones that are more vulnerable. (There are still Linux flaws, anyone who says otherwise is deluded; check out that kernel hack recently, and I've read things about compromised Linux servers in botnets.) An argument about user stupidity might be better than user base, as many Windows users can't tell a USB port from a Mic port, and a proper move to Linux would hopefully educate some users a bit. (Everyone go install Gentoo now! Good luck compiling your kernel.)
Thanks other El Reg readers for an amusing read through of the comments!
My OS is not the best, or the most secure...
and I'm not telling you what it is either because I don't care and I'm not so sad as to have an "OS ego".
Everything will be cracked eventually, as security is only an illusion.
There's nothing on this system worth stealing, and I don't "click-on" or open any emails from retards.
...parker jacket, with big holes under the arms
Okay, I signed up to post this...
"It seems the word "hacking" is vastly misunderstood these days."
Sure is... hacking is just writing code, and code, to be executed on a computer. "Cracking" is the act of writing malicious code (criminal hacking... hence cracking).
Also, to try and make this vulnerability seem less valid owing to the fact it requires a user to click a hyperlink is also fairly naive, all it takes is one retard and a "hot babes here" in underlined blue. That retard could be sitting in front of any of the three boxes in fairness, although given the fact that there's at least one retard out there who happily states "The fact remains that I would be happy to put my Mac outside a firewall with no virus protection" makes me start to lose faith in the human race. Along with making me think the Mac might just be that more susceptible to attack, due to user-error.
Oh, and while I'm at it (pauses for breath) did I just read that OS X disables firewall by default? I've been accused of overconfidence before, but that seems like inviting trouble for me. Especially with above mentioned "I don't need a firewall" type users out there. In Vista not only does it turn on your firewall by default, it bitches if you turn it off, or neglect to install virus protection. Cue arguments about this being because Microsoft know their OS is open to attack. Well I say, I'd rather spend days installing layers of security, and never need it, over proudly proclaiming that my OS is free of hacks whilst having my card details slyly read by some sly b*****d who decided to test that theory.
Oh, and what's all this more desirable spew too? I've used Macs, and as far as I can tell you pay for a pretty box and some pretty software. Seems you pay twice the price for half the spec too.
Annnnnnnnd (pauses again for breath) where's that guy who was saying that market share has nothing to do with how many security flaws there are... Well, I suppose market share doesn't affect how many exist in the code, but it will definitely affect how many are found. A cracker is going to spend more time looking for holes in a system used by 90 odd percent of users, as it's going to be of more use to them. This is the reason you don't find Macs in botnets... quite simply why bother designing a botnet for such a limited audience? A botnet is supposed to be huge.
I really hope that this report knocks some of those Mac users off their pedestals. Quite simply, the majority of you seem to be under the delusion your OS has some kind of super shield. Well it hasn't. Less viruses exist for it because people aren't as interested in writing viruses for your OS. Viruses are supposed to take down huge businesses. Not just their art departments.
Oh, and finally, for the record, I use both Gentoo and Windows, I am under no delusion as to their security, both are virus protected and behind a software and hardware firewall, and I never click links for free pron no matter how tempting the offer may seem. And I don't hate OS X. I believe it has its positives, along with its negatives. It just angers me that for so long Windows users have had to put up with flak from users of other OSes... point in fact, PCs are cheaper than Macs, and Windows is more user-friendly than Linux. So in my opinion it's no surprise Microsoft commandeers such a large market percentage.
"I really hope that this report knocks some of those mac users off their pedestals."
You appear to be one of the people who a) didn't actually read the article, and/or b) didn't comprehend what you read.
The rules of the contest were that no PREVIOUSLY KNOWN exploits were to be employed. Considering Windows' storied history of being pwned in every way imaginable, that doesn't leave many options to the contest participants.
Secondly, the guy who cracked OSX did so using an exploit he'd been working on for several weeks prior to the contest.
I don't think it's surprising that there would be a vulnerability in some of the software on OSX, but the crowing about this by the Windows drones is stupid. When someone actually finds a real virus or malware for OSX in the wild, then I'll consider getting off the pedestal. Until then, I'll continue enjoying my far superior, and more secure, OS.
"That's not what he said. He was talking about the number of KNOWN vulnerabilities. In this case there certainly is a correlation between the number of people using code and the number of discovered bugs.
"If there weren't, then beta testing could be done by one guy on his own just as effectively as 200 people testing simultaneously."
That's exactly the faulty argument I was trying to highlight.
1. Users don't find vulnerabilities - developers do. It doesn't matter if you've got a customer base of 1M+ if all they do is restart the program every time it crashes.
2. One beta tester with one fuzzer can crash an application just as fast as 200 testers. Finding crashes is just a *small* part of Beta testing (that should've been fixed in Alpha testing q-: ). The real reason for large-scale beta testing is to see how idiot-proof the software is from a usability/functionality PoV.
"Considering Windows' storied history of being pwned in every way imaginable, that doesn't leave many options to the contest participants."
So the fact that vulnerabilities have been found, and corrected, somehow lessens the fact that the OS X box fell first. Oh, and from further reading, the Ubuntu box failed to fall completely.
"When someone actually finds a real virus or malware for OSX in the wild, then I'll consider getting off the pedestal."
http://vil.nai.com/vil/content/v_138578.htm there's one. (Particularly humorous imo that the pictures being offered aren't naked celebs, as with PC users, but images of the next OS X release :D - that's gotta say something about Mac users)
And in response to both, the argument your OS is safer because hardly anyone has bothered to make use of exploits is fairly redundant. It merely means less people have bothered exploiting the flaws, because there's no point attacking a 4% market share.
In fact, what will happen is in a few years time, this "better than thou" attitude will bite you in the ass. Somebody WILL release a virus, and all the "I don't need virus protection" crowd will fall flat on their faces as their unprotected systems go belly up.