OSNews

Had "in hand" implies that the hacker had something already tested and waiting. It's saying he cheated.

Has in mind means he had some idea where to look and what to look for, as they all should've, being hackers.

*Edit* I was trying to reply to the maim article. Drat !

Edited 2008-03-30 22:36 UTC

Mac OS X uses the sudo concept just like Ubuntu does, if I'm correct. On OS X, I 'turn that off' and use a limited account (because I'm able to remember two passwords in stead of just one ), but it's the same default as Ubuntu's.

I tend to keep sudo, but use a limited account with no sudo rights. Getting root access involves sudo adminUser (adminuser password), sudo -i (addminuser password). I get the benefits of having no root password as given by sudo, while running as what I'd actually consider a limited user.

Edited 2008-03-30 21:53 UTC

Back on the Topic securing it is easy, falling for this hack would be hard

Yup that confounded me a little at first too. As the first time I tried to sudo from a non-admin account I was given a terse security warning. Then I thought it through and had to nest one sudo inside of another. Well in the end I find few reasons (outside of work -- where I am the Mac systems admin for all north American Macs for a publishing co.) Outside of banging on some naughty or inefficient code that I wrote I find very little practical reason to drop to the CLI

And also aside from reputable installers from respectable vendors I am very rarely asked to enter my admin name and password.

So If I am at a web page and it asks me to enter my local admin name AND then my password. AND then I enter it was I really hacked?

Social engineering is a useful tool in the world of crackers. So yes, you were hacked, but in this case it literally was *YOU* who was hacked.

I think its worth pointing out that on Ubuntu only the first user account created is, by default, a sudoer and this privillage can easily be removed and added to another account.

System->Administration->Users and Groups, Select user and click properties, Click the user privilages tab and add/remove "Administer the system". You can of course just edit the sudoers file as well.

The CD-ROM attack vector? Totally sealed off.

Nonsense. I would much rather have a Vaio than the a Macbook Air. Despite design undoubtly being a major selling point of Macbook Air, I'm not even sure if it looks better than Vaio? Besides, MacBook Air lacks many features that I would like my laptop to have.

Edited 2008-03-30 21:54 UTC

Nonsense. I would much rather have a Vaio than the a Macbook Air. Despite design undoubtly being a major selling point of Macbook Air, I'm not even sure if it looks better than Vaio? Besides, MacBook Air lacks many features that I would like my laptop to have.

Me too, really. MacBook Air looks good but the Vaio just suits me a whole lot better Had I had the skills to hack my way into the Vaio machine it would already be mine

That's assuming Mac OS X would be a big deciding factor for the individual. One can want a Viao laptop and not feel even in the slightest a loss of freedom by not being able to run OS X. Contra to the hype out there, not everyone is tripping over themselves to get a machine running OS X.

What about 10,000$? (the other part of the prize)

Edited 2008-03-30 22:42 UTC

Same. I'd pick the Vaio over any mac. I like the design of the macs but I don't like to be locked to one particular piece of hardware. But I've always had a soft-spot for Sony gear.

Edited 2008-03-30 23:21 UTC

The facts that each of the 3 machines was accompanied by its own cash prize, that the contest continued after the Mac was cracked but neither of the other 2 machines was compromised on the second day, and that $10,000 buys you 5 MacBook Airs, pretty much invalidates any argument that the Mac was only cracked so fast because the laptop was such an aluring target.

At least he's not a troll. Well, most of the time. Whereas I have a hard time remembering an article by Thom which wasn't biased to the gills. Why do you think he feels the need to constantly remind us "I'm not being payed by anybody to say this stuff!"

Oh the hell with it. I had just come back to OSNews after a month, read the news for a few days, then suddenly I'm being reminded why I stopped coming here and deleted it from the newsreader. I guess I was asking for it.

But since I'm here now, I'd like to point out how Thom ebarasses himself.

1. simply because the Apple user base is still too small to be of significant use to malware creators

That's not what Daniel said (and Thom uses this argument not once, but twice). He never mentioned the size of the user base as a factor. He said "Once discovered, Mac exploits are patched within a few weeks". That's why such an exploit is only of theoretical value, not because of the size of anybody's dick.

2. If you look at the original announcement of the winner, you will see that no such claim is being made

Yeah, 'cause that's what people around the world will be reading, an obscure blog entry. Want me to remind you what links were given right here on OSNews and what most people read? Techworld, IDG, Computerworld. And it's no secret Microsoft has been publishing FUD in its pet rags to discredit any real competition. Excuse Daniel to saying that it looks as if CanSecWest was doing the same.

3. the contest's rules page clearly states the brand and types of laptops used

Again, the magazine articles do not.

4. Of course he had it in mind!

"In hand". Not mind, hand. "In mind" means something he'd have to try and see if it worked. "In hand" means he knew exactly what he was doing and how it was gonna go. This wasn't a random thing an off-the-street hacker might try. It was a security expert going for the kill.

5. Roughly Drafted goes on and says the Vista laptop "only reflects the state of Vista for users who have elected to install SP1", and not of users throughout 2007. So, where is the cut-off point?

The real cut-off point is out there, in the wild. And out there, SP1 didn't make it very far as of yet. That's where exploits like the one that didn't work for that guy WILL work. And given the large user base you so fondly mention so often, it will have a much larger practical impact than a bug in a Safari lib which was already patched by now AND will be deployed to most users very soon.

You're so bent on proving your points (like a good troll that you are) that you ignore the bigger points Daniel makes, and that damages OSNews. He goes on to mention that the security model and ecosystem of Windows are deeply flawed, unlike Linux or OS X. But do you care about the bigger picture? No, you want petty victories over obsessive little points.

6. If Apple fails here, it is Apple's fault.

Yes, granted. But they fix their mistakes (within days). And they have a deployment model that actually takes those fixes to the users. No software is perfect. It will have bugs. It's in how the maker handles the bugs where you get to see how good they are.

7. they grossly misquote the original IDG article

No, he quoted it perfectly, word for word. The interpretation, however, is his. Can you tell the difference between a quote and a comment?

8. This is a very valid remark, but also an utterly irrelevant one in this specific context. Windows Vista does not ship with WebKit.

He was talking about Flash. Pay attention. Very often a vulnerability in a cross-platform application is used by trolls (such as yourself) in order to use against Linux or OS X. They use anything they can find. Doesn't matter if they're web applications, web servers or multi-platform browser plugins that could just as well be used on any platform (hence the "cross-platform" term), right?

9. Linux developers make FOSS look bad all the time.

No, they make it look GOOD. Reporting bugs and fixing them is GOOD. Hiding bugs and selling them to an underworld market which is flourishing because Windows security stinks is BAD.

Furthermore, for a person who contributes to FOSS, joining a contest such as this for money is beneath them. When you do things that you like with other likeminded people and you fix bugs routinely because you want the software you like to be better and because that's what good security is, well, becoming a sensationalist whore kinda starts to lose its appeal, you know?

10. The reason researchers like Miller can use open source software as an attack vector is not because of the inclusion of open source software in and of itself, but because Apple lags behind when it comes to integrating patches from open source software projects back into Mac OS X.

Woosh. The point went right over your head. It being that since it's open source, one can look right at the code and find bugs. Again, no software is perfect.

Apple may lag when integrating patches from outside projects (duh, they have to check it thoroughly otherwise someone will bitch how bad their products are), but that's not what the point was. You completely turned it around on its head (good troll! have a cookie.) It's not about how often or quick Apple fixes the code. It's about the code being exposed. My offer to draw a picture still stands.

That's it. The hell with this. I must've been cracked in the head to come back voluntarily to Thom's trolling when there's 50 decent news sites out there I can read.

Thanks for the clear-headedness.

Where are these news sites that cover multiple OSes?

I have found many that are worse than OSNews, with poor reporting, lack of facts and lots of mis-quotes.

I have found a few that are as interesting to read as OSNews, usually however they only cover one type of OS (Linux, Mac, Haiku).

I have never seen seen any that have better reporting than OSNews without them also trying to blog me down with Ads, Ads, Ads.

And again outside the single OS news sites, I never learn as much from the comments as I learn here.

Please tell who these so-called better sites are, because I can't seem to find them.

ArsTechnica?

You have to be kidding!

Slow, I am still waiting for the home page as I type this.

Ads, not too bad as they are on the side like OSNews.

But articles are spread in short sections across multiple pages which are far smaller than found on OSNews.

And I see no lack of fan-boys in the forums either.

How is it better?

I didn't want to go quite as far, but this comment reflects a lot of what I was thinking.

First of all, why is OSNews, read by tons of people, "lowering" itself to the level of some Apple fanboy site? This article shouldn't be more than a comment on the crappy site it's reporting on (and if they don't allow comments, it's not worth responding to anyway).

Second, it is true that the contest has arbitrary enough rules that it's not a real demonstration of system security, it's simply an interesting and almost useless data point (this coming from a HUGE Linux geek, whose favorite OS "won" the contest).

Third, it takes a very special kind of site for the comments to be more even handed and intelligent than the "articles" themselves, esp. in a world with YouTube and MySpace . Congratulations OSNews! At least there are occasional links to useful content (and it's rarely annoying enough to make me want to actually respond like today).

- Andrew (who uses a Mac, but only really loves Linux. who will also be leaving OSNews in his RSS reader for some time)

"You're so bent on proving your points (like a good troll that you are) that you ignore the bigger points Daniel makes, and that damages OSNews. He goes on to mention that the security model and ecosystem of Windows are deeply flawed, unlike Linux or OS X. But do you care about the bigger picture? No, you want petty victories over obsessive little points."

Agree. Often when Thom writes these kinds of pieces, he will claim that some argument is wrong, and then attack some obscure, non-critical phrase or point made in the argument, completely butchering the larger idea. Even in cases like this where I have no strong opinion on the subject matter, it's still really really frustrating to see.

http://en.wikipedia.org/wiki/Argument_from_fallacy

Edited 2008-03-31 03:34 UTC

I'm usually not a fan of these type of anti-Thom comments, (if they aren't trolling they're not far off) but I have to say, well put.
I'm a fan of Linux as much as I'm a fan of OS X, but honestly, "hacking the Mac" is headline news whereas "exploit for some piece of software on Linux which will be patched in under 30 minutes" isn't, and that's the driving force behind this whole kind of security event.

Otherwise known as "being hosted by one's own petard."

Yes, no question whatsoever that some sinister motive is at play.

I mean, it's not as if Google returns 32 pages of results for "shill site:osnews.com".

While I use to read OSNews very often, I'm replying to this post only because Apple fanboys get very nervous when their faith gets skratched. While someone can obiouvsly be a fanboy of whatever he/she wants, keeping an objective point of view helps in life...

Should that be a valid argument? Thom wrote that CanSecWest didn't claim what RD reported and I'm glad that you agree about this. Then people write what they wish and headlines gets written to capture readers' attention. But anyway, how's that different from what really happened? If rules are fair, they got accepted and they're valid for all systems, you can say MacOS was the weakest of three systems. The "whys" and "wheres" matter for Apple fanboys to tell to each other how much the World hates them...


That's a laughable reply to a solid argument. Again, World hates Macs because they're... uh? Please...


LOL! Poor Macs getting exploited by people determined to hack them! Only unexperienced guys should try to hack a Mac... if you're an expert, hell, focus on Windows!

Laughable! EVERYBODY who signed up to that contest had something in their hands to think they could hack those systems! "Hey, I never hacked a computer, I don't know anything about hacking but hey, I will sign up to that HACKING contest and then maybe... uh... I don't know... if I think hard... maybe..."... c'me on! Every guy there had WORKING exploits which they tried. You don't discover anything in 3 days... you just tweak your code to check if you can break into those systems too...


Pratical impact... in the wild... large user base... blablablabla. Rules were simple: latest patches applied. It was valid for Vista and OS X too. But you're so blind in defending your faith that even simple things look hard to understand to you. Next time Apples could sign to a competition where rules are "latest patches only if Macs prevail... if not, let's get back to one unpatched level for other systems. If Macs can't prevail yet, repeat until that conditions is true..." yeah fair! ;-)

I won't even discuss the idea of a contest where rules state that systems should be applied only "most used patches"... that's clearly a boutade.



Oh sure... CanSecWest knew that Apple was going to fix that hole soon so they hurried to make their contest earlier in order to put Apple under a bad shadow... lol... New rules:"We can hold a contest only when all exploits have already been patched. You cannot set it to an arbitrary date because, after a few days, holes would have been fixed so...".


Laughable and unrelevant. While SOME cross-platform holes exist, you cannot claim your hole is not relevant because it's cross platform. That would be equal to say that if a Ford car explodes they could claim that's not a problem because also Ferraris could explode as well. Right, but I didn't buy a Ferrari, I bought a Ford. Users don't care if there could be holes in systems THEY DIDN'T BUY. They care about holes in ones they bought and if re-using code makes you more insecure, just don't do that. I never heard Microsoft tell that an hole in their systems wasn't that bad because there could holes in other systems. Typical fanboy argument.


Yeah, everybody hates MacOS. Laughable and typical fanboy argument.


Except that Ubuntu, which wildly use OS software, didn't get hacked. So decision to use OS software in MacOS was bad? Wasn't that a selling point? Typical fanboy: one day using OSS is a great NEWS (innovative! WOAH!), the other day is source of problems (but it's OSS fault, not Apple's!).


I hope next Apple fanboy will have more solid arguments than "Everybody hates us" and "it's not Apple's fault!". It wasn't even funny because your trollish ability is not that good... ;-)

Nothing personal... we love apples...

So you're responding to a very small percentage of users whose own ignorance will cause them trouble some day. Meanwhile, coming off as being as big of a fanboy/egoist as those you claim to be responding against.

The emperor has no clothes.

So what if Apple has a little pie in the face because of this? They will fix it and be stronger because of it. The user base will let Apple know they're unhappy and Apple will have to respond. Heck, how long did it take Microsoft to take security seriously? It's great news for everybody that Vista is more secure than its predecessors. It's no laughing matter.

The real news that everybody seems to be glossing over is that webkit is open source and I haven't read anything as to whether this "hole" is vulnerable across platforms.

I think you'll find Microsoft patches are generally released more quickly than Apples and that Microsoft has to ensure that they don't introduce any new incompatibilities for far more software titles spanning a far greater length of time. They could easily have a hundred shims for compatibility.

You'll find that Microsoft's Security Life Cycle is second to none, that their processes are well known so not only do you know that their patches are reliable for software titles spanning decades - likely 2 orders of magnitude greater than Apple has to worry about - but also they are more predictable since you know exactly what processes are followed before being released. You'll also know how they rank the severity of the bug because the criteria is openly documented.

When it comes to making security a central part of software development, infact building it into every part of the business Apple is a 5 years behind Microsoft and only started to take it seriously last year. They had better hope they get their act together quickly or they are in for a rough ride.

Lastly you will note that the bug that allowed compromising the Mac system was an Apple bug and that the bug that compromised the Vista machine was an Adobe bug. Both have recently shown us how sloppy they can be recently by not even bothering to read their EULA's before shipping software - Photoshop express EULA gave Adobe full control of the images you upload and Apple's Windows updater not only tried to install Safari 3.1 in incomptabile OS's (Windows 2000) its EULA stated that it could only be installed on an Apple machine.

Very embarrassing, sloppiness is not a trait you want in company that is supposed to be providing secure afotware.

Lastly the Adobe bug could easily have been used against the Mac or any operating system running their software.

Edited 2008-03-31 20:43 UTC

I think with the adoption of the iPhone, Apple is going to come under quite a bit more fire. Hopefully Apple will put more resources into its security process. While this hack requires some bit of user interaction, I don't think it would be too trivial to catch people, especially when many people I know will connect to Wireless Access Points with no discretion.

I completely agree, this is a good deconstruction of the Roughly Drafted article. Thom Holwerda did an excellent job. While RD sometimes has good insights and info, it is also prone to blind zealotry. This is one of the later; and the RDF is a bit too much.

Moreover, Thom's rebuttal is tough but fair to Apple. A few writers/bloggers are confusing the OS with the default install, but Thom is very clear on this.

As he points out, the bottom line is that it's Apple's responsibilty. Until they do, I think I'll be using FF.

This was a competition. It does not show which OS is more secure and I do not think CanSecWest ever implied that this was the case. The purpose of the competition was to get some exploits reported and fixed.

All it means is that someone had a flaw ready for Safari and Adobe Flash but not for anything on the default install of Ubuntu. No more, no less.

The blogosphere really isn't all that better then the MSM when it comes to sensationalistic BS.

As a Linux fan, this reminds me a bit of the time that Mindcraft handed us a lemon. We railed. We denied. We debunked. We demanded a rematch.

But in the end... our heroes, the kernel devs, made lemonade.

Perhaps the moral of the story is that it is counterproductive to take the incident too personally. Concerned Apple fans might do best to "make applesauce" and express their security concerns to Apple, help beta test new software releases, and see how things turn out next time.

What are you referring to? I don't get the reference.

Is this the reference? Read the first paragraph.

http://www.mindcraft.com/whitepapers/openbench1.html

Apparently, Windows NT4 beat the crap out of Linux in some benchmarks and fanboys cried in denial. Eventually, the kernel was upgraded and everything was fine again.

Yup these things happen on all platforms. But it seems that unfounded paranoia occurs more often mac users(or is reported more often).

Windows probably has the least, mostly because it can't really inspire the passion of its users. That leaves mac and linux users. There are a lot fanatics using linux but on the whole I believe that linux users are more enlightened (I'm biased tho so take it with a grain of salt).

Mindcraft was sort of our Pearl Harbor. Microsoft secretly funded some "independent research" conducted by a "company" called Mindcraft. They put together an unlikely combination of hardware, including 4 100mbit nics (rather than the usual single 100mbit or single 1000mbit interface) and proceeded to prove that Linux performance was really bad based upon a static web page serving benchmark. The scenario was completely unrelated to anything anyone would want to do in the real world. And it turned out that "independent" Mindcraft didn't actually have a lab at all. Microsoft loaned them theirs and paid for the "study" behind the scenes. (BTW, that's not a black helicopter assertion. Some clever people tracked down the evidence and Mindcraft, which as it turned out had only one "employee", fessed up.)

However, none of that shadiness changed the fact that Linux *did* perform very poorly in this scenario, due to lack of parallelism in the network and filesytem subsystems. (This was back in the 2.2.x days.) You can imagine the denial that triggered. For weeks there was at least one lengthy new rebuttal presented per day. Mindcraft set up a rematch in which Linux experts were able to properly tune the Linux box. And we still lost this particular benchmark.

Mindcraft was the impetus that led to kernel 2.4. It would have happened anyway. 2.2 laid the infrastructure that 2.4 utilized to parallelize a number of subsystems. It was really the plan all the time. But Mindcraft gave extra incentive to really make that top priority.

In the end, all the rebuttals were far less valuable than the work that the kernel devs did to fix the actual problem.

The analogy with the current topic only goes so far. I certainly do not imply that there was anything improper about the hacking contest. But the overall principle is really the same. Turn a current defeat into a future victory by learning from it instead of denying and rebutting it.

Edited 2008-03-31 14:33 UTC

Give me a break yourself... (Besides, that comment was made by me and not by Kokopelli.) If you could just sit back and calm down a bit, and read my whole comment, you could see that I was actually saying that "I have no doubt that Apple's Mac OS X platform wouldn't be rather secure already or that it couldn't provide even better security." So in no way I was saying that Apple would have done nothing to improve security. Were did you get that from? At least not from my text.

Apple has done a lot to improve the Mac OS X security - like others have done too to improve the security of their operating systems - but Mac OS X is still no OpenBSD. I was just saying that they could do even more, so that we could have even better and even more secure OS X in the future.

Edited 2008-03-31 09:43 UTC