Linked by Thom Holwerda on Sun 30th Mar 2008 20:35 UTC
Privacy, Security, Encryption

As you surely know by now, the CanSecWest conference was the stage for a contest, PWN to OWN. Three laptops were set up; laptops running Windows Vista, Ubuntu Linux, and Mac OS X. The goal was to hack the computer and read the contents of a file located on each of the machines, using a 0day code execution vulnerability. During the first day, you can only attack the machine over the network, without physical access. On the second day, user interaction comes into play (visiting a website, opening an email). On the third and final day, third-party applications are added to the mix. Each machine had the same cash prize on its head. As you all know, the Mac was hacked first, on day two. The user only had to visit a website, and the Mac was hacked. Vista got hacked on the third day using a security hole in Adobe's Flash, and the Ubuntu machine did not get hacked at all.

Update: Roughly Drafted responds.
Again
by Buck on Sun 30th Mar 2008 21:15 UTC
Buck
Member since:
2005-06-29

It's all just a load of hot air after all. So yeah, some vulnerability has been found. They find them every day, in Linux, in Windows, in OSX. Just read any change log. Let's talk when there's some actual harm being done to Mac users. If we ever get to that point of course. He's right in saying that Windows has been a plague for the whole computing world and he's also right in saying the media really wants you to believe that somehow down is the new up.
Surely you can have a sterile environment that compares Vista to Mac OSX, but in reality there are way too many users who still use unpatched Windows XP/2000/98 installations and that still counts. While on the other hand Mac users tend to migrate to newer versions of the OS quite a bit faster. It's what happens in the real world that matters. The fact that somebody has found a vulnerability won't change anything.

Reply Score: 3

had "in hand" vs had "in mind"
by mikesum32 on Sun 30th Mar 2008 22:20 UTC in reply to "Again"
mikesum32 Member since:
2005-10-22

Had "in hand" implies that the hacker had something already tested and waiting. It's saying he cheated.

Has in mind means he had some idea where to look and what to look for, as they all should've, being hackers.

*Edit* I was trying to reply to the main article. Drat!

Edited 2008-03-30 22:36 UTC

Reply Score: 4

OOooh Oooh Me first?
by kaelodest on Sun 30th Mar 2008 21:17 UTC
kaelodest
Member since:
2006-02-12

O.K. First things first. I was not supposed to use a computer this weekend, but I got a call that required an email. And while I was here...

The most effective and pure *simple* technique to secure OS X, is to not be logged in as an admin, or even any member of the 'admin group'. I own my Mac, I use the BSD Style 'ladmin' account and then a complex password. And then I avoid using that account for just about anything.

The Behavior is EXACTLY the same as when I need 'admin' access I type up both my admin name and password.

It is not common practice on a Mac, but I sincerely hope that we in the Mac community start to act right. It is hard to imagine a day when we are as bad off on OS X as we are 'generally' in Win XP but that does not mean that I need to be logged in for admin purposes.

Reply Score: 5

RE: OOooh Oooh Me first?
by h3rman on Sun 30th Mar 2008 21:45 UTC in reply to "OOooh Oooh Me first?"
h3rman Member since:
2006-08-09

Mac OS X uses the sudo concept just like Ubuntu does, if I'm correct. On OS X, I 'turn that off' and use a limited account (because I'm able to remember two passwords instead of just one ;) ), but it's the same default as Ubuntu's.

Reply Score: 2

RE[2]: OOooh Oooh Me first?
by MamiyaOtaru on Sun 30th Mar 2008 21:52 UTC in reply to "RE: OOooh Oooh Me first?"
MamiyaOtaru Member since:
2005-11-11

I tend to keep sudo, but use a limited account with no sudo rights. Getting root access involves sudo adminUser (adminuser password), sudo -i (adminuser password). I get the benefits of having no root password as given by sudo, while running as what I'd actually consider a limited user.

Edited 2008-03-30 21:53 UTC

Reply Score: 3

RE[3]: OOooh Oooh Me first?
by kaelodest on Sun 30th Mar 2008 22:30 UTC in reply to "RE[2]: OOooh Oooh Me first?"
kaelodest Member since:
2006-02-12

Back on the Topic securing it is easy, falling for this hack would be hard

Yup that confounded me a little at first too. As the first time I tried to sudo from a non-admin account I was given a terse security warning. Then I thought it through and had to nest one sudo inside of another. Well in the end I find few reasons (outside of work -- where I am the Mac systems admin for all North American Macs for a publishing co.) Outside of banging on some naughty or inefficient code that I wrote I find very little practical reason to drop to the CLI

And also aside from reputable installers from respectable vendors I am very rarely asked to enter my admin name and password.

So if I am at a web page and it asks me to enter my local admin name AND then my password. AND then I enter it, was I really hacked?

Reply Score: 2

Earl Colby pottinger Member since:
2005-07-06

Social engineering is a useful tool in the world of crackers. So yes, you were hacked, but in this case it literally was *YOU* who was hacked.

Reply Score: 2

RE[2]: OOooh Oooh Me first?
by voidlogic on Mon 31st Mar 2008 01:56 UTC in reply to "RE: OOooh Oooh Me first?"
voidlogic Member since:
2005-09-03

I think it's worth pointing out that on Ubuntu only the first user account created is, by default, a sudoer and this privilege can easily be removed and added to another account.

System->Administration->Users and Groups, Select user and click properties, Click the user privileges tab and add/remove "Administer the system". You can of course just edit the sudoers file as well.

Reply Score: 3
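
The sub-thread above turns on which accounts actually hold sudo rights. As an added illustration (not code from any poster), these shell functions list the accounts a sudoers file grants rights to, expanding `%group` rules from a group file, so you can confirm the daily-use account is not among them. The sample files, the account names `firstuser` and `daily`, and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example: audit which accounts a sudoers file grants rights to.
# Limits (assumptions of this example): #include/#includedir files and
# User_Alias names are not expanded, and only members listed in the group
# file's fourth field are counted (not primary-group membership).

# sudo_capable_users SUDOERS_FILE GROUP_FILE -> one account name per line
sudo_capable_users() {
    awk '
        /^[ \t]*(#|$)/ { next }                          # comments, blank lines
        $1 ~ /^Defaults/ { next }                        # option lines
        $1 ~ /^(User|Runas|Host|Cmnd)_Alias$/ { next }   # alias definitions
        { print $1 }                                     # subject of the rule
    ' "$1" | while read -r who; do
        case $who in
            %*) # group rule: print every listed member of that group
                awk -F: -v g="${who#%}" '
                    $1 == g {
                        n = split($4, m, ",")
                        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
                    }
                ' "$2" ;;
            *)  printf '%s\n' "$who" ;;
        esac
    done | sort -u
}

# is_limited_account USER SUDOERS_FILE GROUP_FILE
# Exit status 0 when USER is not granted anything by the sudoers file.
is_limited_account() {
    ! sudo_capable_users "$2" "$3" | grep -Fqx -- "$1"
}

# write_sample DIR: constructed sample files modelled on an admin-group rule
write_sample() {
    cat > "$1/sudoers" <<'EOF'
# constructed sample
Defaults        env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
EOF
    cat > "$1/group" <<'EOF'
admin:x:115:firstuser
users:x:100:firstuser,daily
EOF
}

# Demonstration on the constructed sample
dir=$(mktemp -d) && write_sample "$dir"
sudo_capable_users "$dir/sudoers" "$dir/group"
is_limited_account daily "$dir/sudoers" "$dir/group" && echo "daily: limited account"
rm -rf "$dir"
```

On a real system, point the two arguments at copies of the sudoers and group files; on the sample, only `firstuser` and `root` are reported and `daily` passes the limited-account check.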

Sodki
Member since:
2005-11-10

If I'm not mistaken, the cracker keeps the computer, right? If that is so, the MacBook Air was the first computer to be compromised because everyone wanted it. Nobody is interested in a VAIO VGN-TZ37CN. :-)

Reply Score: 7

jadeshade Member since:
2007-07-10

The CD-ROM attack vector? Totally sealed off.

Reply Score: 5

irbis Member since:
2005-07-08

the MacBook Air was the first computer to be compromised because everyone wanted it. Nobody is interested in a VAIO VGN-TZ37CN. :-)

Nonsense. I would much rather have a Vaio than a MacBook Air. Despite design undoubtedly being a major selling point of MacBook Air, I'm not even sure if it looks better than Vaio? Besides, MacBook Air lacks many features that I would like my laptop to have.

Edited 2008-03-30 21:54 UTC

Reply Score: 12

WereCatf Member since:
2006-02-15

Nonsense. I would much rather have a Vaio than a MacBook Air. Despite design undoubtedly being a major selling point of MacBook Air, I'm not even sure if it looks better than Vaio? Besides, MacBook Air lacks many features that I would like my laptop to have.

Me too, really. MacBook Air looks good but the Vaio just suits me a whole lot better ;) Had I had the skills to hack my way into the Vaio machine it would already be mine ;)

Reply Score: 7

RE[4]: Stuck with Windows
by kaiwai on Sun 30th Mar 2008 23:59 UTC in reply to "RE[3]: Stuck with Windows"
kaiwai Member since:
2005-07-06

So, it's a Vaio. You're still stuck with an OS-limited machine that can only run Windows or Linux, NOT Mac OS X.

A MacBook Air can run pretty much any Intel-compatible OS.


That's assuming Mac OS X would be a big deciding factor for the individual. One can want a Vaio laptop and not feel even in the slightest a loss of freedom by not being able to run OS X. Contra to the hype out there, not everyone is tripping over themselves to get a machine running OS X.

Reply Score: 11

google_ninja Member since:
2006-02-05

If I'm not mistaken, the cracker keeps the computer, right? If that is so, the MacBook Air was the first computer to be compromised because everyone wanted it. Nobody is interested in a VAIO VGN-TZ37CN. :-)



What about 10,000$? (the other part of the prize)

Edited 2008-03-30 22:42 UTC

Reply Score: 9

infekt Member since:
2008-03-30

Same. I'd pick the Vaio over any mac. I like the design of the macs but I don't like to be locked to one particular piece of hardware. But I've always had a soft-spot for Sony gear.

Edited 2008-03-30 23:21 UTC

Reply Score: 2

pxa270 Member since:
2006-01-08

If I'm not mistaken, the cracker keeps the computer, right? If that is so, the MacBook Air was the first computer to be compromised because everyone wanted it. Nobody is interested in a VAIO VGN-TZ37CN. :-)

The facts that each of the 3 machines was accompanied by its own cash prize, that the contest continued after the Mac was cracked but neither of the other 2 machines was compromised on the second day, and that $10,000 buys you 5 MacBook Airs, pretty much invalidates any argument that the Mac was only cracked so fast because the laptop was such an alluring target.

Reply Score: 12

Artie
by PowerMacX on Sun 30th Mar 2008 21:27 UTC
PowerMacX
Member since:
2005-11-06

Usually I ignore articles like this, but when they contain easily rebuttable misinformation and slander, I see it as my obligation to counter them, especially seeing how many in Mac-centric circles refer to Roughly Drafted as a reputable source.


I know Artie MacStrawman considers Roughly Drafted as a reputable source but I don't know anyone else who does ;-)

Reply Score: 6

RE: Artie
by wirespot on Sun 30th Mar 2008 23:21 UTC in reply to "Artie"
wirespot Member since:
2006-06-21

At least he's not a troll. Well, most of the time. Whereas I have a hard time remembering an article by Thom which wasn't biased to the gills. Why do you think he feels the need to constantly remind us "I'm not being paid by anybody to say this stuff!"

Oh the hell with it. I had just come back to OSNews after a month, read the news for a few days, then suddenly I'm being reminded why I stopped coming here and deleted it from the newsreader. I guess I was asking for it.

But since I'm here now, I'd like to point out how Thom embarrasses himself.

1. simply because the Apple user base is still too small to be of significant use to malware creators

That's not what Daniel said (and Thom uses this argument not once, but twice). He never mentioned the size of the user base as a factor. He said "Once discovered, Mac exploits are patched within a few weeks". That's why such an exploit is only of theoretical value, not because of the size of anybody's dick.

2. If you look at the original announcement of the winner, you will see that no such claim is being made

Yeah, 'cause that's what people around the world will be reading, an obscure blog entry. Want me to remind you what links were given right here on OSNews and what most people read? Techworld, IDG, Computerworld. And it's no secret Microsoft has been publishing FUD in its pet rags to discredit any real competition. Excuse Daniel for saying that it looks as if CanSecWest was doing the same.

3. the contest's rules page clearly states the brand and types of laptops used

Again, the magazine articles do not.

4. Of course he had it in mind!

"In hand". Not mind, hand. "In mind" means something he'd have to try and see if it worked. "In hand" means he knew exactly what he was doing and how it was gonna go. This wasn't a random thing an off-the-street hacker might try. It was a security expert going for the kill.

5. Roughly Drafted goes on and says the Vista laptop "only reflects the state of Vista for users who have elected to install SP1", and not of users throughout 2007. So, where is the cut-off point?

The real cut-off point is out there, in the wild. And out there, SP1 didn't make it very far as of yet. That's where exploits like the one that didn't work for that guy WILL work. And given the large user base you so fondly mention so often, it will have a much larger practical impact than a bug in a Safari lib which was already patched by now AND will be deployed to most users very soon.

You're so bent on proving your points (like a good troll that you are) that you ignore the bigger points Daniel makes, and that damages OSNews. He goes on to mention that the security model and ecosystem of Windows are deeply flawed, unlike Linux or OS X. But do you care about the bigger picture? No, you want petty victories over obsessive little points.

6. If Apple fails here, it is Apple's fault.

Yes, granted. But they fix their mistakes (within days). And they have a deployment model that actually takes those fixes to the users. No software is perfect. It will have bugs. It's in how the maker handles the bugs where you get to see how good they are.

7. they grossly misquote the original IDG article

No, he quoted it perfectly, word for word. The interpretation, however, is his. Can you tell the difference between a quote and a comment?

8. This is a very valid remark, but also an utterly irrelevant one in this specific context. Windows Vista does not ship with WebKit.

He was talking about Flash. Pay attention. Very often a vulnerability in a cross-platform application is used by trolls (such as yourself) in order to use against Linux or OS X. They use anything they can find. Doesn't matter if they're web applications, web servers or multi-platform browser plugins that could just as well be used on any platform (hence the "cross-platform" term), right?

9. Linux developers make FOSS look bad all the time.

No, they make it look GOOD. Reporting bugs and fixing them is GOOD. Hiding bugs and selling them to an underworld market which is flourishing because Windows security stinks is BAD.

Furthermore, for a person who contributes to FOSS, joining a contest such as this for money is beneath them. When you do things that you like with other likeminded people and you fix bugs routinely because you want the software you like to be better and because that's what good security is, well, becoming a sensationalist whore kinda starts to lose its appeal, you know?

10. The reason researchers like Miller can use open source software as an attack vector is not because of the inclusion of open source software in and of itself, but because Apple lags behind when it comes to integrating patches from open source software projects back into Mac OS X.

Woosh. The point went right over your head. It being that since it's open source, one can look right at the code and find bugs. Again, no software is perfect.

Apple may lag when integrating patches from outside projects (duh, they have to check it thoroughly otherwise someone will bitch how bad their products are), but that's not what the point was. You completely turned it around on its head (good troll! have a cookie.) It's not about how often or quick Apple fixes the code. It's about the code being exposed. My offer to draw a picture still stands.

That's it. The hell with this. I must've been cracked in the head to come back voluntarily to Thom's trolling when there's 50 decent news sites out there I can read.

Reply Score: 3

RE[2]: Excellent points!
by Mr-Reeee on Sun 30th Mar 2008 23:28 UTC in reply to "RE: Artie"
Mr-Reeee Member since:
2008-03-30

Thanks for the clear-headedness.

Reply Score: 2

RE[2]: Artie
by Earl Colby pottinger on Mon 31st Mar 2008 00:30 UTC in reply to "RE: Artie"
Earl Colby pottinger Member since:
2005-07-06

Where are these news sites that cover multiple OSes?

I have found many that are worse than OSNews, with poor reporting, lack of facts and lots of mis-quotes.

I have found a few that are as interesting to read as OSNews, usually however they only cover one type of OS (Linux, Mac, Haiku).

I have never seen any that have better reporting than OSNews without them also trying to bog me down with Ads, Ads, Ads.

And again outside the single OS news sites, I never learn as much from the comments as I learn here.

Please tell who these so-called better sites are, because I can't seem to find them.

Reply Score: 8

RE[3]: Artie
by StephenBeDoper on Mon 31st Mar 2008 08:24 UTC in reply to "RE[2]: Artie"
StephenBeDoper Member since:
2005-07-06

Please tell who these so-called better sites are, because I can't seem to find them.


ArsTechnica?

Reply Score: 5

RE[4]: Artie
by Earl Colby pottinger on Mon 31st Mar 2008 12:14 UTC in reply to "RE[3]: Artie"
Earl Colby pottinger Member since:
2005-07-06

You have to be kidding!

Slow, I am still waiting for the home page as I type this.

Ads, not too bad as they are on the side like OSNews.

But articles are spread in short sections across multiple pages which are far smaller than found on OSNews.

And I see no lack of fan-boys in the forums either.

How is it better?

Reply Score: 6

RE[5]: Artie
by evangs on Mon 31st Mar 2008 12:24 UTC in reply to "RE[4]: Artie"
evangs Member since:
2005-07-07

The quality of the articles is definitely a lot better. They have much better original content, stuff by Jon Siracusa, Jon "Hannibal" Stokes, et al are just far better than anything that has appeared on OSNews. Unlike OSNews, they do not just link to articles that others have written, they write their own.

I read arstechnica for the content while I usually browse OSNews for the drama. ;)

Reply Score: 3

RE[5]: Artie
by StephenBeDoper on Mon 31st Mar 2008 17:41 UTC in reply to "RE[4]: Artie"
StephenBeDoper Member since:
2005-07-06

But articles are spread in short sections across multiple pages which are far smaller than found on OSNews.


Under the "Full Story" link for pretty much any of the Ars frontpage articles, there's usually another 4-800 words.

How is it better?


Depth of the articles, knowledge level of the editors, general quality of the writing, etc.

Don't get me wrong - I like OSNews for the breadth of content that's posted here, and it is more of a news aggregate than a news site per se (while Ars is more of a news aggregate-with-commentary). Generally, I head to OSNews to get an overview of the headlines - but I prefer Ars when it comes to analysis of particular topics.

Reply Score: 2

RE[6]: Artie
by Thom_Holwerda on Mon 31st Mar 2008 17:48 UTC in reply to "RE[5]: Artie"
Thom_Holwerda Member since:
2005-06-29

Generally, I head to OSNews to get an overview of the headlines - but I prefer Ars when it comes to analysis of particular topics.


I actually agree with this one. I'd love OSNews to go into the same depth as Ars generally does, but sadly, this is simply not possible for now (time constraints, mostly).

Reply Score: 2

RE[7]: Artie
by StephenBeDoper on Tue 1st Apr 2008 01:00 UTC in reply to "RE[6]: Artie"
StephenBeDoper Member since:
2005-07-06

I'd love OSNews to go into the same depth as Ars generally does, but sadly, this is simply not possible for now (time constraints, mostly).


Oh yeah - Ars needs 8-10 regular editors to get that kind of content. I imagine the OSNews updates are time-consuming enough as is.

Reply Score: 2

RE[2]: Artie
by AndrewDubya on Mon 31st Mar 2008 00:33 UTC in reply to "RE: Artie"
AndrewDubya Member since:
2006-10-15

I didn't want to go quite as far, but this comment reflects a lot of what I was thinking.

First of all, why is OSNews, read by tons of people, "lowering" itself to the level of some Apple fanboy site? This article shouldn't be more than a comment on the crappy site it's reporting on (and if they don't allow comments, it's not worth responding to anyway).

Second, it is true that the contest has arbitrary enough rules that it's not a real demonstration of system security, it's simply an interesting and almost useless data point (this coming from a HUGE Linux geek, whose favorite OS "won" the contest).

Third, it takes a very special kind of site for the comments to be more even handed and intelligent than the "articles" themselves, esp. in a world with YouTube and MySpace ;) . Congratulations OSNews! At least there are occasional links to useful content (and it's rarely annoying enough to make me want to actually respond like today).

- Andrew (who uses a Mac, but only really loves Linux. who will also be leaving OSNews in his RSS reader for some time)

Reply Score: 3

RE[2]: Artie
by Alex Forster on Mon 31st Mar 2008 03:27 UTC in reply to "RE: Artie"
Alex Forster Member since:
2005-08-12

"You're so bent on proving your points (like a good troll that you are) that you ignore the bigger points Daniel makes, and that damages OSNews. He goes on to mention that the security model and ecosystem of Windows are deeply flawed, unlike Linux or OS X. But do you care about the bigger picture? No, you want petty victories over obsessive little points."

Agree. Often when Thom writes these kinds of pieces, he will claim that some argument is wrong, and then attack some obscure, non-critical phrase or point made in the argument, completely butchering the larger idea. Even in cases like this where I have no strong opinion on the subject matter, it's still really really frustrating to see.

http://en.wikipedia.org/wiki/Argument_from_fallacy

Edited 2008-03-31 03:34 UTC

Reply Score: 7

RE[2]: Artie
by senornoodle on Mon 31st Mar 2008 05:25 UTC in reply to "RE: Artie"
senornoodle Member since:
2005-07-12

I'm usually not a fan of these type of anti-Thom comments, (if they aren't trolling they're not far off) but I have to say, well put.
I'm a fan of Linux as much as I'm a fan of OS X, but honestly, "hacking the Mac" is headline news whereas "exploit for some piece of software on Linux which will be patched in under 30 minutes" isn't, and that's the driving force behind this whole kind of security event.

Reply Score: 0

RE[3]: Artie
by StephenBeDoper on Mon 31st Mar 2008 09:02 UTC in reply to "RE[2]: Artie"
StephenBeDoper Member since:
2005-07-06

I'm a fan of Linux as much as I'm a fan of OS X, but honestly, "hacking the Mac" is headline news whereas "exploit for some piece of software on Linux which will be patched in under 30 minutes" isn't


Otherwise known as "being hoisted by one's own petard."

Reply Score: 2

RE[2]: Artie
by StephenBeDoper on Mon 31st Mar 2008 07:56 UTC in reply to "RE: Artie"
StephenBeDoper Member since:
2005-07-06

Why do you think he feels the need to constantly remind us "I'm not being paid by anybody to say this stuff!"


Yes, no question whatsoever that some sinister motive is at play.

I mean, it's not as if Google returns 32 pages of results for "shill site:osnews.com".

Reply Score: 3

RE[2]: Artie
by TBPrince on Mon 31st Mar 2008 11:33 UTC in reply to "RE: Artie"
TBPrince Member since:
2005-07-06

While I use to read OSNews very often, I'm replying to this post only because Apple fanboys get very nervous when their faith gets scratched. While someone can obviously be a fanboy of whatever he/she wants, keeping an objective point of view helps in life...


2. If you look at the original announcement of the winner, you will see that no such claim is being made Yeah, 'cause that's what people around the world will be reading, an obscure blog entry. Want me to remind you what links were given right here on OSNews and what most people read? Techworld, IDG,[...]

Should that be a valid argument? Thom wrote that CanSecWest didn't claim what RD reported and I'm glad that you agree about this. Then people write what they wish and headlines get written to capture readers' attention. But anyway, how's that different from what really happened? If rules are fair, they got accepted and they're valid for all systems, you can say MacOS was the weakest of three systems. The "whys" and "wheres" matter for Apple fanboys to tell to each other how much the World hates them...


3. the contest's rules page clearly states the brand and types of laptops used Again, the magazine articles do not.

That's a laughable reply to a solid argument. Again, World hates Macs because they're... uh? Please...


4. Of course he had it in mind! "In hand". Not mind, hand. "In mind" means something he'd have to try and see if it worked. "In hand" means he knew exactly what he was doing and how it was gonna go. This wasn't a random thing an off-the-street hacker might try. It was a security expert going for the kill.

LOL! Poor Macs getting exploited by people determined to hack them! Only inexperienced guys should try to hack a Mac... if you're an expert, hell, focus on Windows!

Laughable! EVERYBODY who signed up to that contest had something in their hands to think they could hack those systems! "Hey, I never hacked a computer, I don't know anything about hacking but hey, I will sign up to that HACKING contest and then maybe... uh... I don't know... if I think hard... maybe..."... c'mon! Every guy there had WORKING exploits which they tried. You don't discover anything in 3 days... you just tweak your code to check if you can break into those systems too...


5. Roughly Drafted goes on and says the Vista laptop "only reflects the state of Vista for users who have elected to install SP1", and not of users throughout 2007. So, where is the cut-off point? The real cut-off point is out there, in the wild. And out there, SP1 didn't make it very far as of yet. That's where exploits like the one that didn't work for that guy WILL work. And given the large user base you so fondly mention so often, it will have a much larger practical impact than a bug in a Safari lib which was already patched by now AND will be deployed to most users very soon. You're so bent on proving your points (like a good troll that you are) that you ignore the bigger points Daniel makes, and that damages OSNews. He goes on to mention that the security model and ecosystem of Windows are deeply flawed, unlike Linux or OS X. But do you care about the bigger picture? No, you want petty victories over obsessive little points.

Practical impact... in the wild... large user base... blablablabla. Rules were simple: latest patches applied. It was valid for Vista and OS X too. But you're so blind in defending your faith that even simple things look hard to understand to you. Next time Apples could sign to a competition where rules are "latest patches only if Macs prevail... if not, let's get back to one unpatched level for other systems. If Macs can't prevail yet, repeat until that condition is true..." yeah fair! ;-)

I won't even discuss the idea of a contest where rules state that systems should be applied only "most used patches"... that's clearly a boutade.



6. If Apple fails here, it is Apple's fault. Yes, granted. But they fix their mistakes (within days). And they have a deployment model that actually takes those fixes to the users. No software is perfect. It will have bugs. It's in how the maker handles the bugs where you get to see how good they are.

Oh sure... CanSecWest knew that Apple was going to fix that hole soon so they hurried to make their contest earlier in order to put Apple under a bad shadow... lol... New rules: "We can hold a contest only when all exploits have already been patched. You cannot set it to an arbitrary date because, after a few days, holes would have been fixed so...".


8. This is a very valid remark, but also an utterly irrelevant one in this specific context. Windows Vista does not ship with WebKit. He was talking about Flash. Pay attention. Very often a vulnerability in a cross-platform application is used by trolls (such as yourself) in order to use against Linux or OS X. They use anything they can find. Doesn't matter if they're web applications, web servers or multi-platform browser plugins that could just as well be used on any platform (hence the "cross-platform" term), right?

Laughable and irrelevant. While SOME cross-platform holes exist, you cannot claim your hole is not relevant because it's cross platform. That would be equal to say that if a Ford car explodes they could claim that's not a problem because also Ferraris could explode as well. Right, but I didn't buy a Ferrari, I bought a Ford. Users don't care if there could be holes in systems THEY DIDN'T BUY. They care about holes in ones they bought and if re-using code makes you more insecure, just don't do that. I never heard Microsoft tell that a hole in their systems wasn't that bad because there could be holes in other systems. Typical fanboy argument.


9. Linux developers make FOSS look bad all the time. No, they make it look GOOD. Reporting bugs and [...]bugs routinely because you want the software you like to be better and because that's what good security is, well, becoming a sensationalist whore kinda starts to lose its appeal, you know?

Yeah, everybody hates MacOS. Laughable and typical fanboy argument.


10. The reason researchers like Miller can use open source software as an attack vector is not because of the inclusion of open source software in and of itself, but because Apple lags behind when it comes to integrating patches from open source software projects back into Mac OS X. Woosh. The point went right over your head. It being that since it's open source, one can look right at the code and find bugs. Again, no software is perfect. Apple may lag when integrating patches from outside projects (duh, they have to check it thoroughly otherwise someone will bitch how bad their products are), but that's not what the point was. You completely turned it around on its head (good troll! have a cookie.) It's not about how often or quick Apple fixes the code. It's about the code being exposed.

Except that Ubuntu, which widely uses OS software, didn't get hacked. So decision to use OS software in MacOS was bad? Wasn't that a selling point? Typical fanboy: one day using OSS is a great NEWS (innovative! WOAH!), the other day is source of problems (but it's OSS fault, not Apple's!).

My offer to draw a picture still stands. That's it. The hell with this. I must've been cracked in the head to come back voluntarily to Thom's trolling when there's 50 decent news sites out there I can read.

I hope next Apple fanboy will have more solid arguments than "Everybody hates us" and "it's not Apple's fault!". It wasn't even funny because your trollish ability is not that good... ;-)

Nothing personal... we love apples...

Reply Score: 10

RE[3]: Artie
by macUser on Mon 31st Mar 2008 17:35 UTC in reply to "RE[2]: Artie"
macUser Member since:
2006-12-15

While I use to read OSNews very often, I'm replying to this post only because Apple fanboys get very nervous when their faith gets scratched. While someone can obviously be a fanboy of whatever he/she wants, keeping an objective point of view helps in life...


So you're responding to a very small percentage of users whose own ignorance will cause them trouble some day. Meanwhile, coming off as being as big of a fanboy/egoist as those you claim to be responding against.

The emperor has no clothes.

So what if Apple has a little pie in the face because of this? They will fix it and be stronger because of it. The user base will let Apple know they're unhappy and Apple will have to respond. Heck, how long did it take Microsoft to take security seriously? It's great news for everybody that Vista is more secure than its predecessors. It's no laughing matter.

The real news that everybody seems to be glossing over is that webkit is open source and I haven't read anything as to whether this "hole" is vulnerable across platforms.

Reply Score: 0

RE[2]: Artie
by andrewg on Mon 31st Mar 2008 20:33 UTC in reply to "RE: Artie"
andrewg Member since:
2005-07-06

I think you'll find Microsoft patches are generally released more quickly than Apple's and that Microsoft has to ensure that they don't introduce any new incompatibilities for far more software titles spanning a far greater length of time. They could easily have a hundred shims for compatibility.

You'll find that Microsoft's Security Life Cycle is second to none, that their processes are well known so not only do you know that their patches are reliable for software titles spanning decades - likely 2 orders of magnitude greater than Apple has to worry about - but also they are more predictable since you know exactly what processes are followed before being released. You'll also know how they rank the severity of the bug because the criteria is openly documented.

When it comes to making security a central part of software development, in fact building it into every part of the business, Apple is 5 years behind Microsoft and only started to take it seriously last year. They had better hope they get their act together quickly or they are in for a rough ride.

Lastly you will note that the bug that allowed compromising the Mac system was an Apple bug and that the bug that compromised the Vista machine was an Adobe bug. Both have recently shown us how sloppy they can be recently by not even bothering to read their EULAs before shipping software - Photoshop express EULA gave Adobe full control of the images you upload and Apple's Windows updater not only tried to install Safari 3.1 in incompatible OS's (Windows 2000) its EULA stated that it could only be installed on an Apple machine.

Very embarrassing, sloppiness is not a trait you want in a company that is supposed to be providing secure software.

Lastly the Adobe bug could easily have been used against the Mac or any operating system running their software.

Edited 2008-03-31 20:43 UTC

Reply Score: 2

RE[3]: Artie
by macUser on Mon 31st Mar 2008 21:56 UTC in reply to "RE[2]: Artie"
macUser Member since:
2006-12-15

When it comes to making security a central part of software development, in fact building it into every part of the business, Apple is 5 years behind Microsoft and only started to take it seriously last year. They had better hope they get their act together quickly or they are in for a rough ride.


I think with the adoption of the iPhone, Apple is going to come under quite a bit more fire. Hopefully Apple will put more resources into its security process. While this hack requires some bit of user interaction, I don't think it would be too trivial to catch people, especially when many people I know will connect to Wireless Access Points with no discretion.

Reply Score: 1

Good rebuttal
by irbis on Sun 30th Mar 2008 21:44 UTC
irbis
Member since:
2005-07-08

The first step in solving problems is to acknowledge the problems. The often unrealistic and fanatic fanboy attitude tends to be, however, to close one's eyes from seeing the faults in one's own camp or blame others for them. That kind of arrogance and hubris is not only foolish but often also dangerous.

I have no doubt that Apple's Mac OS X platform wouldn't be rather secure already or that it couldn't provide even better security. But like the saying goes: security is a process, not a product. A lot of Apple's resources and efforts seem to have concentrated on developing usability, GUI and such stuff, not so much on security, so far. They might perhaps even be technology leaders in GUI related things. But an advanced and good looking GUI doesn't certainly yet mean that an OS would have good security too.

It is now only a good time at Apple to start to pay more attention to security too so that we could have even better Mac OS X in the future.

Reply Score: 9

Me Too!!
by marcos2000 on Sun 30th Mar 2008 22:23 UTC in reply to "Good rebuttal"
marcos2000 Member since:
2008-03-30

I completely agree, this is a good deconstruction of the Roughly Drafted article. Thom Holwerda did an excellent job. While RD sometimes has good insights and info, it is also prone to blind zealotry. This is one of the latter; and the RDF is a bit too much.

Moreover, Thom's rebuttal is tough but fair to Apple. A few writers/bloggers are confusing the OS with the default install, but Thom is very clear on this.

As he points out, the bottom line is that it's Apple's responsibility. Until they do, I think I'll be using FF.

Reply Score: 5

OS X exploit
by Kokopelli on Sun 30th Mar 2008 22:16 UTC
Kokopelli
Member since:
2005-07-06

I have a lot of respect for John Gruber. He defends OS X a little too blindly for my tastes sometimes but he is generally a very good and reasoned writer. That said he was mistaken or over simplified the nature of the exploit used against webkit.

http://trac.webkit.org/projects/webkit/changeset/31388
is the patch in question in case anyone would like to review it.

For those who do not want to look at the patch or are not familiar enough with C++ coding I will provide some highlights.

First and foremost the patch and flaw are not in the PCRE API as John suggests, but in the adapter code specific to webkit. Even the most basic of checking would have shown the PCRE is a C API (w/ a C++ wrapper) and that the patched code was the C++ code used as an adapter for PCRE in the Javascript module of Webkit and was specific to Webkit.

Now that we have that out of the way... What is occurring is that Webkit would have a regex expression and would estimate the size of the resulting compiled expression. As long as the estimate was not under it did not have to be precise (line 1992-1993 original). The flaw came in the factor that Webkit engine did not take into account a maximum pattern size for the expression allowing for very large regexes using repeats to be underestimated and causing an overflow.

The original, vulnerable check (2148 original) was replaced with code that checks not only for an overflow specifically within the repeat section, but also checks for exceeding the maximum pattern size in the overall regex. (2433-2444 new code) Further if the max size is exceeded it throws an exception (whereas before it would continue).

So what we see here is a library that had a flaw in how it estimated the size of an object, allowing for an overflow. This is not in any way the fault of the core PCRE.

You could still say it was a flaw in an Opensource application, but it was one released and maintained by Apple, not a 3rd party API.

Reply Score: 11
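Added example, not part of the comment above and not WebKit's or PCRE's code: a toy C length estimator showing the class of bug described, where nested repeat counts wrap the size arithmetic so the estimate comes out far too small, next to a checked variant that rejects the pattern once a maximum size is exceeded. The grammar (literals, `( )` groups, `{n}` repeats), the byte costs, and the names `estimate_length` and `MAX_PATTERN_SIZE` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_PATTERN_SIZE (1u << 20) /* constructed cap for this toy */
#define MAX_REPEAT 65535u           /* largest repeat count accepted */
#define MAX_DEPTH 64                /* nesting limit for the recursion */
#define LEN_ERROR UINT32_MAX        /* returned when a pattern is rejected */

typedef struct {
    const char *p;  /* read position in the pattern */
    int checked;    /* 1 = enforce overflow and size checks */
    int failed;     /* set on malformed or oversized patterns */
    int depth;      /* current group nesting */
} estimator;

static uint32_t add_len(estimator *e, uint32_t a, uint32_t b)
{
    uint32_t sum = a + b; /* unsigned arithmetic wraps silently */
    if (e->checked && (sum < a || sum > MAX_PATTERN_SIZE))
        e->failed = 1;
    return sum;
}

static uint32_t mul_len(estimator *e, uint32_t len, uint32_t count)
{
    /* Test before multiplying: the product itself may already have wrapped. */
    if (e->checked && len != 0 && count > MAX_PATTERN_SIZE / len)
        e->failed = 1;
    return len * count;
}

/* Parse an optional {n}; returns 1 when no repeat follows the atom. */
static uint32_t parse_repeat(estimator *e)
{
    uint32_t n = 0;
    int digits = 0;
    if (*e->p != '{')
        return 1;
    e->p++;
    while (*e->p >= '0' && *e->p <= '9') {
        n = n * 10 + (uint32_t)(*e->p++ - '0');
        digits++;
        if (n > MAX_REPEAT) { e->failed = 1; return 0; }
    }
    if (digits == 0 || *e->p != '}') { e->failed = 1; return 0; }
    e->p++;
    return n;
}

/* Sum the cost of a sequence of atoms up to ')' or end of string. */
static uint32_t parse_seq(estimator *e)
{
    uint32_t total = 0;
    while (!e->failed && *e->p != '\0' && *e->p != ')') {
        uint32_t atom, count;
        if (*e->p == '(') {
            e->p++;
            if (++e->depth > MAX_DEPTH) { e->failed = 1; break; }
            atom = add_len(e, parse_seq(e), 2); /* group body + brackets */
            e->depth--;
            if (e->failed || *e->p != ')') { e->failed = 1; break; }
            e->p++;
        } else {
            e->p++;
            atom = 2; /* opcode + character */
        }
        count = parse_repeat(e);
        total = add_len(e, total, mul_len(e, atom, count));
    }
    return total;
}

/* Estimated compiled size in bytes, or LEN_ERROR if the pattern is rejected. */
uint32_t estimate_length(const char *pattern, int checked)
{
    estimator e = { pattern, checked, 0, 0 };
    uint32_t len = parse_seq(&e);
    if (e.failed || *e.p != '\0')
        return LEN_ERROR;
    return len;
}

int main(void)
{
    /* Constructed inputs: (2*65535 + 2) * 32768 is exactly 2^32. */
    const char *samples[] = { "(ab){3}c", "(a{65535}){32768}" };
    for (int i = 0; i < 2; i++)
        printf("%-20s unchecked=%u checked=%u\n", samples[i],
               (unsigned)estimate_length(samples[i], 0),
               (unsigned)estimate_length(samples[i], 1));
    return 0;
}
```

A caller that sized a buffer from the unchecked result for the second pattern would allocate for 0 bytes while the compiled form needs 4 GiB; the checked variant refuses the pattern instead of continuing.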

A competition is not a study.
by Michael on Sun 30th Mar 2008 22:42 UTC
Michael
Member since:
2005-07-01

The problem with this whole contest is in the way it gets reported. I'm not sure what it's designed to achieve, but all it should do is highlight the importance of security. It is by no means guaranteed to accurately reflect the state of security in each of the three OSs.

The order of victories is certainly interesting and reflects a factor of computer security. Trouble is, the press report it like it's the definition of security. And if they don't, the fanboys will. Cue blogwar.

I still say no article with "Top X" (for any value of X), in the title is of any importance and the people who read them only have themselves to blame.

Reply Score: 2

RE: A competition is not a study.
by Kokopelli on Sun 30th Mar 2008 22:56 UTC in reply to "A competition is not a study."
Kokopelli Member since:
2005-07-06

This was a competition. It does not show which OS is more secure and I do not think CanSecWest ever implied that this was the case. The purpose of the competition was to get some exploits reported and fixed.

All it means is that someone had a flaw ready for Safari and Adobe Flash but not for anything on the default install of Ubuntu. No more, no less.

Reply Score: 4

google_ninja Member since:
2006-02-05

The blogosphere really isn't all that better than the MSM when it comes to sensationalistic BS.

Reply Score: 3

Feeling insecure?
by SirYes on Mon 31st Mar 2008 00:16 UTC
SirYes
Member since:
2007-03-12

So the Mac laptop has been pwned. Do you Mac guys feel insecure because of it? Well then, "Welcome to the real world", baby. It happens everywhere. It's the game: either the bad guys are faster or the good guys. Nothing else. I'd say this will just improve the overall security of Mac OS, which is surely a good thing.

So the Vista box has been cracked into because of issues with Adobe Flash. Does this scare me? Yes, it does. This proves that the widely used closed software is harder to review and the potential disasters are greater. Claims (even if unsupported) that this hack may be multi-platform make me feel really uncomfortable. I'm waiting for a quick update of Flash Player from the ever-slow-moving Adobe. (but I'm not holding my breath)

So the Ubuntu box hasn't been cracked. Does this make me feel more secure? Not at all. Since I have been following the development of many free and open source projects, I know what problems they may have. It's the speed of publishing the patches/updates that matter. On every operating system, and by every vendor.

So the first successful person "had it in mind" or rather "in hand". I'd rather say he did his homework well to maximize his chances. I'm sure the rules for competition have been published sooner, so everyone was able to do the same. He did it and he won the gadget and some money. This time he was faster than the vendor. Next year this may very well be reversed. (shrug)

Overall the contest has been fun to follow and read about. So can we now go back to our usual work? Pretty please?

Edited 2008-03-31 00:21 UTC

Reply Score: 1

license_2_blather
Member since:
2006-02-05

If the Mac (and the Vista box as well) were running Safari (Flash on Vista) as the root/admin user, this is not big news. Apps not built for security and doing non-trivial processing of data coming in over a network have holes, period (though I agree with the assertion that Apple is ultimately responsible for the Safari code, since it is a bundled app and the default browser).

Now, if the objective was to get root/admin, and if the Mac was running Safari as a non-privileged account, or Vista was running Flash that way, that is not only an application hole, it's an OS privilege escalation. And that's much more interesting...and scary.

Reply Score: 1

Apple persecution complex again?
by _txf_ on Mon 31st Mar 2008 01:25 UTC
_txf_
Member since:
2008-03-17

Apparently another example of some apple users reading too much against their holy platform again. I really hate fanatics.

Then again with so many factual errors it does not make the writer seem very credible, even among mac users...Yup, from the comments on that site it would appear to be the case.

Reply Score: 1

sbergman27 Member since:
2005-07-24

As a Linux fan, this reminds me a bit of the time that Mindcraft handed us a lemon. We railed. We denied. We debunked. We demanded a rematch.

But in the end... our heroes, the kernel devs, made lemonade.

Perhaps the moral of the story is that it is counterproductive to take the incident too personally. Concerned Apple fans might do best to "make applesauce" and express their security concerns to Apple, help beta test new software releases, and see how things turn out next time.

Reply Score: 6

PlatformAgnostic Member since:
2006-01-02

What are you referring to? I don't get the reference.

Reply Score: 2

sakeniwefu Member since:
2008-02-26

Is this the reference? Read the first paragraph.

http://www.mindcraft.com/whitepapers/openbench1.html

Apparently, Windows NT4 beat the crap out of Linux in some benchmarks and fanboys cried in denial. Eventually, the kernel was upgraded and everything was fine again.

Reply Score: 1

_txf_ Member since:
2008-03-17

Yup these things happen on all platforms. But it seems that unfounded paranoia occurs more often among mac users (or is reported more often).

Windows probably has the least, mostly because it can't really inspire the passion of its users. That leaves mac and linux users. There are a lot of fanatics using linux but on the whole I believe that linux users are more enlightened (I'm biased tho so take it with a grain of salt).

Reply Score: 1

macUser Member since:
2006-12-15

There are a lot of fanatics using linux but on the whole I believe that linux users are more enlightened (I'm biased tho so take it with a grain of salt).


What the hell is that supposed to mean? I know many linux users. The majority of them are hardly enlightened by any sense of the word. In fact I would be very hard pressed to want to describe any user base as enlightened.

Here's a clue... Most people just want to get through their day with as little hassle as possible. For some, the PC is the best option. For others, it's the Mac. And still others, it's linux, etc... What the hell does that have to do with your level of "enlightenment?" Quite frankly, I would have to say anybody who is that concerned over the platform choice of their peers has got a strong case of megalomania going and is hardly enlightened. Perhaps you should admit that your bias requires more than a grain of salt, but a block.

You platform guys are far worse than rednecks who fight over which truck brand is better.

Reply Score: 1

sbergman27 Member since:
2005-07-24

What the hell is that supposed to mean? I know many linux users. The majority of them are hardly enlightened...

Here's a clue...

What the hell does that have to do with...

anybody who is that concerned over the platform choice of their peers has got a strong case of megalomania going...

You platform guys are far worse than rednecks...

Gee, macUser. (Do you mind if I call you macUser? That is your OSNews user name, after all.) I suggest you take your own advice and chill. I really don't know what else to say in response to such a post.

Edited 2008-03-31 18:47 UTC

Reply Score: 2

_txf_ Member since:
2008-03-17

I was hardly being serious (semi serious). Relax!

That is why I said take it with a grain of salt. It's a biased opinion based on observation. Since I am one person I can't give a completely fair account and my observations will be tainted by bias.

As for the enlightenment, I am referring to it in the context of knowledge not in terms of superiority of the platform. Linux users will use it out of choice. Mac and Windows users use what is given to them (not to say it is bad, I *like* osx) but the sheer fact that it takes some conscious decision to use (learn to use) Linux versus more popular operating systems will mean that Linux users will know more or understand the failings of other operating systems, (not always willing to accept failings in their own tho) as opposed to users from the other 2 main oses.

I meant no offence, it's just an opinion, you're welcome to spew angry vitriol at me again if it makes you happy.

P.S. I also use the enlightenment de from time to time ;)

Edited 2008-03-31 20:46 UTC

Reply Score: 1

sbergman27 Member since:
2005-07-24

Mindcraft was sort of our Pearl Harbor. Microsoft secretly funded some "independent research" conducted by a "company" called Mindcraft. They put together an unlikely combination of hardware, including 4 100mbit nics (rather than the usual single 100mbit or single 1000mbit interface) and proceeded to prove that Linux performance was really bad based upon a static web page serving benchmark. The scenario was completely unrelated to anything anyone would want to do in the real world. And it turned out that "independent" Mindcraft didn't actually have a lab at all. Microsoft loaned them theirs and paid for the "study" behind the scenes. (BTW, that's not a black helicopter assertion. Some clever people tracked down the evidence and Mindcraft, which as it turned out had only one "employee", fessed up.)

However, none of that shadiness changed the fact that Linux *did* perform very poorly in this scenario, due to lack of parallelism in the network and filesystem subsystems. (This was back in the 2.2.x days.) You can imagine the denial that triggered. For weeks there was at least one lengthy new rebuttal presented per day. Mindcraft set up a rematch in which Linux experts were able to properly tune the Linux box. And we still lost this particular benchmark.

Mindcraft was the impetus that led to kernel 2.4. It would have happened anyway. 2.2 laid the infrastructure that 2.4 utilized to parallelize a number of subsystems. It was really the plan all the time. But Mindcraft gave extra incentive to really make that top priority.

In the end, all the rebuttals were far less valuable than the work that the kernel devs did to fix the actual problem.

The analogy with the current topic only goes so far. I certainly do not imply that there was anything improper about the hacking contest. But the overall principle is really the same. Turn a current defeat into a future victory by learning from it instead of denying and rebutting it.

Edited 2008-03-31 14:33 UTC

Reply Score: 3

yeah but
by urbanlung on Mon 31st Mar 2008 03:05 UTC
urbanlung
Member since:
2008-03-31

If I remember correctly the rules of the comp were that no known weakness could be exploited. In other words Vista may have numerous vulnerabilities, all but one in a hundred known, and this one vector would be the way in. OS X has comparatively few vulnerabilities but matey knows of one that does exist and can then employ it to great effect in the comp. In other words nothing of any meaning has been proven at all.

Reply Score: 0

RD response
by smitty on Mon 31st Mar 2008 06:39 UTC
smitty
Member since:
2005-10-13

So the RD response was basically a bunch of whining about how Apple doesn't get treated fairly by the press, who are hyping up this failure in order to make money.

Umm, newsflash! That's what the press does. If Vista had been hacked first, do you think there wouldn't have been headlines like "MS Vista Still Insecure"? Do you think they wouldn't have had a field day pointing out a Linux loss and that both commercial competitors had beaten it?

On top of that, the press is always adoring Apple. Look at how much positive press they get compared to their competitors, and it seems a bit hypocritical to complain so much about the occasional bad story.

Reply Score: 5

I read a few reports on the event
by Googol on Mon 31st Mar 2008 06:42 UTC
Googol
Member since:
2006-11-24

... and I did not feel misinformed by any of these. It was relayed everywhere what would happen on day 1, 2 and 3.

Reply Score: 2

kragil
Member since:
2006-01-04

.. just like a lot of fanatics.

Why is it so hard to admit that _right now_ Apple's security is not as good as Vista's or Linux. Things can change in a week. Security is a process.
And people, just don't use vendor provided browsers .. it was a bad idea in 98 and it is still a bad idea.

Reply Score: 3

What?
by Hakime on Mon 31st Mar 2008 08:22 UTC
Hakime
Member since:
2005-11-16

@Kokopelli

What, what are you talking about?

yes the code is in webkit, but that does not change the fact that the original code is an open source code coming from PCRE.

In the source file pcre_compile.cpp, it is clearly stated this:

"
This is JavaScriptCore's variant of the PCRE library. While this library
started out as a copy of PCRE, many of the features of PCRE have been
removed. This library now supports only the regular expression features
required by the JavaScript language specification, and has only the functions
needed by JavaScriptCore and the rest of WebKit.

Originally written by Philip Hazel
Copyright (c) 1997-2006 University of Cambridge
Copyright (C) 2002, 2004, 2006, 2007 Apple Inc. All rights reserved.
Copyright (C) 2007 Eric Seidel <eric@webkit.org>
"

So clearly the code is derived from the original PCRE code, you can't state that it is not. Gruber says something correct, he says that the exploit uses an overflow bug in the PCRE regex library used by webkit, which is the case, the bug is in the PCRE regex library.

The issue was not specific to webkit per se, as a similar issue has been found in PCRE prior to the version 7.6. I bet that Miller could find something similar in webkit and that he of course knew the PCRE issue exposed a few weeks ago.

And on the PCRE web site it is said:

"PCRE was originally written for the Exim MTA, but is now used by many high-profile open source projects, including Apache, PHP, KDE, Postfix, Analog, and Nmap. PCRE has also found its way into some well known commercial products, like Apple Safari."

just in case if you still think that PCRE has nothing to do with webkit....

"You could still say it was a flaw in an Opensource application, but it was one released and maintained by Apple, not a 3rd party API."

That's funny. When people talk about webkit, they usually come up and say youm ah no apple has nothing to do with webkit, this is a pure open source project, Apple does not do anything for it, bla, bla, but when a security issue is found they blame Apple and magically it becomes a code "maintained" by Apple. Strange, strange....

"It is now only a good time at Apple to start to pay more attention to security too so that we could have even better Mac OS X in the future."

Give me a break!

In Leopard, Apple has introduced important security features like Mandatory access controls, downloaded file tagging, Library randomization, Execute Disable, Sandboxing, and Application signing. But, you tell us that Apple is doing nothing? Come on, just don't talk about things that you don't know...

Reply Score: 1

RE: What?
by irbis on Mon 31st Mar 2008 09:29 UTC in reply to "What?"
irbis Member since:
2005-07-08

"It is now only a good time at Apple to start to pay more attention to security too so that we could have even better Mac OS X in the future."

Give me a break! In Leopard, Apple has introduced important security features like Mandatory access controls, downloaded file tagging, Library randomization, Execute Disable, Sandboxing, and Application signing. But, you tell us that Apple is doing nothing? Come on, just don't talk about things that you don't know...

Give me a break yourself... (Besides, that comment was made by me and not by Kokopelli.) If you could just sit back and calm down a bit, and read my whole comment, you could see that I was actually saying that "I have no doubt that Apple's Mac OS X platform wouldn't be rather secure already or that it couldn't provide even better security." So in no way I was saying that Apple would have done nothing to improve security. Where did you get that from? At least not from my text.

Apple has done a lot to improve the Mac OS X security - like others have done too to improve the security of their operating systems - but Mac OS X is still no OpenBSD. I was just saying that they could do even more, so that we could have even better and even more secure OS X in the future.

Edited 2008-03-31 09:43 UTC

Reply Score: 4

RE: What?
by Kokopelli on Mon 31st Mar 2008 19:54 UTC in reply to "What?"
Kokopelli Member since:
2005-07-06

@Kokopelli

What, what are you talking about?

yes the code is in webkit, but that does not change the fact that the original code is an open source code coming from PCRE.

In the source file pcre_compile.cpp, it is clearly stated this:

"
This is JavaScriptCore's variant of the PCRE library. While this library
started out as a copy of PCRE, many of the features of PCRE have been
removed. This library now supports only the regular expression features
required by the JavaScript language specification, and has only the functions
needed by JavaScriptCore and the rest of WebKit.

Originally written by Philip Hazel
Copyright (c) 1997-2006 University of Cambridge
Copyright (C) 2002, 2004, 2006, 2007 Apple Inc. All rights reserved.
Copyright (C) 2007 Eric Seidel
"

So clearly the code is derived from the original PCRE code, you can't state that it is not. Gruber says something correct, he says that the exploit uses an overflow bug in the PCRE regex library used by webkit, which is the case, the bug is in the PCRE regex library.


I suggest you check the sources, as I did.
1) PCRE is a C library, not C++.
2) the C++ file in question seems to be loosely based on the C file pcre_compile.c
3) as far back as the Sept 2007 release of 7.4 (I also checked 7.5 and 7.6) there is not a function calculateCompiledPatternLength.
4) calculateCompiledPatternLength seems to be based on a section of the c code which is determining pointer length adds for groups (which does check for max size and really is not the same as determining the overall length of a compiled regex as is here.)

The issue was not specific to webkit per se, as a similar issue has been found in PCRE prior to the version 7.6. I bet that Miller could find something similar in webkit and that he of course knew the PCRE issue exposed a few weeks ago.


It is quite possible a similar flaw has been in PCRE, I will continue to point out though that the function at hand has not existed in PCRE as far back as 7.4. If it did exist it was in C and so the Webkit code was a port at best.

And on the PCRE web site it is said:

"PCRE was originally written for the Exim MTA, but is now used by many high-profile open source projects, including Apache, PHP, KDE, Postfix, Analog, and Nmap. PCRE has also found its way into some well known commercial products, like Apple Safari."

just in case if you still think that PCRE has nothing to do with webkit....


I did not say webkit had nothing to do with PCRE. I said the particular flaw does not have anything to do with the PCRE core. The code in question is not in PCRE or from PCRE. At best it is a derivative based on an older version of C code ported to C++ with the flawed function in question added. The basis for the flawed function may have been PCRE but a derivative function of a port is hardly in PCRE or a potential vulnerability of PCRE.

"You could still say it was a flaw in an Opensource application, but it was one released and maintained by Apple, not a 3rd party API."

That's funny. When people talk about webkit, they usually come up and say youm ah no apple has nothing to do with webkit, this is a pure open source project, Apple does not do anything for it, bla, bla, but when a security issue is found they blame Apple and magically it becomes a code "maintained" by Apple. Strange, strange....


I did not, nor have I ever said that webkit has nothing to do with Apple. As far as I am concerned Webkit is a derivative product that Apple has taken and improved from KHTML. It is most definitely from Apple, supported by Apple, and since most of the code can not be back ported to the original it is distinct from KHTML (and in the case of this C++ class PCRE).

"It is now only a good time at Apple to start to pay more attention to security too so that we could have even better Mac OS X in the future."

Give me a break!

In Leopard, Apple has introduced important security features like Mandatory access controls, downloaded file tagging, Library randomization, Execute Disable, Sandboxing, and Application signing. But, you tell us that Apple is doing nothing? Come on, just don't talk about things that you don't know...



Personally I find Apple's orientation and methodology for security and patches to be quite acceptable. Again these are not my words nor my opinion. There are things Apple could be doing better, but it is a compromise towards making the user experience better. There are things Microsoft, Ubuntu, Red Hat, and just about everyone else could be doing better. That does not mean I find their current direction and attention to security unacceptable.

So again. The flaw is not part of PCRE, is not in the PCRE core, and thus not a vulnerability shared with PCRE. PCRE does have bugs and security issues that need to be dealt with upon occasion, as do all applications. This bug is just not one of them.

Reply Score: 2

Poor Thom!!!
by Hakime on Mon 31st Mar 2008 08:23 UTC
Hakime
Member since:
2005-11-16

I am the person who submitted the link of the article on Roughly Drafted to os news. My motivation was that the article has a point, and that people may be interested to read and discuss it. But i did not think that Thom will jump on it and wrote again what i call "the Thom BS". Here you go again Thom, you could not resist to do your usual bashing, didn't you?

So let's start shall we....

1. It is not rocket science, but still you get it all wrong. Any hacker who wishes to make money can have a lot of interest on Apple platform. You don't need to have millions of computers out there, several thousand computers having malwares or botnets would make a hacker more than happy. Apple is by itself an interesting target because those people could make a lot of money if they could deploy their malwares, but they don't, think why?? This argument of market share is stupid and translates the poor understanding that you have of the thing.

2. Well first CanSecWest is sponsored by Microsoft.....and please don't embarrass yourself, you know that if wanted, Linux and Windows would have been compromised in the same time as the mac. No way that none of those so called security researchers don't have an exploit for firefox or IE. Come on you can't believe that.... this game was targeted to Apple, Apple had to fail first, period.

Miller has several times stated that it is easier to hack the mac, which basically says that the mac is less secure than the windows, he stated the same thing during the contest. Are you denying he did so? I don't think so.

3. It was the case, look at the press announcing the contest, the mac book air brand name is referred all the time, which came largely from the contest focusing on the term mac book air.

It is a relevant remark as many people out there are thinking that Miller magically hacked the mac in two minutes. Maybe not you, but it was reported as this in many places. Miller knew about the issue and that means that the same could have been done for Linux, but it was not, think about it.

5. You don't get the point at all. What he is saying is that a particular security update done before or after such contest can make a lot of changes in the contest results. And he is basically right, it is difficult to contradict that unless you are dishonest, and you actually are.... It is amazing to see that you construct your point on things that it is not said by the original author and you come to us saying that he is wrong.

6. Well then admit that a linux distribution would be equally affected too if running KDE. The whole point here is that there is no winner in that contest because it does not say anything about the real state of security of these systems. And no, the first big security threats of xp is that it allows people to run with full privileges very easily, which other os don't.

The fact remains that Miller has defected an open source code and this fact does not say anything about the security level of Linux, Windows and OS X. Read carefully what it is written, the author is not saying that Apple is not responsible of the code it ships, it says that the contest is nothing more than defecting open source code that will anyway very quickly be fixed. Why are you always changing what the authors is really saying?

7. But it has been clearly observed that there was no will of developing exploit code for Linux. And don't embarrass yourself again, you know that if they really wanted, they would have compromised Linux too.

8. You don't get the point, do you? His point was to say that a given open source project which is shipped in other products can not be used as a measure of the security of a given os. He is saying that applying a FOSS vulnerability can not be used against Apple to give any judgement about Mac's security. You can't even clearly admit the fact that being used in KDE, the flaw exposed in webkit also treats many Linux distributions out there. And consequently, the argument of Linux fanboys which says that Linux is more secure than OS X does not hold water.

9. Irrelevant argument....

10. That's not his point. His point is to say that bug found in open source code can be used against Apple. And this is what Miller is doing but in the same time he states that Apple is less secure. Concerning the fact that Apple lags behind when it comes to patch bugs discovered in open source code, that is arguable as Apple needs time to test the fix and so on, but the fact remains that people like Miller can use FOSS bugs against Apple.

And i find strange that you call Miller a smart guy....

Apple does not include open source code because that save them people to hire. BS, you are pathetic. First of all Apple decides to include many open source project that it still can decide not to include, perl, php, ruby, and so on are project that Apple decides to include and that are not developed for Apple specially anyway. Including a lot of open source software is a lot of work for Apple as it needs not only to keep them up to date but also to integrate them in order that they work as expected in OS X, you are missing completely the reality of the big effort that it is.

Lastly Apple does not include open software without their own contribution in order that it makes sense in OS X. Making sound that Apple is just using magically open source code shows how stupid you can be....


"The reason I decided to write this rebuttal was not to discredit Apple, or because I have been paid by Canonical or Microsoft."

Don't worry, Microsoft or Canonical does not give a shit on what you may do for them. Come back to Earth.....

You dare saying that people are doing misinformation but the fact is that you are doing it yourself. You are trying to argue against things that people did not even say due to the poor understanding of yours.

You could not resist to jump on the story without taking the time to think about what you will write and to make sure that you understand what people are saying. What should I say, well, I guess you better just continue to post links that people send to you and don't try to be smarter than you are....

Reply Score: 0

Childish...
by Darkelve on Mon 31st Mar 2008 10:35 UTC
Darkelve
Member since:
2006-02-06

Can we please stop the childishness and get back to the regular Tech Reporting?

Edited 2008-03-31 10:35 UTC

Reply Score: 2

Kelly we hardly knew you
by alcibiades on Mon 31st Mar 2008 13:22 UTC
alcibiades
Member since:
2005-10-12

Connoisseurs of MacMania have been greatly regretting that the Manager of Team Apple unaccountably decided to substitute Kelly McNeil at the top of the second quarter, when he was playing so well. But we now see that the Manager knew his players better than us, and in Daniel Eran Dilger he has truly found a worthy substitute. One who, in some ways, is even better in the position than the previous occupant.

So it's cheers for DED as he sprints onto the pitch, and a small word of advice: the madder the argument, the more forcefully you must make it. Always mount personal attacks on anyone who so much as refers to an opposing point of view. Above all bear in mind the doctrine of insufficient praise. The worst kind of attacks on The Cause come from those who are basically positive about it, but conceal in this some barbs of invented flaws. These are the truly dangerous ones. These are the ones you have to go for.

In parting, one final word. It is always important to make sure, when one kicks the ball hard, that one is facing the opponent's goal. Your predecessor in this position sometimes appeared to get confused about this and kicked out wildly in all directions, all too frequently scoring for the other side rather than his own. Often he gave away damaging penalties by playing the man rather than the ball in these furious bursts of kicking. You too have shown similar tendencies in the past on matters such as market share. You will have to watch this, as otherwise you too will be substituted after a very short time on the pitch, and we will lose a great deal of innocent amusement.

Reply Score: 2

Open Source or Apple Open Source
by jack_perry on Mon 31st Mar 2008 17:32 UTC
jack_perry
Member since:
2005-07-06

Genuine technical question here, no trolling. Honest!

I use Mac OSX & Linux. Since the weakness has been tied to open source code that is widely used in a variety of contexts, is (or was) it possible to use this exploit to hack a Linux machine running the library in question? (Konqueror maybe, on account of webkit/khtml relationship?) Or is it certain that this exploit could only have been done on someone using Safari?

Reply Score: 2

Kokopelli Member since:
2005-07-06

Genuine technical question here, no trolling. Honest!

I use Mac OSX & Linux. Since the weakness has been tied to open source code that is widely used in a variety of contexts, is (or was) it possible to use this exploit to hack a Linux machine running the library in question? (Konqueror maybe, on account of webkit/khtml relationship?) Or is it certain that this exploit could only have been done on someone using Safari?


Anything based on Webkit, regardless of OS, can potentially fall prey to this flaw. This would include some of the Webkit based plasmoids in KDE4 as well as webkit based browsers on Linux.

I did a bit of research but stopped short of downloading the source for KHTML. I think, though I am not certain, that the JS engine including the PCRE issue is unique to Webkit. So I am pretty sure this particular flaw would not carry over to Konqueror, though again I am not certain.

Reply Score: 2

ricegf Member since:
2007-04-25

Ubuntu doesn't install Konqueror as a native app, so if the library poses a risk for Linux, Ubuntu wouldn't have been exposed until the third day.

If the contest had included a machine running a KDE-based (by default) distribution such as Kubuntu, Mandriva or Suse, then it might have been cracked on day 2 along with the Mac.

None of this says squat about the relative security of any operating system, of course, but I still breathed a sigh of relief when Ubuntu survived. The trade press is always better at misleading headlines than technical analysis. :-(

Reply Score: 1

Losers
by microFawad on Mon 31st Mar 2008 19:14 UTC
microFawad
Member since:
2005-12-09

Tich tich tich...
Don't cry Apple fans. It's useless to give reasons now. The competition is over and Linux wins! That's it.
Oh yeah, by the way the truth is that vulnerabilities on Apple side had increased even more than Windows.
So the Apple set high prices for these crap products and they always advertise against PC.
Tich tich tich...
Losers!

Reply Score: 1

All Over But the Crying...
by tomcat on Mon 31st Mar 2008 19:53 UTC
tomcat
Member since:
2006-01-06

I'll be the first to admit that contests such as these shouldn't be treated as the only metric that people use to assess the overall security of a platform; HOWEVER, that said, these contests can be useful as a way of "taking the pulse" of general platform security from time to time. Regardless of whether you like the results, the results were FAIR.

1. The rules were fair and evenly applied to each of the platforms and contestants.

2. There were no surprises. All of the contestants knew the rules in advance, knew the platforms, and knew that the platforms would have the latest patches applied for all software installed.

3. All of the contestants were respected security researchers. Whether they had or have a particular bias against a given platform was irrelevant to the contest. Frankly, whether they were motivated by money or ideology or notoriety doesn't have any bearing on the results.

4. There were equal incentives ($$$, hardware) to attack each of the platforms. $10K buys about 5 MacBook Airs so, clearly, the choice of which platform to hack wasn't a financial or tech-drool one.

5. Market share of the platforms was irrelevant to the findings.

6. Value of the vulnerabilities on the black hat spammer/malware market was irrelevant to the findings.

7. Availability of source code was irrelevant to the findings. Security through obscurity has been shown to be ineffective time after time. Apple lost, some say due to its use of OSS code, but that is directly contradicted by the fact that Linux won, and it uses OSS code.

8. The sponsors of the event (Google, Microsoft, Juniper Networks, Cisco, Adobe, etc) had no bearing on the outcome. To believe otherwise is to believe that competitors Google, Microsoft, and Adobe "had it in" for Apple; which, quite frankly, is ridiculous on its face. Not only that, but Adobe (one of the primary sponsors) received a slap in the face when Flash was a high-profile target.

What I care about MORE than anything is what we've all LEARNED from this exercise. We know that remote exploits are harder than ever to pull off (that's a good thing) and none of the platforms have unnecessary/exploitable ports open, that application weakness is the next line of attack, and that general assumptions about Mac security have been shaken badly. I would argue that this isn't a bad thing. Apple, Adobe, Microsoft, Google, and others can take that knowledge back to their offices, and start addressing the types of problems that were discovered; and, in the end, it will yield more secure software. Which is what we all want.

Reply Score: 4

Wow
by jadeshade on Tue 1st Apr 2008 01:01 UTC
jadeshade
Member since:
2007-07-10

"Of course, one can’t write slander (it’s called libel), but his serious accusations failed to refute any of the points I raised, and really betray his effort to smear me rather than correct any facts I presented."

This comment doesn't even need writing.

Reply Score: 1

Intrinsic test validity vs real world
by Doxxic on Tue 1st Apr 2008 10:35 UTC
Doxxic
Member since:
2008-04-01

Reading the OS News blog versus Roughly Drafted, it occurs to me that the principal difference is the perspective that's being taken.

OS News focuses on the technical qualities of the OSes and the intrinsic fairness of the testing procedures.

RD focuses on the real world security of the OSes and, in relation to that, the unfairness of how the testing outcomes will affect the OSes' reputations.

Like a real tech geek, Holwerda seems to remain blind to Eran's perspective, countering Eran's arguments with arguments that underline the test's intrinsic qualities, while missing the point of Eran's comments, which is that the test outcomes suggest that the Mac is less secure than the PC while in practice the opposite is the case.

Eran, in his turn, can't imagine that Holwerda is enough of a naive tech geek to be blind to that, and suspects that the test has been set up the way it has deliberately in order to generate a newsworthy outcome, resulting in extra pagehits for OSNews.com.

Personally, I think Holwerda's motives contain a bit of both.
I think his geeky curiosity for the intrinsic security of the various OSes is sincere. It fits with the nature of OSNews.com in general.
But I don't think he's truly totally unaware of the way he contributes to a false perception of the various OSes' securities and the extra pagehits OS News gets this way. I suspect Holwerda just tries not to think about it.

Edited 2008-04-01 10:52 UTC

Reply Score: 1