<?xml version="1.0" encoding="utf-8" ?>
<rss version="2.0" xmlns:osnews="http://osnews.com/rss2#">
	<channel>
		<title>OSNews: </title>
		<link>http://www.osnews.com/story/19541/Apple_Is_Loser_in_Three-Way_Hacking_Contest</link>
		<description>Exploring the Future of Computing</description>
		<language>en-us</language>
		<copyright>Copyright 2001-2009, David Adams</copyright>
		<webMaster>adam+nospam@osnews.com</webMaster>
		<lastBuildDate>Sun, 08 Nov 2009 20:58:50 GMT</lastBuildDate>
		<image>
			<url>http://www.osnews.com/images/osnews.gif</url>
			<title>OSNews.com</title>
			<link>http://www.osnews.com</link>
		</image>
		<item>
			<title>LMFAO</title>
			<link>http://osnews.com/thread?307047</link>
			<guid isPermaLink="true">http://osnews.com/thread?307047</guid>
			<description>LMFAO THIS IS HILARIOUS....<br />
<br />
OSX the first to go down in flames, Vista and Linux standing strong that's just funny with all of OSX's flogging that it's so safe and secure.<br />
<br />
The real challenge will be to see if vista or linux gets hit next</description>
			<pubDate>Fri, 28 Mar 2008 20:50:00 GMT</pubDate>
			<author>donotreply@osnews.com (cchance)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>Hmm</title>
			<link>http://osnews.com/thread?307048</link>
			<guid isPermaLink="true">http://osnews.com/thread?307048</guid>
			<description>It will be interesting to see which laptop gets pwned next.<br />
<br />
It would be nice if Ubuntu holds its ground. That said, Ubuntu isn't the most secure distribution out-of-the-box, since AppArmor or SELinux aren't configured by default.<br />
<br />
Fedora or RHEL would have been better contenders because they have more security defense mechanisms by default.</description>
			<pubDate>Fri, 28 Mar 2008 21:02:00 GMT</pubDate>
			<author>donotreply@osnews.com (Xaero_Vincent)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: LMFAO</title>
			<link>http://osnews.com/thread?307050</link>
			<guid isPermaLink="true">http://osnews.com/thread?307050</guid>
			<description><div class="cquote">OSX the first to go down in flames, Vista and Linux standing strong that's just funny with all of OSX's flogging that it's so safe and secure.<br />
 </div><br />
<br />
It's worth remembering that when it came to attacks based directly at the platform rather than applications running on it, there were no contenders which bodes well for the default security posture of all three platforms.<br />
<br />
Was this a case of OSX really going down, or was it related entirely to the flaw in Safari that opened the system to remote access?  <br />
<br />
I think it's an important distinction because this is the direction the blackhats are moving in.  The days of open ports in Windows are over, even Microsoft has taken to a more responsible security design. Linux and OSX already had a natural advantage in this area. So attacks will no longer be against the platform, necessarily, but more against the applications running on top of them. Browsers, plugins, media players etc. will all be the focus of blackhat activity, and that is disconcerting because it means that vulnerabilities in an application on one platform could be easily transferable to other platforms. A flaw in Firefox is often a flaw in Firefox Win/OSX/*nix. The flaw in Safari that broke OSX could easily apply to the Windows version as well, hard to know without disclosure yet.<br />
<br />
It's good that we have a choice of secure platforms to use, but now there is the whole issue of needing ISVs to take the same security approach that the OS vendors have often been forced to take, otherwise it will all be for naught.  The platform can certainly help minimize the damage a rogue app exploit can occur in a cross-platform app, but it's still an issue that will need to be addressed.<br />
<br />
As much as I'm tempted to giggle a bit at the fact that OSX was the first to go down, I don't think it's Apple the OSX vendor that should be blushing.  It's Apple the software company that should be concerned, but that could just as easily have been Adobe or someone else. In fact, I was kind of expecting it to be Adobe with all of the flash issues they've had lately.<br />
<br />
Anyways, will be interesting to watch and see what happens over the rest of the contest.</description>
			<pubDate>Fri, 28 Mar 2008 21:04:00 GMT</pubDate>
			<author>donotreply@osnews.com (elsewhere)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: Hmm</title>
			<link>http://osnews.com/thread?307051</link>
			<guid isPermaLink="true">http://osnews.com/thread?307051</guid>
			<description><div class="cquote">Fedora or RHEL would have been better contenders because they have more security defense mechanisms by default. </div><br />
<br />
I think the goal is to use common, default setups. And let's face it, Ubuntu is the common distro at this point. In other words, I think it makes sense to settle for Ubuntu.</description>
			<pubDate>Fri, 28 Mar 2008 21:05:00 GMT</pubDate>
			<author>donotreply@osnews.com (Thom_Holwerda)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[2]: LMFAO</title>
			<link>http://osnews.com/thread?307054</link>
			<guid isPermaLink="true">http://osnews.com/thread?307054</guid>
			<description>From the Register:<br />
<br />
&quot;Charlie Miller, who was the first security researcher to remotely exploit the iPhone, felled the Mac by tapping a security bug in Safari. The exploit involved getting an end user to click on a link, which opened up a port that he was then able to telnet into. Once connected, he was able to remotely run code of his choosing. &quot;<br />
<br />
<a href="http://www.channelregister.co.uk/2008/03/28/mac_hack/" rel="nofollow">http://www.channelregister.co.uk/2008/03/28/mac_hack/</a></description>
			<pubDate>Fri, 28 Mar 2008 21:26:00 GMT</pubDate>
			<author>donotreply@osnews.com (pxa270)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>Rules of the game</title>
			<link>http://osnews.com/thread?307057</link>
			<guid isPermaLink="true">http://osnews.com/thread?307057</guid>
			<description>Here's a nice summary of the rules of the game in the Arstechnica forums:<br />
<a href="http://tinyurl.com/26spyy" rel="nofollow">http://tinyurl.com/26spyy</a><br />
<br />
The important part (and most damning for Safari/OS X) is that each of the three machines had their own $10,000 cash prize, and the attacks on the Vista and Ubuntu machine continued after the Mac was down, but nobody succeeded in exploiting the other two. Which pretty much silences any objection that somehow the Mac was a more attractive target (well, apart from being easier to crack).<br />
<br />
Oh, and if you followed my link, you would have been susceptible to these sorts of attacks <img src="/images/emo/wink.gif" alt=";)" /></description>
			<pubDate>Fri, 28 Mar 2008 21:35:00 GMT</pubDate>
			<author>donotreply@osnews.com (pxa270)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>I knew this would happen</title>
			<link>http://osnews.com/thread?307058</link>
			<guid isPermaLink="true">http://osnews.com/thread?307058</guid>
			<description>At the 24C3 ( hacker congress in Berlin ) lots of people had 0day exploits for MacOSX lying around. But at the moment nobody is buying them ( MS does buy Windows exploits, Apple does not buy OSX exploits ).<br />
<br />
Hackers have to eat <img src="/images/emo/wink.gif" alt=";)" />   ( BTW they would/will sell to botnet people if MS does not pay )<br />
<br />
Exploits are a big business nowadays.</description>
			<pubDate>Fri, 28 Mar 2008 21:51:00 GMT</pubDate>
			<author>donotreply@osnews.com (kragil)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>Finally...</title>
			<link>http://osnews.com/thread?307059</link>
			<guid isPermaLink="true">http://osnews.com/thread?307059</guid>
			<description>...Apple is being unmasked in front of everyone. Good. This will teach them not to make false claims about their oh-so secure and infallible O.S. I'm glad that for all the criticism, Vista was able to hold its ground (hey, UAC does work after all, who knew?). So what do y'all have to say now, Apple fanboys? I guess the best thing to do here is to admit that you've been 0wned. :-P<br />
<br />
Linux I expected to do well, since it has its roots from Unix and likewise is designed to be secure by default. No O.S. this side of the Universe will beat OpenBSD in security though, and I would've liked to see that amazing O.S. included in this test as well.</description>
			<pubDate>Fri, 28 Mar 2008 22:09:00 GMT</pubDate>
			<author>donotreply@osnews.com (1c3d0g)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: LMFAO</title>
			<link>http://osnews.com/thread?307060</link>
			<guid isPermaLink="true">http://osnews.com/thread?307060</guid>
			<description>Standing strong? Nobody TRIED to hack them.</description>
			<pubDate>Fri, 28 Mar 2008 22:10:00 GMT</pubDate>
			<author>donotreply@osnews.com (sigzero)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: Finally...</title>
			<link>http://osnews.com/thread?307061</link>
			<guid isPermaLink="true">http://osnews.com/thread?307061</guid>
			<description>Nobody has said the Mac is invulnerable. The biggest claim is in the virus related arena. As a Mac user, I am glad that the exploit was found. Now it can be fixed. That is good.</description>
			<pubDate>Fri, 28 Mar 2008 22:11:00 GMT</pubDate>
			<author>donotreply@osnews.com (sigzero)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>.......</title>
			<link>http://osnews.com/thread?307063</link>
			<guid isPermaLink="true">http://osnews.com/thread?307063</guid>
			<description>Flame War!</description>
			<pubDate>Fri, 28 Mar 2008 22:19:00 GMT</pubDate>
			<author>donotreply@osnews.com (Mellin)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>well</title>
			<link>http://osnews.com/thread?307064</link>
			<guid isPermaLink="true">http://osnews.com/thread?307064</guid>
			<description>no one wants windows vista <img src="/images/emo/wink.gif" alt=";)" /></description>
			<pubDate>Fri, 28 Mar 2008 22:21:00 GMT</pubDate>
			<author>donotreply@osnews.com (Mellin)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[3]: LMFAO</title>
			<link>http://osnews.com/thread?307065</link>
			<guid isPermaLink="true">http://osnews.com/thread?307065</guid>
			<description><div class="cquote">From the Register:<br />
<br />
&quot;Charlie Miller, who was the first security researcher to remotely exploit the iPhone, felled the Mac by tapping a security bug in Safari. The exploit involved getting an end user to click on a link, which opened up a port that he was then able to telnet into. Once connected, he was able to remotely run code of his choosing. &quot;<br />
<br />
<a href="http://www.channelregister.co.uk/2008/03/28/mac_hack/" rel="nofollow">http://www.channelregister.co.uk/2008/03/28/mac_hack/</a>   </div><br />
<br />
Do I understand this correctly? An interaction of the <b>user</b> has been required to achieve the goal of hacking? <br />
<br />
From the description above: &quot;<b>Nobody was able</b> to hack into the systems on the first day of the contest when contestants were only allowed to <b>attack the computers over the network</b>, but yesterday <b>the rules were relaxed</b> so that attackers could direct contest organisers <b>using the computers to do things like visit websites or open email messages</b>.&quot; - Is this still hacking? Relying on user interaction can help you to compromise any system. I always thought this is nothing spectacular because nearly anyone can do such &quot;easy&quot; stuff (faked maintenance websites, faked system alerts etc.). The same techniques could have been used to hack into the Linux and &quot;Vista&quot; boxes as well, just if the user replies to a mail like &quot;Dear Bob, please send me your root password back. thanks!&quot; :-)</description>
			<pubDate>Fri, 28 Mar 2008 22:21:00 GMT</pubDate>
			<author>donotreply@osnews.com (Doc Pain)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: Finally...</title>
			<link>http://osnews.com/thread?307066</link>
			<guid isPermaLink="true">http://osnews.com/thread?307066</guid>
			<description>Do you even hear yourself? OS X <b>is</b> BSD, as opposed to Linux. And it's not even OS X that has a problem, it's Safari.</description>
			<pubDate>Fri, 28 Mar 2008 22:22:00 GMT</pubDate>
			<author>donotreply@osnews.com (wirespot)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[2]: LMFAO</title>
			<link>http://osnews.com/thread?307067</link>
			<guid isPermaLink="true">http://osnews.com/thread?307067</guid>
			<description>You'll see that they were, on each day they relax the rules if they can't hack them. It's kind of like trying to shoot a target at shorter and shorter range.</description>
			<pubDate>Fri, 28 Mar 2008 22:23:00 GMT</pubDate>
			<author>donotreply@osnews.com (SlackerJack)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[4]: LMFAO</title>
			<link>http://osnews.com/thread?307068</link>
			<guid isPermaLink="true">http://osnews.com/thread?307068</guid>
			<description>I believe that the user had simply to visit the site with the exploit.  That site might as well have been a Google search result.<br />
<br />
Apple is already working on a fix, as they always do when  these things come out so publicly.<br />
<br />
&quot;I'm a MAC&quot;<br />
<br />
&quot;I'm a PC&quot;<br />
<br />
&quot;And I'm a cracker.  Bang! Bang!  You're dead!&quot;</description>
			<pubDate>Fri, 28 Mar 2008 22:29:00 GMT</pubDate>
			<author>donotreply@osnews.com (sbergman27)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: LMFAO</title>
			<link>http://osnews.com/thread?307070</link>
			<guid isPermaLink="true">http://osnews.com/thread?307070</guid>
			<description>Yup, OSX sucks hard!<br />
<br />
Let's see how quickly I get modded down for this <img src="/images/emo/smile.gif" alt=";)" /></description>
			<pubDate>Fri, 28 Mar 2008 22:46:00 GMT</pubDate>
			<author>donotreply@osnews.com (Isolationist)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[4]: LMFAO</title>
			<link>http://osnews.com/thread?307071</link>
			<guid isPermaLink="true">http://osnews.com/thread?307071</guid>
			<description><div class="cquote">Do I understand this correctly? An interaction of the <b>user</b> has been required to achieve the goal of hacking? <br />
<br />
Also from the description above: &quot;<b>Nobody was able</b> to hack into the systems on the first day of the contest when contestants were only allowed to <b>attack the computers over the network</b>, but yesterday <b>the rules were relaxed</b> so that attackers could direct contest organisers <b>using the computers to do things like visit websites or open email messages</b>.&quot; <br />
 </div><br />
From the same link: &quot;Not a single attendee entered the contest on day one, when all vulnerabilities had to reside in the machine's operating system, drivers or network stack.&quot;<br />
Nobody even tried under 1st day rules, because exploits were very unlikely. As elsewhere already mentioned, the days of zero user interaction remote exploits are pretty much over. Even XP-SP2 can withstand that.<br />
<br />
<div class="cquote"> Is this still hacking? Relying on user interaction can help you to compromise any system.  </div><br />
Yes it is. Because visiting an unknown website or opening an email is not supposed to be able to execute arbitrary commands on your computer.<br />
<br />
<div class="cquote">I always thought this is nothing spectacular because nearly anyone can do such &quot;easy&quot; stuff (faked maintenance websites, faked system alerts etc.). The same techniques could have been used to hack into the Linux and &quot;Vista&quot; boxes as well, just if the user replies to a mail like &quot;Dear Bob, please send me your root password back. thanks!&quot; :-) </div><br />
You thought wrong, because the Ubuntu and Vista laptops were still being attacked under the same rules when the Mac was down (each had their own cash prizes), but they withstood the rest of the day.</description>
			<pubDate>Fri, 28 Mar 2008 22:46:00 GMT</pubDate>
			<author>donotreply@osnews.com (pxa270)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>Comment by hhas</title>
			<link>http://osnews.com/thread?307072</link>
			<guid isPermaLink="true">http://osnews.com/thread?307072</guid>
			<description>Unfortunately, this sort of thing is going to continue until consumer OSes approach system security the same way as they treat stability, and enforce it at the per-process - or even per-object - level. <br />
<br />
The current 'fortress wall' security model may be fine for server OSes, where experienced sysadmins are expected to earn their pay constantly manning the outer defences against any hostile intrusion. It's utterly inadequate for end-user systems, however, where (like it or not) most anything goes. Compromised processes are inevitable in such uncontrolled environments; the only question is whether or not they take the rest of the system down when they go.<br />
<br />
Apple and Microsoft dealt with the inherent stability problems of OS9 and Win98 by introducing true per-process memory protection. It's about time they applied the same approach to security as well.</description>
			<pubDate>Fri, 28 Mar 2008 22:58:00 GMT</pubDate>
			<author>donotreply@osnews.com (hhas)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[2]: Hmm</title>
			<link>http://osnews.com/thread?307073</link>
			<guid isPermaLink="true">http://osnews.com/thread?307073</guid>
			<description>&quot;And let's face it, Ubuntu is the common distro at this point.&quot;<br />
<br />
Why don't you face reality, there is no common distribution. Your comment amounts to another person saying that Toyota are the only cars because they are the most common on the street where they live and the most shown on their TV channels ...<br />
<br />
It's as if you declared Music to be only Celine Dion because she sells more records locally and worldwide than others ... <br />
<br />
Wii are the console market as they are the most numerous sold, Xbox and PS3 don't exist.<br />
<br />
GNU/Linux has many distributions with millions of users worldwide. <br />
<br />
BTW Ubuntu sabotaged by Dell offer is around half a million sales. Asus EEE PC have sold 10 million worldwide, they come with Xandros. So your common argument is invalid by sales.<br />
<br />
If the most common argument was to be used Apple would not be there as they only have 22 million users/clients worldwide. There are many GNU/Linux distributions with far more users than that.<br />
<br />
Your argumentation is false, and flawed.</description>
			<pubDate>Fri, 28 Mar 2008 23:07:00 GMT</pubDate>
			<author>donotreply@osnews.com (Moulinneuf)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[2]: LMFAO</title>
			<link>http://osnews.com/thread?307074</link>
			<guid isPermaLink="true">http://osnews.com/thread?307074</guid>
			<description>Latest update, from the third day:<br />
<br />
&quot;2:30pm PST Update: Its been two hours so far, and both Vista and Ubuntu laptops are still standing. Stay tuned...&quot;<br />
<br />
Check for more updates here:<br />
<br />
<a href="http://dvlabs.tippingpoint.com/blog/2008/03/28/pwn-to-own-final-day-and-wrap-up" rel="nofollow">http://dvlabs.tippingpoint.com/blog/2008/03/28/pwn-to-own-final-day...</a></description>
			<pubDate>Fri, 28 Mar 2008 23:11:00 GMT</pubDate>
			<author>donotreply@osnews.com (linumax)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[3]: Hmm</title>
			<link>http://osnews.com/thread?307075</link>
			<guid isPermaLink="true">http://osnews.com/thread?307075</guid>
			<description><div class="cquote">Why don't you face reality, there is no common distribution. Your comment amounts to another person saying that Toyota are the only cars because they are the most common on the street where they live and the most shown on their TV channels ... </div><br />
<br />
Get over yourself. They only have one computer to equip with Linux, and only one distribution to run on it. Ubuntu is the most popular, whether you like it or not.</description>
			<pubDate>Fri, 28 Mar 2008 23:14:00 GMT</pubDate>
			<author>donotreply@osnews.com (Thom_Holwerda)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: Finally...</title>
			<link>http://osnews.com/thread?307076</link>
			<guid isPermaLink="true">http://osnews.com/thread?307076</guid>
			<description>OpenBSD is indeed very secure by default, but once you install stuff on it, it is vulnerable like anything else.</description>
			<pubDate>Fri, 28 Mar 2008 23:15:00 GMT</pubDate>
			<author>donotreply@osnews.com (Clinton)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[2]: Finally...</title>
			<link>http://osnews.com/thread?307077</link>
			<guid isPermaLink="true">http://osnews.com/thread?307077</guid>
			<description>actually it is not if you install software from OBSD ports.</description>
			<pubDate>Fri, 28 Mar 2008 23:18:00 GMT</pubDate>
			<author>donotreply@osnews.com (broch)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[3]: Finally...</title>
			<link>http://osnews.com/thread?307083</link>
			<guid isPermaLink="true">http://osnews.com/thread?307083</guid>
			<description>Please, what a load of nonsense. Anything in ports is just as insecure as it is on any other operating system.</description>
			<pubDate>Sat, 29 Mar 2008 00:20:00 GMT</pubDate>
			<author>donotreply@osnews.com (JMcCarthy)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>Safari?</title>
			<link>http://osnews.com/thread?307084</link>
			<guid isPermaLink="true">http://osnews.com/thread?307084</guid>
			<description>What percentage of Mac users use Safari rather than something else?  Does anyone have an estimate?</description>
			<pubDate>Sat, 29 Mar 2008 00:20:00 GMT</pubDate>
			<author>donotreply@osnews.com (Quag7)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[2]: Finally...</title>
			<link>http://osnews.com/thread?307086</link>
			<guid isPermaLink="true">http://osnews.com/thread?307086</guid>
			<description><div class="cquote">Do you even hear yourself? OS X <b>is</b> BSD, as opposed to Linux. And it's not even OS X that has a problem, it's Safari. </div><br />
<br />
Wrong. If OS X ships with a particular piece of software, it's OS X, by definition.</description>
			<pubDate>Sat, 29 Mar 2008 01:09:00 GMT</pubDate>
			<author>donotreply@osnews.com (tomcat)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[2]: Finally...</title>
			<link>http://osnews.com/thread?307087</link>
			<guid isPermaLink="true">http://osnews.com/thread?307087</guid>
			<description><div class="cquote">Nobody has said the Mac is invulnerable. </div><br />
 <br />
C'mon, the Mac vs PC commercials imply as much. Mac users live in glass houses, and they really shouldn't be throwing stones.<br />
Edited 2008-03-29 01:15 UTC</description>
			<pubDate>Sat, 29 Mar 2008 01:11:00 GMT</pubDate>
			<author>donotreply@osnews.com (tomcat)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: Safari?</title>
			<link>http://osnews.com/thread?307088</link>
			<guid isPermaLink="true">http://osnews.com/thread?307088</guid>
			<description>What percentage of Windows users use Internet Explorer rather than something else?<br />
<br />
They're probably around the same mark. Although some might argue that the average Mac user is more likely to know about other browsers than the average Windows user.<br />
<br />
Meh, clutching at straws. Apple's attitude to security is lax... almost complacent, and Microsoft, while they have a poor record in the past, they have at least learned from it.<br />
<br />
Posted from Mac OS X, using Safari.</description>
			<pubDate>Sat, 29 Mar 2008 01:12:00 GMT</pubDate>
			<author>donotreply@osnews.com (gjames)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[2]: LMFAO</title>
			<link>http://osnews.com/thread?307089</link>
			<guid isPermaLink="true">http://osnews.com/thread?307089</guid>
			<description><div class="cquote">So attacks will no longer be against the platform, necessarily, but more against the applications running on top of them. Browsers, plugins, media players etc. will all be the focus of blackhat activity, and that is disconcerting because it means that vulnerabilities in an application on one platform could be easily transferable to other platforms. A flaw in Firefox is often a flaw in Firefox Win/OSX/*nix. The flaw in Safari that broke OSX could easily apply to the Windows version as well, hard to know without disclosure yet. </div><br />
<br />
Yeah, I agree, and this is a worse threat, in my opinion, because few applications have the scrutiny that the OSes have.</description>
			<pubDate>Sat, 29 Mar 2008 01:17:00 GMT</pubDate>
			<author>donotreply@osnews.com (tomcat)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: Finally...</title>
			<link>http://osnews.com/thread?307090</link>
			<guid isPermaLink="true">http://osnews.com/thread?307090</guid>
			<description>Agreed...  <br />
<br />
  It'd be good to see all of the BSDs included, really.  It'd make for some interesting comparisons. <br />
- latte</description>
			<pubDate>Sat, 29 Mar 2008 01:31:00 GMT</pubDate>
			<author>donotreply@osnews.com (latte)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>OS X security</title>
			<link>http://osnews.com/thread?307091</link>
			<guid isPermaLink="true">http://osnews.com/thread?307091</guid>
			<description>Hurrah! OS X has achieved what Windows did many years ago. <br />
<br />
My 13-year old son did the same thing last weekend while testing XP via VMWare on Linux. The Windows system was totally hosed within an hour via Internet Explorer.<br />
<br />
I've known some, a very small group, of users who've run their Windows boxes without being breached. The same is for Linux, BSD and OS X users who are safe online.</description>
			<pubDate>Sat, 29 Mar 2008 01:31:00 GMT</pubDate>
			<author>donotreply@osnews.com (mind!dagger)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>A little shocked</title>
			<link>http://osnews.com/thread?307092</link>
			<guid isPermaLink="true">http://osnews.com/thread?307092</guid>
			<description>I must say I'm a little shocked that OSX went down before Windows. Perhaps it will cause the Apple people to take security a little more seriously. Now I'm not really interested in the Flame war between OSX and Windows, I'm just a happy Linux &amp; Free BSD user sitting on the side lines of the proprietary battle, but now that OSX is hitting its stride they need to secure their Apps as well as the Unix base does for the OS.</description>
			<pubDate>Sat, 29 Mar 2008 01:43:00 GMT</pubDate>
			<author>donotreply@osnews.com (tweakedenigma)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>This of course assumes</title>
			<link>http://osnews.com/thread?307093</link>
			<guid isPermaLink="true">http://osnews.com/thread?307093</guid>
			<description>they can get me to click the link. Sorry, but an e-mail saying &quot;We at Bank Of America need to update your account information, please click <i>here</i>&quot; just isn't going to get my click.<br />
<br />
That, and I use Firefox.<br />
Edited 2008-03-29 01:55 UTC</description>
			<pubDate>Sat, 29 Mar 2008 01:54:00 GMT</pubDate>
			<author>donotreply@osnews.com (yakirz)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[2]: Hmm</title>
			<link>http://osnews.com/thread?307094</link>
			<guid isPermaLink="true">http://osnews.com/thread?307094</guid>
			<description>If the deciding factor for most appropriate distro to represent Linux was &quot;most vocally present group&quot; <i>then</i> Ubuntu might have been the correct choice.  Meanwhile, back in the real world, Redhat has been around far far longer than Ubuntu, is installed in the enterprise around the world and used by thousands daily for real world computing not just the &quot;lookit ma I can install Linux now too&quot; crowd.</description>
			<pubDate>Sat, 29 Mar 2008 02:32:00 GMT</pubDate>
			<author>donotreply@osnews.com (mzilikazi)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[3]: Hmm</title>
			<link>http://osnews.com/thread?307095</link>
			<guid isPermaLink="true">http://osnews.com/thread?307095</guid>
			<description>Yes. It is a well known fact that Ubuntu cannot be used in the enterprise, or for real world computing. Just ask Google.<br />
<br />
Normally I won't call somebody an idiot until they've posted at least twice, but you can only be so flagrantly wrong before you deserve it.</description>
			<pubDate>Sat, 29 Mar 2008 02:38:00 GMT</pubDate>
			<author>donotreply@osnews.com (6c1452)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>What were the security settings?</title>
			<link>http://osnews.com/thread?307099</link>
			<guid isPermaLink="true">http://osnews.com/thread?307099</guid>
			<description>Just curious what the security settings were on all three platforms (especially the Mac)...  Looking forward to all the details of the exploit.<br />
<br />
I do find it funny how elated the Mac haters are.  Theirs must be a pretty small world if Apple's advertising campaigns stick in their craw so deeply.  <br />
<br />
Personally I think it's great that chinks are being found in the armor.  Apps like Safari and Quicktime have gotten a free pass for too long.<br />
<br />
Question...  Is there a similar competition where all three OS's have been hardened?</description>
			<pubDate>Sat, 29 Mar 2008 03:22:00 GMT</pubDate>
			<author>donotreply@osnews.com (macUser)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: A little shocked</title>
			<link>http://osnews.com/thread?307100</link>
			<guid isPermaLink="true">http://osnews.com/thread?307100</guid>
			<description>I think Apple takes security pretty seriously when it comes to the OS, but there is definitely work to be done with Safari and Quicktime.</description>
			<pubDate>Sat, 29 Mar 2008 03:24:00 GMT</pubDate>
			<author>donotreply@osnews.com (macUser)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>Ubuntu wins</title>
			<link>http://osnews.com/thread?307101</link>
			<guid isPermaLink="true">http://osnews.com/thread?307101</guid>
			<description>According to <br />
<br />
<a href="http://dvlabs.tippingpoint.com/blog/2008/03/28/pwn-to-own-final-day-and-wrap-up" rel="nofollow">http://dvlabs.tippingpoint.com/blog/2008/03/28/pwn-to-own-final-day...</a> <br />
<br />
the Vista laptop was eventually hacked after the Adobe Flash plugin was installed.<br />
<br />
I've got to be honest, I'm surprised and *very* impressed that both Vista lasted this long, and that the eventual downfall of the Vista machine was caused by non-MS code. I'm even more impressed that Ubuntu (which doesn't run a firewall by default, and doesn't use SELinux) is still going.<br />
<br />
Combine that with the embarrassing result for Apple and the whole thing is really eye-opening.</description>
			<pubDate>Sat, 29 Mar 2008 03:26:00 GMT</pubDate>
			<author>donotreply@osnews.com (tristan)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>Oh no!</title>
			<link>http://osnews.com/thread?307102</link>
			<guid isPermaLink="true">http://osnews.com/thread?307102</guid>
			<description>Once again, OS X had been PROVEN UNDOUBTEDLY to be the most insecure OS ever created.<br />
I'd better update my Mac anti-virus and spyware removal software.</description>
			<pubDate>Sat, 29 Mar 2008 03:55:00 GMT</pubDate>
			<author>donotreply@osnews.com (senornoodle)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>Awesome</title>
			<link>http://osnews.com/thread?307103</link>
			<guid isPermaLink="true">http://osnews.com/thread?307103</guid>
			<description>Great news for Microsoft - now that people know Vista is secure I'm sure they will overlook all the other things they hate about it...<br />
<br />
The contest really doesn't expose holes in any of these OSes though.  It wasn't the operating system that was compromised; it was a piece of software running on the operating system - regardless of it being bundled software.  Web browsers are commonly used and therefore viewed as game for the hackers.  How many other apps now interact with the 'net in some way though?  Who is to say that any of the apps bundled with any of these OSes don't have flaws that could be exploited?  It's great that the Safari flaw has been exposed - Apple can now fix it.  So if that flaw is fixed and they redo it where does that leave the argument of all the near orgasmic frenzied Windows fanboys?  Totally moot?  How many flaws have been found in IE over the years - or Firefox - or [insert your browser of choice for whatever platform]?<br />
<br />
The guy who won this obviously went along to the contest with the knowledge already in hand, which once again raises the argument about these people just wanting their 5 minutes of fame.  Maybe Mummy and Daddy didn't pay him enough attention when he was little?  Who knows?  The responsible thing to do with any such knowledge would be to inform the company in question.  It seems though that these guys are really only interested in the kudos and making money from it.  In some fields it would border on extortion - but when it's software they get publicized and win rewards.  Go figure.<br />
<br />
And for the record, I use all three OSes - well, actually, I don't use Vista 'cause, well, sorry but I gave it a week and then reinstalled XP Pro.  And that was after the Service Pack.  Secure or not it's not for me.  I never have issues with XP (after it was properly secured) or Linux (which I really only use on some servers) or OSX.  Like everyone these days I regularly run utilities on all of them to check for rootkits, viruses, spyware, etc.  And if I had browsed to the web page in question on one of my OSX boxes Little Snitch would have popped a dialog to ask me if I wanted to allow the connection - so my Mac would still be running along nice and secure.<br />
<br />
I'd be interested to see what would happen if the hackers were allowed to give them a CD to insert...</description>
			<pubDate>Sat, 29 Mar 2008 04:39:00 GMT</pubDate>
			<author>donotreply@osnews.com (mrhasbean)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[2]: Finally...</title>
			<link>http://osnews.com/thread?307104</link>
			<guid isPermaLink="true">http://osnews.com/thread?307104</guid>
			<description><i>And it's not even OS X that has a problem, it's Safari.</i><br />
<br />
I don't know about that, if a user application exposes a back door into the core OS, isn't that the OS's fault for having a back door?  Seems that an OS should have a failsafe core design that prevents a compromise in the case of a problem on the user's end.</description>
			<pubDate>Sat, 29 Mar 2008 04:44:00 GMT</pubDate>
			<author>donotreply@osnews.com (sb56637)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: Awesome</title>
			<link>http://osnews.com/thread?307105</link>
			<guid isPermaLink="true">http://osnews.com/thread?307105</guid>
			<description><div class="cquote">The guy who won this obviously went along to the contest with the knowledge already in hand, which once again raises the argument about these people just wanting their 5 minutes of fame. Maybe Mummy and Daddy didn't pay him enough attention when he was little? Who knows?  </div><br />
 <br />
 The guidelines state:<br />
 <br />
 <div class="cquote">To claim a laptop as your own, you will need to read the contents of a designated file on each system through exploitation of a 0day code execution vulnerability (ie: no directory traversal style bugs). </div><br />
 <br />
 Nothing about having to discover and figure out how to exploit a vulnerability during the contest. Everybody else had the same opportunity.<br />
 <br />
 <br />
 <div class="cquote">The responsible thing to do with any such knowledge would be to inform the company in question. It seems though that these guys are really only interested in the kudos and making money from it. In some fields it would border on extortion - but when it's software they get publicized and win rewards. Go figure. </div><br />
 <br />
 The guidelines state:<br />
 <div class="cquote">[...] once the vendor patches the issue.  Until then, the actual vulnerability will be kept quiet from the public. This is a required condition of entry into the contest; all entrants must agree to the responsible disclosure handling of their vulnerability/exploit through the ZDI.<br />
 [...]<br />
 Any vulnerability that the Zero Day Initiative awards a cash prize for, becomes the property of the ZDI, and therefore the winner can not discuss or disclose details of the 0day until the affected vendor has successfully patched the issue.  Any discussion of the bug prior to the public disclosure of a ZDI advisory will result in forfeiting of the prize. TippingPoint is collaborating with the vendors to ensure that their response teams will be ready and waiting to receive any and all 0day that comes out of this contest. </div><br />
 <br />
 Hard to get more responsible than that.<br />
 Edited 2008-03-29 05:17 UTC</description>
			<pubDate>Sat, 29 Mar 2008 05:12:00 GMT</pubDate>
			<author>donotreply@osnews.com (6c1452)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>Comment by apoclypse</title>
			<link>http://osnews.com/thread?307107</link>
			<guid isPermaLink="true">http://osnews.com/thread?307107</guid>
			<description>Well the real issue here is that this is not the first time that there has been a compromising exploit for Safari. Anyone here remember the exploit used to jailbreak the iPhone? At the end of the day the OS may be as safe as possible. If the applications aren't written with security in mind then the OS doesn't matter at that point. <br />
 <br />
 I rarely use Safari on my Mac. I use Firefox because I don't like the way Safari automatically mounts all of your downloaded content, which I think is a huge security risk. <br />
 <br />
 What I want to know is if this is an issue with WebKit or if the problem solely rests on Safari. <br />
 <br />
 Btw, I'm also very pleased to see Ubuntu still hanging in there. Considering that security hasn't really been a priority for the distro it's really surprising. Regardless of how much a pain in the ass Vista is, MS learned their lesson and the OS does seem far more secure than its predecessor. This is good to see as well, even though I'm not a Windows user at home.<br />
 Edited 2008-03-29 05:54 UTC</description>
			<pubDate>Sat, 29 Mar 2008 05:47:00 GMT</pubDate>
			<author>donotreply@osnews.com (apoclypse)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>Here you go!1</title>
			<link>http://osnews.com/thread?307109</link>
			<guid isPermaLink="true">http://osnews.com/thread?307109</guid>
			<description>&quot;Once again, OS X had been PROVEN UNDOUBTEDLY to be the most insecure OS ever created. &quot;<br />
<br />
Really? How come you conclude that?<br />
<br />
What I see is just that a given security researcher did his job, that is, looking for security holes. Miller has been doing that for several months in order to find problems with Safari (thanks for his work!) and I find it not surprising that he came up with an exploit. <br />
I mean, come on, who here can believe that he came just like that and pulled out an exploit magically? He prepared that exploit well before, he knew about it, and he was just waiting for the moment that they relaxed the exploit methods to show up. No way that I can believe that he was not targeting the Mac well before the contest began.<br />
<br />
And no way that I can believe that the same thing could not have been done for Linux or Windows. I mean there are a lot of researchers looking for exploits in Linux and associated software, so I can't believe that no one could not use one exploit and make it work if he/she really wanted to. The point is that the Mac was the primary target during this contest, that's a matter of fact. Let's face it, that sounds well more sexy to say that the Mac was hacked than to say it for Linux or Windows.<br />
<br />
This contest does not prove anything, it just shows that security researchers do their job and that they get more excited when hacking the Mac.<br />
<br />
&quot;Apps like Safari and Quicktime have gotten a free pass for too long&quot;<br />
<br />
Well if I look at Secunia data, Safari actually does better than Firefox.....<br />
<br />
<a href="http://secunia.com/product/12434/?task=statistics" rel="nofollow">http://secunia.com/product/12434/?task=statistics</a><br />
<br />
<a href="http://secunia.com/product/5289/?task=statistics" rel="nofollow">http://secunia.com/product/5289/?task=statistics</a><br />
<br />
&quot;As Elseware already mentioned, the days of zero user interaction remote exploits are pretty much over. Even XP-SP2 can withstand that. &quot;<br />
<br />
Oh really, so tell me, what do you call what happened to the Graduate School of Arts and Sciences last month? <br />
<br />
<a href="http://www.devicepedia.com/security/harvard-site-hacked-and-then-leaked-on-bittorrent.html" rel="nofollow">http://www.devicepedia.com/security/harvard-site-hacked-and-then-le...</a> <br />
<br />
Their web site just got hacked and student data were stolen and then exposed to BitTorrent. And guess which system they are running? Oh, oh.... So please don't come up with nonsense.<br />
<br />
&quot;Well the real issue here is that this is not the first time that there has been a compromising exploit for Safari. Anyone here remember the exploit used to jailbreak the iPhone?&quot;<br />
<br />
That has nothing to do with the case now. Even during the contest, he could get to the Mac but he can't do a lot of things besides, of course, accessing your data; taking down the system would be difficult, as he is not root or does not have an admin password.<br />
<br />
&quot;I rarely use Safari on my Mac. I use Firefox because I don't like the way Safari automatically mounts all of your downloaded content, which I think is a huge security risk. &quot;<br />
<br />
You can deactivate this in the preferences. Also in Leopard, files downloaded using Safari, Mail, and iChat are automatically tagged with metadata indicating that they are downloaded files and referring to the URL, date, and time of the download. The first time you try to run an application that has been downloaded, you are prompted by a warning asking whether you want to run the application and displaying the information on the date, time, and location of the download. <br />
<br />
&quot;I don't know about that, if a user application exposes a back door into the core OS, isn't that the OS's fault for having a back door? Seems that an OS should have a failsafe core design that prevents a compromise in the case of a problem on the user's end.&quot;<br />
<br />
Well, Leopard does that, as it supports mandatory access controls and application sandboxing. But well, yes, it's a pity that Safari is not sandboxed yet; that would have made the exploit much more difficult to apply. <br />
<br />
Hey Apple please sandbox Safari, Quicktime, and Java.....</description>
			<pubDate>Sat, 29 Mar 2008 06:19:00 GMT</pubDate>
			<author>donotreply@osnews.com (Hakime)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: Comment by apoclypse</title>
			<link>http://osnews.com/thread?307110</link>
			<guid isPermaLink="true">http://osnews.com/thread?307110</guid>
			<description><div class="cquote">I rarely use Safari on my Mac. I use Firefox because I don't like the way Safari automatically mounts all of your downloaded content, which I think is a huge security risk. </div><br />
<br />
The opening of safe content is a preference that can be turned off.  I think it should be off by default and don't like the fact that it isn't.  I'm wondering if this attack exploited this default setting, or if the attack was based on some other crack in the code.<br />
<br />
Should be real interesting when the exploit is announced.</description>
			<pubDate>Sat, 29 Mar 2008 06:21:00 GMT</pubDate>
			<author>donotreply@osnews.com (macUser)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[4]: LMFAO</title>
			<link>http://osnews.com/thread?307111</link>
			<guid isPermaLink="true">http://osnews.com/thread?307111</guid>
			<description>Of course it is still classed as hacking. How do you think a Trojan horse operates? Exactly like the Trojan horse of legend. It would just sit there doing nothing until the people of Troy interacted with it, in their case, pulled it inside their town.<br />
<br />
A computer Trojan horse is useless unless the user allows that into the system.</description>
			<pubDate>Sat, 29 Mar 2008 07:51:00 GMT</pubDate>
			<author>donotreply@osnews.com (raver31)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[4]: Finally...</title>
			<link>http://osnews.com/thread?307112</link>
			<guid isPermaLink="true">http://osnews.com/thread?307112</guid>
			<description>Clearly you have had no experience with a BSD system then.</description>
			<pubDate>Sat, 29 Mar 2008 07:55:00 GMT</pubDate>
			<author>donotreply@osnews.com (raver31)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: LMFAO</title>
			<link>http://osnews.com/thread?307113</link>
			<guid isPermaLink="true">http://osnews.com/thread?307113</guid>
			<description>Well - according to the site the next one was Vista. They used a 0day exploit in Adobe Flash and cracked Vista.<br />
<br />
Ubuntu was the survivor of the contest as far as I understood.<br />
<br />
Seems Linux still is the most safe OS - at least in this contest. Too bad they did not include the BSD flavors and things like Solaris, but I am very pleased with this outcome...</description>
			<pubDate>Sat, 29 Mar 2008 07:57:00 GMT</pubDate>
			<author>donotreply@osnews.com (Jokel)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: well</title>
			<link>http://osnews.com/thread?307114</link>
			<guid isPermaLink="true">http://osnews.com/thread?307114</guid>
			<description>At work, I speak to a lot of average users every day. Some of them with their &quot;Very First PC (tm)&quot;.<br />
<br />
These people might not know a lot about computers, but the ones who have used computers at their friend's house or workplace all complain that they HAD to take the machine with Vista and that it was a pile of poo.<br />
<br />
The other people with no actual computing experience cannot believe how much hassle their systems are, as they believed the advertising that Vista is amazing. etc etc<br />
<br />
So, in MY experience, you are correct. No-one wants Vista.</description>
			<pubDate>Sat, 29 Mar 2008 07:59:00 GMT</pubDate>
			<author>donotreply@osnews.com (raver31)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[5]: Finally...</title>
			<link>http://osnews.com/thread?307115</link>
			<guid isPermaLink="true">http://osnews.com/thread?307115</guid>
			<description>&gt;Clearly you have had no experience with a BSD system then.<br />
... Are you trying to be silly? Are _BSD developers maintaining super-duper secure forks of everyone's favourite *nix programs that the rest of us aren't aware of? I don't think so. At best there are custom patches for compatibility purposes.</description>
			<pubDate>Sat, 29 Mar 2008 08:35:00 GMT</pubDate>
			<author>donotreply@osnews.com (JMcCarthy)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: Here you go!1</title>
			<link>http://osnews.com/thread?307117</link>
			<guid isPermaLink="true">http://osnews.com/thread?307117</guid>
			<description><div class="cquote">Oh really, so tell me, what do you call what happened to the Graduate School of Arts and Sciences last month? <br />
<br />
<a href="http://www.devicepedia.com/security/harvard-site-hacked-and-then-le." rel="nofollow">http://www.devicepedia.com/security/harvard-site-hacked-and-then-le...</a>..  <br />
 </div><br />
Ok, why don't <i>you</i> tell me how exactly it got hacked, since you seem to know so well?<br />
<br />
<div class="cquote">Their web site just got hacked and student data were stolen and then exposed to BitTorrent. And guess which system they are running? Oh, oh.... So please don't come up with nonsense.  </div><br />
So they were running a webserver on XP, which got hacked? Was it Apache or IIS? Hacked through a software vulnerability or a leaked password? Not that it matters, since a default XP install does not run any webserver, so this would be an impossible attack angle in this contest anyway.<br />
<br />
I guess I should have qualified my statement: non-user interaction exploits are pretty much over for the default setup of end user desktop systems. Vista and XP-SP2 run a firewall by default, OS X and Linux run few to no net exposed servers. How are you going to exploit them? Of course it's possible that you discover a hole in the Windows firewall <b>and</b> a vulnerability in one of the services behind the firewall, but that probability is pretty low. That should be pretty clear from this contest: nobody even made an attempt on the first day. Even XP-SP2 in its default setup would probably do just as well. <br />
<br />
Of course, it's an entirely different matter if you're talking about systems running servers exposed to the network, which are of course much riskier. Claiming that non user interaction exploits are over in that scenario is of course foolish, since vulnerabilities in permanently running net exposed software (not just webservers, but also things like Skype and instant messengers) are discovered all the time. But in that scenario it isn't clear at all that OS X or Ubuntu with Apache would fare much better than, say, Vista with IIS. <br />
<br />
But that was not the point of the first day contest, where you're asked to remotely compromise a default setup without user interaction. Pretty much all modern systems are hardened enough for that.</description>
			<pubDate>Sat, 29 Mar 2008 09:03:00 GMT</pubDate>
			<author>donotreply@osnews.com (pxa270)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[5]: Finally...</title>
			<link>http://osnews.com/thread?307118</link>
			<guid isPermaLink="true">http://osnews.com/thread?307118</guid>
			<description>What he said is mostly correct, though. Just go to  <a href="http://www.openbsd.org/ports.html" rel="nofollow">http://www.openbsd.org/ports.html</a>  and read the big red text if you don't believe that.</description>
			<pubDate>Sat, 29 Mar 2008 09:13:00 GMT</pubDate>
			<author>donotreply@osnews.com (pxa270)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: Here you go!1</title>
			<link>http://osnews.com/thread?307119</link>
			<guid isPermaLink="true">http://osnews.com/thread?307119</guid>
			<description><div class="cquote">I mean, come on, who here can believe that he came just like that and pulled out an exploit magically? He prepared that exploit well before, he knew about it, and he was just waiting for the moment that they relaxed the exploit methods to show up. No way that I can believe that he was not targeting the Mac well before the contest began. </div><br />
Nobody is asking you to believe that. Miller stated in his interview afterwards that it took him about 3 weeks to prepare the exploit. All teams were informed of the rules well in advance for all systems. The whole point of the contest was to encourage researchers to find previously unknown or undisclosed holes. Miller found one in OS X. No other team found any in Vista or Ubuntu.<br />
<br />
<div class="cquote">And no way that I can believe that the same thing could not have been done for Linux or Windows. I mean there are a lot of researchers looking for exploits in Linux and associated software, so I can't believe that no one could not use one exploit and make it work if he/she really wanted to. The point is that the Mac was the primary target during this contest, that's a matter of fact. Let's face it, that sounds well more sexy to say that the Mac was hacked than to say it for Linux or Windows. </div><br />
You should read the rules of the contest that others have conveniently summarized. All 3 systems were equally attacked. The contest wasn't over after the Mac went down, it continued for the rest of the day on the Vista and Ubuntu under the same rules, both had their own cash prizes to win, and both survived the day. So you can choose to believe that the teams attacking Vista and Ubuntu weren't interested in $10,000 and a free laptop or were plain incompetent (although one of the Vista attackers exploited the Mac through Quicktime last year, oops). Or you can stop trying to find excuses and just accept that OS X + Safari was just easier to crack than Vista + IE7 or Ubuntu + Firefox.<br />
<br />
<div class="cquote">This contest does not prove anything, it just shows that security researchers do their job and that they get more excited when hacking the Mac. </div><br />
Well, it also proves that some people will engage in silly rationalizations when reality clashes with their preconceived notions. <br />
<br />
The rules were fair. The Mac lost. It's just that simple.</description>
			<pubDate>Sat, 29 Mar 2008 09:36:00 GMT</pubDate>
			<author>donotreply@osnews.com (pxa270)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: OS X security</title>
			<link>http://osnews.com/thread?307120</link>
			<guid isPermaLink="true">http://osnews.com/thread?307120</guid>
			<description>Your comment just shows a total misunderstanding of the article and the state of security in modern desktop operating systems.<br />
XP can be hosed within seconds by simply exploiting its default security holes and open ports.<br />
No wonder your kid hosed your machine, it was simply by letting it onto the net.<br />
<br />
Whereas the article stated that none of the machines was compromised remotely, the first one being compromised over the net was the Mac due to an unpatched Safari security hole.<br />
<br />
I agree with others that Vista's approach makes the most sense, they simply sandbox the browser, which is probably the best approach you can take; every application which goes onto the internet should be sandboxed, period!</description>
			<pubDate>Sat, 29 Mar 2008 10:27:00 GMT</pubDate>
			<author>donotreply@osnews.com (werpu)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>QuickTime</title>
			<link>http://osnews.com/thread?307121</link>
			<guid isPermaLink="true">http://osnews.com/thread?307121</guid>
			<description>If anyone remembers, last year's vulnerability was in QuickTime.</description>
			<pubDate>Sat, 29 Mar 2008 10:53:00 GMT</pubDate>
			<author>donotreply@osnews.com (sumone)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[2]: Here you go!1</title>
			<link>http://osnews.com/thread?307122</link>
			<guid isPermaLink="true">http://osnews.com/thread?307122</guid>
			<description><div class="cquote">Or you can stop trying to find excuses and just accept that OS X + Safari was just easier to crack than Vista + IE7 or Ubuntu + Firefox. </div><br />
<br />
Please stop trying to iHurt people's iReligious iFeelings.</description>
			<pubDate>Sat, 29 Mar 2008 13:05:00 GMT</pubDate>
			<author>donotreply@osnews.com (h3rman)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: Here you go!1</title>
			<link>http://osnews.com/thread?307123</link>
			<guid isPermaLink="true">http://osnews.com/thread?307123</guid>
			<description>Did you read the part of my post saying I'd have to update my &quot;Mac antivirus and spyware removal software&quot;?<br />
I wasn't being entirely serious, my point being, who cares about a few obscure security holes no one uses when no one exploits them, and even if they did, wouldn't work too well anyway?</description>
			<pubDate>Sat, 29 Mar 2008 13:09:00 GMT</pubDate>
			<author>donotreply@osnews.com (senornoodle)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>There's no invincible OS</title>
			<link>http://osnews.com/thread?307124</link>
			<guid isPermaLink="true">http://osnews.com/thread?307124</guid>
			<description>You can code all you want, and put in as many bundled security features as the day is long.  But at the end of the day, if the user is stupid, and doesn't exact some sort of logical thinking while using a PC, the point of failure resides solely on them.  You can't patch a user.<br />
<br />
That goes for any OS in the wild.</description>
			<pubDate>Sat, 29 Mar 2008 13:13:00 GMT</pubDate>
			<author>donotreply@osnews.com (Phloptical)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[2]: Here you go!1</title>
			<link>http://osnews.com/thread?307126</link>
			<guid isPermaLink="true">http://osnews.com/thread?307126</guid>
			<description>I wasn't being entirely serious, my point being, who cares about a few obscure security holes no one uses when no one exploits them, and even if they did, wouldn't work too well anyway?<br />
<br />
If you care about files on your computer then you should care about security holes. Even if the bug didn't allow the attacker to modify any system files, he/she would still be able to read any of your files or delete them. Besides, you don't know if anyone exploits those holes before you are hosed already.</description>
			<pubDate>Sat, 29 Mar 2008 13:42:00 GMT</pubDate>
			<author>donotreply@osnews.com (WereCatf)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: There's no invincible OS</title>
			<link>http://osnews.com/thread?307127</link>
			<guid isPermaLink="true">http://osnews.com/thread?307127</guid>
			<description>Gotta agree there, at this point in the game the fault is normally a problem caused by the users not taking due care in what they are doing. <br />
<br />
Windows, Mac, Linux, BSD, Unix, Solaris are all able to be hurt by people that don't know how to take care of themselves online.</description>
			<pubDate>Sat, 29 Mar 2008 14:09:00 GMT</pubDate>
			<author>donotreply@osnews.com (tweakedenigma)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: Comment by apoclypse</title>
			<link>http://osnews.com/thread?307132</link>
			<guid isPermaLink="true">http://osnews.com/thread?307132</guid>
			<description><i>Considering that security hasn't really been a priority for the distro it's really surprising.</i><br />
<br />
I don't agree. Just have a look at the release notes of the upcoming 8.04 release:<br />
<br />
<b>in the footsteps of Ubuntu 7.10 with even more virtualization support and security enhancements - enabling AppArmor for more applications by default, improving protection of kernel memory against attacks, and supporting KVM and iSCSI technologies out of the box.</b></description>
			<pubDate>Sat, 29 Mar 2008 14:26:00 GMT</pubDate>
			<author>donotreply@osnews.com (netpython)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: There's no invincible OS</title>
			<link>http://osnews.com/thread?307133</link>
			<guid isPermaLink="true">http://osnews.com/thread?307133</guid>
			<description><div class="cquote">But at the end of the day, if the user is stupid, and doesn't exact some sort of logical thinking while using a PC </div><br />
    I am not anti-mac by a long shot.  <b>But</b>... as I posted earlier, all the user had to do was visit the web site with the exploit to give the cracker the foot in the door he needed.  (There was no &quot;Please download and run this.&quot; and no &quot;Please enter your administrator password&quot;.)  This site could just as easily have been a Google search hit encountered while a user was comparing the relative fuel economies of two cars he was considering buying.  I really don't see how or why anyone would choose to defend it.  And by blaming the user, at that!<br />
    <br />
    Apple needs to fix this serious security hole.  Period. <br />
    <br />
    That said, people are still safer with Mac than with Windows.  Because the fact of the matter is that, for whatever reason (it doesn't matter), Windows users are the ones under siege.  If you had a choice of two Kevlar vests, of known equal quality, and of two associated destinations, would you rather wear vest #1 and go to Omaha Nebraska, where occasionally one reads in the paper about how someone was shot?  Or would you rather wear vest #2 and go to a war zone?<br />
    <br />
  While arguments that state, or imply, that if everybody used Operating System Q, it &quot;would be just as vulnerable as Operating W is&quot; are common, they are also completely specious.<br />
    <br />
    Windows advocates: &quot;If only it were <b>you</b> under attack.  If only <b>I</b> weren't the one under attack all the time!&quot;<br />
    <br />
    Everyone else: &quot;Butcha <b>are</b>, Blanche! Ya <b>are</b>!&quot;<br />
    <br />
    Reality prevails... again.<br />
    Edited 2008-03-29 14:40 UTC</description>
			<pubDate>Sat, 29 Mar 2008 14:36:00 GMT</pubDate>
			<author>donotreply@osnews.com (sbergman27)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[2]: Comment by apoclypse</title>
			<link>http://osnews.com/thread?307135</link>
			<guid isPermaLink="true">http://osnews.com/thread?307135</guid>
			<description><div class="cquote">I don't agree. Just have a look at the release notes of the upcoming 8.04 release: </div><br />
<br />
FWIW, the claims that Ubuntu is not security conscious mainly seem to be coming from the &quot;SELinux is the one true security framework&quot; camp.<br />
<br />
I would be interested in seeing a contest like this conducted between various Linux distros. (Obviously, the contest would have to run a lot longer than this one that included easier targets, like MacOSX and Windows.)  But I'd like to see if the claims made by the Fedora camp (which I more or less consider to be my distro of choice) are valid, or just a bunch of smoke.<br />
<br />
On the topic of firewalls, it is true that Ubuntu does not run one by default.  But it also has no services listening on any ports, by default.  IIRC, while Fedora has a firewall by default, the SSH service is running, and port 22 is open by default, giving Ubuntu the security edge, overall, on that front.</description>
			<pubDate>Sat, 29 Mar 2008 15:08:00 GMT</pubDate>
			<author>donotreply@osnews.com (sbergman27)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[2]: Here you go!1</title>
			<link>http://osnews.com/thread?307139</link>
			<guid isPermaLink="true">http://osnews.com/thread?307139</guid>
			<description>I agree the Mac lost hands down, although I would like to see what the exploit involved before I pass judgment. Vista was eventually broken after adding Java (or Flash, I can't remember) to the mix, and Apple has that software pre-installed on the OS. But time will tell and we will know when it's all out in the open.</description>
			<pubDate>Sat, 29 Mar 2008 16:14:00 GMT</pubDate>
			<author>donotreply@osnews.com (tweakedenigma)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[3]: Comment by apoclypse</title>
			<link>http://osnews.com/thread?307140</link>
			<guid isPermaLink="true">http://osnews.com/thread?307140</guid>
			<description>It's simply not true that Ubuntu doesn't have a firewall enabled by default, it's called IPtables. Hardy has all ports stealthed by default but I'm not sure about Gutsy. I just had all my ports scanned and they are all stealthed from 0-1055 in a default Hardy install.</description>
			<pubDate>Sat, 29 Mar 2008 16:34:00 GMT</pubDate>
			<author>donotreply@osnews.com (SlackerJack)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[2]: OS X security</title>
			<link>http://osnews.com/thread?307142</link>
			<guid isPermaLink="true">http://osnews.com/thread?307142</guid>
			<description>Actually, my son wanted to validate what fellow Linux users were telling him about Windows security.<br />
<br />
He followed the instructions at UbuntuGeek on setting up a VMWare server. Then he installed the original Win XP install CD that came with his Alienware box.<br />
<br />
I suggested he go to a game emulator site. Sure enough, within minutes, his virtual XP instance was being set up to be remotely controlled.<br />
<br />
After powering off and deleting the contaminated Windows container we booted up a clean-and-pristine backup and I showed him how to harden a Windows system.<br />
<br />
He's been running Linux for well over a year now after learning how to install it on his own at 12. He was less than impressed with the POS called Windows XP.<br />
<br />
Since I religiously monitor my internal network I can say that under normal Internet activities our Linux and OS X systems are rock solid. Even our lowly XP system has yet to be compromised due to extensive hardening and teaching the users to be safe.</description>
			<pubDate>Sat, 29 Mar 2008 16:42:00 GMT</pubDate>
			<author>donotreply@osnews.com (mind!dagger)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[2]: LMFAO</title>
			<link>http://osnews.com/thread?307144</link>
			<guid isPermaLink="true">http://osnews.com/thread?307144</guid>
			<description>I don't know, when webkit is considered to be a core API, it needs to be treated as such. Same with IE on Windows. Or with KHTML on KDE.<br />
<br />
Firefox is just another app as far as the OS is concerned.</description>
			<pubDate>Sat, 29 Mar 2008 16:51:00 GMT</pubDate>
			<author>donotreply@osnews.com (google_ninja)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: Safari?</title>
			<link>http://osnews.com/thread?307145</link>
			<guid isPermaLink="true">http://osnews.com/thread?307145</guid>
			<description>I remember reading somewhere that it was close to 80%. Don't take my word for it though, 'cause I don't even remember the source, and it was a long time ago.</description>
			<pubDate>Sat, 29 Mar 2008 16:53:00 GMT</pubDate>
			<author>donotreply@osnews.com (google_ninja)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[3]: Hmm</title>
			<link>http://osnews.com/thread?307147</link>
			<guid isPermaLink="true">http://osnews.com/thread?307147</guid>
			<description>These are laptops, Ubuntu is the most common desktop/laptop Linux distro currently. <br />
 <br />
 Before I get accused of fanboyism or anything I've recently started moving my desktop / laptop to Debian.<br />
<br />
[Edited for clarity]<br />
Edited 2008-03-29 17:09 UTC</description>
			<pubDate>Sat, 29 Mar 2008 17:02:00 GMT</pubDate>
			<author>donotreply@osnews.com (slight)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[4]: Comment by apoclypse</title>
			<link>http://osnews.com/thread?307148</link>
			<guid isPermaLink="true">http://osnews.com/thread?307148</guid>
			<description><div class="cquote">It's simply not true that Ubuntu doesn't have a firewall enabled by default, it's called IPtables. </div><br />
That would be a new feature of Hardy, then.  I ran a Hardy development release for a while on my laptop a couple of months ago, and didn't notice.  But I believe I did an in-place upgrade.<br />
 <br />
 But as I indicated, there have never been any ports listening by default on an Ubuntu install.  And so, as Spock would say, a difference which makes no difference <b>is</b> no difference.<br />
Edited 2008-03-29 17:15 UTC</description>
			<pubDate>Sat, 29 Mar 2008 17:09:00 GMT</pubDate>
			<author>donotreply@osnews.com (sbergman27)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[2]: Awesome</title>
			<link>http://osnews.com/thread?307149</link>
			<guid isPermaLink="true">http://osnews.com/thread?307149</guid>
			<description>That wasn't the original poster's point. The guy who broke Safari knew about the exploit before the contest but had not informed Apple but waited till the contest.</description>
			<pubDate>Sat, 29 Mar 2008 17:12:00 GMT</pubDate>
			<author>donotreply@osnews.com (Arun)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[5]: Comment by apoclypse</title>
			<link>http://osnews.com/thread?307150</link>
			<guid isPermaLink="true">http://osnews.com/thread?307150</guid>
			<description>It's not a new feature, it's just they must have modified the iptables better to suit. By default before Ubuntu used to respond to ICMP Echo Requests, in Hardy it doesn't, I actually remember making a report about this to the Ubuntu devs.<br />
Edited 2008-03-29 17:24 UTC</description>
			<pubDate>Sat, 29 Mar 2008 17:23:00 GMT</pubDate>
			<author>donotreply@osnews.com (SlackerJack)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[4]: Finally...</title>
			<link>http://osnews.com/thread?307154</link>
			<guid isPermaLink="true">http://osnews.com/thread?307154</guid>
			<description>Even if the piece of software IS insecure, most attacks won't have any chance in OpenBSD.<br />
<br />
Read this.<br />
<a href="http://en.wikipedia.org/wiki/OpenBSD_security_features" rel="nofollow">http://en.wikipedia.org/wiki/OpenBSD_security_features</a></description>
			<pubDate>Sat, 29 Mar 2008 18:03:00 GMT</pubDate>
			<author>donotreply@osnews.com (sakeniwefu)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[5]: LMFAO</title>
			<link>http://osnews.com/thread?307155</link>
			<guid isPermaLink="true">http://osnews.com/thread?307155</guid>
			<description>I think you made the case against, there.  I for one think of &quot;hacking&quot; as actively breaking into a target system, without needing some unwitting assistance from the owner. Trojans and browser exploits cannot really be targeted towards a specific victim, unless you go to the trouble of performing some trick of social engineering, to get that person to run the trojan.exe or visit your poisoned website.<br />
<br />
hacking = targeted, unaided<br />
trojan-ing = indiscriminate, requires unwitting assistance of victim<br />
<br />
Discussion welcome <img src="/images/emo/wink.gif" alt=";)" /></description>
			<pubDate>Sat, 29 Mar 2008 18:03:00 GMT</pubDate>
			<author>donotreply@osnews.com (Havin_it)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[3]: LMFAO</title>
			<link>http://osnews.com/thread?307157</link>
			<guid isPermaLink="true">http://osnews.com/thread?307157</guid>
			<description><div class="cquote"><br />
The exploit involved getting an end user to click on a link, which opened up a port that he was then able to telnet into. Once connected, he was able to remotely run code of his choosing. &quot;<br />
 </div><br />
<br />
If that is true, the following observations come to mind:<br />
<br />
1) telnet itself is obsolete because of security reasons, and sshd should be off by default in desktop systems (and regular user should not be able to turn it on).<br />
<br />
2) Only root should be able to open a port.<br />
<br />
3) Even if arbitrary code is executed as regular user, it shouldn't be able to get root account, except, maybe, by privilege escalation. Privilege escalation is an issue in Linux as well (as discussed in the &quot;fakesudo&quot; thread in Ubuntu forums), but I think the risk can be avoided if you never su or sudo from your regular user account. Instead, create a new user from whom you su or sudo, and run a lightweight DE with this user in another tty, just to run synaptic and things like that.   I'm assuming a user program can run a fake kde session fullscreen, but it can't capture CTRL+ALT+f8. I have to check that one, though.<br />
<br />
So, even if it was a vulnerability in Safari, it was the OS's fault if this led to a remote root login without the user entering its password. Not to mention that Safari is an Apple program, installed by default in OS-X, so there are no palliatives.</description>
			<pubDate>Sat, 29 Mar 2008 18:15:00 GMT</pubDate>
			<author>donotreply@osnews.com (wannabe geek)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: Here you go!1</title>
			<link>http://osnews.com/thread?307158</link>
			<guid isPermaLink="true">http://osnews.com/thread?307158</guid>
			<description>I believe he was being sarcastic, well that's the way I read it</description>
			<pubDate>Sat, 29 Mar 2008 18:16:00 GMT</pubDate>
			<author>donotreply@osnews.com (_txf_)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[6]: Comment by apoclypse</title>
			<link>http://osnews.com/thread?307159</link>
			<guid isPermaLink="true">http://osnews.com/thread?307159</guid>
			<description>I'm quite certain that in previous Ubuntu releases:<br />
  <br />
  iptables -L -n <br />
  <br />
  lists no rules at all.  I've checked that after more than one default install.<br />
  <br />
  <a href="http://www.linux.com/articles/55319" rel="nofollow">http://www.linux.com/articles/55319</a><br />
  <a href="https://wiki.ubuntu.com/UbuntuFirewall" rel="nofollow">https://wiki.ubuntu.com/UbuntuFirewall</a><br />
  <a href="http://tinyurl.com/377dbm" rel="nofollow">http://tinyurl.com/377dbm</a><br />
  <br />
  I did a bit of research, and it looks like they are adding something called &quot;Uncomplicated Firewall&quot; in Hardy, and perhaps now have some default iptables rules in place after the install.<br />
Edited 2008-03-29 18:23 UTC</description>
			<pubDate>Sat, 29 Mar 2008 18:22:00 GMT</pubDate>
			<author>donotreply@osnews.com (sbergman27)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>So where exactly the difference is...</title>
			<link>http://osnews.com/thread?307162</link>
			<guid isPermaLink="true">http://osnews.com/thread?307162</guid>
			<description>... between the Windows and Linux? Lack of &quot;mainstream&quot; games and ability to run MS Office 2007 on the latter?</description>
			<pubDate>Sat, 29 Mar 2008 18:38:00 GMT</pubDate>
			<author>donotreply@osnews.com (autumnlover)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[2]: Comment by apoclypse</title>
			<link>http://osnews.com/thread?307170</link>
			<guid isPermaLink="true">http://osnews.com/thread?307170</guid>
			<description>Well I meant to say in the past. I think they've included an easy to use command line firewall utility this time around and they should be working on a UI for the next release. With 7.10 many complained about Ubuntu's security compared to other distros and the Ubuntu devs heard their pleas and are now making the OS more secure (than it already is apparently). <br />
<br />
I think Ubuntu was the perfect candidate for Linux in this contest, it's the most popular distro out there and because of the market that Canonical wants to focus on the distro would be perfect to exploit. The fact that it couldn't be done even with all the third party apps that come installed with Ubuntu by default and all the binary drivers that it installs for your hardware, it just makes Linux look like a rock. <br />
<br />
The funniest thing about Apple is that they don't even acknowledge the Linux community, their focus (and I guess rightly so) is solely on Windows users. This just doesn't make them look good at all, losing to Windows is harsh,</description>
			<pubDate>Sat, 29 Mar 2008 21:00:00 GMT</pubDate>
			<author>donotreply@osnews.com (apoclypse)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: Ubuntu wins</title>
			<link>http://osnews.com/thread?307172</link>
			<guid isPermaLink="true">http://osnews.com/thread?307172</guid>
			<description><div class="cquote">I've got to be honest, I'm surprised and *very* impressed that both Vista lasted this long, and that the eventual downfall of the Vista machine was caused by non-MS code.  </div><br />
Why are you surprised?  I do not use Vista and am not particularly impressed with what I have seen of it but it has had a decent security record.  Not outstanding, but quite decent, especially for Microsoft. <br />
<br />
<div class="cquote">I'm even more impressed that Ubuntu (which doesn't run a firewall by default, and doesn't use SELinux) is still going. </div><br />
<br />
Again why?<br />
1) Ubuntu has no services listening on an external address by default.  This somewhat limits the utility or need for a firewall.  <br />
2) SELinux is not a miracle cure acting as the only line of defense on a Linux system. Properly configured SELinux makes a system more secure, no argument there.  But if all applications running on the system are patched and do not have known buffer overrun or privilege escalation vulnerabilities then a system without SELinux can still be quite secure.  The dire security need for SELinux is predicated on there being exploitable vulnerabilities on a system and an attempt to be made to use the exploit.  <br />
<br />
The trend I have been seeing on SELinux going from being seen as a tool to increase security to people arguing that a system is not secure without it is bothersome.  The absence of SELinux does not make a system inherently vulnerable to attack.  SELinux makes a system which has an exploit in need of being patched less likely to be compromised.  The key here is the application with the exploit should be patched in any case.</description>
			<pubDate>Sat, 29 Mar 2008 21:53:00 GMT</pubDate>
			<author>donotreply@osnews.com (Kokopelli)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[4]: Hmm</title>
			<link>http://osnews.com/thread?307173</link>
			<guid isPermaLink="true">http://osnews.com/thread?307173</guid>
			<description><div class="cquote">"<i>Why don't you face reality, there is no common distribution. Your comment amounts to another person saying that Toyota are the only cars because they are the most common on the street where they live and the most shown on their TV channels ... </i></div><br />
<br />
<i>Get over yourself. They only have one computer to equip with Linux, and only one distribution to run on it. Ubuntu is the most popular, whether you like it or not. </i>"<br />
<br />
Well, to be honest Mollinneuf was somewhat correct when pointing out that the EeePC has been very successful and probably is about to turn Xandros THE layman Linux distro. Ubuntu has a large mindshare within geeks and earlier adopters and the fact that ShipIt will send free CDs free of charge to whomever asks for it certainly has something to do with it but I still think that you're jumping the gun a little when saying that Ubuntu is Linux for all intents and purposes. It isn't for me and for a lot of people that I know (and I DO know personally lots of Linux users, mind you!)</description>
			<pubDate>Sat, 29 Mar 2008 22:03:00 GMT</pubDate>
			<author>donotreply@osnews.com (DeadFishMan)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[2]: Ubuntu wins</title>
			<link>http://osnews.com/thread?307175</link>
			<guid isPermaLink="true">http://osnews.com/thread?307175</guid>
			<description><div class="cquote">The trend I have been seeing on SELinux going from being seen as a tool to increase security to people arguing that a system is not secure without it is bothersome. </div><br />
<br />
Hear! Hear!<br />
<br />
I would have further described it as &quot;damned irritating&quot;, as well.  But you really hit the nail on the head, there.</description>
			<pubDate>Sat, 29 Mar 2008 22:34:00 GMT</pubDate>
			<author>donotreply@osnews.com (sbergman27)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: There's no invincible OS</title>
			<link>http://osnews.com/thread?307176</link>
			<guid isPermaLink="true">http://osnews.com/thread?307176</guid>
			<description><div class="cquote">You can't patch a user.. </div><br />
<br />
Does a swift kick from the foot to the ass count as a user-level patch?<br />
<br />
Most of the repairs I've made were to user-level stupidity. Porn sites being the main culprit.</description>
			<pubDate>Sat, 29 Mar 2008 22:43:00 GMT</pubDate>
			<author>donotreply@osnews.com (mind!dagger)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[5]: Hmm</title>
			<link>http://osnews.com/thread?307177</link>
			<guid isPermaLink="true">http://osnews.com/thread?307177</guid>
			<description><div class="cquote">Well, to be honest Mollinneuf was somewhat correct when pointing out that the EeePC has been very successful and probably is about to turn Xandros THE layman Linux distro. </div><br />
The distro that the eee pc (I have one) is <b>based upon</b> is Xandros.  It is not Xandros itself.  It is thoroughly consumerised and appliancised.  So it is questionable whether it is at all accurate to say that the eee pc runs Xandros.  And does it really matter what OS an appliance runs anyway?  Until you install a real OS, the eee pc really <b>is</b> just an appliance.<br />
 <br />
 When I got mine, the first thing I did was install Ubuntu.  I've since moved it to Fedora 8, not because I was unhappy with it, but because I wanted to get all my machines running the same distro.<br />
 <br />
 I would wager that most of the eee pc's out there are either still running as appliances, or are running, as real laptops, with something that <b>isn't</b> Xandros.<br />
 <br />
 And I'll bet that a lot of those are eeebuntu or Ubuntu.<br />
Edited 2008-03-29 22:45 UTC</description>
			<pubDate>Sat, 29 Mar 2008 22:43:00 GMT</pubDate>
			<author>donotreply@osnews.com (sbergman27)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: So where exactly the difference is...</title>
			<link>http://osnews.com/thread?307178</link>
			<guid isPermaLink="true">http://osnews.com/thread?307178</guid>
			<description><div class="cquote">... between the Windows and Linux ? Lack of &quot;mainstream&quot; games and ability to run MS Office 2007 on the latter ? </div><br />
More a matter of most Linux distros being of a &quot;batteries included&quot; nature, whereas with Windows, the user has to either go out and buy a lot of stuff to make it really useful, or steal it.<br />
<br />
With Linux, one can keep both his wallet <b>and</b> his conscience happy.  Nice troll, though. :-)</description>
			<pubDate>Sat, 29 Mar 2008 22:55:00 GMT</pubDate>
			<author>donotreply@osnews.com (sbergman27)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[2]: LMFAO</title>
			<link>http://osnews.com/thread?307181</link>
			<guid isPermaLink="true">http://osnews.com/thread?307181</guid>
			<description>No...they knew of vulnerabilities in Linux. Nobody wanted to go through the effort to do it. <br />
<br />
The glitzy got hacked first.</description>
			<pubDate>Sat, 29 Mar 2008 23:31:00 GMT</pubDate>
			<author>donotreply@osnews.com (sigzero)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: Oh no!</title>
			<link>http://osnews.com/thread?307185</link>
			<guid isPermaLink="true">http://osnews.com/thread?307185</guid>
			<description>I will never understand people who have vendettas against Macs.  It is like having a vendetta against fuzzy bunnies.<br />
Edited 2008-03-29 23:55 UTC</description>
			<pubDate>Sat, 29 Mar 2008 23:54:00 GMT</pubDate>
			<author>donotreply@osnews.com (Quag7)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[6]: Hmm</title>
			<link>http://osnews.com/thread?307186</link>
			<guid isPermaLink="true">http://osnews.com/thread?307186</guid>
			<description>I'm betting they are running Windows XP for the most part...<br />
<br />
At least that's my experience tracking a forum thread on the topic...</description>
			<pubDate>Sat, 29 Mar 2008 23:58:00 GMT</pubDate>
			<author>donotreply@osnews.com (hobgoblin)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[4]: LMFAO</title>
			<link>http://osnews.com/thread?307187</link>
			<guid isPermaLink="true">http://osnews.com/thread?307187</guid>
			<description><div class="cquote">If that is true, the following observations come to mind:<br />
<br />
1) telnet itself is obsolete because of security reasons, and sshd should be off by default in desktop systems (and regular user should not be able to turn it on).<br />
 </div><br />
The telnet service is obsolete sure.  Telnet as a client is an easy way to connect to an arbitrary service on an arbitrary port.  Taking as a random example it is a good way to connect to an exploit that is listening on a port...<br />
<br />
<div class="cquote"><br />
2)Only root should be able to open a port. </div><br />
<br />
Uh... you are aware that if a Linux distro were so ill advised as to do this it would break many things?  The idea is only root should be able to open <b>privileged</b> ports.  <br />
<br />
<div class="cquote">3) Even if arbitrary code is executed as regular user, it shouldn't be able to get root account, except, maybe , by privilege escalation. </div><br />
That is the definition of privilege escalation yes...<br />
<br />
<div class="cquote"> Privilege escalation is an issue in Linux as well (as discussed in the &quot;fakesudo&quot; thread in Ubuntu forums),  </div><br />
This has nothing to do with privilege escalation.  This is malware.<br />
<br />
<div class="cquote">but I think the risk can be avoided if you never su or sudo from your regular user account. Instead, create a new user from whom you su or sudo, and run a lightweight DE with this user in another tty, just to run synaptic and things like that.   I'm assuming a user program can run a fake kde session fullscreen, but it can't capture CTRL+ALT+f8. I have to check that one, though.<br />
<br />
So, even if it was a vulnerability in Safari, it was the OS fault if this led to a remote root login without the user entering its password. Not to mention that Safari is an Apple program, installed by default in OS-X, so there are no palliatives. </div><br />
<br />
It in theory will stop some privilege escalation attacks, but not all.  In general setting up your system like that would be too inconvenient for most normal users (especially of OS X).</description>
			<pubDate>Sun, 30 Mar 2008 00:02:00 GMT</pubDate>
			<author>donotreply@osnews.com (Kokopelli)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[2]: Finally...</title>
			<link>http://osnews.com/thread?307188</link>
			<guid isPermaLink="true">http://osnews.com/thread?307188</guid>
			<description>BSD running an Apple-made DE and other bits. And it was one of those other bits that got hit, not the BSD bit.</description>
			<pubDate>Sun, 30 Mar 2008 00:04:00 GMT</pubDate>
			<author>donotreply@osnews.com (hobgoblin)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: Comment by hhas</title>
			<link>http://osnews.com/thread?307189</link>
			<guid isPermaLink="true">http://osnews.com/thread?307189</guid>
			<description>I suspect it needs to go deep, hardware deep...</description>
			<pubDate>Sun, 30 Mar 2008 00:08:00 GMT</pubDate>
			<author>donotreply@osnews.com (hobgoblin)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[6]: Hmm</title>
			<link>http://osnews.com/thread?307191</link>
			<guid isPermaLink="true">http://osnews.com/thread?307191</guid>
			<description><div class="cquote">"<i>Well, to be honest Mollinneuf was somewhat correct when pointing out that the EeePC has been very successful and probably is about to turn Xandros THE layman Linux distro. </i></div><br />
<i>The distro that the eee pc (I have one) is <b>based upon</b> is Xandros.  It is not Xandros itself.  It is thoroughly consumerised and appliancised.  So it is questionable whether it is at all accurate to say that the eee pc runs Xandros.  And does it really matter what OS an appliance runs anyway?  Until you install a real OS, the eee pc really <b>is</b> just an appliance.<br />
 <br />
 When I got mine, the first thing I did was install Ubuntu.  I've since moved it to Fedora 8, not because I was unhappy with it, but because I wanted to get all my machines running the same distro.<br />
 <br />
 I would wager that most of the eee pc's out there are either still running as appliances, or are running, as real laptops, with something that <b>isn't</b> Xandros.<br />
 <br />
 And I'll bet that a lot of those are eeebuntu or Ubuntu. </i>"<br />
<br />
Agreed that it is an appliance based on Xandros but then Xandros is the closest thing to a Linux distro that ships with EeePC. When you turn on the &quot;advanced desktop&quot; thing, it is an Xandros KDE desktop, isn't it? I realize that there are lots of distros out there that have releases specifically for Eee but I'd bet that most people don't really change what comes with the laptop by default.<br />
<br />
Had they used a Linux From Scratch base, I'd agree with you 100% that it is not Xandros but let's face the facts: Xandros hit the home run with this one. Canonical didn't even see this one coming! I don't know how this deal helps their Linux business - if it helps at all - but let's give credit where credit is due.<br />
<br />
Disclaimer: I use Debian Lenny so I'm not a Xandros fanboy. Just pointing out that they made a great move to promote their Linux business when they managed to get their distro installed into the EeePC...</description>
			<pubDate>Sun, 30 Mar 2008 00:23:00 GMT</pubDate>
			<author>donotreply@osnews.com (DeadFishMan)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[6]: Finally...</title>
			<link>http://osnews.com/thread?307192</link>
			<guid isPermaLink="true">http://osnews.com/thread?307192</guid>
			<description>yes, I was having a laugh, sorry there is no  icon here though <img src="/images/emo/sad.gif" alt=";)" /></description>
			<pubDate>Sun, 30 Mar 2008 00:26:00 GMT</pubDate>
			<author>donotreply@osnews.com (raver31)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[2]: Oh no!</title>
			<link>http://osnews.com/thread?307196</link>
			<guid isPermaLink="true">http://osnews.com/thread?307196</guid>
			<description>Geez, is it that hard to read sarcasm?</description>
			<pubDate>Sun, 30 Mar 2008 02:20:00 GMT</pubDate>
			<author>donotreply@osnews.com (Johann Chua)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[2]: Oh no!</title>
			<link>http://osnews.com/thread?307203</link>
			<guid isPermaLink="true">http://osnews.com/thread?307203</guid>
			<description>That was awesome.</description>
			<pubDate>Sun, 30 Mar 2008 04:29:00 GMT</pubDate>
			<author>donotreply@osnews.com (google_ninja)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[5]: Hmm</title>
			<link>http://osnews.com/thread?307216</link>
			<guid isPermaLink="true">http://osnews.com/thread?307216</guid>
			<description>Ubuntu has large mindshare among geeks? The geeks I know regard Ubuntu as African for &quot;Can't install debian&quot;.<br />
<br />
Actually, the only non-geeks I know that actually use Linux at home are always using Ubuntu. The Eee PC may be gaining ground, but at least here in Norway Ubuntu is definitely the most popular distro. Especially among non-geeks.</description>
			<pubDate>Sun, 30 Mar 2008 09:49:00 GMT</pubDate>
			<author>donotreply@osnews.com (TLZ_)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>New informations about the mac exploit! Here we go!!!</title>
			<link>http://osnews.com/thread?307220</link>
			<guid isPermaLink="true">http://osnews.com/thread?307220</guid>
			<description>It seems that Miller took advantage of an overflow bug in the PCRE regex library used by webkit's JavaScript engine. <br />
<br />
<a href="http://daringfireball.net/" rel="nofollow">http://daringfireball.net/</a><br />
<br />
<a href="http://trac.webkit.org/projects/webkit/changeset/31388" rel="nofollow">http://trac.webkit.org/projects/webkit/changeset/31388</a> <br />
<br />
This means that everything which uses webkit out there is affected by this bug, including Linux distributions that use KDE.<br />
<br />
Moreover the bug is in PCRE library (<a href="http://www.pcre.org/" rel="nofollow">http://www.pcre.org/</a>), which is also used by Gnome (GLib), and KDE, and if the bug is also confirmed there (we'll wait and see) then basically all Linux distributions are affected by the same issue.<br />
<br />
But the funny thing is that the Mac lost in that contest because of a bug in an open source code!!!!<br />
<br />
Think about it, particularly the Linux fanboys that may think that Linux won the contest, it did not....</description>
			<pubDate>Sun, 30 Mar 2008 10:28:00 GMT</pubDate>
			<author>donotreply@osnews.com (Hakime)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: New informations about the mac exploit! Here we go!!!</title>
			<link>http://osnews.com/thread?307233</link>
			<guid isPermaLink="true">http://osnews.com/thread?307233</guid>
			<description>I figured it would be a problem with webkit, pretty much anyone with more than two braincells in their head would.  There is not much left in Safari that would be exploitable that is not webkit.  The strength of open source code is not that it is without flaws, it is that it is open to inspection and once a flaw is found quickly fixed.<br />
 <br />
 Based on the patch though it does not look like the problem is in PCRE itself but in Webkit calculating the length of a nested regex. The length is then used to store the compiled regex.  So now <b>this is not a flaw in PCRE</b> but one in Webkit and perhaps KHTML.  Webkit based browsers on Linux would be vulnerable to this though not the default browser for Ubuntu (or most other Gnome based distros), Firefox.<br />
 <br />
 So GLib, and other apps not using Webkit (Apache and PHP among others) are not vulnerable to this particular attack.<br />
<br />
EDIT: Nice sensationalist post without fact checking though.<br />
Edited 2008-03-30 14:09 UTC</description>
			<pubDate>Sun, 30 Mar 2008 13:59:00 GMT</pubDate>
			<author>donotreply@osnews.com (Kokopelli)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[2]: New informations about the mac exploit! Here we </title>
			<link>http://osnews.com/thread?307235</link>
			<guid isPermaLink="true">http://osnews.com/thread?307235</guid>
			<description>Good post.  And thanks for clearing up hakime's disinformation with actual facts.</description>
			<pubDate>Sun, 30 Mar 2008 14:40:00 GMT</pubDate>
			<author>donotreply@osnews.com (sbergman27)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[3]: Awesome</title>
			<link>http://osnews.com/thread?307241</link>
			<guid isPermaLink="true">http://osnews.com/thread?307241</guid>
			<description><div class="cquote">That wasn't the original poster's point. The guy who broke safari knew about the exploit before the  contest but had not informed Apple but waited till the contest. </div><br />
 <br />
 And what's wrong about that? Why miss the opportunity to earn 10k and a laptop? You'd be a fool if you didn't do it. Edited 2008-03-30 15:56 UTC</description>
			<pubDate>Sun, 30 Mar 2008 15:56:00 GMT</pubDate>
			<author>donotreply@osnews.com (Gryzor)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[3]: Finally...</title>
			<link>http://osnews.com/thread?307244</link>
			<guid isPermaLink="true">http://osnews.com/thread?307244</guid>
			<description>Where is it implied that they are vulnerable? <br />
<br />
I really would like to see where this is stated.</description>
			<pubDate>Sun, 30 Mar 2008 16:28:00 GMT</pubDate>
			<author>donotreply@osnews.com (aesiamun)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: New informations about the mac exploit! Here we go!</title>
			<link>http://osnews.com/thread?307259</link>
			<guid isPermaLink="true">http://osnews.com/thread?307259</guid>
			<description>Okay. So if Linux didn't win, what did? If Ubuntu was the last man standing doesn't that count as a win? You also have to remember that the one used was Ubuntu, a gnome based distro, and even though you mentioned that the error is also in glib apparently it was not exploitable. So it has to be an issue with the OS itself to allow the hack to get through. Besides that KDE is NOT using webkit, they are still using their own kde specific library and are planning to move to webkit soon, but the change hasn't happened and many are not happy with that decision.  <br />
<br />
Blaming the library then pointing at Linux, when Linux isn't the end all be all of the OSS universe is kind of stupid. Apple uses open source software in their products as well including webkit which they maintain so the blame falls only on Apple and not the Linux community which has very little to nothing to do with the webkit or the libraries used therein.</description>
			<pubDate>Sun, 30 Mar 2008 20:10:00 GMT</pubDate>
			<author>donotreply@osnews.com (apoclypse)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>would Smoothwall have saved them ?</title>
			<link>http://osnews.com/thread?307261</link>
			<guid isPermaLink="true">http://osnews.com/thread?307261</guid>
			<description>hi guys,<br />
<br />
given the info we have on the hacks, I'm curious to know if a firewall such as Smoothwall or similar would have prevented the compromises (given that one of the two hacks used telnet via a port assigned during a webpage view)<br />
<br />
anyone have any ideas about that ????<br />
<br />
cheers<br />
anyweb</description>
			<pubDate>Sun, 30 Mar 2008 20:18:00 GMT</pubDate>
			<author>donotreply@osnews.com (anyweb)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[7]: Comment by apoclypse</title>
			<link>http://osnews.com/thread?307262</link>
			<guid isPermaLink="true">http://osnews.com/thread?307262</guid>
			<description>When I reviewed Ubuntu 7.04 in 2007 (30 days with Ubuntu 7.04) I found that iptables had no rules set up whatsoever.<br />
 <br />
 Please see here:-<br />
 <br />
 <a href="http://linux-noob.com/review/ubuntu/7.04/part2.html#bittorrent" rel="nofollow">http://linux-noob.com/review/ubuntu/7.04/part2.html#bittorrent</a>  <br />
 <br />
 and I quote:-<br />
 <br />
 <b><br />
 <br />
 &quot;For a change, I decided to take it easy and not configure/fix/install anything, so I tested bittorrent in Ubuntu, and guess what, it worked, first time, with no questions. But, that did lead me to check the firewall status which apparently is non-existent (and yes I'm aware of the Firestarter application):-<br />
 <br />
 root@anyweb-laptop:~# iptables -L<br />
 Chain INPUT (policy ACCEPT)<br />
 target prot opt source destination<br />
 <br />
 <br />
 Chain FORWARD (policy ACCEPT)<br />
 target prot opt source destination<br />
 <br />
 <br />
 Chain OUTPUT (policy ACCEPT)<br />
 target prot opt source destination<br />
 <br />
 <br />
 Why are there no iptables rules defined at all?, seems strange in a modern day linux distro (much like the lack of default screensaver password) described earlier.&quot;</b> Edited 2008-03-30 20:34 UTC</description>
			<pubDate>Sun, 30 Mar 2008 20:27:00 GMT</pubDate>
			<author>donotreply@osnews.com (anyweb)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: would Smoothwall have saved them ?</title>
			<link>http://osnews.com/thread?307264</link>
			<guid isPermaLink="true">http://osnews.com/thread?307264</guid>
			<description>Assuming the client machine was behind a dedicated firewall such as shorewall the exploit on the Mac would not have succeeded in its current fashion.  At that stage the exploit would have to initiate the socket connection with the hacker's machine rather than just opening a port.  This is more difficult and depending on configuration of the firewall even this might not have been possible.  <br />
  <br />
  Generally when you have a dedicated firewall you specify the type and port of traffic allowed in both directions. This is less common on local firewalls, where the most common configuration is to restrict incoming but not outgoing connections.<br />
  <br />
  Also I would like to note that while I argue that a firewall on a system without any open ports is less critical, it very likely would have prevented the OS X exploit since the FW would have blocked the opened socket.  This is an argument in favor of having a default firewall that blocks all incoming ports unless specifically opened. Personally I run shorewall on all my boxes whether they have any services running or not.<br />
  <br />
  I have not looked at the Vista exploit so can't really comment one way or the other on that.<br />
 <br />
 EDIT: The statements above are under the assumption that the OS X exploit opened an unprivileged port allowing the hacker telnet into the box.  I have not seen anything definite on how the flaw was actually exploited but that seems to be the consensus. Edited 2008-03-30 20:48 UTC</description>
			<pubDate>Sun, 30 Mar 2008 20:40:00 GMT</pubDate>
			<author>donotreply@osnews.com (Kokopelli)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[5]: LMFAO</title>
			<link>http://osnews.com/thread?307302</link>
			<guid isPermaLink="true">http://osnews.com/thread?307302</guid>
			<description><div class="cquote"><br />
<br />
<br />
Uh... you are aware that if a Linux distro were so ill advised as to do this it would break many things?  The idea is only root should be able to open <b>privileged</b> ports.   </div><br />
<br />
Well, I was assuming some firewall beyond iptables (something like firestarter) was present. I don't know how much safer it makes the system, but I tend to use them. It doesn't come by default in Ubuntu, though.<br />
<br />
<br />
<div class="cquote"><br />
"<i> Privilege escalation is an issue in Linux as well (as discussed in the &quot;fakesudo&quot; thread in Ubuntu forums),  </div><br />
This has nothing to do with privilege escalation.  this is malware.<br />
 </i>"<br />
<br />
Right, maybe my usage of &quot;privilege escalation&quot; was incorrect, but &quot;malware&quot; is too general. What I meant is dialog spoofing and similar strategies, where you first control the user account and then get the root password from the user input. That's what the fakesudo thread was about.<br />
<br />
<div class="cquote"><br />
It in theory will stop some privilege escalation attacks, but not all.  In general setting up your system like that would be too inconvenient for most normal users (especially of OS X). </div><br />
<br />
I've been using this setup for a few months in Linux. I expected OSX to have something more convenient and about as safe. I haven't heard of a better way to avoid dialog spoofing attacks, but I'm open to suggestions. <img src="/images/emo/smile.gif" alt=";)" /></description>
			<pubDate>Sun, 30 Mar 2008 23:55:00 GMT</pubDate>
			<author>donotreply@osnews.com (wannabe geek)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>time</title>
			<link>http://osnews.com/thread?307330</link>
			<guid isPermaLink="true">http://osnews.com/thread?307330</guid>
			<description>There's one more important factor we should not forget: time.<br />
<br />
Leopard is the youngest operating system in the test. That means less time to patch security flaws.</description>
			<pubDate>Mon, 31 Mar 2008 04:43:00 GMT</pubDate>
			<author>donotreply@osnews.com (SK8T)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: Ubuntu wins</title>
			<link>http://osnews.com/thread?307335</link>
			<guid isPermaLink="true">http://osnews.com/thread?307335</guid>
			<description>Flash doesn't even come with Windows by default, so should that even count?</description>
			<pubDate>Mon, 31 Mar 2008 05:44:00 GMT</pubDate>
			<author>donotreply@osnews.com (eggs)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[4]: Finally...</title>
			<link>http://osnews.com/thread?307339</link>
			<guid isPermaLink="true">http://osnews.com/thread?307339</guid>
			<description><div class="cquote">Where is it implied that they are vulnerable? I really would like to see where this is stated. </div><br />
<br />
Read for comprehension. I said they implied they were invulnerable compared to a PC.</description>
			<pubDate>Mon, 31 Mar 2008 06:24:00 GMT</pubDate>
			<author>donotreply@osnews.com (tomcat)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE[2]: There's no invincible OS</title>
			<link>http://osnews.com/thread?307340</link>
			<guid isPermaLink="true">http://osnews.com/thread?307340</guid>
			<description><div class="cquote">That said, people are still safer with Mac than with Windows. Because the fact of the matter is that, for whatever reason (it doesn't matter), Windows users are the ones under siege. </div><br />
<br />
It's this kind of denial and complacency which has led Apple to fall on its face over security. Personally, I'd rather use an OS from a supplier that has shown willingness and demonstrable success in improving security. At least Microsoft has that going in its favor.</description>
			<pubDate>Mon, 31 Mar 2008 06:37:00 GMT</pubDate>
			<author>donotreply@osnews.com (tomcat)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: h</title>
			<link>http://osnews.com/thread?307343</link>
			<guid isPermaLink="true">http://osnews.com/thread?307343</guid>
			<description>Leopard may indeed be the most recently released of the bunch, but just like Windows and Linux it is based off of pre-existing code. Webkit wasn't released yesterday, the issue probably existed before but was never exploited. The reason the exploit is a big deal is that it also affects the iPhone. As it was pointed out, the guy who found the exploit also found similar issues with Safari on the iPhone. It was obvious that the app is unsafe, the stupid thing let you hack the device by using a tiff file. Blaming on the time is kind of lame. Safari is on version 3 which should be enough versions to at least make the browser safe. Apple doesn't have their eye on security and probably won't until they go through the same experience that MS had.</description>
			<pubDate>Mon, 31 Mar 2008 06:57:00 GMT</pubDate>
			<author>donotreply@osnews.com (apoclypse)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>Three words ...</title>
			<link>http://osnews.com/thread?307374</link>
			<guid isPermaLink="true">http://osnews.com/thread?307374</guid>
			<description>Apple products suck.<br />
<br />
I have an iPod.  I'm really dissatisfied with it.  It doesn't let me sync, or even manually copy, with any other media player other than iTunes.  Your iPod will become bricked if you try to sync it with anything other than iTunes (I've tried twice with Amarok), albeit, it does automatically repair to factory settings next time you sync it with your iTunes on the original computer you synced it with.<br />
<br />
That is ridiculous.  I should be able to sync it with anything, with any computer.  I legally purchased my music, and should be able to copy it to whatever device or PC I want, without artificial restrictions.  I should also have an easy means of disaster recovery, which was the original reason I tried to sync my iPod with another iTunes installation (so that I could copy music from my iPod to the second PC after the original machine died).  When it would not let me do it, I was completely furious.  It was a huge time waster, and I had to rip my CDs again.  F&amp;^% Apple. <br />
<br />
And the fact that you can't easily replace the battery is a joke.  You have to take it to third parties and pay them to replace it for you, or you have to go to an Apple store and pay for a new iPod (at a reduced price).<br />
<br />
How about this, Apple - just let me go to Longs or Radio shack and buy friggin standard battery for $10 or so, and easily put it in myself?  I don't give a rats ass about the sleek design or the compactness.  I just want to easily replace the friggin battery when it dies, just like every other product on the market.<br />
<br />
And iTunes sucks.  It's butt ugly, it's slow, and any purchased music is wrapped in Apple DRM, which can't be used with any other device other than iPod.  <br />
<br />
And Safari sucks.  It is indeed fast as Apple claims, but it too is butt ugly and has fuzzy fonts.  And the iTunes and Quicktime updates try to force a Safari install if you aren't paying attention.<br />
<br />
My iPod is my first Apple product.  It will be my last.  I did research it, and compared it to other MP3 players, and asked lots of different people.  Yes, it's sleek, has a great interface, and syncing with iTunes is very easy.  But the other restrictions and inconveniences are infuriating.<br />
<br />
To add to all that, Steve Jobs is a world class prick, and treats his employees like dog poop.  Generally speaking, I like doing business at establishments that treat their employees well, because I generally get better products and services that way.  That's why I shop at places like Trader Joes and Costco (among other reasons) - their employees seem happy.<br />
<br />
I think Apple products are the Heather Mills of tech products.  Sure, pretty and seemingly friendly at first.  But then they'll rake you over the coals and try to take your money and leave you.<br />
<br />
Just like Paul McCartney was stupid to be suckered in by a young pretty face after losing his beloved Linda to cancer, I was stupid by being suckered into the pretty interface iPods offer.<br />
<br />
And if all the Apple zealots don't like what I've said, tough.  I'm a dissatisfied paying customer.  Deal with it.</description>
			<pubDate>Mon, 31 Mar 2008 16:22:00 GMT</pubDate>
			<author>donotreply@osnews.com (JeffS)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: There's no invincible OS</title>
			<link>http://osnews.com/thread?307823</link>
			<guid isPermaLink="true">http://osnews.com/thread?307823</guid>
			<description>Of all the stuff that has been written so far, this scares me the most -- even if Apple and Microsoft wrote perfect, secure code as soon as a user is involved any hope of security goes out the window. In a default &quot;out of the box&quot; install the first user on a Mac is an admin account, maybe I need to go and read the fine print of the contest and this wouldn't be allowed, but with an admin account on a Mac and the user will run the application for me root access is 6 clicks. While I appreciate the inventiveness of the folks that cracked this -- 3 weeks of work for something that would take 10 minutes on the phone with a user seems a little silly.  And while it might take more than 6 clicks, I am sure that Vista would fail the same way, and the only saving grace for the *nix OS (yes I know OSX is a *nix OS but the world seems to think it is different (at least that's what Apple says)) is that the users tend to be a little more in tune with security.  As soon as Mom and Dad buy an ubuntu box from Wal-Mart or Dell, even that differential will go away.  Seems like the security folks are looking in the wrong direction and would rather people bought the latest super duper security suite version 10.</description>
			<pubDate>Wed, 02 Apr 2008 23:11:00 GMT</pubDate>
			<author>donotreply@osnews.com (andyfisk)</author>
			<category>Comments</category>
		</item>

		<item>
			<title>RE: Three words ...</title>
			<link>http://osnews.com/thread?307827</link>
			<guid isPermaLink="true">http://osnews.com/thread?307827</guid>
			<description>So your concern about OS security is that you can't buy a battery for your ipod or sync with something other than itunes?<br />
You know there are other MP3 players on the market -- and if you stop paying Apple for iPods and buy another brand with the features you want, maybe Apple will respond to the market and you would be less cranky.</description>
			<pubDate>Wed, 02 Apr 2008 23:28:00 GMT</pubDate>
			<author>donotreply@osnews.com (andyfisk)</author>
			<category>Comments</category>
		</item>
	</channel>
</rss>
