Daniel Eran Dilger

CanSecWest and Swiss Federal Institute of Tech Deliver Attacks on the Reality of Mac Security

In back-to-back press releases carrying payloads of sensationalized misinformation, two apparently unrelated groups launched attacks on Mac OS X’s reputation for delivering better real-world security to its users than Microsoft’s Windows. In the first, a contest held at the CanSecWest Applied Security Conference, sponsored in part by Microsoft, suggested that hacking a MacBook Air was faster than hacking the Fujitsu Windows Vista laptop or the Sony Ubuntu laptop set up beside it. Thousands of miles away, the Swiss Federal Institute of Technology engaged in Vulnerability Numerology to declare that Apple’s operating system had fewer promptly patched software vulnerabilities than Windows. The premise behind both widely publicized stories is wrong; here’s why.

Charlie Miller Cracks a Mac in Two Minutes at CanSecWest.
Echoing last year’s CanSecWest event, where security researcher Dino Dai Zovi’s exploit was used to access files on a Mac after the contestants were allowed to guide an automated user to a tainted website from the laptop, this year’s contest was won in two minutes by Dai Zovi’s frequent collaborator, Charlie Miller. No contestant got into any of the machines over the first day of the contest, when only direct attacks over the network were allowed.

On day two, Miller’s team won quickly after the rules were relaxed to allow contestants to send emails to an automated user or direct it toward a malicious web server they had set up. While the quick win makes for a perfect headline and reflects the Hollywood image of “hackers” who twiddle on a keyboard and almost instantly “access the mainframe” while a counter runs in the background, a more intelligent question is: why did the Mac get hacked first, and why was the attack so quick?

The easy answer is that nobody had any political reason to attack Windows first at an event sponsored by Microsoft; when the Vista laptop did fall the following day, through a flaw in Adobe’s third-party Flash plugin, it drew a fraction of the coverage. Such an exploit simply isn’t newsworthy. The speed of the attack also has something to do with the business of security researchers like Miller, who have clearly expressed the intent to repeatedly prove that Macs (and the iPhone) are as easy to exploit as Windows-based systems. More on that in a moment.

It is an uncontroversial fact that Windows PCs suffer under the threat of tens of thousands of real world viruses, are routinely infected by malware and often unwittingly participate in spam and adware botnets, while Mac systems have no viruses, and no significant real world malware, spyware or botnet problems. However, there is a constant din of pundits, researchers, and security product salesmen who insist that Macs not only have serious security problems, but may actually suffer from more vulnerabilities than Windows PCs. How can these two contradictory ideas possibly be harmonized?

Gone in 2 minutes: Mac gets hacked first in contest – Yahoo! News
InfoWorld Publishes False Report on Mac Security

Attacking the iPhone.
Miller has worked hard to establish his reputation as a security expert, and for any security expert that means demonstrating the ability to discover high-profile attacks on notable targets. Last year, Miller described a heap overflow in the iPhone’s Safari that lived in the open source Perl Compatible Regular Expressions (PCRE) library used by its JavaScript engine (CVE-2007-3944, linked below). A separate flaw in the open source libtiff image library was the one the jailbreak community used to install their own software on the iPhone by working around Apple’s security barrier. Both had the same shape: a malicious party could inject code onto an unpatched iPhone simply by directing it to an exploiting website.

His attack on the iPhone’s security delivered Miller significant notoriety, but his discovery, even after being widely published, did not result in any malware industry popping up around the millions of iPhones being sold to well-heeled users. Why not? For starters, the PCRE flaw was patched in iPhone 1.0.1 within days of its disclosure, and the libtiff flaw within weeks of the jailbreak that used it; there was only a short window of open vulnerability to exploit. Malware writers would have to return to the drawing board repeatedly in order to keep their iPhone attacks valid, just as the jailbreak community had to regularly rework their efforts to maintain the ability to install their unsupported (but non-malicious) apps on the iPhone.

The work of attacking the security barriers on the iPhone in order to maintain the ability to install unsupported apps has continued for months, and has kept the iPhone open to installing these applications since the first workaround was discovered. Why hasn’t the horde of spyware and spammer villains attacked the iPhone using the same tools? As I noted earlier, the iPhone does not actually offer much of an attractive target for malware authors because:

  • the installed base is currently too small to be used for botnet spamming,
  • the network uplink speed is also too slow and/or spotty to be used for spamming,
  • unlike wide-open Windows, the iPhone is closed and any open exploits can be pinched off quickly,
  • software updates on the iPhone are much easier to deliver and install than PC updates,
  • unlike a PC, the iPhone can be instantly cleaned up by plugging it into iTunes and hitting Restore.

So despite Charlie Miller’s disdainful evaluation of the iPhone’s security, the phone has seen no real world security epidemics; even if a virus were delivered for it, the amount of problems it could cause would be limited by the easy to restore design of the device. Miller has noted significant flaws in the device, but those flaws have been irrelevant in terms of real threats facing users. In theory, the iPhone has been exploitable; in practice, it has not been exploited.

Kim Zetter and the iPhone Root Security Myth
UnWired! Rick Farrow, Metasploit, and My iPhone Security Interview
About Security Update 2007-007: CVE-ID: CVE-2007-3944

The Theory of Vulnerability.
Many of those same principles that prevented Miller’s prognostication of dire woe for iPhone users from coming to pass have similarly protected Mac users from actually suffering from any of the theoretical vulnerabilities reported for their platform. While Windows Enthusiasts like to suggest that the only thing preventing a Mac malware meltdown is the platform’s relatively low market share compared to Windows, that idea is both wrong and deceptively simplistic.

First, Mac market share has risen in specific markets to the point where, if there were real vulnerabilities that left it wide open to attack like Windows, it would be facing real problems. While Apple sells a small proportion of the total worldwide market for all PC desktops, workstations, and servers, it now sells over 8% of all the computers sold in the US.

Further, Apple’s low penetration into the enterprise market means that Apple’s 8% of the total US market is actually a 10 to 20% or higher percentage in the home, SOHO, and education markets. Still, we don’t see Apple suffering from 10 to 20% of the malware out there in the wild; Macs effectively have no malware to worry about, and few users even run anti-virus software. There is also currently no need for spyware clean and repair utilities at all. Macs don’t have a fractional tenth of Windows’ problems; they have no real world security problems at all.

Even more damning to the pundits’ logic, the markets where Apple is strongest are exactly those where malware is most prevalent. Who writes spyware aimed at attacking servers supervised by professional IT staff and protected by sophisticated firewalls? Macs should be a prime target for spyware and identity thieves, as the Mac user demographic tends to have more money to steal. The fact that Apple’s installed base lies directly on top of the most attractive target for malware authors, yet has zero viruses and no significant real-world malware problem, says more about the reality of vulnerabilities than any amount of statistical hokum churned out by people trying to bait links and suggest that up is down.

10 FAS: 10 – Apple’s Mac and iPhone Security Crisis

Swiss Swing and a Miss.
Which brings us to the report issued by the Swiss Federal Institute of Technology. Following in the footsteps of such luminaries as ZDNet Apple hater George Ou, the group reported its findings after looking “at how many times over the past six years the two vendors [Apple and Microsoft] were able to have a patch available on the day a vulnerability became publicly known, which they call the 0-day patch rate,” according to a report by IDG.

Their conclusion: “the number of unpatched vulnerabilities are higher at Apple.” That conclusion gave IDG such a ripe opportunity for sensationalizing that the author of the IDG article threw in a bizarre disclaimer at the end. The study was “such a glowing affirmation of Microsoft’s increased focus on security in the past few years that it prompted [Andrew Cushman, director of Microsoft’s Security and Research] to ask [study researcher Stefan] Frei, ‘Did Microsoft fund this research?’ ‘This is independent academic research,’ Frei replied.”

Why would IDG feel the need to note that Microsoft didn’t pay for this, and why would a Microsoft research director think to ask if his company had paid for the results of such a study? Because Microsoft is well known for funding “research” that serves to promote its marketing goals. However, we don’t even need to doubt the funding of the study in order to discard it as irresponsible garbage.

Vista vs Mac OS X Security: Why George Ou’s ZDNet Vulnerability Numerology is Absurd
security.itworld.com – Microsoft vs. Apple: Who patches 0-days faster?
PdfMeNot.com – 0-Day Patch Study

Why the Swiss Study was Fatally Flawed.
The main tipoff that the study was completely worthless is that it neatly compares “0-day” patches across unrelated platforms. Three main points below describe specifically why this is inherently flawed. As an introduction: a 0-day patch is one delivered the same day the exploitable flaw that it corrects becomes publicly disclosed.

Many theoretical exploits are fixed at or before they are publicly disclosed, while other flaws linger for weeks, even years, before being patched. A publicly known but unpatched flaw sounds more dangerous than one hiding behind the veil of “security by obscurity,” but many flaws are discovered by malicious parties and sold or directly exploited before they are ever disclosed, let alone patched. A 0-day patch rate therefore only measures a vendor’s performance well for flaws the vendor itself learned of first. The study simply ignored discovered but undisclosed flaws, no doubt because they are obviously more difficult to identify and write papers about. They are not any less dangerous to users, however.

Windows is plagued by many discovered but undisclosed and unpatched flaws; Mac OS X is not; there are zero viruses and no real world malware problems dogging Mac users. But ignore all that for a moment to take a look at why the very specific study on 0-day patches is so very wrong in three significant areas.

1. The scope and relative threat posed by a specific vulnerability is lost in the aggregated statistics that Vulnerability Numerologists like to report. Windows’ infamous “shatter attack,” an extremely serious, fundamental flaw in the architecture of Windows, was only just addressed in Vista. The flaw was not some simple buffer overflow error; Microsoft designed Windows NT/2000/XP in such a way to give all services within the interactive desktop the same, communally high privileges. The gravity of this extremely poor design decision was widely reported back in 2002, but never fully addressed until the release of Vista, which many Windows users still cannot or will not deploy for various reasons.

Windows XP and Server versions prior to 2008 are still exposed to shatter attacks, but “researchers” would give this grave flaw a single count on their tally list. This is just one example of how irresponsible and ignorant it is to compare vulnerabilities by numerical count across unrelated systems. Mac OS X does not suffer from Windows’ overloaded services architecture, nor the resulting shatter attacks, because it inherits the Unix model of isolated processes with separate privileges: Apple’s system daemons do not sit on the user’s desktop as windowed processes, so there is no privileged window for a low-privilege program to send messages to.

Unix has been pulled apart and examined by academia for decades, and individual utilities and software packages are commonly open to public scrutiny, as is Apple’s entire core OS of Darwin, the Mach/BSD hybrid that serves as the foundation for Mac OS X. Microsoft’s Windows kernel and its core OS foundation has not benefitted from such independent review and examination on a similar scale.

Studying counts of 0-day patches issued and plotting the delivery dates of patches relative to the public disclosure of the flaws they address strains out the gnat and gulps down the camel in a brain dead effort to analyze irrelevant statistics that have only a tenuous association with real security.

Five Windows Flaws – 1: Windows’ Interactive Services

2. Microsoft’s operating system is entirely closed source. Relatively few third party researchers have inside access to see how it works, and therefore can’t as easily discover flaws before they are patched. The top half of Apple’s Mac OS X is also closed source, and Apple similarly releases patches for flaws nobody outside the company was aware of. The difference is that when Microsoft patches unknown flaws, the media hails it as proactive, while every time Apple releases a patch, tech pundits riffle through it, recounting the number of flaws that nobody knew existed, and then work to sensationalize this into the message that Apple’s software is riddled with problems. This is grossly hypocritical, yet occurs with clockwork precision every time Apple releases a security patch.

However, there is something even more grotesquely self serving and dishonest that Vulnerability Numerologists love to do. Flaws in Windows are always tallied up as bugs found exclusively in the Windows kernel, shell, and its core bundled utilities. Flaws in Internet Explorer, Microsoft’s server products such as Exchange email, IIS web services, and other software are nearly always excluded; each product has a significant list of flaws that grant it its own listing. However, for Mac OS X and Linux, Vulnerability Numerologists count all of the flaws reported for every open source package associated with the distribution, including the web browser, email and web servers, and all related libraries and packages.

One could reasonably argue that a flaw in Microsoft’s IIS wouldn’t affect desktop users, few of which would be using the service. However, these same “researchers” will gleefully tally up vulnerabilities found in PHP, Apache, Samba, and every other open source product bundled with Mac OS X (or Linux), regardless of whether such tools are likely to be in use, or even exposed to actual exploit. This is also grossly hypocritical and dishonest, yet characterizes every vulnerability diatribe.

The other side of the same coin is that security researchers, like CanSecWest contest winner Miller, can easily discover flaws in open source software, sit on them unreported, then dramatically employ them at events like CanSecWest to demonstrate being able to hack Mac OS X in minutes. Clearly, Miller knew what exploit he would use long before day two of the contest gave him sufficient machine access in order to use it.

The problem is, Miller’s intimate familiarity with the flaws in open source packages used by Mac OS X is not resulting in a real security problem for Macs in actual use outside of carefully planned security contests. Miller is focusing attention on the weaknesses of open source, but in reality that openness is a strength. Apple can and does leverage the input of the community to incorporate security fixes for all of the packages it ships with Mac OS X. I’m sure Miller’s attack is directed at Apple, not open source, but his method mines the openness of the community for ammunition, and in sitting on a fixable flaw until contest day he acts more like a black hat than a researcher.

Microsoft’s flaws in Windows are hidden, and while supposedly not as well known as the flaws in open software, they’re also not addressed by the same community mechanism that constantly hardens Mac OS X and other distributions of Unix and Linux. Many researchers argue that Apple should be quicker to incorporate updates to the open source packages it bundles with Mac OS X, and Apple’s slowness does expose some risk. However, the majority of expert users with a need for hardened security also have the option of obtaining and installing newer versions of those open source libraries and packages themselves; Windows users don’t.

Open source is a strength; fixating on 0-day statistics while comparing unrelated numbers of vulnerabilities across two different platforms is an effort in proving that the trees in a forest can’t be seen through the forest itself, when they obviously can to anyone not trying to prove otherwise.

Apple’s Open Source Assault
Microsoft’s Unwinnable War on Linux and Open Source

3. A third problem with the Swiss study relates directly to its “0-day” focus. Every open source package on Earth has both full transparency (its code is wide open for security experts to explore) and has documented notes on its revision progress. Apple bundles lots of these packages into Mac OS X. That makes it trivially easy for “security researchers” to tally up numbers of known and disclosed issues, and compare them to what Apple is shipping. Microsoft doesn’t include open source projects as part of a Windows distribution, so researchers have to do lots of actual work to discover problems in Windows and report them.

Despite Windows’ advantage of code secrecy and its resulting “security by obscurity,” there are still similar numbers of bugs found in Windows compared to Mac OS X and all of the open source libraries that ship with it. The study in question looked at “658 vulnerabilities affecting Microsoft products and 738 affecting Apple [and the open source projects Apple ships in Mac OS X].”

It should come as no surprise that flaws in the open software Apple uses are often publicly disclosed before Apple ships a patch, and that flaws in Windows’ closed code are less likely to go public before being patched. To clarify the timing of the discovery, reporting and patching of flaws, the study defined four points along the lifecycle of a vulnerability:

  • discovery time: when the flaw is first discovered (commonly internally for closed source code)
  • exploit time: when a virus or hacker tool of some sort is developed to exploit the flaw
  • disclosure time: when the discovery of the flaw is publicly announced
  • patch time: when the vendor solves the flaw with a workaround or patch

A 0-day patch would be one where the vendor releases a patch the same day as its disclosure. This is easier to do if only the vendor knows about the flaw’s discovery. Microsoft therefore has a huge advantage in issuing 0-day patches, because it patches flaws that are not exposed in open source. Apple’s use of open source presents many opportunities for third parties to discover a flaw and disclose it before Apple can deliver an official patch.

Also notable in the Swiss study is that it refused to acknowledge a patch supplied by a third party. That means its 0-day numbers are biased toward closed source, in that the vendor will usually discover its own flaws first, and biased against open source, in that fixes published by the open source project itself do not count; only a patch officially distributed by Apple does. On the other hand, the study defines a patch as any sort of workaround or instruction on how to avoid the flaw, whether or not that information is effectively communicated to users.

So if Microsoft publishes a Knowledge Base entry telling users not to perform a certain action that would result in exploitable vulnerability, it has “patched” a flaw. Conversely, if Apple bundles a version of an open source library that contains a flaw that can be patched by third parties (as was the case with the iPhone’s libtiff flaw, which was patched by the community before Apple addressed it), the flaw is still regarded as unpatched. But hold on, things get worse.

The Colors of Risk.
The Swiss study also defines three colors of risk describing periods of time before or after a vulnerability discovery or patch:

  • Black Risk: the time between discovery and disclosure, where the public is unaware of a known, exploitable problem
  • Grey Risk: the time between public disclosure and patch availability, where the public is aware of a flaw but does not yet have a solution for it
  • White Risk: the time between patch availability and its installation, where the public has access to a patch but has not yet installed it
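To make the study’s definitions concrete, the following is an added example written for this page, not code from the study, IDG, or Apple. It models the four lifecycle points defined earlier (discovery, exploit, disclosure, patch), scores a flaw as a 0-day patch when a fix exists on or before its disclosure date, and computes the three risk windows above (Black, Grey, White) for each record. The counting rule is a parameter, so you can see how the same records score when an upstream open source fix counts as a patch (which the study refused to allow) versus when a vendor-published workaround counts (which the study did allow). The vulnerability records, their dates, the vendor labels and the March 2008 cut-off are all constructed for illustration and are not real CVEs.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

TODAY = date(2008, 3, 31)  # assumed cut-off date for flaws still unpatched (constructed)


@dataclass(frozen=True)
class Vuln:
    """One flaw's lifecycle: the study's four points plus two fix dates it ignored."""
    name: str
    vendor: str
    discovered: date                      # discovery time
    disclosed: date                       # public disclosure time
    vendor_patch: Optional[date]          # official vendor patch; None = not shipped
    upstream_fix: Optional[date] = None   # fix published by the upstream open source project
    workaround: Optional[date] = None     # vendor-published mitigation (e.g. a KB note)
    exploit: Optional[date] = None        # exploit time, when a public exploit appeared


def effective_patch(v: Vuln, policy: str) -> Optional[date]:
    """Date on which the flaw counts as 'patched' under a counting rule.

    'vendor'     - only the vendor's own patch counts (how the study scored Apple)
    'workaround' - a published workaround also counts (the study's 'patch or workaround')
    'upstream'   - a fix from the upstream open source project also counts
    """
    candidates = [v.vendor_patch]
    if policy == "workaround":
        candidates.append(v.workaround)
    elif policy == "upstream":
        candidates.append(v.upstream_fix)
    elif policy != "vendor":
        raise ValueError(f"unknown policy {policy!r}")
    dated = [d for d in candidates if d is not None]
    return min(dated) if dated else None


def is_zero_day_patch(v: Vuln, policy: str = "vendor") -> bool:
    """0-day patch: a fix was available on or before the disclosure date."""
    p = effective_patch(v, policy)
    return p is not None and p <= v.disclosed


def risk_windows(v: Vuln, policy: str = "vendor",
                 installed: Optional[date] = None, today: date = TODAY) -> Dict[str, int]:
    """Days of Black (discovery->disclosure), Grey (disclosure->patch) and
    White (patch->install) risk for one flaw; unpatched flaws stay grey until today."""
    p = effective_patch(v, policy)
    black = (v.disclosed - v.discovered).days
    if p is None:
        return {"black": black, "grey": (today - v.disclosed).days, "white": 0}
    grey = max((p - v.disclosed).days, 0)            # patched early -> no grey period
    white = max(((installed or today) - p).days, 0)  # not yet installed -> exposed until today
    return {"black": black, "grey": grey, "white": white}


def zero_day_patch_rate(vulns: List[Vuln], vendor: str, policy: str = "vendor") -> float:
    """Fraction of one vendor's flaws that count as 0-day patched under the rule."""
    mine = [v for v in vulns if v.vendor == vendor]
    return sum(is_zero_day_patch(v, policy) for v in mine) / len(mine)


# Constructed sample records (illustrative names and dates, not real CVEs).
SAMPLE = [
    # Apple-like: flaws in bundled open source packages, fixed upstream at
    # disclosure, shipped by the vendor weeks later.
    Vuln("regex-lib overflow", "Apple", date(2007, 6, 20), date(2007, 7, 1),
         vendor_patch=date(2007, 7, 31), upstream_fix=date(2007, 7, 1)),
    Vuln("image-lib overflow", "Apple", date(2007, 9, 10), date(2007, 9, 10),
         vendor_patch=date(2007, 11, 15), upstream_fix=date(2007, 9, 10),
         exploit=date(2007, 10, 11)),
    Vuln("closed-source kernel bug", "Apple", date(2007, 10, 1), date(2007, 11, 14),
         vendor_patch=date(2007, 11, 14)),
    Vuln("still open", "Apple", date(2008, 1, 5), date(2008, 1, 20), vendor_patch=None),
    # Microsoft-like: closed source, so most flaws are found in-house and disclosed
    # with the patch; one externally found flaw got a KB workaround, then a patch.
    Vuln("internal find A", "Microsoft", date(2007, 5, 1), date(2007, 6, 12),
         vendor_patch=date(2007, 6, 12)),
    Vuln("external find w/ KB", "Microsoft", date(2007, 8, 1), date(2007, 8, 1),
         vendor_patch=date(2007, 10, 9), workaround=date(2007, 8, 1)),
    Vuln("internal find B", "Microsoft", date(2007, 2, 1), date(2007, 4, 10),
         vendor_patch=date(2007, 4, 10)),
    Vuln("slow patch", "Microsoft", date(2007, 12, 1), date(2007, 12, 20),
         vendor_patch=date(2008, 2, 12)),
]

if __name__ == "__main__":
    for vendor, policy in [("Apple", "vendor"), ("Apple", "upstream"),
                           ("Microsoft", "vendor"), ("Microsoft", "workaround")]:
        rate = zero_day_patch_rate(SAMPLE, vendor, policy)
        print(f"{vendor:9s} {policy:10s} 0-day patch rate = {rate:.2f}")
    for v in SAMPLE:
        print(f"{v.vendor:9s} {v.name:24s} {risk_windows(v)}")
```

Run it and the Apple-like records’ 0-day rate jumps from 0.25 to 0.75 once upstream fixes count, while the Microsoft-like records climb from 0.5 to 0.75 once a Knowledge Base workaround counts as a patch: the same eight flaws, two different headlines. Nothing about the counting rule changes how long a user was actually exposed, which is what the Black/Grey/White split is supposed to capture.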

The study fixates entirely upon Grey Risk, which flatters Microsoft as a closed source vendor. However, the real problems affecting PC users involve Black Risk, where users are attacked through exploits they know nothing about, and White Risk, where patches exist but users don’t know to install them, or can’t be bothered to deal with poorly designed patching tools. Both problems are severe risks facing Windows users that the Swiss study pushed aside to entirely focus on the idea of how much time elapsed between the exploit going public (that is, not discovered, but rather publicly disclosed) and its being patched. This is ridiculous.

News Flash: Apple Better At Delivering Software Than Microsoft.
Also noted in the report, but suspiciously not in IDG’s coverage of it, was the fact that Apple has exceeded Microsoft in the number of security patches it has issued over the last six years, delivering 815 patches to Microsoft’s 678. That’s despite the fact that Microsoft serves more customers with greater security problems, more avenues for exploit, and infinitely more real world losses due to security issues. This also includes the patches Microsoft provides its “enterprise customers.” Microsoft has improved in the number of patches it offers, but Apple has made even faster progress, delivering nearly twice as many patches just last year alone.

Why was this detail omitted from IDG’s corporate media report? Because it didn’t flatter Microsoft. The Swiss report also noted the number of major operating system releases each vendor delivered, but for some reason counted Microsoft’s Service Packs as major releases while only counting Apple’s retail releases as such. These numbers were presented relative to the idea that delivering a major software release consumes the vendor’s development resources, making it more difficult to supply security patches in a timely manner.

Undercounting Apple’s far more prolific ability to deliver significant new feature updates–despite having a far smaller engineering team–distorts the report’s findings in egregious ways. When actually counting the real number of significant updates each vendor has released since 2002, Apple comes in at 33 (not including 5 iPhone OS X updates) but Microsoft at 7. Note that this credits Windows Server service packs as a release, but does not count Mac OS X Server releases. When those are added in, Apple has delivered 66 major releases to Microsoft’s 7 over the six years of the study. That should play into the study’s 0-day reporting, but it unfortunately did not.

Patches: Apple vs Microsoft

So why did the Swiss team issue a sensationalized report offering “proof” against the reality that Mac users have zero viruses and no real malware problems, symptoms that would logically follow if Apple’s operating system were open to easy exploit?

Attacking Windows’ security would not be noteworthy. Suggesting that Apple is lying when it advertises that Macs have no viruses and that users are spared the problems of malware that are very real on the Windows platform is not only salable “news,” but plays right into the prejudices of an idiot public that wants to believe something other than the truth.

IDG wants to titillate its Windows Enthusiast readership by falsely discrediting Apple, and the Swiss team obliged by providing it a misleading report to support such a story. Both parties win notoriety at the expense of being entirely wrong and deceiving the public.

Ten Myths of Leopard: 10 Leopard is a Vista Knockoff!

How to Prove the Truth Is Wrong.
It is simply far too easy to refute the truth. Humans have a built in mechanism for collecting useful information that is completely vulnerable to liars. Propagandists have exploited this flaw since the dawn of time. Repeat a lie frequently enough, and it will become reality to the sheepish audience that listens to it uncritically.

As an example, compare the reality of Federal spending by US presidents by their party affiliation. According to the Republican right, Democrats “tax and spend,” working up deficits that impede growth and stifle economic productivity. This message has been repeatedly pounded into the public by right-leaning think tanks for decades. However, a look at the actual spending record of presidents over the last few decades proves this to be entirely false.

[Chart: increases in the national debt under each president]

Why Windows Enthusiasts Refute the Truth.
Similarly, while there are many reasons for various parties to advance the idea that Macs are troubled by latent security problems that have made it “as bad as Windows” since at least 2003, including:

  • security researchers like Miller who are making a career from reporting sensational, yet inconsequential vulnerability findings,
  • security think tanks like the Swiss group, who desperately crave the attention that a sensationalized report will bring them,
  • columnists and pundits who make a name for themselves by refuting reality with carefully cited statistical fallacy, and
  • groups directly sponsored by Microsoft to report the idea that Windows is not the most irresponsibly security plagued software in the Universe,

the fact remains that Windows has and continues to suffer from serious security flaws. The security advancements that Microsoft has made in Windows Vista are significant, but have only served as a theoretical remedy for many users, who can’t even use Vista due to its hardware requirements, its architectural changes that have left enterprise customers with a “wait and see” perspective, its increased expense, increased license policing, and its performance problems, made only worse by the problematic release of SP1.

What Needs To Happen Around Here.
Rather than trying to overturn the simple truth that Microsoft chased short term profits throughout the 90s and subsequently delivered a poorly architected operating system with little regard for real world security issues, and then failed to see any need to fix things before finding itself paralyzed by the worst security epidemic the world has ever seen, security researchers should admit that Microsoft ushered in a lot of problems it would now like to pretend don’t exist, when they most certainly do.

Microsoft should spend its fortunes really solving the security problems of its Windows users at its own expense, rather than expecting them to pay an astronomical premium for Vista, software that largely only fixes issues that resulted from the company’s wild profiteering over the previous decade, and doesn’t really work all that well itself.

The corporate media should look past the enormous advertising revenue it receives from Microsoft in order to tell the truth and actually inform its readers, rather than serving to advertise the importance of declaring allegiance to Microsoft in every news story. But of course no one in the corporate media needs to listen to someone like me, who is so biased toward good technology and fair competition in the market that they can’t see much good at all in Microsoft’s criminal actions against its customers, partners, and the state of the art itself.

I really like to hear from readers. Comment in the Forum or email me with your ideas.


  • UrbanBard

    mmbossman said,

    “I have no problem with you posting your disagreements. But spamming the board (you account for 7 of the past 16 posts) is both annoying and counterproductive, as people see you as a troll. ”

    All I am doing is replying to comments. Should I not reply to false arguments?

    Second, What I see here is an attempt to censor me by mobbing me. The people here imply that I have no right to post.

    None of you have addressed the issue– Daniel’s propaganda. In fact, you blame me, not Daniel for starting this.

    If no one tried to attack my contentions, there would be no problem– no posts from me.

    Welcome John Muir. Are you sure that you want in this hornets’ nest?

    I wasn’t a McCain man. I liked Thompson better, but anyone is better for the country than a Democrat.

    His Shadow said:

    “The Dept of Homeland Security blows any talk of “smaller government” out of the water. Did the Democrats twist Bush’s arm to make him establish a massive parallel bureaucracy to funnel even more pork cash around? ”

    Yes. The Democrats had to be paid off to keep from sabotaging the war effort. Do you remember Senator Harry Reid’s mantra about unionizing the TSA, “You don’t professionalize, unless you federalize.” What a fiasco.

    “Are warrantless wiretaps and abrogation of the Constitution signs of a political party that wants smaller government and less interference in citizens’ lives?”

    Yes. According to the six ex-FISA judges testifying before congressional hearings, those are either Presidential powers granted by Article II of the US Constitution or by the war powers act passed by congress after 9/11.

    I drink no Kool-Aid here.

    “And nice try with all the economic mumbo jumbo. The simple fact of the matter is that the deficit is the deficit is the deficit. It’s an indication of the spending habits of the party in power. It’s that simple. ”

    It’s not so simple, Congressional rules make it difficult to cut taxes and easy to increase them.

    Take a look at the midnight earmarks which are not voted upon on the Senate floor. Are they legal? They are presumed so, if Bush signs the Act containing them without a signing document to explain how he will enforce them. Of course, the Democrats oppose Bush even issuing signing documents. But other Presidents have used them.

    “How you can pretend that the party that oversees the most massive growth in the debt that has ever been seen can still be reconciled with the lie of “smaller government”… well it simply can’t.”

    It’s simple: we have a war to fight. Wars are expensive. The Democrats would love for America to lose this war. They have to be bought off.

    windinthedust said:

    “It is interesting to note, that most people are of a particular religion or political affiliation, because they were born into it. The status quo is not questioned. ”

    Not so, in my case, on all counts. I was a working man all my life– an engineer. My father was a welder; a life long Democrat, as I was. I went into the service and served in the Philippines and Vietnam.

    I came back, went to College and earned an Electrical Engineering degree on the GI bill. It wasn’t until I had saved a few dollars and wanted to invest them wisely that I started looking into Economics, Politics and investing.

    President Carter’s stagflation persuaded me that Keynesian economics was nuts, as did President Nixon’s wage and price controls. Those started me on a path away from the Democrat Party in 1976. But I never registered Republican until 2002.

    “To make a comparison to technology now… it is interesting that many people that use PCs and Windows do so because they were ‘born’ doing so. In other words, it was the only choice, the unquestioned status quo. Technology has become personal to them, and often driven by their peer group.”

    Some people are risk takers, many people are not. Taking risks is often unsettling, uncomfortable and painful. It also depends on how high a pain ratio you have. Windows was always painful for me to use.

    It was painful for me to learn how to think, but I recommend it to you.

    “Daniel does us a service by injecting fact and reason into these often emotional topics.”

    I agree about that when he refrains from injecting Leftist politics into these discussions.

    Jeff said:
    “That’s the only thing the graph was supposed to show, and it showed it. That’s it. It worked.”

    That’s the problem with specious logic. It seems plausible. Or it merely confirms your prejudices. We must not confuse it with truth, though.

    What I asked from Daniel was the source for the chart so I could check out whether it was accurate. I then speculated why it might not be. You people jumped on me with both feet.

  • http://johnsessays.blogspot.com John Muir

    @ UrbanBard

    I think McCain has every chance right now because of one Hillary Rodham Clinton. When Howard Dean drew up the Democratic primary process, he made a horrendous nightmare if and when two equal candidates ran its gauntlet. As fate would have it this is precisely what happened on its first go. McCain won handily on the other side because of a better designed process. And so long as Hillary is still in the race – which will be right into the convention at the end of August – McCain’s position is advanced. Hillary’s people are punching well below the belt already. Obama has the skill to see it off so far, but can he keep it up for five more hysterical months?

    I’m no Republican. Neither am I a Democrat. But I am thankful that there is at least one safe pair of hands to pick up the mess.

  • slappy


    Where is the URL on that story?

  • dscottbuch

    I just found it


    If true as written then this is really a non-issue as previously stated.

  • slappy


    I still don’t see that mentioned on the article link you posted.

    “Well, apparently the exploit was achieved by clicking on a URL which opened a port number on the Mac, which in turn allowed them the telnet to the machine.”

  • UrbanBard

    Thank you, windinthedust,

    “There was nothing wrong with your use of the political chart… simply give it the same due diligence and thoughtfulness you give everything else (however, if you have to explain, prove, and back up an illustration, perhaps it’s not an appropriate one :-)”

    You state my case perfectly. This is a matter of intellectual rigor. I wish Daniel would either defend his position or refrain from shooting off his mouth. The chart added nothing to his technical discussion.

    Hello again, John Muir.

    Jesus, windinthedust,

    You continue to amaze me.

    “It is a proven economic fact that cutting taxes spurs business growth, expansion and job creation whereas raising taxes has the opposite effect. All will agree with that statement.”

    Many Democrats will agree with that statement when applying it to cigarette taxes, sin taxes, but not to taxing the rich. Why? Because they want to destroy the rich, not cigarettes. “The power to tax is the power to destroy,” said Justice Blackburn.

    “Here’s the sticker: Many think that raising taxes increases revenue to the government… when actually the opposite is true.”

    This depends on where we are on the Laffer Curve. We know that we are in the “overtaxed area” where any tax cuts increase revenues into the IRS. This happened with the “Bush Tax Cuts” in 2002. The Democrats want to end them in 2010, so we can expect a major recession then.

    Hi John Muir, who said:

    “Just look at the stock markets to see how chaotic and (as with AAPL lately) downright counterintuitive trends can be in anything but the long term. If everything worked like Laffer’s curve, we’d be sitting on the optimum tax rates and even oil price just like the rocks gather themselves together to form Saturn’s rings.”

    The issue here is conflicting governmental policies which confuse the indicators. The Fractional Reserve Banking System and the American Federal Reserve Board are partially responsible, because when the Fed artificially decreases the interest rates by increasing the money supply, this will, in a number of years, cause a recession to wash out the “easy money.” A recession is “in the offing,” but no one knows when.

    Greenspan had been using a mechanism which tried to compensate for the credit expansion. It seemed to work well, but Fed Chairman Bernanke abandoned that a year ago. There seems to be some sign that the Fed is trying to return to that policy. Is it too late?

    There is a dispute among economists over whether we just have a “housing bubble” caused by government-caused easy lending policies to avoid the accusation of “redlining” or if there is a general problem with the economy. This could be a media scare; they have been talking down the economy for six years. We are still experiencing economic growth though, so we’ll have to wait to see.

    Hi John Muir,

    I think the Democrats are in serious difficulty if either Hillary Clinton or Barack Obama wins the nomination. But with the election eight months away, it is too soon to call.

    This race has boggled my mind, so far. I keep wondering what train wreck lies ahead.

    The Iranians and the Sadr brigade are heating up the war in Iraq again. But I think it is jumping the gun to aid the Democrats now. Three months later would be more effective.

    The terrorists are, reportedly, running out of suicidal young men. That is why the terrorists recently used two Down syndrome women to explode bombs in an Iraqi crowd.

  • dscottbuch


    Direct quote, second and third sentences of the first paragraph:

    “The exploit involved getting an end user to click on a link, which opened up a port that he was then able to telnet into. Once connected, he was able to remotely run code of his choosing.”

    To actually do this:

    1) the telnet daemon would have to be enabled – very unusual for OS X
    2) he would need a logon, or, to execute ‘any’ code, an admin logon

  • slappy

    Oh I see. I was looking at the comments to find an AppleInsider link or reference. Hmmm, thanks for that little tidbit.

  • WebManWalking

    It’s conceivable that the libtiff bug and a carefully crafted TIFF image could allow the execution of a sudo that installs a telnet daemon, creates a new admin account for the assailant, etc. But it seems to me that Mac OS X would require authentication on the sudo.

    There’s more to this than they’re telling us. I guess that’s good.

  • dscottbuch

    I would think that installing a new user, let alone a new admin user, would require an already present, long-standing hole that allowed the sudo to execute. That hole would be bigger news than the exploit being reported, so that would be a HUGE stretch IMO. Once again it seems that the PR value of ‘an OS X bug’ outweighs transparent disclosure of the process.

  • WebManWalking

    Well, you don’t need sudo to install a socket listener on a high port number. So the main question is, even with an open port, how does a user telnet into a machine without an account on that machine?

  • WebManWalking

    Are they giving away laptops for logging in as ‘guest’?

  • dscottbuch


    “Well, you don’t need sudo to install a socket listener on a high port number. So the main question is, even with an open port, how does a user telnet into a machine without an account on that machine?”

    Well, I don’t think guest is on for login from telnet or ssh by default in any case, and even then I don’t think guest could install the listener.

  • WebManWalking

    Telnet and ssh don’t have their own logins. They require the user to enter a Unix login. I wasn’t at my Mac when I facetiously suggested ‘guest’. On my Tiger machine (now), you go to Applications > Utilities > NetInfo Manager > users. Wow, look at all the Unix logins. But ‘guest’ isn’t among them.

    The installation of the telnet daemon would happen as the user of the browser, so that’s no mystery. I’m still puzzling over how Miller got a username and password to log in over telnet, however.

  • http://www.ecphorizer.com Tod

    @Daniel: Wonderfully written piece. Well researched and presented. I worked in CH with half a dozen of other non-CH Europeans and the secret motto was “The Swiss Love to Lie.” Apparently it’s because they want to bring further credence to the world-wide belief that the Swiss can do no wrong and are very neutral in all their dealings with the outside world.

    Daniel, is there some way that we readers can do the equivalent of “kill-filing” the trolls who waste bandwidth going off on their totally off-topic tangents? I hate to be reading interesting comments (from both sides) only to be interrupted by a squalling child trying to score political points. When my kids interrupt, I take care of the problem and we adults continue with our conversation.

  • http://www.ecphorizer.com Tod

    Edit “wast” to be “waste.”

  • slayerjr

    Dan, you have to stop being an apologist for Apple because all you are doing is hurting the platform. Fact of the matter is, OS X was hacked. How, why or what method was used is unimportant. I’ve said this before on a similar topic here, that astute professionals are worried about the way Apple handles its security and rightly so.

    You’ve worked hard at making yourself an authority on Apple and you are now in a position to make the fanboys sit up and listen and guide them towards understanding that while their platform has the potential to be great, they must be vigilant and force Apple to do a better job at making it so and keeping it that way. Fanboys should be asking the hard questions and demanding the very perfection Apple claims to put forward. Instead you lead them down the garden path with claims that everything is AOK.

    Discounting the claims of techie journos is a no-brainer. If they knew their chops they wouldn’t be where they are today. It is much harder to be critical of oneself and the choices you make in defending your ground, but that is exactly where you and the fanboys are failing. As a result the platform and the company you are so fond of is suffering. You really ought to demand more from Apple. Praise the company when it is appropriate and shame them when they fail. Forget Microsoft and its cronies; focus on demanding that when the next round of exploits for cash rolls around there is nothing to be found and security experts nod in approval that OS X is everything that an operating system should be. Until that happens nothing you write about security is worth a damn. Security is and should be black & white; anything in between is an optical illusion, just like the current state of Mac OS X.

  • Player_16

    You have a plan to break into a jewelry shop. You’re going to steal watches. Choice of 3 types of watches and if caught, it could land you 7 years! The watches: Casio, Timex, Rolex. Chances are, you’re going to make it worth your while. Sure the first 2 have all sorts of functions (I don’t need to tell you). The Rolex does not do much in the way of functions but is metal, a self winder and a looker – serious bling! You break in and you’re caught with Casios and/or Timexes? I don’t think so!!

  • materro

    Really Daniel, I’m quite disappointed that you’re discounting the events of CanSecWest. You’re inventing a reason that the MBA got hacked first, and it was for political reasons. But bear in mind that two other computers loaded with Vista and Ubuntu were being worked on (none of the three were hacked the first day). Also remember that there was a prize of $10000 and the laptop that was hacked. Given that the stakes were so high, do you really think the competitors would have gone after such a rock solid operating system? I know I would have gone after Vista, since I would assume that to be the easiest target to break.

    But Vista wasn’t the first to be hacked, even after the rules were relaxed. And pointing out that Miller used a previously prepared attack is irrelevant; all the people competing did, as well. It shouldn’t come as any surprise that a successfully hacked machine would fall so quickly; all the serious competitors worked on code before CanSecWest.

    I’m really disappointed by this article, because the fact stands that the MBA was hacked first, and no matter what “political” reasons justify it, it was hacked first. Additionally, I believe that your logic is flawed in claiming that the way the Mac was hacked first was due to insecure open source packages. Windows definitely has a lot more vulnerabilities than OS X. And a lot of them are unreported. It’s not much of a stretch to imagine that there are more unreported Windows flaws a researcher might know than available exploits in OS X’s open source components.

    I also think it’s disingenuous to attack CanSecWest as a Microsoft enterprise; Cisco, Adobe, and Google all sponsored the event, as well.

  • John E

    (a) Bard: forget you.

    (b) the hack. Nobody really knows what the fuck they did or did not do.

  • beanie

    Someone won the Vista machine on day three when popular applications were installed. Someone found a 0-day Flash hack.


    So MacOSX fell on day two when the “default” OS was the target and Vista fell on day three when “popular” applications were installed.

  • Jon T

    This thread demonstrates why you need to keep politics OFF the RDM website Daniel!!

    I, like most people I imagine, come here to be informed and entertained about IT, not socialism etc…

  • duckie

    I’m afraid you are labouring under a misconception. Security is the complete opposite of black and white. Just as there is no such thing as 100% perfect software code (and the two are not entirely unrelated) security is the business of mitigating risk, not completely eliminating it. I can still remember when Windows NT passed an important security benchmark of the time (allowing marketing drones to trumpet its security credentials), but closer examination revealed that it only did so by being tested without connection to a network of any sort. While this still makes me chuckle, it illustrates the point that a balance always has to be struck between usability and security. The most secure system is one that is connected to nothing, locked in a concrete bunker underground. This isn’t terribly useful.

    Software, and OSX is no exception, will always have vulnerabilities, which is why this hacking competition is meaningless, and “demanding perfection from Apple” is unrealistic. Software is imperfect. The important thing, which is what Daniel is always trying to underline, is how those vulnerabilities are dealt with, and how many real world exploits are out there ensnaring users on a daily basis.

  • http://johnsessays.blogspot.com John Muir


    Quite right. The reports so far out of this hacking contest are too obfuscated to draw the sorts of conclusions that – by nature – the tech press are running wild with. That’s a failure in the design of the contest.


    You too, however, have a point. If anyone’s in a good position to criticise Apple when it really is falling short, Daniel’s the man. I think he’d do the site and his reputation well by broadening a bit and making the very prototype of well reasoned and wholly factual critique that the tech press are so unable to fulfil, every once in a while.

    We all exist in a tech world dominated by anti-Apple stories, but that doesn’t necessarily mean we have to line up to man the barricade at every possible occasion. Indeed, the battle seems to have been turning for years now and it’s the MS shills who are in panic. It could be time to adapt to a new environment over here as well as over there.

  • MikieV

    What a bunch of crap in the press…

    1. “Macbook Air was hacked in 2-minutes…”

    But the hardware wasn’t “hacked”, the OS was “hacked” via the default browser.

    How many ignorant people are now thinking there is something -specific- to the Macbook Air which allowed it to be “hacked” so quickly??

    And not just the mac-bashers who can now gloat that “Apple’s newest computer” has been hacked… but the mac-users who may not realize that using Safari can leave them vulnerable, even if they are not using a Macbook Air…

    2. I saw a headline that read “Vista, Macbook, Linux…”

    Why is that?

    Why not Vista, OS X, Ubuntu? Isn’t that a more accurate portrayal of what was being tested?

    Why not “Fuji, Apple, Sony”? Or “Lifebook, MacBook, Vaio”?

    Oh, that’s right, it’s not about the hardware, is it… :(

    3. “None were hacked in the first day…”

    Did anyone even try?

    One team, trying to “hack” -one- of the OSes??

    That was the point of having laptops as the target, wasn’t it???

    To see if there was any vulnerability to using a laptop out in public, on ubiquitous WiFi networks??

    4. “They used a cross-over cable…”

    Read the rules:

    “To claim a laptop as your own, you will need to read the contents of a designated file on each system through exploitation of a 0day code execution vulnerability (ie: no directory traversal style bugs). Each laptop will only have a direct wired connection (exposed through a crossover cable) and only one person may attack each system at a time so that each team’s exploit remains private.”

    5. “Miller was able to execute his own code…”

    Per the rules, above, all he had to do to win was read a file…

  • MikieV


    “The reports so far out of this hacking contest are too obfuscated to draw the sorts of conclusions that – by nature – the tech press are running wild with. That’s a failure in the design of the contest.”

    I disagree.

    The contest only allows “0-day” exploits to be used, and then keeps any successful exploits hush-hush until the vendor can issue a patch.

    I think it is a great way to give more people the incentive to look for flaws in our systems – WITHOUT -the irresponsible release of details to the public, so the “script kiddies” can run amok with an exploit which would be, in effect, handed to them on a silver platter…

    The “failure” is -not- in how the contest is run, but how the results are sensationalized by various groups – and some of the tech press – for their own purposes.

  • http://benjamin-newton.com/ bhuot

    “Reasoning on this: Lowering taxes means expanded businesses. More business means more jobs. More jobs and profitable businesses means that the government actually takes in more by cutting taxes than raising taxes.” The taxes are only lowered on the businesses, where Enron at its height only paid $10 in taxes. That is why there is no money for schools. Look how the big national lender was bailed out for $30 billion but the homeowners were given nothing, or how the airlines were bailed out after 9/11. The truth is corporations want just as much intervention/money as poor people do; they are just less deserving. History has not proven that corporations hire more people, especially American citizens, when they get more money. Hiring more people does not automatically follow from expanding business. The big cost is labor, so the company will always cut labor as much as possible.


  • http://www.roughlydrafted.com danieleran

    @slayerjr : you can call me names, but doing so reduces you to the level of TWIT podcasters who dismiss what I write rather than honestly examine it. Every time I point out some truth that is being ignored, you don’t have to bang your fists on the table and call me a fanboy. It’s getting tiresome.

    The details emerging from CanSecWest fill out a story that is bigger than a simple “Macs shot first” headline conveys. This was not a contest where three systems were placed in an equal foot race and the Mac simply lost due to being a slower runner.

    Various tech crackers with different backgrounds, motivations, and levels of expertise worked to find exploits in the three systems. Things to remember:

    1. – Exploits discovered for the Mac have little other value outside of these contests. Nobody would buy the exploit Charlie Miller found, because there is no market for it. In the Windows world, there is a thriving market for selling exploits (discovered, not disclosed AND 0-day disclosed, not patched) because spammers/botneters and identity thieves need them to stay in business. There is no malware underworld servicing the Mac.

    2. – The Mac exploit was something Miller had in hand when he arrived. There was nothing else he could use it for other than winning the contest. If it were a remote exploit, he could have made $20k rather than $10k. He knew exactly what it was worth and what it could do.

    3. – Another report http://news.yahoo.com/s/pcworld/20080329/tc_pcworld/143962 noted that the researcher who cracked the Vista machine was stymied by the fact that he didn’t expect it to have SP1 installed. So Miller was better prepared. That’s a positive reflection on Miller more than a negative reflection on Mac OS X.

    4. – Miller reported hacking something related to Safari, but the details haven’t been revealed. Whether this was a real world vulnerability in Apple’s code, a copy-and-paste attack on a FOSS library as Miller’s PCREL exploit was (or the libtiff exploit found by another researcher after PCREL was patched), OR a contrived test that had opened up telnet and gave the researchers an account to use is still unknown. The notes so far suggest that it really had little to do with Apple’s code.

    5. – The PCWorld article also noted that people at the event with the ability to crack Linux “didn’t want to put the work into developing the exploit code that would be required to win the contest.” Why not? Because they lacked the political motivation to prove Linux was easy to hack, and they lacked the financial motivation to earn $10k at a contest when they might be able to sell their discovery for more.

    6. – Miller has repeatedly stated that his life’s work is to discredit the security of Apple’s platforms. The only outlet and business model for such an effort is currently CanSecWest. Last year, Miller’s partner won the same contest the exact same way. Both have repeatedly stated that Macs are trivially easy to attack. Yes, if you’re a security expert with an outdated FOSS exploit in hand, you can beat your non-motivated colleagues on Windows who have sold their exploits to spammers, and your Linux expert colleagues who have no interest in trying to make FOSS look bad.

    Also note that nowhere in the article did I say that Macs are invulnerable to attack. I even noted that Apple’s use of open source makes it easier for researchers like Miller to identify exploits, including those that have been patched by the FOSS project, but have not been updated/distributed by Apple. I specifically noted that this is an area where Apple has received criticism, and ideally, that Apple should be faster at keeping its FOSS components up to date.

    Of course, there are also issues related to using the bleeding edge of FOSS software, which despite being patched for vulnerabilities, may have other problems related to its newness.

    Corporate IT staff frequently do NOT patch critical software until they know what the patch will actually do and that it will not cause other problems. Apple’s distribution of FOSS patches to its commercial customers requires a similar delay. FOSS projects can blow out patches fast and furiously, but Apple can’t, or we’d all be annoyed to see patch updates in Software Update on a daily basis.

    Which is the other elephant in the room: Apple patches its OS software far more frequently than Microsoft. It also improves its operating systems far more rapidly, 66 to 7 releases over the six years of the Swiss study. That was entirely ignored by the media to focus on the completely idiotic “who statistically patches flaws faster relative to the flaws’ public disclosure” metric.

    So you can say we should all just admit that the Mac lost the security test fair and square because the corporate media reported it that way, and you can say the Swiss group’s study is easy to tear apart because it’s a study, but the reason I wrote about both is because I like to examine the real story behind the headlines.

    I think I should post this as its own article.

  • obiwan

    Don’t know if you are right about Miller. Looks like he did a good job. Some more info is here:

    Quote from the article:

    Miller further elaborated, “I use a MacBook all the time and that’s what I used in the contest to attack the MacBook Air. I like Macs. That’s the reason I went for it; it’s in my best interest for them to be as secure as possible.”

  • beanie

    “researcher who cracked the Vista machine was stymied by the fact that he didn’t expect it to have SP1 installed”

    Isn’t SP1 (Service Pack 1) just Vista with all patches applied since its release in one convenient package? Anyway, all the OSes had all the latest security patches applied. Mac OS X 10.5.2 was used.

  • Pingback: Mac Shot First: 10 Reasons Why CanSecWest Targets Apple — RoughlyDrafted Magazine()

  • http://www.roughlydrafted.com danieleran

    76 Comments, 8 Diggs, 2 points on Reddit.

    I should figure out a way to goad UrbanBard into channeling his boundless neocon energy into promoting my articles via syndication sites rather than writing an encyclopedia of replies to dispute the legitimacy of a single sentence that happens to trigger his Righty Sense.

  • lmasanti

    WebKit Fix for Charlie Miller’s Contest-Winning Exploit
    His CanSecWest contest-winning exploit took advantage of a bug in the PCRE regex library used by WebKit’s JavaScript engine.

    Daring Fireball 3/29/08 17:32 John Gruber http://daringfireball.net/

  • http://www.ecphorizer.com Tod

    @Daniel: Again I ask if there’s any way we readers can “killfile” certain posters who relentlessly and with malice continue to post “off topic” on your forum? I for one am totally fed up with so-called essays that do nothing to advance any particular POV, but rather tend to reinforce negative opinions of those who espouse certain POVs. If these posters would spend half their energy writing something useful and ON TOPIC, then we’d all be grateful.

    I think we’re learning a lesson here about not feeding the troll.

    And Daniel, I have absolutely no problem with your illustrating a point with an analogy that some people think makes an oh-so-righteous political statement, which, according to their self-defined netiquette, has no business in a private blog, a blog that a private citizen writes for his readers’ enjoyment and funds out of his own pocket.

    Keep it up and don’t change your style to fit the narrow minds who try to pollute the commentary.

  • sebastianlewis

    Looks like I’m going to become unpopular here, but comment #83 by Daniel, that really wasn’t called for. Anything you post on your blog is fair game for attack, diverge from the topic a bit and that’s fair game for UrbanBard or anyone else who responds. UrbanBard has posted some really stupid crap about how he was unwillingly exposed to your “leftist propaganda” as he calls it, but I doubt that since it’s his choice to read this blog in the first place.

    UrbanBard, nothing against you, I’m not going to agree or disagree with your political points because at this point, I just don’t have enough experience in either politics or economics to argue either side. I’m 16 so I can’t vote but I do hope Obama wins this next election. I can’t stand conservative opinions… they’re too, well, conservative for my taste, but you still have a right to express your opinion and I can’t stand people who would argue you don’t, since everything in Daniel’s blogs is fair game for response, either via the comments, trackback or hell, on your own blog or anywhere else for that matter. Even if it’s a sentence or small paragraph or a chart that just somehow pops up, it’s there and it’s game for anyone who agrees or disagrees.

    Regardless I don’t think your comments about being “unwillingly exposed” to political commentary on a personal blog, that’s right a personal blog, not a newspaper, but volunteer work by Daniel in a space for him to express his views whether it’s politics or tech, that was just uncalled for as well. I won’t tell you to ignore it since it’s fair game, but I do advise you ignore the people who immediately jump to Daniel’s aid just because someone disagreed with his political commentary, I advise the same to them about ignoring you.


  • Pingback: Boycott Novell » Links 30/03/2008: Security Fiasco, Security Disinformation and a Good Look at KDE 4.0.x

  • http://www.thecarbonlesspaper.com johnnyapple

    UrbanBard, you wrote “But, neither Daniel, nor any of his “peanut gallery,” understand enough about logic, economics or politics to say anything meaningful. So, I invite them to keep quiet until they can make an intelligent point.”

    Are you saying that we should all voluntarily censor our comments until we can find something to say that you find agreeable?

  • http://www.atsysusa.com atsysusa


    I have read through this back-and-forth and it is not only tedious but debilitating.

    I read this blog for its technical content and perspective. You should avoid political comment and characterization. Not only because it is inappropriate but also because you exhibit an extraordinary lack of knowledge of history, politics and economics. In that regard I agree with UrbanBard.

    In support I cite an instance when you claimed that the United States invaded Korea and Viet Nam. I don’t know how that “discussion” turned out because I stopped reading at that point. In point of fact, the invaders in both instances were communists from the North of each country.

    I understand that you live and work in San Francisco. You need to get out more.

    btw – johnnyapple: UrbanBard was only repeating what his mother told him [and perhaps yours as well]: If you don’t know what you are talking about, keep your opinions to yourself.

  • HamSandwich

    Bard: http://www.lafn.org/politics/gvdc/Natl_Debt_Chart.html

    Found by googling the table title. Easy Peasy. All good numbers and details too. Nothing leftist about data. Sun comes up, Sun goes down. No one owns that.

    As for the argument here it is relevant! It shows how bias works to deflect people away from the real details.

    Sound bites, short quotes, and the inclusion of excusable circumstances are used for good reason. Like a magician who waves his hand or snaps a finger it serves to distract us from the real action – the hiding of the quarter or the dropping of the disappearing object.

    Fact is it may be incendiary to some, but we’re all grownups. I think it puts the exclamation mark on the whole point.

    I work in IT enterprise level support. Windows vs Mac is a stupid argument. But there are entrenched biases everywhere. Then you come along with Unix/Windows/Linux/Mac & Mac OS X experience. I look like a genius, or a freak.

    Drop the bias, tinker away. Every tool has a use.

    And if you are tired about political debates, why not adopt a real political system – parliamentary democracy ;)


  • Pingback: Thom Holwerda of OSNews Calls “Mac Shot First” Misinformation and Slander. Oops! — RoughlyDrafted Magazine

  • wafflejuice

    “Found by googling the table title. Easy Peasy. All good numbers and details too. Nothing leftist about data. Sun comes up, Sun goes down. No one owns that.”

    HamSandwich is my new hero! :)

  • Patrick Walker

    One idea I think people missed is how much in the way of security experts are REALLY looking into Vista. What I mean by this is given the absolute lacklustre penetration of Vista, do people really find it economic to even bother looking? At the university I’m currently at, MS is offering Vista for free but even then people aren’t interested. They’re opting for WinXP still. To be fair, the 2009 contest should have FOUR laptops. A Windows XP box should always be there because it is still a viable consumer OS. I’m rather surprised if MS was using this event as a marketing ploy, wouldn’t they want to play up Vista by having it compared directly to WinXP?

  • Patrick Walker

    What I should have added to #91 is if there will never be a major market for Vista, does it make economic sense to spend time and money investigating Vista? Some have said people didn’t try getting Vista because they don’t want to bother and explore Vista. Security through obscurity indeed.

  • Pingback: The Unavoidable Malware Myth: Why Apple Won’t Inherit Microsoft’s Malware Crown — RoughlyDrafted Magazine

  • Pingback: The Mac is a Wonderful (and Secure) Platform - IT in the Ad Biz

  • Pingback: MBE - Mac Business Experts » Blog Archive » Security is not a matter of platform, but of culture (part 1)

  • Pingback: Windows Vista, 7, and Singularity: The New Copland, Gershwin, Taligent — RoughlyDrafted Magazine

  • Pingback: Security is not a matter of platform, but of culture (part 1) « MBE | Mac Business Experts