Daniel Eran Dilger in San Francisco

CanSecWest and Swiss Federal Institute of Tech Deliver Attacks on the Reality of Mac Security

2008-03-28 01:36
Daniel Eran Dilger
In back to back press releases with payloads of sensationalized misinformation, two apparently unrelated groups launched attacks on Mac OS X’s reputation for delivering better real world security for its users compared to Microsoft’s Windows. In the first, a contest held at the CanSecWest Applied Security Conference, sponsored in part by Microsoft, suggested that hacking a MacBook Air was faster than hacking a Sony or Fujitsu Windows PC laptop. Thousands of miles away, the Swiss Federal Institute of Technology engaged in Vulnerability Numerology to declare that Apple’s operating system had fewer promptly patched software vulnerabilities compared to Windows. The premise behind both widely publicized stories is wrong; here’s why.


Charlie Miller Cracks a Mac in Two Minutes at CanSecWest.
Echoing last year’s CanSecWest event, where security researcher Dino Dai Zovi was able to access files on a Mac after being allowed to guide an automated user to access a tainted website from the laptop, this year’s contest was won in two minutes by Dai Zovi’s business partner, Charlie Miller. Both were unable to access the systems over the first day of the contest, where only direct attacks over the network were allowed.

On day two, both were able to quickly win the contest after the rules were relaxed to allow them to send emails to an automated user or direct it toward a malicious web server they had set up. While the quick win makes for a perfect headline and reflects the Hollywood image of “hackers” that twiddle on a keyboard and almost instantly “access the mainframe” while a counter runs in the background, a more intelligent question is: why did the Mac get hacked first, and why was the attack so quick?

The easy answer is that nobody had any political reason to attack Windows at an event sponsored by Microsoft. Such an exploit wouldn’t even have been newsworthy. The speed of the attack also has something to do with the business of security researchers like Miller, who have clearly expressed the intent to repeatedly prove that Macs (and the iPhone) are as easy to exploit as Windows-based systems. More on that in a moment.

It is an uncontroversial fact that Windows PCs suffer under the threat of tens of thousands of real world viruses, are routinely infected by malware and often unwittingly participate in spam and adware botnets, while Mac systems have no viruses, and no significant real world malware, spyware or botnet problems. However, there is a constant din of pundits, researchers, and security product salesmen who insist that Macs not only have serious security problems, but may actually suffer from more vulnerabilities than Windows PCs. How can these two contradictory ideas possibly be harmonized?

Gone in 2 minutes: Mac gets hacked first in contest – Yahoo! News
InfoWorld Publishes False Report on Mac Security

Attacking the iPhone.
Miller has worked hard to establish his reputation as a security expert. For any security expert, this means demonstrating the ability to discover high profile attacks on notable targets. Last year, Miller described a vulnerability on the iPhone related to the open source libtiff library. This vulnerability was related to the jailbreak exploit that allowed users to install their own software on the iPhone by working around Apple’s security barrier, but it also had the potential for allowing a malicious user to inject their own malware onto unpatched iPhones that were directed to an exploiting website.

His attack on the iPhone’s security delivered Miller significant notoriety, but his discovery, even after being widely published, did not result in any malware industry popping up around the millions of iPhones being sold to well heeled users. Why not? For starters, libtiff was eventually patched; there were only a few weeks of any open vulnerability to exploit. Malware writers would have to return to the drawing board repeatedly in order to keep their iPhone attacks valid, just as the jailbreak community had to regularly rework their efforts to maintain the ability to install their unsupported (but non-malicious) apps on the iPhone.

The work of attacking the security barriers on the iPhone in order to maintain the ability to install unsupported apps has continued for months, and has kept the iPhone open to installing these applications since the first workaround was discovered. Why hasn’t the horde of spyware and spammer villains attacked the iPhone using the same tools? As I noted earlier, the iPhone does not actually offer much of an attractive target for malware authors because:

  • the installed base is currently too small to be used for botnet spamming,
  • the network uplink speed is also too slow and/or spotty to be used for spamming,
  • unlike wide-open Windows, the iPhone is closed and any open exploits can be pinched off quickly,
  • software updates on the iPhone are much easier to deliver and install than PC updates,
  • unlike a PC, the iPhone can be instantly cleaned up by plugging it into iTunes and hitting Restore.

So despite Charlie Miller’s disdainful evaluation of the iPhone’s security, the phone has seen no real world security epidemics; even if a virus were delivered for it, the amount of problems it could cause would be limited by the easy to restore design of the device. Miller has noted significant flaws in the device, but those flaws have been irrelevant in terms of real threats facing users. In theory, the iPhone has been exploitable; in practice, it has not been exploited.

Kim Zetter and the iPhone Root Security Myth
UnWired! Rick Farrow, Metasploit, and My iPhone Security Interview
About Security Update 2007-007: CVE-ID: CVE-2007-3944

The Theory of Vulnerability.
Many of those same principles that prevented Miller’s prognostication of dire woe for iPhone users from coming to pass have similarly protected Mac users from actually suffering from any of the theoretical vulnerabilities reported for their platform. While Windows Enthusiasts like to suggest that the only thing preventing a Mac malware meltdown is the platform’s relatively low market share compared to Windows, that idea is both wrong and deceptively simplistic.

First, Mac market share has risen in specific markets to the point where, if there were real vulnerabilities that left it wide open to attack like Windows, it would be facing real problems. While Apple sells a small proportion of the total worldwide market for all PC desktops, workstations, and servers, it now sells over 8% of all the computers sold in the US.

Further, Apple’s low penetration into the enterprise market means that Apple’s 8% of the total US market is actually a 10 to 20% or higher percentage in the home, SOHO, and education markets. Still, we don’t see Apple suffering from 10 to 20% of the malware out there in the wild; Macs effectively have no malware to worry about, and few users even run anti-virus software. There is also currently no need for spyware clean and repair utilities at all. Macs don’t have a fractional tenth of Windows’ problems; they have no real world security problems at all.

Even more damning to the pundits’ logic, the markets where Apple is strongest are exactly those where malware is most prevalent. Who writes spyware aimed at attacking servers supervised by professional IT staff and protected by sophisticated firewalls? Macs are a prime target for spyware and identity thieves, as the Mac user demographic tends to have more money to steal. The fact that Apple’s installed base lies directly on top of the most attractive target for malware authors, yet has zero viruses and no significant real world malware problem says more about the reality of vulnerabilities than any amount of statistical humdrum churned out by people trying to bait links and suggest that up is down.

10 FAS: 10 – Apple’s Mac and iPhone Security Crisis

Swiss Swing and a Miss.
Which brings us to the report issued by the Swiss Federal Institute of Technology. Following in the footsteps of such luminaries as CNET Apple hater George Ou, the group reported findings after looking “at how many times over the past six years the two vendors [Apple and Microsoft] were able to have a patch available on the day a vulnerability became publicly known, which they call the 0-day patch rate,” according to a report by IDG.

Their conclusion: “the number of unpatched vulnerabilities are higher at Apple.” That conclusion provided IDG such ripe opportunity for sensationalizing that the author of the IDG article threw in a bizarre disclaimer at the end. The study was “such a glowing affirmation of Microsoft’s increased focus on security in the past few years that it prompted [Andrew Cushman, director of Microsoft's Security and Research] to ask [study researcher Stefan] Frei, ‘Did Microsoft fund this research?’ ‘This is independent academic research,’ Frei replied.”

Why would IDG feel the need to note that Microsoft didn’t pay for this, and why would a Microsoft research director think to ask if his company had paid for the results of such a study? Because Microsoft is well known for funding “research” that serves to promote its marketing goals. However, we don’t even need to doubt the funding of the study in order to discard it as irresponsible garbage.

Vista vs Mac OS X Security: Why George Ou’s ZDNet Vulnerability Numerology is Absurd

security.itworld.com – Microsoft vs. Apple: Who patches 0-days faster?
PdfMeNot.com – 0-Day Patch Study

Why the Swiss Study was Fatally Flawed.
The main tipoff that the study was completely worthless is that it neatly compares “0-day” patches across unrelated platforms. Three main points below describe specifically why this is inherently flawed. As an introduction: a 0-day patch is one delivered the same day the exploitable flaw that it corrects becomes publicly disclosed.

Many theoretical exploits are fixed at or before they are publicly disclosed, while other flaws linger for weeks, even years, before being patched. A publicly known but unpatched flaw sounds more dangerous than one hiding behind the veil of “security by obscurity,” but there are also many flaws that are discovered by malicious parties to be sold or directly exploited before they are ever disclosed, let alone patched. That means 0-day patches are only ideal for flaws that only the vendor knows about. The study simply ignored discovered but undisclosed flaws, no doubt because they are obviously more difficult to identify and write papers about. They are not any less dangerous to users however.

Windows is plagued by many discovered but undisclosed and unpatched flaws; Mac OS X is not; there are zero viruses and no real world malware problems dogging Mac users. But ignore all that for a moment to take a look at why the very specific study on 0-day patches is so very wrong in three significant areas.

1. The scope and relative threat posed by a specific vulnerability is lost in the aggregated statistics that Vulnerability Numerologists like to report. Windows’ infamous “shatter attack,” an extremely serious, fundamental flaw in the architecture of Windows, was only just addressed in Vista. The flaw was not some simple buffer overflow error; Microsoft designed Windows NT/2000/XP in such a way to give all services within the interactive desktop the same, communally high privileges. The gravity of this extremely poor design decision was widely reported back in 2002, but never fully addressed until the release of Vista, which many Windows users still cannot or will not deploy for various reasons.

Windows XP and Server versions prior to 2008 are still exposed to shatter attack vulnerabilities, but “researchers” would only give this grave flaw one vulnerability count on their tally list. This is just a single example of how irresponsible and ignorant the practice of comparing vulnerabilities by numerical count is across unrelated systems. Mac OS X does not suffer from Windows’ overloaded services architecture nor the subsequent problem of shatter attacks, because it benefits from the well known, highly regarded, multiple concurrent process design savvy of Unix.

Unix has been pulled apart and examined by academia for decades, and individual utilities and software packages are commonly open to public scrutiny, as is Apple’s entire core OS of Darwin, the Mach/BSD hybrid that serves as the foundation for Mac OS X. Microsoft’s Windows kernel and its core OS foundation have not benefited from such independent review and examination on a similar scale.

Studying counts of 0-day patches issued and plotting the delivery dates of patches relative to the public disclosure of the flaws they address strains out the gnat and gulps down the camel in a brain dead effort to analyze irrelevant statistics that have only a tenuous association with real security.

Five Windows Flaws – 1: Windows’ Interactive Services

2. Microsoft’s operating system is entirely closed source. Relatively few third party researchers have inside access to see how it works, and therefore can’t as easily discover flaws before they are patched. The top half of Apple’s Mac OS X is also closed source, and Apple similarly releases patches for flaws nobody outside the company was aware of. The difference is that when Microsoft patches unknown flaws, the media hails it as proactive, while every time Apple releases a patch, tech pundits riffle through it, recounting the number of flaws that nobody knew existed, and then work to sensationalize this into the message that Apple’s software is riddled with problems. This is grossly hypocritical, yet occurs with clockwork precision every time Apple releases a security patch.

However, there is something even more grotesquely self serving and dishonest that Vulnerability Numerologists love to do. Flaws in Windows are always tallied up as bugs found exclusively in the Windows kernel, shell, and its core bundled utilities. Flaws in Internet Explorer, Microsoft’s server products such as Exchange email, IIS web services, and other software are nearly always excluded; each product has a significant list of flaws that grant it its own listing. However, for Mac OS X and Linux, Vulnerability Numerologists count all of the flaws reported for every open source package associated with the distribution, including the web browser, email and web servers, and all related libraries and packages.

One could reasonably argue that a flaw in Microsoft’s IIS wouldn’t affect desktop users, few of which would be using the service. However, these same “researchers” will gleefully tally up vulnerabilities found in PHP, Apache, Samba, and every other open source product bundled with Mac OS X (or Linux), regardless of whether such tools are likely to be in use, or even exposed to actual exploit. This is also grossly hypocritical and dishonest, yet characterizes every vulnerability diatribe.

The other side of the same coin is that security researchers, like CanSecWest contest winner Miller, can easily discover flaws in open source software, sit on them unreported, then dramatically employ them at events like CanSecWest to demonstrate being able to hack Mac OS X in minutes. Clearly, Miller knew what exploit he would use long before day two of the contest gave him sufficient machine access in order to use it.

The problem is, Miller’s intimate familiarity with the flaws in open source packages used by Mac OS X is not resulting in a real security problem for Macs in actual use outside of carefully planned security contests. Miller is focusing attention on the weaknesses of open source, but in reality, that openness is a strength. Apple can and does leverage the input of the community to incorporate security fixes for all of the packages it ships with Mac OS X. I’m sure Miller’s attack is directed at Apple, not open source, but his methods amount to a reviling of open source, and he acts as a black hat researcher in exploiting the openness of the community to dig up his ammunition.

Microsoft’s flaws in Windows are hidden, and while supposedly not as well known as the flaws in open software, they’re also not addressed by the same community mechanism that constantly hardens Mac OS X and other distributions of Unix and Linux. Many researchers argue that Apple should be quicker to incorporate updates to the open source packages it bundles with Mac OS X, and Apple’s slowness does expose some risk. However, the majority of expert users with a need for hardened security also have the option of obtaining and installing newer versions of those open source libraries and packages themselves; Windows users don’t.

Open source is a strength; fixating on 0-day statistics while comparing unrelated numbers of vulnerabilities across two different platforms is an effort in proving that the trees in a forest can’t be seen through the forest itself, when they obviously can to anyone not trying to prove otherwise.

Apple’s Open Source Assault
Microsoft’s Unwinnable War on Linux and Open Source

3. A third problem with the Swiss study relates directly to its “0-day” focus. Every open source package on Earth has both full transparency (its code is wide open for security experts to explore) and has documented notes on its revision progress. Apple bundles lots of these packages into Mac OS X. That makes it trivially easy for “security researchers” to tally up numbers of known and disclosed issues, and compare them to what Apple is shipping. Microsoft doesn’t include open source projects as part of a Windows distribution, so researchers have to do lots of actual work to discover problems in Windows and report them.

Despite Windows’ advantage of code secrecy and its resulting “security by obscurity,” there are still similar numbers of bugs found in Windows compared to Mac OS X and all of the open source libraries that ship with it. The study in question looked at “658 vulnerabilities affecting Microsoft products and 738 affecting Apple [and the open source projects Apple ships in Mac OS X].”

It should come as no surprise that flaws in the open software Apple uses are often publicly disclosed before Apple ships a patch, and that flaws in Windows’ closed code are less likely to go public before being patched. To clarify the timing of the discovery, reporting and patching of flaws, the study defined four points along the lifecycle of a vulnerability:

  • discovery time: when the flaw is first discovered (commonly internally for closed source code)
  • exploit time: when a virus or hacker tool of some sort is developed to exploit the flaw
  • disclosure time: when the discovery of the flaw is publicly announced
  • patch time: when the vendor solves the flaw with a workaround or patch

A 0-day patch would be one where the vendor releases a patch the same day as its disclosure. This is easier to do if only the vendor knows about the flaw’s discovery. Microsoft therefore has a huge advantage in issuing 0-day patches, because it patches flaws that are not exposed in open source. Apple’s use of open source presents many opportunities for third parties to discover a flaw and disclose it before Apple can deliver an official patch.

Also notable in the Swiss study is that it refused to acknowledge a patch supplied by a third party. That means its 0-day numbers are biased toward closed source, in that the vendor would likely discover its flaws first, and biased against open source, in that they do not consider third party patches supplied by the open source project itself, but only a patch officially distributed by Apple. On the other hand, the study defines a patch as any sort of workaround or instruction on how to avoid the flaw, whether or not that information is effectively communicated to users.

So if Microsoft publishes a Knowledge Base entry telling users not to perform a certain action that would result in exploitable vulnerability, it has “patched” a flaw. Conversely, if Apple bundles a version of an open source library that contains a flaw that can be patched by third parties (as was the case with the iPhone’s libtiff flaw, which was patched by the community before Apple addressed it), the flaw is still regarded as unpatched. But hold on, things get worse.

The Colors of Risk.
The Swiss study also defines three colors of risk describing periods of time before or after a vulnerability discovery or patch:

  • Black Risk: the time between discovery and disclosure, where the public is unaware of a known, exploitable problem
  • Grey Risk: the time between disclosure and patching, where the public is aware of a flaw but does not yet have a solution for it
  • White Risk: the time between patch availability and its installation, where the public has access to a patch but has not yet installed it

The study fixates entirely upon Grey Risk, which flatters Microsoft as a closed source vendor. However, the real problems affecting PC users involve Black Risk, where users are attacked through exploits they know nothing about, and White Risk, where patches exist but users don’t know to install them, or can’t be bothered to deal with poorly designed patching tools. Both problems are severe risks facing Windows users that the Swiss study pushed aside to entirely focus on the idea of how much time elapsed between the exploit going public (that is, not discovered, but rather publicly disclosed) and its being patched. This is ridiculous.
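An added illustration (Python, not code from the article or from the Swiss study) of the lifecycle points and risk colours just defined, using constructed sample dates rather than real vulnerabilities: it computes the 0-day patch rate under the study’s vendor-only rule and under the alternative argued above of also counting the open source project’s own fix, and it totals black risk against grey risk so the effect of looking only at grey is visible.

```python
"""Vulnerability lifecycle metrics (discovery, disclosure, patch, installation),
the black/grey/white risk windows and the 0-day patch rate. All sample dates
below are constructed for illustration; they are not real vulnerabilities."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Vulnerability:
    name: str
    discovered: date                        # discovery time
    disclosed: date                         # disclosure time (public announcement)
    vendor_patch: Optional[date] = None     # patch officially distributed by the OS vendor
    upstream_patch: Optional[date] = None   # fix published by the open source project itself
    installed: Optional[date] = None        # when the user actually applied a patch


def effective_patch(v: Vulnerability, count_upstream: bool) -> Optional[date]:
    """Earliest patch that counts. The study counted vendor patches only
    (count_upstream=False); count_upstream=True also accepts the upstream fix."""
    candidates = [v.vendor_patch]
    if count_upstream:
        candidates.append(v.upstream_patch)
    dates = [d for d in candidates if d is not None]
    return min(dates) if dates else None


def is_zero_day_patch(v: Vulnerability, count_upstream: bool = False) -> bool:
    """A 0-day patch is one available no later than the day of public disclosure."""
    patch = effective_patch(v, count_upstream)
    return patch is not None and patch <= v.disclosed


def zero_day_patch_rate(vulns, count_upstream: bool = False) -> float:
    """Fraction of vulnerabilities that received a 0-day patch."""
    return sum(is_zero_day_patch(v, count_upstream) for v in vulns) / len(vulns)


def risk_windows(v: Vulnerability, as_of: date, count_upstream: bool = False) -> dict:
    """Days spent in each colour of risk. Windows still open on `as_of`
    (no patch yet, or patch not yet installed) are measured up to that date."""
    patch = effective_patch(v, count_upstream)
    black = (v.disclosed - v.discovered).days          # known to someone, public unaware
    grey = ((patch or as_of) - v.disclosed).days       # public, but no fix counted yet
    white = ((v.installed or as_of) - patch).days if patch else 0  # fix exists, not installed
    return {"black": max(black, 0), "grey": max(grey, 0), "white": max(white, 0)}


def total_risk(vulns, as_of: date, count_upstream: bool = False) -> dict:
    """Sum of risk-window days per colour over a set of vulnerabilities."""
    totals = {"black": 0, "grey": 0, "white": 0}
    for v in vulns:
        for colour, days in risk_windows(v, as_of, count_upstream).items():
            totals[colour] += days
    return totals


# Constructed samples. CLOSED mimics a closed-source vendor that finds flaws
# internally and ships the fix on the day it discloses them; OPEN mimics a vendor
# bundling open source packages whose flaws are found, disclosed and fixed
# upstream in public, with the vendor's own update trailing by weeks.
CLOSED = [
    Vulnerability("closed-1", date(2008, 1, 10), date(2008, 3, 11), vendor_patch=date(2008, 3, 11)),
    Vulnerability("closed-2", date(2007, 12, 1), date(2008, 2, 12), vendor_patch=date(2008, 2, 12)),
    Vulnerability("closed-3", date(2008, 2, 1), date(2008, 2, 20), vendor_patch=date(2008, 3, 11)),
]
OPEN = [
    Vulnerability("open-1", date(2008, 1, 5), date(2008, 1, 5),
                  vendor_patch=date(2008, 2, 11), upstream_patch=date(2008, 1, 5)),
    Vulnerability("open-2", date(2008, 2, 1), date(2008, 2, 1),
                  vendor_patch=date(2008, 3, 18), upstream_patch=date(2008, 2, 2)),
    Vulnerability("open-3", date(2008, 3, 1), date(2008, 3, 1),
                  vendor_patch=date(2008, 3, 1), upstream_patch=date(2008, 3, 1)),
]
STUDY_END = date(2008, 3, 28)  # constructed end of observation window

if __name__ == "__main__":
    for label, vulns in (("closed", CLOSED), ("open", OPEN)):
        print(f"{label}: 0-day rate vendor-only = {zero_day_patch_rate(vulns):.2f}, "
              f"counting upstream = {zero_day_patch_rate(vulns, True):.2f}")
        print(f"{label}: risk days vendor-only = {total_risk(vulns, STUDY_END)}")
        print(f"{label}: risk days counting upstream = {total_risk(vulns, STUDY_END, True)}")
```

The vendor-only rule ranks the closed sample ahead on the 0-day rate even though it carries all of the black risk, and the open sample’s grey risk nearly vanishes once upstream fixes are counted.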

News Flash: Apple Better At Delivering Software Than Microsoft.
Also noted in the report, but suspiciously not in IDG’s coverage of it, was the fact that Apple has exceeded Microsoft in the number of security patches it has issued over the last six years, delivering 815 patches to Microsoft’s 678. That’s despite the fact that Microsoft serves more customers with greater security problems, more avenues for exploit, and infinitely more real world losses due to security issues. This also includes the patches Microsoft provides its “enterprise customers.” Microsoft has improved in the number of patches it offers, but Apple has made even faster progress, delivering nearly twice as many patches just last year alone.

Why was this detail omitted from IDG’s corporate media report? Because it didn’t flatter Microsoft. The Swiss report also noted the number of major operating system releases each vendor delivered, but for some reason, counted Microsoft’s Service Packs as a major release while only counting Apple’s retail reference releases as such. These numbers were presented relative to the idea that delivering a major software release consumed the vendor’s development resources, making it more difficult for them to supply security patches in a timely manner.

Undercounting Apple’s far more prolific ability to deliver significant new feature updates, despite having a far smaller engineering team, distorts the report’s findings in egregious ways. When actually counting the real number of significant updates each vendor has released since 2002, Apple comes in at 33 (not including 5 iPhone OS X updates) but Microsoft at 7. Note that this credits Windows Server service packs as a release, but does not count Mac OS X Server releases. When those are added in, Apple has delivered 66 major releases to Microsoft’s 7 over the six years of the study. That should play into the study’s 0-day reporting, but it unfortunately did not.

Patches: Apple vs Microsoft

So why did the Swiss team issue a sensationalized report suggesting proof to refute the reality that Mac users have zero viruses and no real malware problems, symptoms that would logically follow if Apple’s operating system were open to easy exploit?

Attacking Windows’ security would not be noteworthy. Suggesting that Apple is lying when it advertises that Macs have no viruses and that users are spared the problems of malware that are very real on the Windows platform is not only salable “news,” but plays right into the prejudices of an idiot public that wants to believe something other than the truth.

IDG wants to titillate its Windows Enthusiast readership by falsely discrediting Apple, and the Swiss team obliged by providing it a misleading report to support such a story. Both parties win notoriety at the expense of being entirely wrong and deceiving the public.

Ten Myths of Leopard: 10 Leopard is a Vista Knockoff!


How to Prove the Truth Is Wrong.
It is simply far too easy to refute the truth. Humans have a built in mechanism for collecting useful information that is completely vulnerable to liars. Propagandists have exploited this flaw since the dawn of time. Repeat a lie frequently enough, and it will become reality to the sheepish audience that listens to it uncritically.

As an example, compare the reality of Federal spending by US presidents by their party affiliation. According to the Republican right, Democrats “tax and spend,” working up deficits that impede growth and stifle economic productivity. This message has been repeatedly pounded into the public by right-leaning think tanks for decades. However, a look at the actual spending record of presidents over the last few decades proves this to be entirely false.

increases in the national debt

Why Windows Enthusiasts Refute the Truth.
Similarly, while there are many reasons for various parties to advance the idea that Macs are troubled by latent security problems that have made it “as bad as Windows” since at least 2003, including:

  • security researchers like Miller who are making a career from reporting sensational, yet inconsequential vulnerability findings,
  • security think tanks like the Swiss group, who desperately crave the attention that a sensationalized report will bring them,
  • columnists and pundits who make a name for themselves by refuting reality with carefully cited statistical fallacy, and
  • groups directly sponsored by Microsoft to report the idea that Windows is not the most irresponsibly security plagued software in the Universe,

the fact remains that Windows has and continues to suffer from serious security flaws. The security advancements that Microsoft has made in Windows Vista are significant, but have only served as a theoretical remedy for many users, who can’t even use Vista due to its hardware requirements, its architectural changes that have left enterprise customers with a “wait and see” perspective, its increased expense, increased license policing, and its performance problems, made only worse by the problematic release of SP1.

What Needs To Happen Around Here.
Rather than trying to overturn the simple truth that Microsoft chased short term profits throughout the 90s and subsequently delivered a poorly architected operating system with little regard for real world security issues, and then failed to see any need to fix things before finding itself paralyzed by the worst security epidemic the world has ever seen, security researchers should admit that Microsoft ushered in a lot of problems it would now like to pretend don’t exist, when they most certainly do.

Microsoft should spend its fortunes really solving the security problems of its Windows users at its own expense, rather than expecting them to pay an astronomical premium for Vista, software that largely only fixes issues that resulted from the company’s wild profiteering over the previous decade, and doesn’t really work all that well itself.

The corporate media should look past the enormous advertising revenue it receives from Microsoft in order to tell the truth and actually inform its readers, rather than serving to advertise the importance of declaring allegiance to Microsoft in every news story. But of course no one in the corporate media needs to listen to someone like me, who is so biased toward good technology and fair competition in the market that they can’t see much good at all in Microsoft’s criminal actions against its customers, partners, and the state of the art itself.

I really like to hear from readers. Comment in the Forum or email me with your ideas.



99 comments

1 BjK { 03.28.08 at 5:47 am }

Great article Dan,

Just one thing, your graph may illustrate that republican presidents spend, but it’s measuring debt, not budgets, tax rates, or federal income against GDP. Also, the graph doesn’t show that democrats don’t tax and spend. :)

And so begins a long line of useless/frustrating political commentary on the forum of an otherwise great weblog… Why? Why do you do this to us?

2 Jon T { 03.28.08 at 5:54 am }

The wonderful thing is that nothing in these reports will do anything to stop the rise and rise of OSX.

It will give some misinformation to Windows zealots who are all proven stupid already…

So, so what, I say.

3 axk { 03.28.08 at 8:03 am }

Umm, no. The libtiff bugs were found by Tavis Ormandy http://docs.info.apple.com/article.html?artnum=306993.

Typing “libtiff 0day” into google and downloading the el33t codez does not make you a hacker.

[Yes I corrected the name of the library. Thanks for the correction. - Dan]

4 John Muir { 03.28.08 at 9:16 am }
5 lmasanti { 03.28.08 at 9:19 am }

quote:
“why did the Mac get hacked first, and why was the attack so quick?”

It makes sense. The prize (other than the money) was an Apple Macbook Air… The other OS had Vaio and Fujitsu… Who will fight for them?
Motivation! Better prize, more enthusiasm!

6 acidscan { 03.28.08 at 9:48 am }

First I would like to tell you that your articles denote a great level of research and I read your page every time a new article is posted, you have VERY interesting material posted here, BUT…

I think sometimes in the fervor of your adoration for the mac you lose contact with reality (no offense).

Defending the fact that only because the mac is an unattractive medium for exploits to be developed is (I think) a good thing and you can rest assured that you are safe is a total error.

The web browser was the entry point for this exploit. This is the MAIN point of entry for any system at this moment (html emails use the same motor so web/mail is almost the same) and if you have a very secure castle with a door made of paper you don’t have a secure castle.

Keep the good work !!

7 Jeff { 03.28.08 at 10:48 am }

BjK >> Just one thing, your graph may illustrate that republican presidents spend, but…

Why ‘but?’ That’s the only thing the graph was supposed to show, and it showed it. That’s it. It worked.

Why the fear of useless/frustrating political commentary? You agreed that the graph did what it said it was going to do. What else is there to say?

8 Blad_Rnr { 03.28.08 at 11:05 am }

We can spin this anyway we want. But when you have to have someone open an email and then click on a link in the email…are you kidding? Why wasn’t the Mac hacked in the first day? Simple basic questions that never get answered.

The truth of the matter, as Daniel points out, is that Windows PCs are compromised every day, infested with spyware and become spybots for Eastern European syndicates (http://rixstep.com/1/1/20071014,00.shtml) that can take down the Internets of small countries, like Estonia, (http://www.wired.com/politics/security/magazine/15-09/ff_estonia) at will. If the average IT person can’t see these exploits and come to the conclusion that somehow Windows is a completely unsafe OS, we have bigger problems with the brain matter of people who work in the IT field.

This is not a Mac vs. PC argument. It’s a plea for safe and secure computers and making rational decisions about which OSes are going to provide that safe environment for users.

9 lightstab { 03.28.08 at 11:18 am }

Dan, I don’t have time to read the entire article right now, but what is the significance of the fact that they allowed Charlie Miller to hack the MacBook Air using a crossover cable, which gave him direct access from his MacBook?

I saw this story on Engadget and I sent them an e-mail telling them about their error and they corrected it. But it seems to me that this was an important part of the exploit that wasn’t mentioned.

After all, no one was able to hack the MacBook Air remotely on the first day and I doubt very much whether I’ll be allowing any hackers to connect directly to my Mac anytime soon, so this whole contest is starting to look like so much baloney to me.

10 lightstab { 03.28.08 at 11:34 am }

BTW, here’s a picture of Charlie Miller connected directly to the MacBook Air via crossover cable.

http://dvlabs.tippingpoint.com/blog/2008/03/27/day-two-of-cansecwest-pwn-to-own—we-have-our-first-official-winner-with-picture

And the rules clearly stated that the hack was to be done over crossover cable.

http://cansecwest.com/post/2008-03-20.21:33:00.CanSecWest_PWN2OWN_2008

11 slappy { 03.28.08 at 12:35 pm }

But from the articles on the net, all 3 machines were attacked at the same time on Thursday. The MacBook Air wasn’t singled out. According to vnunet.com.

http://www.vnu.co.uk/vnunet/news/2213035/mac-falls-two-minutes

“But Miller succeeded when the organisers allowed hackers to direct human operators of the three machines to visit websites and open emails.”

12 slappy { 03.28.08 at 12:47 pm }

I also found this. Seems pretty clear cut to me that Vista pretty much beat the pants out of our beloved Mac OS on this one.

http://www.infoworld.com/article/08/03/27/Gone-in-2-minutes-Mac-gets-hacked-first-in-contest_1.html

Shane Macaulay, who was Dai Zovi’s co-winner last year, spent much of Thursday trying to hack into the Fujitsu Vista laptop, at one point rushing back to his Vancouver area home to retrieve a file that he thought might help him hack into the system.

But it was all in vain.

13 nat { 03.28.08 at 12:47 pm }

lightstab,

I read that too. If they were hacking a MacBook Air using a crossover cable…that means the only way to hack the Air was by purchasing the separate $30 ethernet adapter! Not much of a hacker.

14 nat { 03.28.08 at 12:52 pm }

acidscan said:
“Defending the fact that only because the Mac is an unattractive medium for exploits to be developed is (I think) a good thing and you can rest assured that you are safe is a total error.”

No, Dan said that about the iPhone. He said the exact opposite about the Mac. Look under the heading “The Theory of Vulnerability.”

15 gus2000 { 03.28.08 at 1:18 pm }

I guess they should have included an ATM cash machine as part of the contest:

http://news.zdnet.com/2100-1009_22-6233030.html

“…the stability of Windows-based ATMs was worse than that of their OS/2-based predecessors, saying some ATMs suffered downtime of up to 30 percent.”

Security through unavailability? lol

Hey Dan, what’s with the Swiss having so many holes in their logic? I thought Switzerland was neutral?!?

16 John E { 03.28.08 at 1:40 pm }

what isn’t clear from any of the reports is in fact what the Air/Safari attack achieved. simply “retrieving a file” is not the same at all as taking control of a computer. for that one needs to install some form of application that controls more than Safari alone. or at least get access to a keychain for valuable password info. did they somehow bypass password requirements to do stuff?

and there was no info about how the Air was set up. was it running as a User with or without administrator status? (no experienced user casually surfs the web as an Administrator).

can Dan or someone explain these simple things to us non-techs?

17 dscottbuch { 03.28.08 at 1:48 pm }

From reading the InfoWorld article there isn’t enough information about the hack to really assess it. For example, if this hack was WebKit based and is for Safari 3.1 then this falls under Daniel’s comments about open source code and security.

1) Miller would then have found it because he could get to the source code – the potential downside of open-source security but…

2) Miller would then be simply irresponsible for not reporting this earlier when found allowing it to be fixed – the up-side of Open source security.

Of course his motivation is NOT to report these things immediately upon discovery because they then could be fixed before he could exploit them for his benefit.

But – we don’t know what it is and so can’t really assess how serious, or not, this is.

18 UrbanBard { 03.28.08 at 1:50 pm }

There are some serious problems with the chart you used to contend that the Republicans are the “Real Tax and Spenders.” The chart, on the surface, looks like Leftist propaganda. How you presented it is.

1. You provide no source whereby we can ascertain if the chart is accurate. It is too small to look at any of the details. In Economics or Politics, the devil is in the details.

Thus, nominal figures, alone, can be used by liars to confuse us. Who published this, George Soros? Ward Churchill? Jack Krugman? How good are their reputations for honesty, integrity and accuracy?

You expect us to swallow this chart without a quibble. Can you see that this unsupported argument harms your reputation for honesty, integrity and accuracy?

People in politics, on both sides, often lie for selfish reasons. Therefore, you need to prove your contentions, not merely throw them out to be accepted on faith, as you did.

The burden of proof is on the person making the argument; that is–you. In this assertion, you are no better, in politics, than the Anti Apple pundits are, in technology. Neither your methods, nor theirs, are honest.

2. Are these figures adjusted for inflation? Who knows? President Carter’s figures are suspect, because that was a time of high taxes, low federal tax receipts, high budget deficits, high price inflation, high unemployment and a bad economy. Stagflation was what it was called. But his national debt figures on the chart are low. Something is odd here. You expect us to be economically ignorant; some of us are not.

3. Some government expenses are necessary. War is, by definition, a necessary and traditional expense of government; social spending is not. Social Spending grew in the Carter and Clinton administrations.

Presidents Reagan, G.H.W. Bush and G.W. Bush all had war budgets where we can reasonably expect higher government expenditures.

Carter and Clinton declared a “Peace dividend” that damaged our national security. This had to be made up for in the following Republican administrations. Thus, mismanagement and the lack of necessary spending in a Democrat administration can lead to higher expenditures in a Republican one. So, a chart like this can mislead the gullible.

Nor are the figures referenced to GDP. Thus, we cannot tell whether the numbers are affordable by the economy or not.

4. Congress is the agency, defined by the Constitution, as responsible for budgets, the debt limits and thus, the national debt. Yet, you cast no blame on Big Spending Democrat Party Congresses, merely Presidents who had no direct control.

5. I have warned you before that your Bay Area, Socialist contentions are inappropriate for a technical webpage, such as this.

Your Socialist assertions do not illustrate or confirm your technical truths, but merely provoke political divisiveness. Worse, you do not even try to prove your opinions and defame anyone who questions their validity.

You expect your “peanut gallery” to handle any disputes. But they can’t win with me, because I know history, politics and Economics. They do not. Nor do you.

You blame me for being contentious and verbose, when you insist on talking through your Leftist hat. I agree with your technical assertions, but your politics are rubbish. Rubbish that you do not even try to prove.

19 Robb { 03.28.08 at 2:10 pm }

@BjK
Well, you called it. The biggest reply is to a chart used as an analogy.
@UrbanBard
Nice diatribe, you hit most of the talking points, but I’m going to have to give you a 9.1 score for failing to use the term “Godless” somewhere in your comments. :-D

20 John E { 03.28.08 at 2:17 pm }

i hate to rise to the bait, but Mr. Bard, to suggest that all wars are “necessary” and in particular that the current $1 Trillion war is anything but “discretionary” would be utterly, completely, and blatantly preposterous as a matter of fact (and human history).

21 johnnyapple { 03.28.08 at 2:25 pm }

A simple Google search turned up this page detailing national debt by President.
http://en.wikipedia.org/wiki/National_debt_by_U.S._presidential_terms

22 UrbanBard { 03.28.08 at 2:29 pm }

If politics is inappropriate in technical webpages, such as this, because their arguments cannot be proved, then I fail to see how religion would serve to convince Leftist disbelievers.

Yes, I know you were being facetious. You were implying that I had an all encompassing bigotry. You mistake my point: The purpose of an illustration, such as a chart, is to take what is unknown and explain it by comparing it to the known and similar. Daniel was comparing it to the unknown, dissimilar and propagandistic. I consider that inappropriate.

This is not about me. This is about Daniel exposing me unwillingly to Leftist propaganda. It would be fine if he would argue about his contentions, but he will not. He will not give his sources. Nor will he listen to any contrary evidence which disputes his arguments, because they do not come from Leftist Sources.

23 Jeff { 03.28.08 at 2:43 pm }

UrbanBard,

Dan’s ONLY point was this:
Republicans claim that they spend less than Democrats but there’s no evidence that this is true – people believe it just because they say it’s so.

That’s it. That’s the only point he made.

You’ve now written several hundred words without directly addressing that point at all. Do you disagree with it? Do you refute it? I don’t know. You somehow talked about many, many other things without talking about Dan’s actual point.

(The counter-point being, of course, proof that Democrats actually do spend more than Republicans, as a rule. Feel free to share proof of that if you have it.)

So why blame Dan for bringing politics into the blog when he only made one point and you’re the one raising dozens of un-related political issues? Seems like you’re the worse offender in that regard.

24 UrbanBard { 03.28.08 at 2:48 pm }

John E said:
“i hate to rise to the bait, but Mr. Bard, to suggest that all wars are “necessary” ”

I never made the case that all wars are necessary, but their expenses may necessarily follow.

I merely made the case, that if you have a war, even a “Cold War” such as in the Reagan era where the military was built up after President Carter’s neglect, there are likely to be higher expenditures which will be unfunded through taxes.

I leave it up to the historians, as to whether a war is necessary. It’s hard to tell, while you are in a war, due to anti-war propaganda. I suggest that you look up the “Copperheads” from the American Civil War. They made President Lincoln’s life miserable with their lies and deceptions.

I consider World War One to be an unnecessary war for America to be involved in. But, once an administration goes to war, it is inevitable that there will be war expenses, budget deficits and, most likely a higher national debt to finance them.

Can you catch the distinction?

25 duckie { 03.28.08 at 3:03 pm }

Guys, do not feed the troll. It only makes him uglier.

26 Dowap { 03.28.08 at 3:07 pm }

Woot! We have UrbanBard throwing out the term “Leftist propaganda”.

So is Apple leftist and Microsoft rightwing?

Dude, take a step away from the caffeine drink, take 5 deep breaths, and just skip the section that causes you to freak out like a meth addict looking for a fix.

27 pa { 03.28.08 at 3:11 pm }

“Who writes spyware aimed at attacking servers supervised by professional IT staff and protected by sophisticated firewalls?”

http://biz.yahoo.com/ap/080328/retail_data_breach.html

28 UrbanBard { 03.28.08 at 3:16 pm }

Yes, Johnny Apple, The point was that Daniel did not provide this information. Nor does he show where he got the chart. Why is it so wrong for me to ask for that information?

The information that you provided on Wikipedia contradicts Daniel’s Chart. At a 3.9% increase of the national debt, it is one of the smallest of the war eras.

I found the chart to be irrelevant. It did not prove his technical case, because the chart, itself, was not proven. The Chart is based on the idea that President Bush is a dictator who can control everything and thus, must take responsibility for it. This is anything but the truth. Congress controls the budgets and the national debt.

In Daniel’s technical writings, he is careful to show a trail of evidence for us to check on. He does not expect us to be an ignoramus. In his politics, he provides none of that rigor. Why should I not complain?

29 UrbanBard { 03.28.08 at 3:26 pm }

Please, duckie, do ignore me, since you have nothing relevant to say.

Dowap said:
“Woot! We have UrbanBard throwing out the term “Leftist propaganda”.

So is Apple leftist and Microsoft rightwing?”

No. I was making a distinction that you did not catch: that including that chart proved nothing. It was irrelevant to the discussion. It was only there as “soft” antiwar propaganda.

Do you like being preached to, unwillingly? I don’t.

“Dude, take a step away from the caffeine drink, …”

I assure you that I am calm and lucid. I merely made a logical case to refute Daniel’s emotional one. I merely asked him to provide links and to prove his position.

What I want him to do is stop being political on these webpages. It insults half his audience.

30 dscottbuch { 03.28.08 at 3:27 pm }

Jeff

If, as you claim, the only point being made was

“Republicans claim that they spend less than Democrats but there’s no evidence that this is true – people believe it just because they say it’s so.”

Then I presume you’re implying the chart was meant as a counter example to that claim?

The problem with the chart is that it does not show spending rates, only debt. Debt can increase, even with reduced spending, if there is an economic downturn which reduces income. Debt can decrease, even with increased spending, if there is an economic boom. The relationship between debt and spending is far more complex than implied by the chart proffered and the implied explanation.

Please note I am NOT arguing either side of this issue, my position is irrelevant.

The incidental inclusion of politics into this blog is, IMO, its major weakness, but it’s his blog and his call. The rest of the blog makes up for it.

In this case, unfortunately, the example shown (irrespective of the underlying truth, or not, of the statement being made) is a good example of using statistics incorrectly to support a given position.

31 Brau { 03.28.08 at 3:37 pm }

I read in an interview with the winner that he was waiting for the moment the rules would be relaxed to try out his exploit. This of course shows he was prepared well in advance of the competition. Two minutes is simply not enough time to randomly explore for vulnerabilities and then craft a way to gain control.

This is going to be a huge PR shot in the arm for MS and all their shills, despite real world security leaning heavily in favour of the Mac.

(I’m just another Mac user with over a decade of not needing any “security software” … and counting)

32 mmbossman { 03.28.08 at 3:40 pm }

UrbanBard, enough with the political crap. We get it, you have strong political opinions. I do too, but I read RDM for the technical analysis. If there happens to be a political statement I don’t agree with, I don’t immediately have an aneurysm and start posting short novels. Simmer down and please visit another forum when you feel the need to vent about political issues.

33 UrbanBard { 03.28.08 at 3:48 pm }

Jeff said:

“Dan’s ONLY point was this:
Republicans claim that they spend less than Democrats but there’s no evidence that this is true – people believe it just because they say it’s so.”

You mistake the Republican’s point: they wish to have smaller government, but Politics is the art of the possible. Sometimes, it is not possible to get what you want. Smaller government has not been achieved, because the Republicans have not had a filibuster proof Senate.

It took the Democrats sixty years to get us into this mess; it will not be corrected overnight.

What Daniel was doing was to imply hypocrisy on the Republican’s part: the difference between what they claim they wanted and what they have achieved. The assumption is that the Republicans could get anything they want.

That is not so. Why? Other people stand in the way. The Democrat Party stands in the way. The war stands in the way. The Electorate which wants to defend its “Special Interests” stands in the way.

“You’ve now written several hundred words without directly addressing that point at all. ”

I did. You weren’t listening. I explained all my points doubting that chart and why it was included.

“So why blame Dan for bringing politics into the blog when he only made one point ”

If he had made a technical point that was bogus, I would have addressed that. I rarely disagree with him on technology. Why? Because he makes sense there. But, not on his politics. Or his manners.

34 UrbanBard { 03.28.08 at 4:01 pm }

dscottbuch said:

“The incidental inclusion of politics into this blog is, IMO, its major weakness, but it his blog and his call. ”

I agree. But, Daniel’s politics are not without a cost. I am applying that cost, in an attempt, to dissuade him from farting his Leftist opinions in public.

mmbossman said:

“UrbanBard, enough with the political crap. ”

I agree completely. I wish Daniel would agree.

“I read RDM for the technical analysis. ”

So, do I. I never start the politics here.

“If there happens to be a political statement I don’t agree with, I don’t immediately have an aneurysm and start posting short novels.”

Nor do I. This is a reasoned analysis; my emotions are not involved. Perhaps, you have never heard of one. I am merely replying on the behalf of Daniel’s Conservative audience.

“Simmer down and please visit another forum to when you feel the need to vent about political issues.”

I am trying to persuade Daniel of that. So far he hasn’t taken the hint.

In your opinion, my political opinions should be suppressed?

35 mmbossman { 03.28.08 at 4:36 pm }

In my opinion, this is a technically based blog 95% of the time, and whether Daniel wants to talk about politics or penguins for the other 5% is up to him. And if he says something in that other 5% that you don’t agree with, I have no problem with you posting your disagreements. But spamming the board (you account for 7 of the past 16 posts) is both annoying and counterproductive, as people see you as a troll. Speak your piece in one or two posts and leave it at that. Try to respect the other people who visit RDM for the technology, and not the politics.

36 John Muir { 03.28.08 at 5:14 pm }

Once McCain is sworn in, maybe we’ll see some progress on the small government front. He’s the first Republican to get anywhere near the White House in years.

Now I’d better duck for cover! :D

By the way: I do agree with the “politics = RDM’s Achilles Heel” point. I’d also maybe add consoles. Dan is free to address whatever he likes – and often does so very well – but those two areas, well, it’s not just me…

37 John E { 03.28.08 at 5:27 pm }

can someone please just answer my question: how much control of the MacBook Air did the hacker really get? merely downloading a file from it means little.

38 Windinthedust { 03.28.08 at 5:55 pm }

Great article Dan, as always.

I started reading because I was impressed with the technical research, historical summaries, use of illustrations, and the candor that you employ.

It is rare today, in all media, to get this type of thorough and thoughtful writing.

Candor is a huge area, that many people miss out on…. however, the more a writer can use candor in his arguments, the more transparent it becomes, that his motives are to seek the truth of the subject. The writer then becomes, not just believable to his audience, but trusted.

It is clear that you have achieved this rare, trusted status, when it comes to speaking about technology.

Regarding politics and religion, it is clear from all of the posts, you have not yet reached “trusted” status. Therefore, you have to expect to be tested by the knowledgeable and defended by the ignorant… and vice versa, when it comes to these subjects.

However, by your use of candor, even here too, eventually, you will also receive trust & respect (and especially from those that disagree).

From reading UrbanBard & dscottbuch; it is clear they respect you, and they just want to help you keep that reputation when speaking off topic. There was nothing wrong with your use of the political chart… simply give it the same due diligence and thoughtfulness you give everything else (however, if you have to explain, prove, and back up an illustration, perhaps it’s not an appropriate one :-) ).

As you’ve reasoned on in previous articles, Mac users are not divided by political party… after all, you have both Al Gore & Rush Limbaugh that absolutely love and espouse technology that works. It would be reasonable to assume that your readers also come from diverse political backgrounds. Because of this, please, continue to speak about diverse issues… but remember your audience has the same freedoms that you do.

Keep up with the fine writing, and thanks for hosting this diverse site.

39 slappy { 03.28.08 at 6:08 pm }

The MBA wasn’t controlled. That’s not the purpose of the contest. It could have been anyway since he was able to gain access with the hack. No matter how you cut it, Mac OS X is much easier to attack than Vista. The guy just proved it and even stated it on Computerworld.

40 WebManWalking { 03.28.08 at 6:25 pm }

While reading this article, for some reason, the book How to Lie with Statistics kept coming to mind.

http://en.wikipedia.org/wiki/How_to_Lie_with_Statistics

41 His Shadow { 03.28.08 at 6:31 pm }

>You mistake the Republican’s point: they wish to have smaller government, but Politics is the art of the possible. Sometimes, it is not possible to get what you want. Smaller government has not been achieved, because the Republicans have not had a filibuster proof Senate.

Bullshit.

The Dept of Homeland Security blows any talk of “smaller government” out of the water. Did the Democrats twist Bush’s arm to make him establish a massive parallel bureaucracy to funnel even more pork cash around? Are warrantless wiretaps and abrogation of the Constitution signs of a political party that wants smaller government and less interference in citizens’ lives?

Face it. You drank the Republican Kool-Aid that the leadership won’t touch.

And nice try with all the economic mumbo jumbo. The simple fact of the matter is that the deficit is the deficit is the deficit. It’s an indication of the spending habits of the party in power. It’s that simple. How you can pretend that the party that oversees the most massive growth in the debt that has ever been seen can still be reconciled with the lie of “smaller government”… well it simply can’t.

42 mmbossman { 03.28.08 at 6:37 pm }

*Sigh*… and we were just starting to get back on topic. I’ll just stop reading the comments, I suppose.

43 Windinthedust { 03.28.08 at 6:39 pm }

It is interesting to note, that most people are of a particular religion or political affiliation, because they were born into it. The status quo is not questioned.

As an example, what religion would you be if you were born in Saudi Arabia and not SF? What political affiliation would you be if born in Texas?

Why is the ‘status quo’ not questioned? Maybe it’s the emotional attachments from family tradition & peer groups. Maybe it’s just apathy.

Whatever the case, most fear to have an honest dialog about these topics… “it’s personal”, yet these very topics so un-personally and profoundly affect the world.

To make a comparison to technology now… it is interesting that many people that use PCs and Windows do so because they were ‘born’ doing so. In other words, it was the only choice, the unquestioned status quo. Technology has become personal to them, and often driven by their peer group. I am not saying this is right or wrong… but Daniel does us a service by injecting fact and reason into these often emotional topics.

44 John Muir { 03.28.08 at 6:49 pm }

@Windinthedust

Correct!

I was a Windows user because the “whole world was too” for years, having scarcely ever encountered an old-school Macintosh. Though whenever I did they worked eerily well…

Meanwhile, born into a social democrat culture I’ve always been instinctively irritated by it and discover that my apparent right-wing extremism in Scottish terms is actually just good old moderate politics in America.

It’s strange what you discover the moment you broaden your horizons. The internet is the biggest step we’ve taken with that as a planet since the printing press.

45 WebManWalking { 03.28.08 at 7:09 pm }

For example, Daniel’s comments about the Gray Risk focus of the Swiss study reminds me of Chapter 1 of How to Lie with Statistics: The Sample with the Built-in Bias.

I wonder what the average IQ of people who rant about politics would be compared to the average IQ of people who talk about fair statistical analysis of computers?

46 Windinthedust { 03.28.08 at 7:39 pm }

Dan, I just thought of an alternative illustration to the political spending chart…

It is a proven economic fact that cutting taxes spurs business growth, expansion, & job creation whereas raising taxes has the opposite effect. All will agree with that statement.

Here’s the sticker: Many think that raising taxes increases revenue to the government… when actually the opposite is true.

Reasoning on this: Lowering taxes means expanded businesses. More business means more jobs. More jobs and profitable businesses mean that the government actually takes in more by cutting taxes than by raising taxes.

This is because the taxable market is larger at the lower rate than it is at the higher rate. Also in effect here is honesty. People will be less likely to cheat on reasonable tax rates than they will on unreasonable ones.

This is universal… in the music & video industry, the best anti-piracy policy is reasonable prices & easy availability (like iTunes, Amazon, and eMusic).

On sales, low profit margins are made up by high volume whereas low volume products need high margins… of course, finding the “sweet spot” is always the hard part.

The iPhone is an example of this… lowering prices spurs sales, and Apple actually makes more money on a higher volume product, even though it is selling at a lower cost. Of course, Apple can’t go too low, otherwise it would hurt profits… but it also can’t go too high…. this too will hurt profits by stifling sales.

While pundits debate the math of cutting versus raising taxes, all they have to do is look at history to see the results when it has been tried.

http://www.economicsuk.com/blog/000159.html

47 beanie { 03.28.08 at 7:42 pm }

The Sony Vaio has Ubuntu 7.1. You wrote it like it also contained Vista. So this was a contest between Vista, MacOSX, and Ubuntu.

Microsoft being a sponsor does not make a difference. Attendees chose the platform they wanted to hack. So Windows experts probably chose to hack Vista. The winner Charlie Miller is a Mac user.

48 John Muir { 03.28.08 at 7:46 pm }

You mean the…
http://en.wikipedia.org/wiki/Laffer_curve

I’m all for the general link between low tax and thriving business, the problem however seems to be in boiling things down to be quite that simple. Just look at the stock markets to see how chaotic and (as with AAPL lately) downright counterintuitive trends can be in anything but the long term. If everything worked like Laffer’s curve, we’d be sitting on the optimum tax rates and even oil price just like the rocks gather themselves together to form Saturn’s rings.

The human element is where things get interesting. And crazy. Welcome to the world.

49 slappy { 03.28.08 at 7:47 pm }

@beanie

Even more incredulous for Mac OS X. The Windows experts could not even hack Vista even with many known exploits at hand. Last I checked, it is still not compromised. Mac on the other hand already lost.

Including its credibility as a secure platform it seems.

50 dscottbuch { 03.28.08 at 7:55 pm }

Someone over at Appleinsider forums posted the following…

“Well, apparently the exploit was achieved by clicking on a URL which opened a port number on the Mac, which in turn allowed them to telnet to the machine.”

This was without a link. Anyone know if this is true? If so, it’s not much of a concern as

1) This would be defeated by a NAT
2) You have to turn on remote login, which is not on by default (which I believe is ssh in any case but that’s just a different port)
3) you need a logon, specifically an admin logon.

51 UrbanBard { 03.28.08 at 7:55 pm }

mmbossman said,

“I have no problem with you posting your disagreements. But spamming the board (you account for 7 of the past 16 posts) is both annoying and counterproductive, as people see you as a troll. ”

All I am doing is replying to comments. Should I not reply to false arguments?

Second, what I see here is an attempt to censor me by mobbing me. The people here imply that I have no right to post.

None of you have addressed the issue– Daniel’s propaganda. In fact, you blame me, not Daniel for starting this.

If no one tried to attack my contentions, there would be no problem– no posts from me.

Welcome John Muir. Are you sure that you want in this hornets’ nest?

I wasn’t a McCain man. I liked Thompson better, but anyone is better for the country than a Democrat.

His Shadow said:

“The Dept of Homeland Security blows any talk of “smaller government” out of the water. Did the Democrats twist Bush’s arm to make him establish a massive parallel bureaucracy to funnel even more pork cash around? ”

Yes. The Democrats had to be paid off to keep from sabotaging the war effort. Do you remember Senator Harry Reid’s mantra about unionizing the TSA, “You don’t professionalize, unless you federalize.” What a fiasco.

“Are warrantless wiretaps and aborgation of the Constitution signs of a political party that wants smaller government and less interference in citizen’s lives?”

Yes. According to the six ex-FISA judges testifying before congressional hearings, those are either Presidential powers granted by Article II of the US Constitution or by the war powers act passed by congress after 9/11.

I drink no Kool-Aid here.

“And nice try with all the economic mumbo jumbo. The simple fact of the matter is that the deficit is the deficit is the deficit. It’s an indication of the spending habits of the party in power. It’s that simple. ”

It’s not so simple, Congressional rules make it difficult to cut taxes and easy to increase them.

Take a look at the Midnight earmarks which are not voted upon on the senate floor. Are they legal? They are presumed so, if Bush signs the Act containing them without a signing document to explain how he will enforce them. Of course, the Democrats oppose Bush even issuing signing documents. But, other Presidents have used them.

“How you can pretend that the party that oversees the most massive growth in the debt that has ever been seen can still be reconciled with the lie of “smaller governemnt”… well it simply can’t.”

It’s simple: we have a war to fight. Wars are expensive. The Democrats would love for America to lose this war. They have to be bought off.

windinthedust said:

“It is interesting to note, that most people are of a particular religion or political affiliation, because they were born into it. The status quo is not questioned. ”

Not so, in my case, on all counts. I was a working man all my life– an engineer. My father was a welder; a life long Democrat, as I was. I went into the service and served in the Philippines and Vietnam.

I came back, went to College and earned an Electrical Engineering degree on the GI bill. It wasn’t until I had saved a few dollars and wanted to invest them wisely that I started looking into Economics, Politics and investing.

President Carter’s stagflation persuaded me that Keynesian economics was nuts, as did President Nixon’s wage and price controls. Those started me on a path away from the Democrat Party in 1976. But I never registered Republican until 2002.

“To make a comparison to technology now… it is interesting that many people that use PC’s and windows, do so, because they were ‘born’ doing so. In other words, it was the only the choice, the unquestioned status quo. Technology has become personal to them, and often driven by their peer group. ”

Some people are risk takers, many people are not. Taking risks is often unsettling, uncomfortable and painful. It also depends on how high a pain ratio you have. Windows was always painful for me to use.

It was painful for me to learn how to think, but I recommend it to you.

“Daniel does us a service by injecting fact and reason into these often emotional topics.”

I agree about that when he refrains from injecting Leftist politics into these discussions.

Jeff said:
“That’s the only thing the graph was supposed to show, and it showed it. That’s it. It worked.”

That’s the problem with specious logic. It seems plausible. Or it merely confirms your prejudices. We must not confuse it with truth, though.

What I asked from Daniel was the source for the chart, so I could check out whether it was accurate. I then speculated why it might not be. You people jumped on me with both feet.

52 John Muir { 03.28.08 at 8:08 pm }

@ UrbanBard

I think McCain has every chance right now because of one Hillary Rodham Clinton. When Howard Dean drew up the Democratic primary process, he made a horrendous nightmare if and when two equal candidates ran its gauntlet. As fate would have it this is precisely what happened on its first go. McCain won handily on the other side because of a better designed process. And so long as Hillary is still in the race – which will be right into the convention at the end of August – McCain’s position is advanced. Hillary’s people are punching well below the belt already. Obama has the skill to see it off so far, but can he keep it up for five more hysterical months?

I’m no Republican. Neither am I a Democrat. But I am thankful that there is at least one safe pair of hands to pick up the mess.

53 slappy { 03.28.08 at 8:13 pm }

@dscottbuch

Where is the URL on that story?

54 dscottbuch { 03.28.08 at 8:38 pm }

I just found it

http://www.channelregister.co.uk/2008/03/28/mac_hack/

If true as written then this is really a non-issue as previously stated.

55 slappy { 03.28.08 at 8:51 pm }

@dscottbuch

I still don’t see that mentioned on the article link you posted.

“Well, apparently the exploit was achieved by clicking on a URL which opened a port number on the Mac, which in turn allowed them the telnet to the machine.”

56 UrbanBard { 03.28.08 at 9:09 pm }

Thank you, windinthedust,

“There was nothing wrong with your use of the political chart… simply give it the same due diligence and thoughtfulness you give everything else (however, if you have to explain, prove, and back up an illustration, perhaps it’s not an appropriate one :-) ).”

You state my case perfectly. This is a matter of intellectual rigor. I wish Daniel would either defend his position or refrain from shooting off his mouth. The chart added nothing to his technical discussion.

Hello again, John Muir.

Jesus, windinthedust,

You continue to amaze me.

“It is a proven economic fact that cutting taxes spurs business growth, expansion and job creation whereas raising taxes has the opposite effect. All will agree with that statement.”

Many Democrats will agree with that statement when applying it to cigarette taxes–sin taxes, but not to taxing the rich. Why? Because they want to destroy the rich, not cigarettes. “The power to tax is the power to destroy,” said Justice Blackburn.

“Here’s the sticker: Many think that raising taxes increase revenue to the government… when actually the opposite is true.”

This depends on where we are on the Laffer Curve. We know that we are in the “overtaxed area” where any tax cut increases revenues into the IRS. This happened with the “Bush Tax Cuts” in 2002. The Democrats want to end them in 2010, so we can expect a major recession then.

Hi John Muir, who said:

“Just look at the stock markets to see how chaotic and (as with AAPL lately) downright counterintuitive trends can be in anything but the long term. If everything worked like Laffer’s curve, we’d be sitting on the optimum tax rates and even oil price just like the rocks gather themselves together to form Saturn’s rings.”

The issue here is conflicting governmental policies which confuse the indicators. The Fractional Reserve Banking System and the American Federal Reserve Board are partially responsible, because when the FED artificially decreases the interest rates by increasing the money supply, this will, in a number of years, cause a recession to wash out the “easy money.” A recession is “in the offing,” but no one knows when.

Greenspan had been using a mechanism which tried to compensate for the credit expansion. It seemed to work well, but FED Chairman Bernanke abandoned that a year ago. There seems to be some sign that the FED is trying to return to that policy. Is it too late?

There is a dispute among economists over whether we just have a “housing bubble” caused by government-caused easy lending policies to avoid the accusation of “red lining” or if there is a general problem with the economy. This could be a media scare; they have been talking down the economy for six years. We are still experiencing economic growth though, so we’ll have to wait to see.

Hi John Muir,

I think the Democrats are in serious difficulty if either Hillary Clinton or Barack Obama wins the nomination. But with the election eight months away, it is too soon to call.

This race has boggled my mind, so far. I keep wondering what train wreck lies ahead.

The Iranians and the Sadr brigade are heating up the war in Iraq again. But, I think it is jumping the gun to aid the Democrats now. Three months later would be more effective.

The terrorists are, reportedly, running out of suicidal young men. That is why the terrorists recently used two Down’s syndrome women to explode bombs in an Iraqi crowd.

57 dscottbuch { 03.28.08 at 9:12 pm }

@slappy

direct quote – second and third sentence of first paragraph.

“The exploit involved getting an end user to click on a link, which opened up a port that he was then able to telnet into. Once connected, he was able to remotely run code of his choosing. ”

To actually do this:

1) telnet daemon would have to be enabled – very unusual for OS X
2) he would need a logon, or to execute ‘any’ code an admin logon

58 slappy { 03.28.08 at 9:14 pm }

Oh I see. I was looking at the comments to find a appleinsider link or reference. Hmmm thanks for that little tidbit.

59 WebManWalking { 03.28.08 at 10:27 pm }

It’s conceivable that the libtiff bug and a carefully crafted TIFF image could allow the execution of a sudo that installs a telnet daemon, creates a new admin account for the assailant, etc. But it seems to me that Mac OS X would require authentication on the sudo.

There’s more to this than they’re telling us. I guess that’s good.

60 dscottbuch { 03.28.08 at 10:38 pm }

I would think that installing a new user, let alone a new admin user, would require an already present, long-standing hole that allowed the sudo to execute. That hole would be bigger news than the exploit being reported, so that would be a HUGE stretch IMO. Once again it seems that the PR value of ‘an OS X bug’ outweighs transparent disclosure of the process.

61 WebManWalking { 03.28.08 at 10:48 pm }

Well, you don’t need sudo to install a socket listener on a high port number. So the main question is, even with an open port, how does a user telnet into a machine without an account on that machine?

62 WebManWalking { 03.28.08 at 10:51 pm }

Are they giving away laptops for logging in as ‘guest’?

63 dscottbuch { 03.28.08 at 11:15 pm }

@WebManWalking

“Well, you don’t need sudo to install a socket listener on a high port number. So the main question is, even with an open port, how does a user telnet into a machine without an account on that machine?”

Well, I don’t think guest is on for login from telnet or ssh by default in any case, and even then I don’t think guest could install the listener.

64 WebManWalking { 03.29.08 at 12:33 am }

Telnet and ssh don’t have their own logins. They require the user to enter a Unix login. I wasn’t at my Mac when I facetiously suggested ‘guest’. On my Tiger machine (now), you go to Applications > Utilities > NetInfo Manager > users. Wow, look at all the Unix logins. But ‘guest’ isn’t among them.

The installation of the telnet daemon would happen as the user of the browser, so that’s no mystery. I’m still puzzling over how Miller got a username and password to log in over telnet, however.
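The scenario the last few comments describe, a page exploit binding a listener as the browser’s own user with no sudo involved, has a simple defender’s-side check: look for browser processes that own a listening TCP socket. The script below is an added example, not code from the original post or the contest; it parses lines in the layout of `lsof -nP -iTCP -sTCP:LISTEN` (the sample lines here are constructed, not a real capture) and the list of browser process names is an assumption to extend for your own fleet.

```python
"""Flag listening TCP sockets owned by browser processes.

Added example (not from the original post or the contest write-up).
Input is text in the layout of `lsof -nP -iTCP -sTCP:LISTEN`:
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
A browser should never own a LISTEN socket; a page exploit that does so
runs as the browser's user, so no privilege escalation is needed and the
listener is what a defender can actually observe.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample output, not a real capture. Only the LISTEN lines matter;
# the ESTABLISHED line shows that ordinary outbound browser traffic is ignored.
SAMPLE_LSOF = """\
COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd      1   root   12u  IPv4 0x1a2b      0t0  TCP *:22 (LISTEN)
cupsd       83   root    8u  IPv4 0x1a2c      0t0  TCP 127.0.0.1:631 (LISTEN)
Safari     512  alice   20u  IPv4 0x1a2f      0t0  TCP 192.168.1.5:49152->10.0.0.1:80 (ESTABLISHED)
Safari     512  alice   33u  IPv4 0x1a2d      0t0  TCP *:31337 (LISTEN)
firefox    640  alice   41u  IPv6 0x1a2e      0t0  TCP [::1]:6000 (LISTEN)
"""

# Assumed list of browser process names for this example; extend for your fleet.
BROWSERS = frozenset({"safari", "firefox", "chrome", "webkit", "camino", "opera"})
# Bind addresses that mean "every interface": reachable from the network.
WILDCARDS = frozenset({"*", "0.0.0.0", "[::]"})

# NAME column: "<host>:<port> (<STATE>)"; host may be "*", IPv4, or "[v6]".
_NAME_RE = re.compile(r"^(?P<host>.+):(?P<port>\d+)\s+\((?P<state>[A-Z_]+)\)$")


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    user: str
    host: str   # bind address exactly as lsof prints it
    port: int


@dataclass(frozen=True)
class Finding:
    listener: Listener
    severity: str   # "high" = reachable from the network, "medium" = loopback only
    reason: str


def parse_lsof(text: str) -> List[Listener]:
    """Return the LISTEN sockets from lsof-style text; header and other states are skipped."""
    listeners: List[Listener] = []
    for line in text.splitlines():
        # NAME is the 9th column and contains a space before "(STATE)", so cap the split.
        fields = line.split(None, 8)
        if len(fields) < 9 or fields[0] == "COMMAND":
            continue
        command, pid, user, _fd, _type, _device, _size, node, name = fields
        if node != "TCP":
            continue
        match = _NAME_RE.match(name)
        if not match or match.group("state") != "LISTEN":
            continue
        listeners.append(Listener(command, int(pid), user,
                                  match.group("host"), int(match.group("port"))))
    return listeners


def find_suspicious(listeners: Iterable[Listener],
                    browsers: frozenset = BROWSERS) -> List[Finding]:
    """Flag every listener owned by a browser; network-reachable binds rank highest."""
    findings: List[Finding] = []
    for lst in listeners:
        if lst.command.lower() not in browsers:
            continue
        if lst.host in WILDCARDS:
            severity = "high"
            where = f"all interfaces, port {lst.port}"
        else:
            severity = "medium"
            where = f"{lst.host}:{lst.port}"
        findings.append(Finding(lst, severity,
                                f"{lst.command} (pid {lst.pid}, user {lst.user}) is listening on {where}"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_lsof(SAMPLE_LSOF)):
        print(f"[{finding.severity}] {finding.reason}")
```

On a live machine, feed it `lsof -nP -iTCP -sTCP:LISTEN` output instead of the constructed sample; any hit is worth investigating, and a "high" hit means the port is reachable from the network.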

65 Tod { 03.29.08 at 2:23 am }

@Daniel: Wonderfully written piece. Well researched and presented. I worked in CH with half a dozen of other non-CH Europeans and the secret motto was “The Swiss Love to Lie.” Apparently it’s because they want to bring further credence to the world-wide belief that the Swiss can do no wrong and are very neutral in all their dealings with the outside world.

Daniel, is there some way that we readers can do the equivalent of “kill-filing” the trolls who waste bandwidth going off on their totally off-topic tangents? I hate to be reading interesting comments (from both sides) only to be interrupted by a squalling child trying to score political points. When my kids interrupt, I take care of the problem and we adults continue with our conversation.

66 Tod { 03.29.08 at 2:24 am }

Edit “wast” to be “waste.”

67 slayerjr { 03.29.08 at 2:56 am }

Dan, you have to stop being an apologist for Apple because all you are doing is hurting the platform. Fact of the matter is, OS X was hacked. How, why or what method was used is unimportant. I’ve said this before on a similar topic here, that astute professionals are worried about the way Apple handles its security and rightly so.

You’ve worked hard at making yourself an authority on Apple and you are now in a position to make the fanboys sit up and listen and guide them towards understanding that while their platform has the potential to be great, they must be vigilant and force Apple to do a better job at making it so and keeping it that way. Fanboys should be asking the hard questions and demanding the very perfection Apple claims to put forward. Instead you lead them down the garden path with claims that everything is AOK.

Discounting the claims of techie journos is a no-brainer. If they knew their chops they wouldn’t be where they are today. It is much harder to be critical of oneself and the choices you make in defending your ground, but that is exactly where you and the fanboys are failing. As a result the platform and the company you are so fond of are suffering. You really ought to demand more from Apple. Praise the company when it is appropriate and shame them when they fail. Forget Microsoft and its cronies; focus on demanding that when the next round of exploits for cash rolls around there is nothing to be found and security experts nod in approval that OS X is everything that an operating system should be. Until that happens nothing you write about security is worth a damn. Security is and should be black & white; anything in between is an optical illusion, just like the current state of Mac OS X.

68 Player_16 { 03.29.08 at 3:42 am }

You have a plan to break into a jewelry shop. You’re going to steal watches. Choice of 3 types of watches and if caught, could land you 7 years! The watches: Casio, Timex, Rolex. Chances are, you’re going to make it worth your while. Sure the first 2 have all sorts of functions (I don’t need to tell you). The Rolex does not do much in the way of functions but is metal, a self winder and a looker – serious bling! You break in and you’re caught with Casios and/or Timexes? I don’t think so!!

69 materro { 03.29.08 at 4:02 am }

Really Daniel, I’m quite disappointed that you’re discounting the events of CanSecWest. You’re inventing a reason that the MBA got hacked first, and it was for political reasons. But bear in mind that two other computers loaded with Vista and Ubuntu were being worked on (none of the three were hacked the first day). Also remember that there was a prize of $10000 and the laptop that was hacked. Given that the stakes were so high, do you really think the competitors would have gone after such a rock solid operating system? I know I would have gone after Vista, since I would assume that to be the easiest target to break.

But Vista wasn’t the first to be hacked, even after the rules were relaxed. And pointing out that Miller used a previously prepared attack is irrelevant; all the people competing did, as well. It shouldn’t come as any surprise that a successfully hacked machine would fall so quickly; all the serious competitors worked on code before CanSecWest.

I’m really disappointed by this article, because the fact stands that the MBA was hacked first, and no matter what “political” reasons justify it, it was hacked first. Additionally, I believe that your logic is flawed in claiming that the way the Mac was hacked first was due to insecure open source packages. Windows definitely has a lot more vulnerabilities than OS X. And a lot of them are unreported. It’s not much of a stretch to imagine that there are more unreported Windows flaws a researcher might know than available exploits in OS X’s open source components.

I also think it’s disingenuous to attack CanSecWest as a Microsoft enterprise; Cisco, Adobe, and Google all sponsored the event, as well.

70 John E { 03.29.08 at 4:05 am }

(a) Bard: forget you.

(b) the hack. Nobody really knows what the fuck they did or did not do.

71 beanie { 03.29.08 at 4:09 am }

Someone won the Vista machine on day three when popular applications were installed. Someone found a 0-day Flash hack.

http://dvlabs.tippingpoint.com/blog/2008/03/28/pwn-to-own-final-day-and-wrap-up

So MacOSX fell on day two when the “default” OS was the target and Vista fell on day three when “popular” applications were installed.

72 Jon T { 03.29.08 at 6:54 am }

This thread demonstrates why you need to keep politics OFF the RDM website Daniel!!

I, like most people I imagine, come here to be informed and entertained about IT, not socialism etc…

73 duckie { 03.29.08 at 7:40 am }

@slayerjr
I’m afraid you are labouring under a misconception. Security is the complete opposite of black and white. Just as there is no such thing as 100% perfect software code (and the two are not entirely unrelated) security is the business of mitigating risk, not completely eliminating it. I can still remember when Windows NT passed an important security benchmark of the time (allowing marketing drones to trumpet its security credentials), but closer examination revealed that it only did so by being tested without connection to a network of any sort. While this still makes me chuckle, it illustrates the point that a balance always has to be struck between usability and security. The most secure system is one that is connected to nothing, locked in a concrete bunker underground. This isn’t terribly useful.

Software, and OSX is no exception, will always have vulnerabilities, which is why this hacking competition is meaningless, and “demanding perfection from Apple” is unrealistic. Software is imperfect. The important thing, which is what Daniel is always trying to underline, is how those vulnerabilities are dealt with, and how many real world exploits are out there ensnaring users on a daily basis.

74 John Muir { 03.29.08 at 8:29 am }

@duckie

Quite right. The reports so far out of this hacking contest are too obfuscated to draw the sorts of conclusions that – by nature – the tech press are running wild with. That’s a failure in the design of the contest.

@slayerjr

You too, however, have a point. If anyone’s in a good position to criticise Apple when it really is falling short, Daniel’s the man. I think he’d do the site and his reputation well by broadening a bit and making the very prototype of well reasoned and wholly factual critique that the tech press are so unable to fulfil, every once in a while.

We all exist in a tech world dominated by anti-Apple stories, but that doesn’t necessarily mean we have to line up to man the barricade at every possible occasion. Indeed, the battle seems to have been turning for years now and it’s the MS shills who are in panic. It could be time to adapt to a new environment over here as well as over there.

75 MikieV { 03.29.08 at 11:15 am }

What a bunch of crap in the press…

1. “Macbook Air was hacked in 2-minutes…”

But the hardware wasn’t “hacked”, the OS was “hacked” via the default browser.

How many ignorant people are now thinking there is something -specific- to the Macbook Air which allowed it to be “hacked” so quickly??

And not just the mac-bashers who can now gloat that “Apple’s newest computer” has been hacked… but the mac-users who may not realize that using Safari can leave them vulnerable, even if they are not using a Macbook Air…

2. I saw a headline that read “Vista, Macbook, Linux…”

Why is that?

Why not Vista, OSX, Ubuntu? Isn’t that a more accurate portrayal of what was being tested?

Why not “Fuji, Apple, Sony”? Or “Lifebook, Macbook, Vaio”?

Oh, that’s right, it’s not about the hardware, is it… :(

3. “None were hacked in the first day…”

Did anyone even try?

One team, trying to “hack” -one- of the OSes??

That was the point of having laptops as the target, wasn’t it???

To see if there was any vulnerability to using a laptop out in public, on ubiquitous WiFi networks??

4. “They used a cross-over cable…”

Read the rules:
http://dvlabs.tippingpoint.com/blog/2008/03/19/cansecwest-pwn-to-own-2008

“To claim a laptop as your own, you will need to read the contents of a designated file on each system through exploitation of a 0day code execution vulnerability (ie: no directory traversal style bugs). Each laptop will only have a direct wired connection (exposed through a crossover cable) and only one person may attack each system at a time so that each team’s exploit remains private. ”

5. “Miller was able to execute his own code…”

Per the rules, above, all he had to do to win was read a file…

76 MikieV { 03.29.08 at 11:29 am }

@JohnMuir

“The reports so far out of this hacking contest are too obfuscated to draw the sorts of conclusions that – by nature – the tech press are running wild with. That’s a failure in the design of the contest.”

I disagree.

The contest only allows “0-day” exploits to be used, and then keeps any successful exploits hush-hush until the vendor can issue a patch.

I think it is a great way to give more people the incentive to look for flaws in our systems – WITHOUT -the irresponsible release of details to the public, so the “script kiddies” can run amok with an exploit which would be, in effect, handed to them on a silver platter…

The “failure” is -not- in how the contest is run, but how the results are sensationalized by various groups – and some of the tech press – for their own purposes.

77 bhuot { 03.29.08 at 12:41 pm }

“Reasoning on this: Lowering taxes means expanded businesses. More business means more jobs. More jobs and profitable businesses means that the government actually takes in more by cutting taxes, then raising taxes.” The taxes are only lowered on the businesses – where Enron at its height only paid $10 in taxes. That is why there is no money for schools. Look how the big national lender was bailed out for $30 Billion but the homeowners were given nothing or how the airlines were bailed out after 9/11. The truth is corporations want just as much intervention/money as poor people do, they are just less deserving. History has not proven that corporations hire more people especially American citizens when they get more money. Hiring more people does not automatically follow with expanding business. The big cost is labor, so the company will always cut labor as much as possible.

78 Apple { 03.29.08 at 1:19 pm }

[...] | #4 Regarding, among other things, the information above, I recommend reading the article: CanSecWest and Swiss Federal Institute of Tech Deliver Attacks on the Reality of Mac Security — Computer: iMac Core 2 Duo 20", iBook G3 Phone: N6300 Website: [...]

79 danieleran { 03.29.08 at 1:32 pm }

@slayerjr : you can call me names, but doing so reduces you to the level of TWIT podcasters who dismiss what I write rather than honestly examine it. Every time I point out some truth that is being ignored, you don’t have to bang your fists on the table and call me a fanboy. It’s getting tiresome.

The details emerging from CanSecWest fill out a story that is bigger than simple “Macs shot first” headlines convey. This was not a contest where three systems were placed in an equal foot race and the Mac simply lost due to being a slower runner.

Various tech crackers with different backgrounds, motivations, and levels of expertise worked to find exploits in the three systems. Things to remember:

1. – Exploits discovered for the Mac have little other value outside of these contests. Nobody would buy the exploit Charlie Miller found, because there is no market for it. In the Windows world, there is a thriving market for selling exploits (discovered, not disclosed AND 0-day disclosed, not patched) because spammers/botneters and identity thieves need them to stay in business. There is no malware underworld servicing the Mac.

2. – The Mac exploit was something Miller had in hand when he arrived. There was nothing else he could use it for other than winning the contest. If it were a remote exploit, he could have made $20k rather than $10k. He knew exactly what it was worth and what it could do.

3. – Another report http://news.yahoo.com/s/pcworld/20080329/tc_pcworld/143962 noted that the researcher who cracked the Vista machine was stymied by the fact that he didn’t expect it to have SP1 installed. So Miller was prepared better. That’s a positive reflection on Miller more than a negative reflection on Mac OS X.

4. – Miller reported hacking something related to Safari, but the details haven’t been revealed. Whether this was a real world vulnerability in Apple’s code, a copy-and-paste attack on a FOSS library as Miller’s PCREL exploit was (or the libtiff exploit found by another researcher after PCREL was patched), OR a contrived test that had opened up telnet and gave the researchers an account to use is still unknown. The notes so far suggest that it really had little to do with Apple’s code.

5. – The PCWorld article also noted that people at the event with the ability to crack Linux “didn’t want to put the work into developing the exploit code that would be required to win the contest.” Why not? Because they lacked the political motivation to prove Linux was easy to hack, and they lacked the financial motivation to earn $10k at a contest when they might be able to sell their discovery for more.

6. – Miller has repeatedly stated that his life’s work is to discredit the security of Apple’s platforms. The only outlet and business model for such an effort is currently CanSecWest. Last year, Miller’s partner won the same contest the exact same way. Both have repeatedly stated that Macs are trivially easy to attack. Yes, if you’re a security expert with an outdated FOSS exploit in hand, you can beat your non-motivated colleagues on Windows who have sold their exploits to spammers, and your Linux expert colleagues who have no interest in trying to make FOSS look bad.

Also note that nowhere in the article did I say that Macs are invulnerable to attack. I even noted that Apple’s use of open source makes it easier for researchers like Miller to identify exploits, including those that have been patched by the FOSS project, but have not been updated/distributed by Apple. I specifically noted that this is an area where Apple has received criticism, and ideally, that Apple should be faster at keeping its FOSS components up to date.

Of course, there are also issues related to using the bleeding edge of FOSS software, which despite being patched for vulnerabilities, may have other problems related to its newness.

Corporate IT staff frequently do NOT patch critical software until they know what the patch will actually do and that it will not cause other problems. Apple’s distribution of FOSS patches to its commercial customers requires a similar delay. FOSS projects can blow out patches fast and furiously, but Apple can’t, or we’d all be annoyed to see patch updates in Software Update on a daily basis.

Which is the other elephant in the room: Apple patches its OS software far more frequently than Microsoft. It also improves its operating systems far more rapidly, 66 to 7 releases over the six years of the Swiss study. That was entirely ignored by the media to focus on the completely idiotic “who statistically patches flaws faster relative to the flaws’ public disclosure” metric.

So you can say we should all just admit that the Mac lost the security test fair and square because the corporate media reported it that way, and you can say the Swiss group’s study is easy to tear apart because it’s a study, but the reason I wrote about both is because I like to examine the real story behind the headlines.

I think I should post this as its own article.

80 obiwan { 03.29.08 at 3:16 pm }

Don’t know if you are right about Miller. Looks like he did a good job. Some more info is here:
http://lucky13linux.wordpress.com/

Quote from the article :

Miller further elaborated, “I use a MacBook all the time and that’s what I used in the contest to attack the MacBook Air. I like Macs. That’s the reason I went for it; it’s in my best interest for them to be as secure as possible.”

81 beanie { 03.29.08 at 3:59 pm }

“researcher who cracked the Vista machine was stymied by the fact that he didn’t expect it to have SP1 installed”

Isn’t SP1 (Service Pack 1) just Vista with all patches applied since its release in one convenient package? Anyway, all the OSes had all the latest security patches applied. Mac OS X 10.5.2 was used.

82 Mac Shot First: 10 Reasons Why CanSecWest Targets Apple — RoughlyDrafted Magazine { 03.29.08 at 4:35 pm }

[...] CanSecWest and Swiss Federal Institute of Tech Deliver Attacks on the Reality of Mac Security [...]

83 danieleran { 03.29.08 at 4:44 pm }

76 Comments, 8 Diggs, 2 points on Reddit.

I should figure out a way to goad UrbanBard into channeling his boundless neocon energy into promoting my articles via syndication sites rather than writing an encyclopedia of replies to dispute the legitimacy of a single sentence that happens to trigger his Righty Sense.

84 lmasanti { 03.29.08 at 5:08 pm }

WebKit Fix for Charlie Miller’s Contest-Winning Exploit
His CanSecWest contest-winning exploit took advantage of a bug in the PCRE regex library used by WebKit’s JavaScript engine.

Daring Fireball 3/29/08 17:32 John Gruber http://daringfireball.net/

85 Tod { 03.29.08 at 5:43 pm }

@Daniel: Again I ask if there’s any way we readers can “killfile” certain posters who relentlessly and with malice continue to post “off topic” on your forum? I for one am totally fed up with so-called essays that do nothing to advance any particular POV, but rather tend to reinforce negative opinions of those who espouse certain POVs. If these posters would spend half their energy writing something useful and ON TOPIC, then we’d all be grateful.

I think we’re learning a lesson here about not feeding the troll.

And Daniel, I have absolutely no problem with your illustrating a point with an analogy that some people think makes an oh-so-righteous political statement, which, according to their self-defined netiquette, has no business in a private blog, a blog that a private citizen writes for his readers’ enjoyment and funds out of his own pocket.

Keep it up and don’t change your style to fit the narrow minds who try to pollute the commentary.

86 sebastianlewis { 03.30.08 at 12:54 am }

Looks like I’m going to become unpopular here, but comment #83 by Daniel, that really wasn’t called for. Anything you post on your blog is fair game for attack, diverge from the topic a bit and that’s fair game for UrbanBard or anyone else who responds. UrbanBard has posted some really stupid crap about how he was unwillingly exposed to your “leftist propaganda” as he calls it, but I doubt that since it’s his choice to read this blog in the first place.

UrbanBard, nothing against you, I’m not going to agree or disagree with your political points because at this point, I just don’t have enough experience in either politics or economics to argue either side. I’m 16 so I can’t vote, but I do hope Obama wins this next election. I can’t stand conservative opinions… they’re too, well, conservative for my taste, but you still have a right to express your opinion and I can’t stand people who would argue you don’t, since everything in Daniel’s blogs is fair game for response, either via the comments, trackback or hell, on your own blog or anywhere else for that matter. Even if it’s a sentence or small paragraph or a chart that just somehow pops up, it’s there and it’s game for anyone who agrees or disagrees.

Regardless, I don’t think your comments about being “unwillingly exposed” to political commentary on a personal blog (that’s right, a personal blog, not a newspaper, but volunteer work by Daniel in a space for him to express his views whether it’s politics or tech) were called for either. I won’t tell you to ignore it since it’s fair game, but I do advise you to ignore the people who immediately jump to Daniel’s aid just because someone disagreed with his political commentary, and I advise the same to them about ignoring you.

Sebastian

87 Boycott Novell » Links 30/03/2008: Security Fiasco, Security Disinformation and a Good Look at KDE 4.0.x { 03.30.08 at 3:20 am }

[...] CanSecWest and Swiss Federal Institute of Tech Deliver Attacks on the Reality of Mac Security [...]

88 johnnyapple { 03.30.08 at 4:45 pm }

UrbanBard, you wrote “But, neither Daniel, nor any of his “peanut gallery,” understand enough about logic, economics or politics to say anything meaningful. So, I invite them to keep quiet until they can make an intelligent point.”

Are you saying that we should all voluntarily censor our comments until we can find something to say that you find agreeable?

89 atsysusa { 03.30.08 at 5:30 pm }

Daniel:

I have read through this back-and-forth and it is not only tedious but debilitating.

I read this blog for its technical content and perspective. You should avoid political comment and characterization. Not only because it is inappropriate but also because you exhibit an extraordinary lack of knowledge of history, politics and economics. In that regard I agree with UrbanBard.

In support I cite an instance when you claimed that the United States invaded Korea and Viet Nam. I don’t know how that “discussion” turned out because I stopped reading at that point. In point of fact, the invaders in both instances were communists from the North of each country.

I understand that you live and work in San Francisco. You need to get out more.

btw – johnnyapple: UrbanBard was only repeating what his mother told him [and perhaps yours as well]: If you don’t know what you are talking about, keep your opinions to yourself.

90 HamSandwich { 03.30.08 at 11:12 pm }

Bard: http://www.lafn.org/politics/gvdc/Natl_Debt_Chart.html

Found by googling the table title. Easy Peasy. All good numbers and details too. Nothing leftist about data. Sun comes up, Sun goes down. No one owns that.

As for the argument here it is relevant! It shows how bias works to deflect people away from the real details.

Sound bites, short quotes, and the inclusion of excusable circumstances are used for good reason. Like a magician who waves his hand or snaps a finger it serves to distract us from the real action – the hiding of the quarter or the dropping of the disappearing object.

Fact is it may be incendiary to some, but we’re all grownups. I think it puts the exclamation mark on the whole point.

I work in IT enterprise-level support. Windows vs. Mac is a stupid argument. But there are entrenched biases everywhere. Then you come along with Unix/Windows/Linux/Mac & Mac OS X experience. I look like a genius, or a freak.

Drop the bias, tinker away. Every tool has a use.

And if you are tired about political debates, why not adopt a real political system – parliamentary democracy ;)

JB

91 Thom Holwerda of OSNews Calls “Mac Shot First” Misinformation and Slander. Oops! — RoughlyDrafted Magazine { 03.31.08 at 1:55 am }

[...] CanSecWest and Swiss Federal Institute of Tech Deliver Attacks on the Reality of Mac Security [...]

92 wafflejuice { 03.31.08 at 12:10 pm }

“Found by googling the table title. Easy Peasy. All good numbers and details too. Nothing leftist about data. Sun comes up, Sun goes down. No one owns that.”

HamSandwich is my new hero! :)

93 Patrick Walker { 03.31.08 at 12:44 pm }

One idea I think people missed is how many security experts are REALLY looking into Vista. What I mean by this is, given the absolutely lacklustre penetration of Vista, do people really find it economic to even bother looking? At the university I’m currently at, MS is offering Vista for free, but even then people aren’t interested. They’re still opting for WinXP. To be fair, the 2009 contest should have FOUR laptops. A Windows XP box should always be there because it is still a viable consumer OS. I’m rather surprised: if MS was using this event as a marketing ploy, wouldn’t they want to play up Vista by having it compared directly to WinXP?

94 Patrick Walker { 03.31.08 at 1:02 pm }

What I should have added to #91 is, if there will never be a major market for Vista, does it make economic sense to spend time and money investigating Vista? Some have said people didn’t try getting the Vista machine because they didn’t want to bother to explore Vista. Security through obscurity indeed.

95 The Unavoidable Malware Myth: Why Apple Won’t Inherit Microsoft’s Malware Crown — RoughlyDrafted Magazine { 04.01.08 at 5:57 am }

[...] CanSecWest and Swiss Federal Institute of Tech Deliver Attacks on the Reality of Mac Security Mac Shot First: 10 Reasons Why CanSecWest Targets Apple Thom Holwerda of OSNews Calls “Mac Shot First” Misinformation and Slander. Oops! The Past is Not the Future. If we could travel back to 2001 and somehow alter history to give Windows a 5% share of the PC market, and grant Mac OS X a 95% share of the market, that reversal of fortune would result in spammers finding that their existing malware exploits were nearly worthless. It could also induce them to desire to write or obtain attacks exploiting Mac OS X. Third party developers would also have to make a huge shift in their allocation of software development resources, as Windows software would have much less value, while demand for Mac software would explode. [...]

96 The Mac is a Wonderful (and Secure) Platform - IT in the Ad Biz { 04.01.08 at 11:36 am }

[...] already received one e-mail from a reader pointing me to a blog post refuting the claims of security issues with the Mac . I suppose I should take some consolation in [...]

97 MBE - Mac Business Experts » Blog Archive » Security is not a question of platform, but of culture (part 1) { 04.01.08 at 11:40 pm }

[...] I won’t go into the merits of the intrusion itself, despite the controversies it generated, but I think it is important for us to speak objectively and impartially about [...]

98 Windows Vista, 7, and Singularity: The New Copland, Gershwin, Taligent — RoughlyDrafted Magazine { 04.23.08 at 12:03 am }

[...] CanSecWest and Swiss Federal Institute of Tech Deliver Attacks on the Reality of Mac Security YouTube – Stupid Internal Microsoft Vista SP1 Video [...]

99 Security is not a question of platform, but of culture (part 1) « MBE | Mac Business Experts { 12.28.08 at 12:02 am }

[...] I won’t go into the merits of the intrusion itself, despite the controversies it generated, but I think it is important for us to speak objectively and impartially about [...]
