Daniel Eran Dilger

CanSecWest and Swiss Federal Institute of Tech Deliver Attacks on the Reality of Mac Security

2008-03-28 01:36
Daniel Eran Dilger
In back-to-back press releases carrying payloads of sensationalized misinformation, two apparently unrelated groups launched attacks on Mac OS X’s reputation for delivering better real world security for its users than Microsoft’s Windows. In the first, a contest held at the CanSecWest Applied Security Conference, sponsored in part by Microsoft, suggested that hacking a MacBook Air was faster than hacking a Sony or Fujitsu Windows PC laptop. Thousands of miles away, the Swiss Federal Institute of Technology engaged in Vulnerability Numerology to declare that Apple’s operating system had fewer promptly patched software vulnerabilities than Windows. The premise behind both widely publicized stories is wrong; here’s why.


Charlie Miller Cracks a Mac in Two Minutes at CanSecWest.
Echoing last year’s CanSecWest event, where security researcher Dino Dai Zovi was able to access files on a Mac after being allowed to guide a simulated user to a tainted website from the laptop, this year’s contest was won in two minutes by Dai Zovi’s business partner, Charlie Miller. In both years, nobody got into any of the systems on the first day of the contest, when only direct attacks over the network were allowed.

On day two of each contest, the win came quickly once the rules were relaxed to allow contestants to send email to the simulated user or direct it toward a malicious web server they had set up. While the quick win makes for a perfect headline and reflects the Hollywood image of “hackers” who twiddle on a keyboard and almost instantly “access the mainframe” while a counter runs in the background, a more intelligent question is: why did the Mac get hacked first, and why was the attack so quick?

The easy answer is that nobody had any political reason to attack Windows at an event sponsored by Microsoft. Such an exploit wouldn’t even have been newsworthy. The speed of the attack also has something to do with the business of security researchers like Miller, who have clearly expressed the intent to repeatedly prove that Macs (and the iPhone) are as easy to exploit as Windows-based systems. More on that in a moment.

It is an uncontroversial fact that Windows PCs suffer under the threat of tens of thousands of real world viruses, are routinely infected by malware and often unwittingly participate in spam and adware botnets, while Mac systems have no viruses, and no significant real world malware, spyware or botnet problems. However, there is a constant din of pundits, researchers, and security product salesmen who insist that Macs not only have serious security problems, but may actually suffer from more vulnerabilities than Windows PCs. How can these two contradictory ideas possibly be harmonized?

Gone in 2 minutes: Mac gets hacked first in contest – Yahoo! News
InfoWorld Publishes False Report on Mac Security

Attacking the iPhone.
Miller has worked hard to establish his reputation as a security expert. For any security expert, this means demonstrating the ability to discover high profile attacks on notable targets. Last year, Miller described a vulnerability in the iPhone’s Safari browser involving the open source PCRE (Perl Compatible Regular Expressions) library, the flaw Apple addressed as CVE-2007-3944 (linked below). A separate flaw in the open source libtiff library was the basis of the jailbreak exploit that allowed users to install their own software on the iPhone by working around Apple’s security barrier; both flaws also had the potential to let a malicious website inject malware onto unpatched iPhones directed to it.

His attack on the iPhone’s security delivered Miller significant notoriety, but his discovery, even after being widely published, did not result in any malware industry popping up around the millions of iPhones being sold to well-heeled users. Why not? For starters, both the PCRE and the libtiff flaws were eventually patched; there were only a few weeks of open vulnerability to exploit. Malware writers would have to return to the drawing board repeatedly in order to keep their iPhone attacks valid, just as the jailbreak community had to regularly rework their efforts to maintain the ability to install their unsupported (but non-malicious) apps on the iPhone.

The work of attacking the security barriers on the iPhone in order to maintain the ability to install unsupported apps has continued for months, and has kept the iPhone open to installing these applications since the first workaround was discovered. Why hasn’t the horde of spyware and spammer villains attacked the iPhone using the same tools? As I noted earlier, the iPhone does not actually offer much of an attractive target for malware authors because:

  • the installed base is currently too small to be used for botnet spamming,
  • the network uplink speed is also too slow and/or spotty to be used for spamming,
  • unlike wide-open Windows, the iPhone is closed and any open exploits can be pinched off quickly,
  • software updates on the iPhone are much easier to deliver and install than PC updates,
  • unlike a PC, the iPhone can be instantly cleaned up by plugging it into iTunes and hitting Restore.

So despite Charlie Miller’s disdainful evaluation of the iPhone’s security, the phone has seen no real world security epidemics; even if a virus were delivered for it, the amount of problems it could cause would be limited by the easy to restore design of the device. Miller has noted significant flaws in the device, but those flaws have been irrelevant in terms of real threats facing users. In theory, the iPhone has been exploitable; in practice, it has not been exploited.

Kim Zetter and the iPhone Root Security Myth
UnWired! Rick Farrow, Metasploit, and My iPhone Security Interview
About Security Update 2007-007: CVE-ID: CVE-2007-3944

The Theory of Vulnerability.
Many of those same principles that prevented Miller’s prognostication of dire woe for iPhone users from coming to pass have similarly protected Mac users from actually suffering from any of the theoretical vulnerabilities reported for their platform. While Windows Enthusiasts like to suggest that the only thing preventing a Mac malware meltdown is the platform’s relatively low market share compared to Windows, that idea is both wrong and deceptively simplistic.

First, Mac market share has risen in specific markets to the point where, if there were real vulnerabilities that left it wide open to attack like Windows, it would be facing real problems. While Apple sells a small proportion of the total worldwide market for all PC desktops, workstations, and servers, it now sells over 8% of all the computers sold in the US.

Further, Apple’s low penetration into the enterprise market means that Apple’s 8% of the total US market is actually a 10 to 20% or higher percentage in the home, SOHO, and education markets. Still, we don’t see Apple suffering from 10 to 20% of the malware out there in the wild; Macs effectively have no malware to worry about, and few users even run anti-virus software. There is also currently no need for spyware clean and repair utilities at all. Macs don’t have a fractional tenth of Windows’ problems; they have no real world security problems at all.

Even more damning to the pundits’ logic, the markets where Apple is strongest are exactly those where malware is most prevalent. Who writes spyware aimed at attacking servers supervised by professional IT staff and protected by sophisticated firewalls? Macs are a prime target for spyware and identity thieves, as the Mac user demographic tends to have more money to steal. The fact that Apple’s installed base lies directly on top of the most attractive target for malware authors, yet has zero viruses and no significant real world malware problem says more about the reality of vulnerabilities than any amount of statistical humdrum churned out by people trying to bait links and suggest that up is down.

10 FAS: 10 – Apple’s Mac and iPhone Security Crisis

Swiss Swing and a Miss.
Which brings us to the report issued by the Swiss Federal Institute of Technology. Following in the footsteps of such luminaries as CNET Apple hater George Ou, the group reported findings after looking “at how many times over the past six years the two vendors [Apple and Microsoft] were able to have a patch available on the day a vulnerability became publicly known, which they call the 0-day patch rate,” according to a report by IDG.

Their conclusion: “the number of unpatched vulnerabilities are higher at Apple.” That conclusion provided IDG such a ripe opportunity for sensationalizing that the author of the IDG article threw in a bizarre disclaimer at the end. The study was “such a glowing affirmation of Microsoft’s increased focus on security in the past few years that it prompted [Andrew Cushman, director of Microsoft’s Security and Research] to ask [study researcher Stefan] Frei, ‘Did Microsoft fund this research?’ ‘This is independent academic research,’ Frei replied.”

Why would IDG feel the need to note that Microsoft didn’t pay for this, and why would a Microsoft research director think to ask if his company had paid for the results of such a study? Because Microsoft is well known for funding “research” that serves to promote its marketing goals. However, we don’t even need to doubt the funding of the study in order to discard it as irresponsible garbage.

Vista vs Mac OS X Security: Why George Ou’s ZDNet Vulnerability Numerology is Absurd

security.itworld.com – Microsoft vs. Apple: Who patches 0-days faster?
PdfMeNot.com – 0-Day Patch Study

Why the Swiss Study was Fatally Flawed.
The main tipoff that the study was completely worthless is that it neatly compares “0-day” patches across unrelated platforms. Three main points below describe specifically why this is inherently flawed. As an introduction: a 0-day patch is one delivered the same day the exploitable flaw that it corrects becomes publicly disclosed.

Many theoretical exploits are fixed at or before the time they are publicly disclosed, while other flaws linger for weeks, even years, before being patched. A publicly known but unpatched flaw sounds more dangerous than one hiding behind the veil of “security by obscurity,” but there are also many flaws that malicious parties discover and then sell or exploit directly before they are ever disclosed, let alone patched. A 0-day patch rate therefore measures only the flaws that reach public disclosure; it says nothing about the flaws attackers found first and kept quiet. The study simply ignored discovered but undisclosed flaws, no doubt because they are far more difficult to identify and write papers about. They are not any less dangerous to users, however.

Windows is plagued by many discovered but undisclosed and unpatched flaws; Mac OS X is not; there are zero viruses and no real world malware problems dogging Mac users. But ignore all that for a moment to take a look at why the very specific study on 0-day patches is so very wrong in three significant areas.

1. The scope and relative threat posed by a specific vulnerability is lost in the aggregated statistics that Vulnerability Numerologists like to report. Windows’ infamous “shatter attack,” an extremely serious, fundamental flaw in the architecture of Windows, was only just addressed in Vista. The flaw was not some simple buffer overflow error; Microsoft designed Windows NT/2000/XP in such a way to give all services within the interactive desktop the same, communally high privileges. The gravity of this extremely poor design decision was widely reported back in 2002, but never fully addressed until the release of Vista, which many Windows users still cannot or will not deploy for various reasons.

Windows XP and Server versions prior to 2008 are still exposed to shatter attack vulnerabilities, but “researchers” would only give this grave flaw one vulnerability count on their tally list. This is just a single example of how irresponsible and ignorant the practice of comparing vulnerabilities by numerical count across unrelated systems is. Mac OS X does not suffer from Windows’ overloaded services architecture nor the resulting problem of shatter attacks, because it benefits from the well known, highly regarded multi-user, multi-process design of Unix.

Unix has been pulled apart and examined by academia for decades, and individual utilities and software packages are commonly open to public scrutiny, as is Apple’s entire core OS of Darwin, the Mach/BSD hybrid that serves as the foundation for Mac OS X. Microsoft’s Windows kernel and its core OS foundation has not benefitted from such independent review and examination on a similar scale.

Studying counts of 0-day patches issued and plotting the delivery dates of patches relative to the public disclosure of the flaws they address strains out the gnat and gulps down the camel in a brain dead effort to analyze irrelevant statistics that have only a tenuous association with real security.

Five Windows Flaws – 1: Windows’ Interactive Services

2. Microsoft’s operating system is entirely closed source. Relatively few third party researchers have inside access to see how it works, and therefore can’t as easily discover flaws before they are patched. The top half of Apple’s Mac OS X is also closed source, and Apple similarly releases patches for flaws nobody outside the company was aware of. The difference is that when Microsoft patches unknown flaws, the media hails it as proactive, while every time Apple releases a patch, tech pundits riffle through it, recounting the number of flaws that nobody knew existed, and then work to sensationalize this into the message that Apple’s software is riddled with problems. This is grossly hypocritical, yet occurs with clockwork precision every time Apple releases a security patch.

However, there is something even more grotesquely self serving and dishonest that Vulnerability Numerologists love to do. Flaws in Windows are always tallied up as bugs found exclusively in the Windows kernel, shell, and its core bundled utilities. Flaws in Internet Explorer, Microsoft’s server products such as Exchange email, IIS web services, and other software are nearly always excluded; each product has a significant list of flaws that grant it its own listing. However, for Mac OS X and Linux, Vulnerability Numerologists count all of the flaws reported for every open source package associated with the distribution, including the web browser, email and web servers, and all related libraries and packages.

One could reasonably argue that a flaw in Microsoft’s IIS wouldn’t affect desktop users, few of whom would be using the service. However, these same “researchers” will gleefully tally up vulnerabilities found in PHP, Apache, Samba, and every other open source product bundled with Mac OS X (or Linux), regardless of whether such tools are likely to be in use, or even exposed to actual exploit. This is also grossly hypocritical and dishonest, yet characterizes every vulnerability diatribe.

The other side of the same coin is that security researchers, like CanSecWest contest winner Miller, can easily discover flaws in open source software, sit on them unreported, then dramatically employ them at events like CanSecWest to demonstrate being able to hack Mac OS X in minutes. Clearly, Miller knew what exploit he would use long before day two of the contest gave him the user interaction he needed to deliver it.

The problem is, Miller’s intimate familiarity with the flaws in open source packages used by Mac OS X is not resulting in a real security problem for Macs in actual use outside of carefully planned security contests. Miller is focusing attention on the weaknesses of open source, but in reality, that openness is a strength. Apple can and does leverage the input of the community to incorporate security fixes for all of the packages it ships with Mac OS X. I’m sure Miller’s attack is directed at Apple, not at open source, but his methods amount to a reviling of open source, and he acts as a black hat researcher in exploiting the openness of the community to dig up his ammunition.

Microsoft’s flaws in Windows are hidden, and while supposedly not as well known as the flaws in open software, they’re also not addressed by the same community mechanism that constantly hardens Mac OS X and other distributions of Unix and Linux. Many researchers argue that Apple should be quicker to incorporate updates to the open source packages it bundles with Mac OS X, and Apple’s slowness does expose some risk. However, the majority of expert users with a need for hardened security also have the option of obtaining and installing newer versions of those open source libraries and packages themselves; Windows users don’t.

Open source is a strength; fixating on 0-day statistics while comparing unrelated vulnerability counts across two different platforms amounts to insisting that the trees can’t be seen for the forest, when they obviously can be by anyone not trying to prove otherwise.

Apple’s Open Source Assault
Microsoft’s Unwinnable War on Linux and Open Source

3. A third problem with the Swiss study relates directly to its “0-day” focus. Every open source package on Earth has both full transparency (its code is wide open for security experts to explore) and has documented notes on its revision progress. Apple bundles lots of these packages into Mac OS X. That makes it trivially easy for “security researchers” to tally up numbers of known and disclosed issues, and compare them to what Apple is shipping. Microsoft doesn’t include open source projects as part of a Windows distribution, so researchers have to do lots of actual work to discover problems in Windows and report them.

Despite Windows’ advantage of code secrecy and its resulting “security by obscurity,” there are still similar numbers of bugs found in Windows compared to Mac OS X and all of the open source libraries that ship with it. The study in question looked at “658 vulnerabilities affecting Microsoft products and 738 affecting Apple [and the open source projects Apple ships in Mac OS X].”

It should come as no surprise that flaws in the open software Apple uses are often publicly disclosed before Apple ships a patch, and that flaws in Windows’ closed code are less likely to go public before being patched. To clarify the timing of the discovery, reporting and patching of flaws, the study defined four points along the lifecycle of a vulnerability:

  • discovery time: when the flaw is first discovered (commonly internally for closed source code)
  • exploit time: when a virus or hacker tool of some sort is developed to exploit the flaw
  • disclosure time: when the discovery of the flaw is publicly announced
  • patch time: when the vendor solves the flaw with a workaround or patch

A 0-day patch would be one where the vendor releases a patch the same day as its disclosure. This is easier to do if only the vendor knows about the flaw’s discovery. Microsoft therefore has a huge advantage in issuing 0-day patches, because it patches flaws that are not exposed in open source. Apple’s use of open source presents many opportunities for third parties to discover a flaw and disclose it before Apple can deliver an official patch.

Also notable in the Swiss study is that it refused to acknowledge a patch supplied by a third party. That means its 0-day numbers are biased toward closed source, in that the vendor would likely discover its own flaws first, and biased against open source, in that a patch supplied by the open source project itself does not count; only a patch officially distributed by Apple does. On the other hand, the study defines a patch as any sort of workaround or instruction given on how to avoid the flaw, whether or not that information is effectively communicated to users.

So if Microsoft publishes a Knowledge Base entry telling users not to perform a certain action that would result in exploitable vulnerability, it has “patched” a flaw. Conversely, if Apple bundles a version of an open source library that contains a flaw that can be patched by third parties (as was the case with the iPhone’s libtiff flaw, which was patched by the community before Apple addressed it), the flaw is still regarded as unpatched. But hold on, things get worse.

The Colors of Risk.
The Swiss study also defines three colors of risk describing periods of time before or after a vulnerability discovery or patch:

  • Black Risk: the time between discovery and disclosure, where the public is unaware of a known, exploitable problem
  • Grey Risk: the time between disclosure and patching, where the public is aware of a flaw but does not yet have a solution for it
  • White Risk: the time between patch availability and its installation, where the public has access to a patch but has not yet installed it

The study fixates entirely upon Grey Risk, which flatters Microsoft as a closed source vendor. However, the real problems affecting PC users involve Black Risk, where users are attacked through exploits they know nothing about, and White Risk, where patches exist but users don’t know to install them, or can’t be bothered to deal with poorly designed patching tools. Both problems are severe risks facing Windows users that the Swiss study pushed aside to entirely focus on the idea of how much time elapsed between the exploit going public (that is, not discovered, but rather publicly disclosed) and its being patched. This is ridiculous.
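To make the study’s metric concrete, here is an added example (my own code, not the Swiss team’s and not part of the original article) that computes the 0-day patch rate and the black, grey and white risk windows defined above over a handful of constructed vulnerability records. The vendor names, vulnerability IDs and every date are hypothetical. Two switches model the definitional choices criticized above: whether a fix shipped by the open source project itself counts as a patch, and whether a “don’t do that” workaround advisory counts as one. A third function shows how the raw tally changes when flaws in bundled open source packages are included alongside the core OS, the counting inconsistency described earlier.

```python
"""Added example: the 0-day patch metric and the black/grey/white risk windows,
computed over constructed vulnerability records. Not from the Swiss study or
from RoughlyDrafted; vendor names, IDs and dates are hypothetical."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Vuln:
    vuln_id: str                            # hypothetical label
    vendor: str                             # hypothetical vendor name
    component: str                          # "core" OS code or a "bundled" open source package
    discovery: date                         # first discovered, internally or by a third party
    disclosure: date                        # first public announcement
    vendor_patch: Optional[date] = None     # official fix shipped by the vendor
    upstream_patch: Optional[date] = None   # fix shipped by the open source project, if any
    workaround: Optional[date] = None       # advisory telling users how to avoid the flaw


# Constructed records. VendorA stands in for a closed-source vendor that finds
# most flaws internally; VendorB for one that bundles open source packages.
SAMPLE: List[Vuln] = [
    Vuln("A-1", "VendorA", "core", date(2007, 1, 10), date(2007, 3, 13), vendor_patch=date(2007, 3, 13)),
    Vuln("A-2", "VendorA", "core", date(2007, 2, 1), date(2007, 4, 10), workaround=date(2007, 4, 10)),
    Vuln("A-3", "VendorA", "core", date(2007, 5, 5), date(2007, 5, 5), vendor_patch=date(2007, 6, 12)),
    Vuln("B-1", "VendorB", "bundled", date(2007, 1, 20), date(2007, 1, 20),
         vendor_patch=date(2007, 3, 1), upstream_patch=date(2007, 1, 22)),
    Vuln("B-2", "VendorB", "bundled", date(2007, 2, 15), date(2007, 2, 15),
         vendor_patch=date(2007, 4, 20), upstream_patch=date(2007, 2, 15)),
    Vuln("B-3", "VendorB", "core", date(2007, 3, 1), date(2007, 5, 1), vendor_patch=date(2007, 5, 1)),
]
BY_ID: Dict[str, Vuln] = {v.vuln_id: v for v in SAMPLE}
AS_OF: date = date(2007, 12, 31)  # end of the constructed observation period


def effective_patch(v: Vuln, count_upstream: bool = False, count_workaround: bool = True) -> Optional[date]:
    """Earliest date that counts as 'patched' under the chosen counting rules.

    The study's rules, as described above, are count_upstream=False (only the
    vendor's own release counts) and count_workaround=True (an advisory telling
    users to avoid the flaw counts as a patch)."""
    candidates = [v.vendor_patch]
    if count_upstream:
        candidates.append(v.upstream_patch)
    if count_workaround:
        candidates.append(v.workaround)
    dated = [d for d in candidates if d is not None]
    return min(dated) if dated else None


def is_zero_day_patched(v: Vuln, count_upstream: bool = False, count_workaround: bool = True) -> bool:
    """A 0-day patch is one available no later than the day of public disclosure."""
    patch = effective_patch(v, count_upstream, count_workaround)
    return patch is not None and patch <= v.disclosure


def zero_day_rate(vulns: List[Vuln], vendor: str, count_upstream: bool = False,
                  count_workaround: bool = True) -> float:
    """Fraction of a vendor's flaws that had a 0-day patch under the given rules."""
    mine = [v for v in vulns if v.vendor == vendor]
    hits = sum(is_zero_day_patched(v, count_upstream, count_workaround) for v in mine)
    return hits / len(mine)


def vuln_count(vulns: List[Vuln], vendor: str, include_bundled: bool) -> int:
    """Raw tally, with or without flaws in bundled open source packages."""
    return sum(1 for v in vulns
               if v.vendor == vendor and (include_bundled or v.component == "core"))


def risk_windows(v: Vuln, as_of: date, installed: Optional[date] = None,
                 count_upstream: bool = False, count_workaround: bool = True) -> Dict[str, Optional[int]]:
    """Black, grey and white risk in days for one flaw.

    black: discovery to disclosure; grey: disclosure to patch (still open, so
    measured up to as_of, when no patch exists); white: patch availability to
    installation (None when either date is unknown)."""
    patch = effective_patch(v, count_upstream, count_workaround)
    black = (v.disclosure - v.discovery).days
    grey = max(((patch or as_of) - v.disclosure).days, 0)  # patch before disclosure => 0 days
    white = (installed - patch).days if (installed is not None and patch is not None) else None
    return {"black": black, "grey": grey, "white": white}


if __name__ == "__main__":
    for vendor in ("VendorA", "VendorB"):
        print(vendor,
              "study rules: %.2f" % zero_day_rate(SAMPLE, vendor),
              "counting upstream fixes: %.2f" % zero_day_rate(SAMPLE, vendor, count_upstream=True),
              "ignoring workarounds: %.2f" % zero_day_rate(SAMPLE, vendor, count_workaround=False))
    print("B-1 risk windows under the study's rules:", risk_windows(BY_ID["B-1"], AS_OF))
```

On these constructed records VendorB’s 0-day rate doubles the moment upstream fixes are credited, and VendorA’s halves the moment workaround advisories stop counting as patches, while the black-risk window (for example the 62 days before A-1 was disclosed) never enters the 0-day rate at all. Whatever the real numbers, the ranking produced by this metric is a function of those two definitional choices as much as of either vendor’s engineering.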

News Flash: Apple Better At Delivering Software Than Microsoft.
Also noted in the report, but suspiciously not in IDG’s coverage of it, was the fact that Apple has exceeded Microsoft in the number of security patches it has issued over the last six years, delivering 815 patches to Microsoft’s 678. That’s despite the fact that Microsoft serves more customers with greater security problems, more avenues for exploit, and infinitely more real world losses due to security issues. This also includes the patches Microsoft provides its “enterprise customers.” Microsoft has improved in the number of patches it offers, but Apple has made even faster progress, delivering nearly twice as many patches just last year alone.

Why was this detail omitted from IDG’s corporate media report? Because it didn’t flatter Microsoft. The Swiss report also noted the number of major operating system releases each vendor delivered, but for some reason counted Microsoft’s Service Packs as major releases while only counting Apple’s retail releases as such. These numbers were presented relative to the idea that delivering a major software release consumed the vendor’s development resources, making it more difficult for them to supply security patches in a timely manner.

Undercounting Apple’s far more prolific ability to deliver significant new feature updates–despite having a far smaller engineering team–distorts the report’s findings in egregious ways. When actually counting the real number of significant updates each vendor has released since 2002, Apple comes in at 33 (not including 5 iPhone OS X updates) but Microsoft at 7. Note that this credits Windows Server service packs as a release, but does not count Mac OS X Server releases. When those are added in, Apple has delivered 66 major releases to Microsoft’s 7 over the six years of the study. That should play into the study’s 0-day reporting, but it unfortunately did not.

Patches: Apple vs Microsoft

So why did the Swiss team issue a sensationalized report purporting to refute the reality that Mac users have zero viruses and no real malware problems, the very symptoms that would logically appear if Apple’s operating system were open to easy exploit?

Attacking Windows’ security would not be noteworthy. Suggesting that Apple is lying when it advertises that Macs have no viruses and that users are spared the problems of malware that are very real on the Windows platform is not only salable “news,” but plays right into the prejudices of an idiot public that wants to believe something other than the truth.

IDG wants to titillate its Windows Enthusiast readership by falsely discrediting Apple, and the Swiss team obliged by providing it a misleading report to support such a story. Both parties win notoriety at the expense of being entirely wrong and deceiving the public.

Ten Myths of Leopard: 10 Leopard is a Vista Knockoff!


How to Prove the Truth Is Wrong.
It is simply far too easy to refute the truth. Humans have a built in mechanism for collecting useful information that is completely vulnerable to liars. Propagandists have exploited this flaw since the dawn of time. Repeat a lie frequently enough, and it will become reality to the sheepish audience that listens to it uncritically.

As an example, compare the reality of Federal spending by US presidents by their party affiliation. According to the Republican right, Democrats “tax and spend,” working up deficits that impede growth and stifle economic productivity. This message has been repeatedly pounded into the public by right-leaning think tanks for decades. However, a look at the actual spending record of presidents over the last few decades proves this to be entirely false.

[Chart: increases in the national debt]

Why Windows Enthusiasts Refute the Truth.
Similarly, while there are many reasons for various parties to advance the idea that Macs are troubled by latent security problems that have made it “as bad as Windows” since at least 2003, including:

  • security researchers like Miller who are making a career from reporting sensational, yet inconsequential vulnerability findings,
  • security think tanks like the Swiss group, who desperately crave the attention that a sensationalized report will bring them,
  • columnists and pundits who make a name for themselves by refuting reality with carefully cited statistical fallacy, and
  • groups directly sponsored by Microsoft to report the idea that Windows is not the most irresponsibly security plagued software in the Universe,

the fact remains that Windows has and continues to suffer from serious security flaws. The security advancements that Microsoft has made in Windows Vista are significant, but have only served as a theoretical remedy for many users, who can’t even use Vista due to its hardware requirements, its architectural changes that have left enterprise customers with a “wait and see” perspective, its increased expense, increased license policing, and its performance problems, made only worse by the problematic release of SP1.

What Needs To Happen Around Here.
Rather than trying to overturn the simple truth that Microsoft chased short term profits throughout the 90s and subsequently delivered a poorly architected operating system with little regard for real world security issues, and then failed to see any need to fix things before finding itself paralyzed by the worst security epidemic the world has ever seen, security researchers should admit that Microsoft ushered in a lot of problems it would now like to pretend don’t exist, when they most certainly do.

Microsoft should spend its fortunes really solving the security problems of its Windows users at its own expense, rather than expecting them to pay an astronomical premium for Vista, software that largely only fixes issues that resulted from the company’s wild profiteering over the previous decade, and doesn’t really work all that well itself.

The corporate media should look past the enormous advertising revenue it receives from Microsoft in order to tell the truth and actually inform its readers, rather than serving to advertise the importance of declaring allegiance to Microsoft in every news story. But of course no one in the corporate media needs to listen to someone like me, who is so biased toward good technology and fair competition in the market that they can’t see much good at all in Microsoft’s criminal actions against its customers, partners, and the state of the art itself.

I really like to hear from readers. Comment in the Forum or email me with your ideas.

Like reading RoughlyDrafted? Share articles with your friends, link from your blog, and subscribe to my podcast! Submit to Reddit or Slashdot, or consider making a small donation supporting this site. Thanks!


  • BjK

    Great article Dan,

    Just one thing, your graph may illustrate that republican presidents spend, but it’s measuring debt, not budgets, tax rates, or federal income against GDP. Also, the graph doesn’t show that democrats don’t tax and spend. :)

    And so begins a long line of useless/frustrating political commentary on the forum of an otherwise great weblog… Why? Why do you do this to us?

  • Jon T

    The wonderful thing is that nothing in these reports will do anything to stop the rise and rise of OSX.

    It will give some misinformation to Windows zealots who are all proven stupid already…

    So, so what, I say.

  • axk

    Umm, no. The libtiff bugs were found by Tavis Ormandy http://docs.info.apple.com/article.html?artnum=306993.

    Typing “libtiff 0day” into google and downloading the el33t codez does not make you a hacker.

    [Yes I corrected the name of the library. Thanks for the correction. – Dan]

  • http://johnsessays.blogspot.com John Muir
  • lmasanti

    quote:
    “why did the Mac get hacked first, and why was the attack so quick?”

    It makes sense. The prize (other than the money) was an Apple Macbook Air… The other OS had Vaio and Fujitsu… Who will fight for them?
    Motivation! Better prize, more enthusiasm!

  • acidscan

    First I would like to tell you that your articles denote a great level of research and I read your page every time a new article is posted, you have VERY interesting material posted here, BUT…

    I think sometimes in the fervor of your adoration for the Mac you lose contact with reality (no offense).

    Defending the fact that only because the Mac is an unattractive medium for exploits to be developed is (I think) a good thing and you can rest assured that you are safe is a total error.

    The web browser was the entry point for this exploit. This is the MAIN point of entry for any system at this moment (html emails use the same motor so web/mail is almost the same) and if you have a very secure castle with a door made of paper you don’t have a secure castle.

    Keep the good work !!

  • Jeff

    BjK >> Just one thing, your graph may illustrate that republican presidents spend, but…

    Why ‘but?’ That’s the only thing the graph was supposed to show, and it showed it. That’s it. It worked.

    Why the fear of useless/frustrating political commentary? You agreed that the graph did what it said it was going to do. What else is there to say?

  • Blad_Rnr

    We can spin this anyway we want. But when you have to have someone open an email and then click on a link in the email…are you kidding? Why wasn’t the Mac hacked in the first day? Simple basic questions that never get answered.

    The truth of the matter, as Daniel points out, is that Windows PCs are compromised every day, infested with spyware and become spybots for Eastern European syndicates (http://rixstep.com/1/1/20071014,00.shtml)
    that can take down the Internets of small countries, like Estonia, (http://www.wired.com/politics/security/magazine/15-09/ff_estonia) at will. If the average IT person can’t see these exploits and come to the conclusion that somehow Windows is a completely unsafe OS, we have bigger problems with the brain matter of people who work in the IT field.

    This is not a Mac vs. PC argument. It’s a plea for safe and secure computers and making rational decisions about which OSes are going to provide that safe environment for users.

  • lightstab

    Dan, I don’t have time to read the entire article right now, but what is the significance of the fact that allowed Charlie Miller to hack the MacBook Air using a crossover cable, which gave him direct access from his MacBook?

    I saw this story on Engadget and I sent them an e-mail telling them about their error and they corrected it. But it seems to me that this was an important part of the exploit that wasn’t mentioned.

    After all, no one was able to hack the MacBook Air remotely on the first day and I doubt very much whether I’ll be allowing any hackers to connect directly to my Mac anytime soon, so this whole contest is starting to look like so much baloney to me.

  • lightstab

    BTW, here’s a picture of Charlie Miller connected directly to the MacBook Air via crossover cable.

    http://dvlabs.tippingpoint.com/blog/2008/03/27/day-two-of-cansecwest-pwn-to-own—we-have-our-first-official-winner-with-picture

    And the rules clearly stated that the hack was to be done over crossover cable.

    http://cansecwest.com/post/2008-03-20.21:33:00.CanSecWest_PWN2OWN_2008

  • slappy

    But from the articles on the net, all 3 machines were attacked at the same time on Thursday. The MacBook Air wasn’t singled out. According to vnunet.com.

    http://www.vnu.co.uk/vnunet/news/2213035/mac-falls-two-minutes

    “But Miller succeeded when the organisers allowed hackers to direct human operators of the three machines to visit websites and open emails.”

  • slappy

    I also found this. Seems pretty clear cut to me that Vista pretty much beat the pants out of our beloved Mac OS on this one.

    http://www.infoworld.com/article/08/03/27/Gone-in-2-minutes-Mac-gets-hacked-first-in-contest_1.html

    Shane Macaulay, who was Dai Zovi’s co-winner last year, spent much of Thursday trying to hack into the Fujitsu Vista laptop, at one point rushing back to his Vancouver area home to retrieve a file that he thought might help him hack into the system.

    But it was all in vain.

  • nat

    lightstab,

    I read that too. If they were hacking a MacBook Air using a crossover cable…that means the only way to hack the Air was by purchasing the separate $30 ethernet adapter! Not much of a hacker.

  • nat

    acidscan said:
    “Defending the fact that only because the mac is an unattractive media for exploits to be developed is (I think) a good thing and you can rest assured that you are safe is a total error.”

    No, Dan said that about the iPhone. He said the exact opposite about the Mac. Look under the heading “The Theory of Vulnerability.”

  • gus2000

    I guess they should have included an ATM cash machine as part of the contest:

    http://news.zdnet.com/2100-1009_22-6233030.html

    “…the stability of Windows-based ATMs was worse than that of their OS/2-based predecessors, saying some ATMs suffered downtime of up to 30 percent.”

    Security through unavailability? lol

    Hey Dan, what’s with the Swiss having so many holes in their logic? I thought Switzerland was neutral?!?

  • John E

    what isn’t clear from any of the reports is in fact what the Air/Safari attack achieved. simply “retrieving a file” is not the same at all as taking control of a computer. for that one needs to install some form of application that controls more than Safari alone. or at least get access to a keychain for valuable password info. did they somehow bypass password requirements to do stuff?

    and there was no info about how the Air was set up. was it running as a User with or without administrator status? (no experienced user casually surfs the web as an Administrator).

    can Dan or someone explain these simple things to us non-techs?

  • dscottbuch

    From reading the InfoWorld article there isn’t enough information about the hack to really assess it. For example, if this hack was WebKit based and is for Safari 3.1 then this falls under Daniel’s comments about Open source code and security.

    1) Miller would then have found it because he could get to the source code – the potential downside of open-source security but…

    2) Miller would then be simply irresponsible for not reporting this earlier when found allowing it to be fixed – the up-side of Open source security.

    Of course his motivation is NOT to report these things immediately upon discovery because they then could be fixed before he could exploit them for his benefit.

    But – we don’t know what it is and so can’t really assess how serious, or not, this is.

  • UrbanBard

    There are some serious problems with the chart you used to contend that the Republicans are the “Real Tax and Spenders.” The chart, on the surface, looks like Leftist propaganda. How you presented it is.

    1. You provide no source whereby we can ascertain if the chart is accurate. It is too small to look at any of the details. In Economics or Politics, the devil is in the details.

    Thus, nominal figures, alone, can be used by liars to confuse us. Who published this, George Soros? Ward Churchill? Jack Krugman? How good are their reputations for honesty, integrity and accuracy?

    You expect us to swallow this chart without a quibble. Can you see that this unsupported argument harms your reputation for honesty, integrity and accuracy?

    People in politics, on both sides, often lie for selfish reasons. Therefore, you need to prove your contentions, not merely throw them out to be accepted on faith, as you did.

    The burden of proof is on the person making the argument; that is–you. In this assertion, you are no better, in politics, than the Anti Apple pundits are, in technology. Neither your methods, nor theirs, are honest.

    2. Are these figures adjusted for inflation? Who knows? President Carter’s figures are suspect, because that was a time of high taxes, low federal tax receipts, high budget deficits, high price inflation, high unemployment and a bad economy. Stagflation was what it was called. But his national debt figures on the chart are low. Something is odd here. You expect us to be economically ignorant; some of us are not.

    3. Some government expenses are necessary. War is, by definition, a necessary and traditional expense of government; social spending is not. Social Spending grew in the Carter and Clinton administrations.

    Presidents Reagan, G.H.W. Bush and G.W. Bush all had war budgets where we can reasonably expect higher government expenditures.

    Carter and Clinton declared a “Peace dividend” that damaged our national security. This had to be made up for in the following Republican administrations. Thus, mismanagement and the lack of necessary spending in a Democrat administration can lead to higher expenditures in a Republican one. So, a chart like this can mislead the gullible.

    Nor are the figures referenced to GDP. Thus, we cannot tell whether the numbers are affordable by the economy or not.

    4. Congress is the agency, defined by the Constitution, as responsible for budgets, the debt limits and thus, the national debt. Yet, you cast no blame on Big Spending Democrat Party Congresses, merely Presidents who had no direct control.

    5. I have warned you before that your Bay Area, Socialist contentions are inappropriate for a technical webpage, such as this.

    Your Socialist assertions do not illustrate or confirm your technical truths, but merely provoke political divisiveness. Worse, you do not even try to prove your opinions and defame anyone who questions their validity.

    You expect your “peanut gallery” to handle any disputes. But they can’t win with me, because I know history, politics and Economics. They do not. Nor do you.

    You blame me for being contentious and verbose, when you insist on talking through your Leftist hat. I agree with your technical assertions, but your politics are rubbish. Rubbish that you do not even try to prove.

  • Robb

    @BjK
    Well, you called it. The biggest reply is to a chart used as an analogy.
    @UrbanBard
    Nice diatribe, you hit most of the talking points, but I’m going to have to give you a 9.1 score for failing to use the term “Godless” somewhere in your comments. :-D

  • John E

    i hate to rise to the bait, but Mr. Bard, to suggest that all wars are “necessary” and in particular that the current $1 Trillion war is anything but “discretionary” would be utterly, completely, and blatantly preposterous as a matter of fact (and human history).

  • http://www.thecarbonlesspaper.com johnnyapple

    A simple Google search turned up this page detailing national debt by President.
    http://en.wikipedia.org/wiki/National_debt_by_U.S._presidential_terms

  • UrbanBard

    If politics is inappropriate in technical webpages, such as this, because their arguments cannot be proved, then I fail to see how religion would serve to convince Leftist disbelievers.

    Yes, I know you were being facetious. You were implying that I had an all encompassing bigotry. You mistake my point: The purpose of an illustration, such as a chart, is to take what is unknown and explain it by comparing it to the known and similar. Daniel was comparing it to the unknown, dissimilar and propagandistic. I consider that inappropriate.

    This is not about me. This is about Daniel exposing me unwillingly to Leftist propaganda. It would be fine if he would argue about his contentions, but he will not. He will not give his sources. Nor will he listen to any contrary evidence which disputes his arguments, because they do not come from Leftist Sources.

  • Jeff

    UrbanBard,

    Dan’s ONLY point was this:
    Republicans claim that they spend less than Democrats but there’s no evidence that this is true – people believe it just because they say it’s so.

    That’s it. That’s the only point he made.

    You’ve now written several hundred words without directly addressing that point at all. Do you disagree with it? Do you refute it? I don’t know. You somehow talked about many, many other things without talking about Dan’s actual point.

    (The counter-point being, of course, proof that Democrats actually do spend more than Republicans, as a rule. Feel free to share proof of that if you have it.)

    So why blame Dan for bringing politics into the blog when he only made one point and you’re the one raising dozens of un-related political issues? Seems like you’re the worse offender in that regard.

  • UrbanBard

    John E said:
    “i hate to rise to the bait, but Mr. Bard, to suggest that all wars are “necessary” ”

    I never made the case that all wars are necessary, but their expenses may necessarily follow.

    I merely made the case, that if you have a war, even a “Cold War” such as in the Reagan era where the military was built up after President Carter’s neglect, there are likely to be higher expenditures which will be unfunded through taxes.

    I leave it up to the historians, as to whether a war is necessary. It’s hard to tell, while you are in a war, due to anti-war propaganda. I suggest that you look up the “Copperheads” from the American Civil War. They made President Lincoln’s life miserable with their lies and deceptions.

    I consider World War One to be an unnecessary war for America to be involved in. But, once an administration goes to war, it is inevitable that there will be war expenses, budget deficits and, most likely a higher national debt to finance them.

    Can you catch the distinction?

  • duckie

    Guys, do not feed the troll. It only makes him uglier.

  • Dowap

    Woot! We have UrbanBard throwing out the term “Leftist propaganda”.

    So is Apple leftist and Microsoft rightwing?

    Dude, take a step away from the caffeine drink, take 5 deep breaths, and just skip the section that causes you to freak out like a meth addict looking for a fix.

  • pa

    “Who writes spyware aimed at attacking servers supervised by professional IT staff and protected by sophisticated firewalls?”

    http://biz.yahoo.com/ap/080328/retail_data_breach.html

  • UrbanBard

    Yes, Johnny Apple, The point was that Daniel did not provide this information. Nor does he show where he got the chart. Why is it so wrong for me to ask for that information?

    The information that you provided on Wikipedia contradicts Daniel’s Chart. At a 3.9% increase of the national debt, it is one of the smallest of the war eras.

    I found the chart to be irrelevant. It did not prove his technical case, because the chart, itself, was not proven. The Chart is based on the idea that President Bush is a dictator who can control everything and thus, must take responsibility for it. This is anything but the truth. Congress controls the budgets and the national debt.

    In Daniel’s technical writings, he is careful to show a trail of evidence for us to check on. He does not expect us to be an ignoramus. In his politics, he provides none of that rigor. Why should I not complain?

  • UrbanBard

    Please, duckie, do ignore me, since you have nothing relevant to say.

    Dowap said:
    “Woot! We have UrbanBard throwing out the term “Leftist propaganda”.

    So is Apple leftist and Microsoft rightwing?”

    No. I was making a distinction that you did not catch: that including that chart proved nothing. It was irrelevant to the discussion. It was only there as “soft” antiwar propaganda.

    Do you like being preached to, unwillingly? I don’t.

    “Dude, take a step away from the caffeine drink, …”

    I assure you that I am calm and lucid. I merely made a logical case to refute Daniel’s emotional one. I merely asked him to provide links and to prove his position.

    What I want him to do is stop being political on these webpages. It insults half his audience.

  • dscottbuch

    Jeff

    If, as you claim, the only point being made was

    “Republicans claim that they spend less than Democrats but there’s no evidence that this is true – people believe it just because they say it’s so.

    Then I presume you’re implying that the chart was meant as a counter example to that claim?

    The problem with the chart is that it does not show spending rates, only debt. Debt can increase, even with reduced spending, if there is an economic downturn which reduces income. Debt can decrease, even with increased spending, if there is an economic boom. The relationship between debt and spending is far more complex than implied by the chart proffered and the implied explanation.

    Please note I am NOT arguing either side of this issue, my position is irrelevant.

    The incidental inclusion of politics into this blog is, IMO, its major weakness, but it is his blog and his call. The rest of the blog makes up for it.

    In this case, unfortunately, the example shown (irrespective of the underlying truth, or not, of the statement being made) is a good example of using statistics incorrectly to support a given position.

  • Brau

    I read in an interview with the winner that he was waiting for the moment the rules would be relaxed to try out his exploit. This of course shows he was prepared well in advance of the competition. Two minutes is simply not enough time to randomly explore for vulnerabilities and then craft a way to gain control.

    This is going to be a huge PR shot in the arm for MS and all their shills, despite real world security leaning heavily in favour of the Mac.

    (I’m just another Mac user with over a decade of not needing any “security software” … and counting)

  • mmbossman

    UrbanBard, enough with the political crap. We get it, you have strong political opinions. I do too, but I read RDM for the technical analysis. If there happens to be a political statement I don’t agree with, I don’t immediately have an aneurysm and start posting short novels. Simmer down and please visit another forum when you feel the need to vent about political issues.

  • UrbanBard

    Jeff said:

    “Dan’s ONLY point was this:
    Republicans claim that they spend less than Democrats but there’s no evidence that this is true – people believe it just because they say it’s so.”

    You mistake the Republican’s point: they wish to have smaller government, but Politics is the art of the possible. Sometimes, it is not possible to get what you want. Smaller government has not been achieved, because the Republicans have not had a filibuster proof Senate.

    It took the Democrats sixty years to get us into this mess; it will not be corrected overnight.

    What Daniel was doing was to imply hypocrisy on the Republican’s part: the difference between what they claim they wanted and what they have achieved. The assumption is that the Republicans could get anything they want.

    That is not so. Why? Other people stand in the way. The Democrat Party stands in the way. The war stands in the way. The Electorate which wants to defend its “Special Interests” stands in the way.

    “You’ve now written several hundred words without directly addressing that point at all. ”

    I did. You weren’t listening. I explained all my points doubting that chart and why it was included.

    “So why blame Dan for bringing politics into the blog when he only made one point ”

    If he had made a technical point that was bogus, I would have addressed that. I rarely disagree with him on technology. Why? Because he makes sense there. But, not on his politics. Or his manners.

  • UrbanBard

    dscottbuch said:

    “The incidental inclusion of politics into this blog is, IMO, its major weakness, but it his blog and his call. ”

    I agree. But, Daniel’s politics are not without a cost. I am applying that cost, in an attempt, to dissuade him from farting his Leftist opinions in public.

    mmbossman said:

    “UrbanBard, enough with the political crap. ”

    I agree completely. I wish Daniel would agree.

    “I read RDM for the technical analysis. ”

    So, do I. I never start the politics here.

    “If there happens to be a political statement I don’t agree with, I don’t immediately have an aneurysm and start posting short novels.”

    Nor do I. This is a reasoned analysis; my emotions are not involved. Perhaps, you have never heard of one. I am merely replying on the behalf of Daniel’s Conservative audience.

    “Simmer down and please visit another forum to when you feel the need to vent about political issues.”

    I am trying to persuade Daniel of that. So far he hasn’t taken the hint.

    In your opinion, my political opinions should be suppressed?

  • mmbossman

    In my opinion, this is a technically based blog 95% of the time, and whether Daniel wants to talk about politics or penguins for the other 5% is up to him. And if he says something in that other 5% that you don’t agree with, I have no problem with you posting your disagreements. But spamming the board (you account for 7 of the past 16 posts) is both annoying and counterproductive, as people see you as a troll. Speak your piece in one or two posts and leave it at that. Try to respect the other people who visit RDM for the technology, and not the politics.

  • http://johnsessays.blogspot.com John Muir

    Once McCain is sworn in, maybe we’ll see some progress on the small government front. He’s the first Republican to get anywhere near the White House in years.

    Now I’d better duck for cover! :D

    By the way: I do agree with the “politics = RDM’s Achilles Heel” point. I’d also maybe add consoles. Dan is free to address whatever he likes – and often does so very well – but those two areas, well, it’s not just me…

  • John E

    can someone please just answer my question: how much control of the MacBook Air did the hacker really get? merely downloading a file from it means little.

  • http://www.radianttechnology.net Windinthedust

    Great article Dan, as always.

    I started reading because I was impressed with the technical research, historical summaries, use of illustrations, and the candor that you employ.

    It is rare today, in all media, to get this type of thorough and thoughtful writing.

    Candor is a huge area, that many people miss out on…. however, the more a writer can use candor in his arguments, the more transparent it becomes, that his motives are to seek the truth of the subject. The writer then becomes, not just believable to his audience, but trusted.

    It is clear that you have achieved this rare, trusted status, when it comes to speaking about technology.

    Regarding politics and religion, it is clear from all of the posts, you have not yet reached “trusted” status. Therefore, you have to expect to be tested by the knowledgeable and defended by the ignorant… and vice versa, when it comes to these subjects.

    However, by your use of candor, even here too, eventually, you will also receive trust & respect (and especially from those that disagree).

    From reading UrbanBard & dscottbuch; it is clear they respect you, and they just want to help you keep that reputation when speaking off topic. There was nothing wrong with your use of the political chart… simply give it the same due diligence and thoughtfulness you give everything else (however, if you have to explain, prove, and back up an illustration, perhaps it’s not an appropriate one :-) ).

    As you’ve reasoned on in previous articles, Mac users are not divided by political party… after all, you have both Al Gore & Rush Limbaugh that absolutely love and espouse technology that works. It would be reasonable to assume that your readers also come from diverse political backgrounds. Because of this, please, continue to speak about diverse issues… but remember your audience has the same freedoms that you do.

    Keep up with the fine writing, and thanks for hosting this diverse site.

  • slappy

    The MBA wasn’t controlled. That’s not the purpose of the contest. It could have been anyway since he was able to gain access with the hack. No matter how you cut it. Mac OSX is much easier to attack than Vista. The guy just proved it and even stated it on computerworld.

  • WebManWalking

    While reading this article, for some reason, the book How to Lie with Statistics kept coming to mind.

    http://en.wikipedia.org/wiki/How_to_Lie_with_Statistics

  • http://lexx.warpedsystems.skc.a His Shadow

    >You mistake the Republican’s point: they wish to have smaller government, but Politics is the art of the possible. Sometimes, it is not possible to get what you want. Smaller government has not been achieved, because the Republicans have not had a filibuster proof Senate.

    Bullshit.

    The Dept of Homeland Security blows any talk of “smaller government” out of the water. Did the Democrats twist Bush’s arm to make him establish a massive parallel bureaucracy to funnel even more pork cash around? Are warrantless wiretaps and abrogation of the Constitution signs of a political party that wants smaller government and less interference in citizens’ lives?

    Face it. You drank the Republican Kool-Aid that the leadership won’t touch.

    And nice try with all the economic mumbo jumbo. The simple fact of the matter is that the deficit is the deficit is the deficit. It’s an indication of the spending habits of the party in power. It’s that simple. How you can pretend that the party that oversees the most massive growth in the debt that has ever been seen can still be reconciled with the lie of “smaller government”… well it simply can’t.

  • mmbossman

    *Sigh*… and we were just starting to get back on topic. I’ll just stop reading the comments, I suppose.

  • http://www.radianttechnology.net Windinthedust

    It is interesting to note, that most people are of a particular religion or political affiliation, because they were born into it. The status quo is not questioned.

    As an example, what religion would you be if you were born in Saudi Arabia and not SF? What political affiliation would you be if born in Texas?

    Why is the ‘status quo’ not questioned? Maybe it’s the emotional attachments from family tradition & peer groups. Maybe it’s just apathy.

    Whatever the case, most fear to have an honest dialog about these topics… “it’s personal”, yet these very topics so un-personally and profoundly affect the world.

    To make a comparison to technology now… it is interesting that many people that use PC’s and windows, do so, because they were ‘born’ doing so. In other words, it was the only choice, the unquestioned status quo. Technology has become personal to them, and often driven by their peer group. I am not saying this is right or wrong… but Daniel does us a service by injecting fact and reason into these often emotional topics.

  • http://johnsessays.blogspot.com John Muir

    @Windinthedust

    Correct!

    I was a Windows user because the “whole world was too” for years, having scarcely ever encountered an old-school Macintosh. Though whenever I did they worked eerily well…

    Meanwhile, born into a social democrat culture I’ve always been instinctively irritated by it and discover that my apparent right-wing extremism in Scottish terms is actually just good old moderate politics in America.

    It’s strange what you discover the moment you broaden your horizons. The internet is the biggest step we’ve taken with that as a planet since the printing press.

  • WebManWalking

    For example, Daniel’s comments about the Gray Risk focus of the Swiss study reminds me of Chapter 1 of How to Lie with Statistics: The Sample with the Built-in Bias.

    I wonder what the average IQ of people who rant about politics would be compared to the average IQ of people who talk about fair statistical analysis of computers?

  • http://www.radianttechnology.net Windinthedust

    Dan, I just thought of an alternative illustration to the political spending chart…

    It is a proven economic fact that cutting taxes spurs business growth, expansion, & job creation whereas raising taxes has the opposite effect. All will agree with that statement.

    Here’s the sticker: Many think that raising taxes increase revenue to the government… when actually the opposite is true.

    Reasoning on this: Lowering taxes means expanded businesses. More business means more jobs. More jobs and profitable businesses means that the government actually takes in more by cutting taxes than raising taxes.

    This is because the taxable market is larger at the lower rate than it is at the higher rate. Also in effect here, is honesty. People will less likely cheat on reasonable tax rates than they will on unreasonable ones.

    This is universal… in the music & video industry, the best anti-piracy policy is reasonable prices & easy availability (like iTunes, Amazon, and eMusic).

    On sales, low profit margins are made up by high volume whereas low volume products need high margins… of course, finding the “sweet spot” is always the hard part.

    The iPhone is an example of this… lowering prices spurs sales, and Apple actually makes more money on a higher volume product, even though it is selling at a lower cost. Of course, Apple can’t go too low, otherwise it would hurt profits… but it also can’t go too high…. this too will hurt profits by stifling sales.

    While pundits debate the math of cutting versus raising taxes, all they have to do is look at history to see the results when it has been tried.

    http://www.economicsuk.com/blog/000159.html

  • beanie

    The Sony Vaio has Ubuntu 7.1. You wrote it like it also contained Vista. So this was a contest between Vista, MacOSX, and Ubuntu.

    Microsoft being a sponsor does not make a difference. Attendees choose the platform they wanted to hack. So Windows experts probably chose to hack Vista. The winner Charlie Miller is a Mac user.

  • http://johnsessays.blogspot.com John Muir

    You mean the…
    http://en.wikipedia.org/wiki/Laffer_curve

    I’m all for the general link between low tax and thriving business, the problem however seems to be in boiling things down to be quite that simple. Just look at the stock markets to see how chaotic and (as with AAPL lately) downright counterintuitive trends can be in anything but the long term. If everything worked like Laffer’s curve, we’d be sitting on the optimum tax rates and even oil price just like the rocks gather themselves together to form Saturn’s rings.

    The human element is where things get interesting. And crazy. Welcome to the world.

  • slappy

    @beanie

    Even more incredulous for Mac OS X. The Windows experts could not even hack Vista even with many known exploits at hand. Last I checked, it is still not compromised. Mac on the other hand already lost.

    Including its credibility as a secure platform it seems.

  • dscottbuch

    Someone over at Appleinsider forums posted the following…

    “Well, apparently the exploit was achieved by clicking on a URL which opened a port number on the Mac, which in turn allowed them the telnet to the machine.”

    This was without a link. Anyone know if this is true? If so, it’s not much of a concern as

    1) This would be defeated by a NAT
    2) You have to turn on remote login, which is not on by default (which I believe is ssh in any case but that’s just a different port)
    3) you need a logon, specifically an admin logon.