Daniel Eran Dilger in San Francisco

Mac Shot First: 10 Reasons Why CanSecWest Targets Apple

2008-03-29 13:12
Daniel Eran Dilger
The details emerging from the CanSecWest security contest fill out a story that is bigger than the simple “Mac Shot First” headlines convey. This was not a contest where three systems were placed in an equal foot race and the Mac simply lost due to being a slower runner. Here’s why.


The CanSecWest contest featured a number of security researchers, each with different backgrounds, motivations, and levels of expertise working to exploit flaws in the three systems running Mac OS X, Windows Vista, and Ubuntu Linux. However, rather than being a level contest to expose the flaws in the three systems, it was really a contest highlighting the knowledge and abilities of the researchers, each of whom targeted the platform of their choice.

10 Things to Remember About CanSecWest and Software Vulnerabilities.

1. Exploits discovered for the Mac have little value outside of contests like CanSecWest. Nobody would buy the exploit Charlie Miller found, because there is no market for it. In the Windows world, there is a thriving market for selling exploits (both those discovered but not yet disclosed, and “0-day” exploits that are disclosed but not yet patched), because spammers, botnet operators, and identity thieves need them to stay in business. There is no malware underworld servicing the Mac, and consequently no demand for such exploits. Once discovered, Mac exploits are patched within a few weeks, so while they generate plenty of heat and light for headlines, in the real world they don’t result in the kind of catastrophic destruction that Windows exploits do.

CanSecWest was a controlled explosion designed to demonstrate how fearsome a theoretical attack on Macs might be, if there were any market that would support such an attack actually happening outside of an artificial contest. The tech media has reported the event as if it stood on an equal footing with the millions of successful, real-world attacks on Windows PCs that occur daily, which cause real damage and lost time, and which demand the continual, vigilant use of performance-robbing anti-virus software on the Windows platform. This is grossly misleading and hypocritical.

2. The CanSecWest contest clearly appears intended to transfer the security focus belaboring Windows onto other platforms. Microsoft has repeatedly paid for research suggesting that enterprise users could face greater theoretical security risks on Linux. Microsoft desperately wants to rid itself of its decades-long reputation for abysmal security, and the best way to hide the obvious reality of the Windows security crisis is to craft misleading headlines announcing that up is down.

Mission accomplished: despite billions of dollars in real world losses annually due to the mess of Windows’ active virus and malware crisis, CanSecWest has announced that Macs are less secure than Windows, and a childlike media and idiot public have chosen to believe that the stark reality around them has been authoritatively disproved by a publicity stunt.

[Update: while the motives of those setting up CanSecWest's contest can be argued both ways, Microsoft's maximizing of the simplistic marketing message in the media can't. Jeff Jones, a director in Microsoft's security group, blogged about the winning Mac OS X crack, noting:

“I don't really care for 'hack the box' contests. If a machine doesn't get hacked, it does not mean it isn't breakable. If it does get hacked, it just shows us what we already know - any machine can be broken under the right circumstances. So, don't read too much into the PWN 2 OWN results. I don't.”

Jones' blog is headlined “SECURITY IS NOT SIMPLE, SO WE SHOULD TRY NOT TO SIMPLIFY IT TO THE POINT OF USELESSNESS.” However, he also added, “having said that, given how obnoxious and misleading I find those Mac OS X ads and how they've spent millions of dollars publicly criticizing Windows Vista security improvements, I find it ironic and apropos that Mac OS X was the first machine to be owned in the PWN 2 OWN contest at CanSecWest today.”

The media only reported his final line. Further, Jones' comment that Apple's 'Get a Mac' ads are “misleading” is fully unsubstantiated. Windows Enthusiasts like to work themselves into a frenzy relating how upset they are about this message, but they don't refute it. Also, saying Apple spends “millions of dollars publicly criticizing Windows Vista security improvements” is not really accurate or fair.

Jeff Jones Security Blog : Mac OS X Security - Reality Check #2]

3. The contest prominently focused attention on the brand name of the MacBook Air, while only describing the other two laptops by their manufacturer. This delivered the most sensational headline payload possible, associating the security problems dogging Windows with Mac OS X while also serving to malign Apple’s new laptop with the suggested taint of some special insecurity. Apple will have to step up its “I’m a Mac, Vista is dreadful” advertising just to balance things out.

4. The Mac exploit was something Charlie Miller had in hand when he arrived. There was nothing else he could use it for other than winning the contest. If it were a remote exploit, he could have made $20,000 rather than $10,000 by using it the first day of the contest. He knew exactly what his exploit was worth and what it could do. He’s a security expert.

[Update: Some people think this was a controversial idea I invented. It is not. Reader Don Bach sent in a link to an article interviewing Miller, and he states, with regard to the Mac OS X exploit he used to win the contest, “We sat down about three weeks ago and decided we wanted to throw our hats into the ring. It took us a couple of days to find something, then the rest of the week to work up an exploit and test it. It took us maybe a week altogether”.

Miller's comments were intended to express how trivially easy it was to find an exploit by raking through FOSS code that Apple hasn't updated, but they also point out that Miller had a plan in hand and was politically motivated, beyond many of his colleagues, to find an exploit that would target the Mac. The rest of the article repeated portions of Jones' comments above, devoid of any context. Shame on Softpedia.

Microsoft Finds Irony in Mac OS X Getting Hacked Before Vista SP1 - Courtesy of Jeff Jones, Strategy Director in the Microsoft Security Technology Unit - Softpedia ]

5. The researcher who cracked the Vista machine was stymied by the fact that he didn’t expect it to have SP1 installed, according to a follow-up report by IDG’s Robert McMillan. So Miller was better prepared than the second-place winner. That’s a positive reflection on Miller more than a negative reflection on Mac OS X.

Incidentally, last year Apple released a Mac OS X update prior to CanSecWest that similarly addressed several exploits contestants were planning to use. This year, Mozilla also pushed out Firefox 2.0.0.13 the day before the contest, patching flaws that might otherwise have been used to attack the Ubuntu installation.

The date CanSecWest is held, relative to release of security updates by each vendor, results in a variable that can have a big impact on the contest but doesn’t really say anything about the overall security of each platform. Had the contest been held prior to the release of Vista SP1 (which was released a full year after Vista arrived), it would have reflected the actual level of security Vista users enjoyed throughout 2007. Instead, it only reflects the state of Vista for users who have elected to install SP1, which has been dogged by problems of its own.

Steve Gold complained in IT Pro Portal that “Microsoft’s problems with SP1 are on a scale of BAA’s problems with Heathrow Terminal 5, but on a worldwide scale. Like BAA they’ve had months to iron out any problems, yet it singularly failed to do so. The known problems list makes for eye-popping reading.”

Earlier this week, the day before CanSecWest’s contest was held, Stuart Johnston observed in PC World, “Service Pack 1 for Windows Vista is (almost) ready for prime time. SP1 contains a whopping 573 bug fixes and patches that have accumulated since Vista first shipped in early 2007, plus some performance improvements. I advise you to get it–but only after the wrinkles are ironed out.”

If Vista’s SP1 has so many issues holding back PC World from recommending an immediate deployment, how much does CanSecWest’s contest, which installed SP1 on the Vista test machine, really say about the relative security of the users running Vista?

Vista, MacBook Out–Only Linux Left in Hacking Contest – Yahoo! News
ITProPortal.com – Vista SP1 – I’m losing what little hair I have left…
PC World – Vista Service Pack 1: 573 Fixes in Limbo

6. Miller reported hacking something related to Safari, but the details haven’t been revealed. Whether this was a real-world vulnerability in Apple’s code, a copy-and-paste attack on a FOSS library as Miller’s PCRE exploit was (or the libtiff exploit found by another researcher after the PCRE flaw was patched), or a contrived test that opened up telnet remote login on the machine and gave the researchers an account to use, is still unknown. The notes so far suggest that it had little to do with Apple’s own code, although Apple is still responsible for the versions of FOSS code it distributes as part of Mac OS X.

Incidentally, both the PCRE and libtiff vulnerabilities had exploits developed for them that were used both to demonstrate the flaws and to work around security on the iPhone in order to install unsupported software. Neither was actively used to do any actual damage, and both were patched within a few weeks of their discovery.

[Update: John Gruber of Daring Fireball says the “contest-winning exploit took advantage of an overflow bug in the PCRE regex library used by WebKit’s JavaScript engine.” That means Miller reused the same attack vector he used against the iPhone last fall, which suggests that Miller knows a lot about PCRE and identified a new bug in it. Gruber says the issue has already been addressed within WebKit's JavaScriptCore. This suggests that the entire contest was about Miller proving he could temporarily outsmart an open source development project for a few days, rather than having anything significant to do with relative platform security between Macs, Windows, and Linux.

Changeset 31388 - WebKit - Trac via Daring Fireball.]

The security problem affecting Windows users relates to the fact that there are not only more discovered flaws, but that these are being actively exploited to develop viruses, spyware, adware, and other malware. Further, there are vast numbers of machines that are not promptly updated with the patches that do exist, resulting in fleets of vulnerable botnets that actively distribute new attacks to other systems. These two problems aggravate each other to create the Windows security crisis.

Pointing out the presence of a theoretical attack vector in Mac OS X that can be easily addressed is nowhere near the scale of the actively destructive, virulently perpetuating problem that dogs Microsoft. Because there is actually very little Microsoft can now do to solve the problem it created in the 90s, it is left with only two options: doing what it can to solve security problems in Vista, which most Windows users have elected not to use, and erecting a smokescreen of misleading marketing that says the problem does not really exist and that other more secure platforms are actually somehow at greater theoretical risk.

7. Attendees with the ability to crack Linux “didn’t want to put the work into developing the exploit code that would be required to win the contest,” according to the IDG article cited above. Why not? Because they lacked the political motivation to prove Linux was easy to hack, and they lacked the financial motivation to earn $10,000 at a contest when they might be able to sell their vulnerability discovery for more than that.

8. Many exploits and vulnerabilities are not unique to “Mac, Windows, or Linux,” but are instead cross-platform threats. Vista was cracked this year using a flaw related to Adobe Flash and Java. Vulnerabilities discovered in Java, generic browser flaws, and other commonly shared code mean that researchers can often use a given vulnerability discovery to attack the platform of their choice. In the past, Miller has applied this principle to use FOSS vulnerabilities against Apple. In the same manner, experts in FOSS vulnerabilities affecting both Linux and Windows could sell their findings to Windows spammers.

This elasticity in discovered flaws demonstrates that vulnerabilities are most likely to be used wherever they yield the most value to their finder, rather than being applied equally in some convenient platform shootout that empirically rates the overall security of each platform in one dramatic contest. Reality clearly demonstrates that, in practice, discovered flaws are more often channeled into the thriving malware market around Windows in order to create spyware, adware, and other malicious tools commonly distributed by viruses.

9. Miller has repeatedly stated that his life’s work is to discredit the security of Apple’s platforms. The only outlet and business model for such an effort is currently CanSecWest. Last year, Miller’s partner, working for the same company, won the same contest in exactly the same way. Both have repeatedly stated that Macs are trivially easy to attack each time they were given the opportunity to plant that particular meme in media coverage.

Certainly, if you’re a security expert with an outdated FOSS exploit in hand, you can beat both your unmotivated colleagues on Windows, who have sold their exploits to spammers, and your Linux expert colleagues, who have no interest in trying to make FOSS look bad, and easily win a contest like CanSecWest by exposing a flaw in Apple’s distribution of open source code. But again, that says more about your knowledge, expertise, and motivations than it does about Mac OS X, Windows, and Linux.

10. Apple’s use of open source makes it easier for researchers like Miller to identify exploits, including those that have been patched by their FOSS project, but have not been updated and distributed by Apple. I specifically noted in yesterday’s article that this is an area where Apple has received criticism, and ideally, that Apple should be faster at keeping its FOSS components up to date. Of course, there are also issues related to using the bleeding edge of FOSS software revisions, which despite being patched for vulnerabilities, may have other problems related to their newness.

Corporate IT staff frequently do not immediately patch their critical software until they know what the patch will actually do and that it will not cause other problems or expose other vulnerabilities. Apple’s distribution of FOSS patches to its commercial customers requires a similar delay. FOSS projects can blow out patches fast and furiously, but Apple can’t, or we’d all be annoyed to see patch updates in Software Update on a daily basis. Apple’s commercial customers demand software that “just works,” which requires a very different approach to version management than the “do it yourself” model in the Linux world.

It is overly simplistic to criticize Apple for not always distributing the newest version of every open source component it ships. Certainly, there are specific cases where Apple has dropped the ball and needs to improve. But making a blanket criticism that Apple doesn’t just throw together the most recent versions of every open source library available shows a gross ignorance of version management.
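The practical risk described in point 10 is a bundled open source component that lags behind the upstream release in which a fix shipped. One defender-side check for that is to inventory the versions a vendor ships and compare each against the first upstream version carrying the fix. The script below is an added example written for this article; it is not Apple's tooling or anything from the original page. The inventory and the "fixed in" versions are constructed sample data (the component names are illustrative; libpng is not mentioned in the article), and the version parser is an assumption about how such version strings are usually laid out, including the pre-release edge case where a "-beta1" build must sort before the final release of the same number.

```python
"""Flag bundled open-source components that lag the upstream fix version.

Added example for the article's point 10; not RoughlyDrafted's or Apple's code.
Inventory values below are constructed sample data, not real shipped versions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    bundled: str   # version the vendor ships
    fixed_in: str  # first upstream version that carries the fix we care about


_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)(\d*))?$")


def parse_version(text):
    """Turn '2.0.0.13', '7.6' or '1.2.8-beta1' into a comparable tuple.

    Trailing zeros are dropped so '2.0' and '2.0.0' compare equal, and a
    pre-release tag (rc, beta, alpha...) sorts before the final release of
    the same numeric version.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(part) for part in match.group(1).split("."))
    while len(nums) > 1 and nums[-1] == 0:
        nums = nums[:-1]
    tag = match.group(2)
    if tag:
        # (numbers, 0 = pre-release, tag name, tag number)
        return (nums, 0, tag.lower(), int(match.group(3) or 0))
    return (nums, 1, "", 0)


def lagging_components(inventory):
    """Return the components whose bundled version predates the fixed version."""
    return [c for c in inventory
            if parse_version(c.bundled) < parse_version(c.fixed_in)]


def report(inventory):
    """Render one status line per component for a human reader."""
    lines = []
    for c in inventory:
        status = "LAGGING" if c in lagging_components([c]) else "ok"
        lines.append(f"{c.name:<10} bundled={c.bundled:<12} fixed_in={c.fixed_in:<12} {status}")
    return lines


# Constructed sample inventory: names are illustrative, versions are made up.
SAMPLE_INVENTORY = [
    Component("pcre", "7.0", "7.6"),             # behind the fix
    Component("libtiff", "3.8.2", "3.8.2"),      # exactly the fixed version
    Component("libpng", "1.2.8-beta1", "1.2.8"), # pre-release of the fixed version
    Component("zlib", "1.2.3", "1.2.1"),         # newer than the fix
]

if __name__ == "__main__":
    for line in report(SAMPLE_INVENTORY):
        print(line)
```

The comparison is deliberately strict about pre-release tags: a vendor that ships a beta of the fixed version has not shipped the fix, and a naive string comparison would miss that. In practice the inventory would be fed from a package manifest or SBOM rather than typed in by hand.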

Apple Patches Faster than Microsoft Because it Patches More than Microsoft.
Which brings us to the other elephant in the room: Apple patches its OS software far more frequently than Microsoft, according to the same Swiss study that worked to discredit the timing of Apple’s patches relative to their vulnerabilities’ official date of disclosure.

Apple also improves its operating systems far more rapidly, with 66 updates to its Mac OS X desktop and server products (not including the iPhone) versus 7 releases of Windows desktop and server service packs over the six years of the Swiss study. That was entirely ignored by the media to focus on the completely skewed “who statistically patches flaws faster relative to the flaws’ public disclosure” metric.


For a media enraptured with titillating headlines, and an idiot public entertained by hearing what they want to hear instead of being informed of the more complex reality, CanSecWest delivers in spades. The rest of us have more facts to consider.

CanSecWest and Swiss Federal Institute of Tech Deliver Attacks on the Reality of Mac Security


79 comments

1 dustbag { 03.29.08 at 5:37 pm }

Hi Daniel,
I’m a regular reader and love the posts. I’ve been a Mac user since 1987. I too was irritated by what is clearly a publicity stunt, and am disturbed it’s already getting skewed coverage in even the Washington Post.

I’m not a programmer, but I’m also not naive enough to believe that Macs are invulnerable to viruses, just that they are much more resistant to attack because of the way the core OS is constructed.

All that said, doesn’t your point #1 above kind of prove the point of the Windows defenders that once there is enough incentive out there, Macs will become just as much a target as Windows PCs?

Anyway, I’ll be looking forward to your future analysis. Thanks for all you do here to keep the rest of us on an even keel in a sea of Windows pundits.

2 dscottbuch { 03.29.08 at 5:42 pm }

I agree with dustbag in that the majority of the points in this article are basically the Mac isn’t popular enough to justify the effort. If that’s really the results of the contest then there is a real problem.

3 slayerjr { 03.29.08 at 5:50 pm }

I hope you will read this article again when you’re less hopped up on paranoia beans, Dan. You’re sliding fast into the same zone you so often accuse others of. It’s a sad day for those of us who respect your views and opinions. Very disappointing.

4 tripleman { 03.29.08 at 6:17 pm }

I don’t think that he’s saying that apple has “security through obscurity”, I think he’s saying that the economic model for finding exploits and using them for adware/spambots/malware just is not there. Not only is it not there now, it most likely never will be because of the underlying core of unix – an inherently more secure system than windows.

Microsoft may surprise everyone and make an extremely secure version of vista (or whatever comes afterwards) and it still won’t help us for a long, long time because of the massive amount of existing compromised win95, 98, NT, 2000, 2001, Me and XP systems out there.

What bothers me is that, as a mac user, I have no idea how much of my ISP cost goes into paying for added infrastructure to combat the insane amount of spam that is flying around the net. Fatter pipelines, software filters, dedicated appliances, man hours – all of this because Microsoft was/is too stupid and greedy to build a better system.

I’m not a fan of lawsuits, but seriously, I don’t think it’s a hard argument to make that a class action lawsuit alleging negligence on Microsoft’s part is not frivolous and has cost everyone billions of dollars.

5 dscottbuch { 03.29.08 at 6:21 pm }

@tripleman

“I don’t think that he’s saying that apple has “security through obscurity”, I think he’s saying that the economic model for finding exploits and using them for adware/spambots/malware just is not there.”

But I believe that is quite circular, as the reason it’s not there is most likely the small size of the platform’s installed base.

Don’t get me wrong, I don’t believe this argument but that’s what being said in this article.

6 tripleman { 03.29.08 at 6:51 pm }

@dscottbuch

The very next line read:

“Not only is it not there now, it most likely never will be because of the underlying core of unix – an inherently more secure system than windows.”

Since you chose that particular quote without including the next sentence, the sentence that gives a reason other than security through obscurity, it sounds like you’re just cherry-picking.

There are a whole host of technical reasons why it’s unlikely that we will ever see a mass of compromised macs being used as spambots lousing our internet experience and costing us money. What makes windows an attractive target isn’t that there are a lot of PCs, but that they are easy to break. In terms of quantity, there certainly are enough macs out there to create bot armies – linux too for that matter – but why bother when there are easy windows systems to use.

The weakest systems will always be the target, not the most prevalent.

7 dscottbuch { 03.29.08 at 7:34 pm }

@tripleman

That’s what you said, not the article. I’m talking about the article. I agree with you in general.

8 La Mansarda del Takkino » Post Inutile.. { 03.29.08 at 7:43 pm }

[...] I read about this very interesting challenge between Leopard, Vista and Ubuntu, only to find that Ubuntu wins on security (thanks, what a discovery..) and Leopard loses (now that’s news!!!), with Vista timidly in second place, taken down by a bug in Flash Player! And of course Leopard’s supporters have their own opinions.. [...]

9 Brau { 03.29.08 at 8:16 pm }

Personally I find it a bit perplexing that the “security via obscurity” viewpoint must continually be expressed in such black or white terms and defined as absolutely true or not. Almost everyone knows Macs are by design not as vulnerable as Windows and we also know there are a lot less Macs than PCs; it is these two things together that afford today’s Mac user such a trouble-free environment. (In some selfish way I find myself hoping Apple’s market share never increases, or decreases. I like their current BMW-like status.)

Of special note are the latest reports that Vista is *apparently* doing better regarding security … most of this can be attributed to the fact that MS is now following the same format as Apple by employing an admin account, separate from the root account, and by making the user aware any time a link tries to download an executable file.

Most of the past advertised Mac “exploits” required a Mac user to be blatantly stupid, click a link, authorize the resulting Trojan download and then opt to run the program. What bothered me about this latest news was that by getting the end user to simply click a link in Safari, control of the Mac was achieved. That is the “Windows” kind of exploit I have never had to worry about as a Mac user. I’m just glad it happened in a closed environment. I want to know more though, like did he succeed in getting Admin access, or Root? What was defined as “control”?

So does this mean as Mac market share rises that Mac users will all need security software? Not necessarily. Anti-Viral software only becomes a necessity if the problem(s) become widespread and can’t be patched without denying needed services to the user. This is the sad case with Windows and their ever growing list of known viruses.

10 years of Mac use, no AV software, no firewall, no worries, …. and counting. :)

10 danieleran { 03.29.08 at 9:08 pm }

The article focuses on today’s reality, and does not extrapolate a possible fantasy world where Apple owns 95% of the desktop.

As I noted earlier, Apple now has 20% or more of certain markets, but does not have even 1% of the malware market. The idea that Apple will inherit Microsoft’s problems is based in the ignorance that Windows’ security problems are rooted in its popularity, rather than its poor architectural design. That is not true.

Back when all computers used floppy disks, and floppies were easy to infect with boot sector viruses, Macs carried and transmitted viruses on floppies despite never having more than 11% of the market. Viruses were there because of a weakness, not because of the Mac reaching a certain market share threshold in popularity.

Today, and over the last two decades, Windows has been plagued with malware because it is easy to infect. That ease results in the cost of creating Windows malware, added to the risk of getting caught, still being much less than the payback spammers earn. Windows malware is cost effective.

Creating Mac malware would cost more because it is harder to write, harder to keep working, and too easy to clean away. There’s no Windows Registry, no convoluted installation system, and Macs are easy to keep up to date. There would be no payback for malware writers, not because the Mac market isn’t big enough, but because creating a botnet of Macs would be too expensively difficult to maintain. Adding more Macs to the population does not change that.

My first point above is that Windows has a thriving market of spammers. This is not because of platform popularity, but because there were and continue to be weaknesses in the design of Windows that made it easy and cheap to exploit. That in turn created a market because supply stokes demand. It was not demand that created the supply.

However, we don’t even have to speculate about whether or not the 90s might return with Apple playing the part of Microsoft’s villain. That’s because the future of the PC is dead.

Microsoft reigned over a tremendous growth spurt in PCs from 1990 to 2005. Over much of that time, new PC sales were greater than several prior years of sales. The PC has plateaued. PCs aren’t going to evaporate of course, but sales are not going to turn over the installed base every couple years any more.

Incidentally, that’s why Apple is focusing on mobile computers and sees so much potential in the iPhone/iPod Touch. Microsoft itself has been predicting the fall of the PC, but thought growth would shift to Handheld PCs, Tablet PCs, and UMPCs. It did not.

NOW, take all that into consideration with your idea that Apple will fall prey to Microsoft’s malware problem simply because it is gaining market share. Then consider:

First, Apple’s iPhone is malware resistant. As that platform grows, it will be very difficult to distribute malware, easy to kill it, and trivial to clean it up.

Second, Mac OS X is going to follow in some of the same security practices as the iPhone: code signing, sandboxing, etc. As the Mac grows in market share (and the Mac has FAR more growth potential in taking over total PC numbers than the Windows PC has in growing its total share; Apple can only grow, while Microsoft can only struggle against shrinkage), Apple will continue to erect new barriers to the problems that DO NOT CURRENTLY affect the Mac platform. There will not be a scourge of Mac malware.

Third, Microsoft is doing many of the same things to secure Vista. However, neither Vista nor the Mac will solve the problems related to Microsoft’s PC legacy. There are lots of botnet PCs out there that will remain connected to the network, sending out spam. There are lots of WinXP computers that will remain out there for the next decade, and fully open to the infectious pool that is the Windows security nightmare.

Fourth, a new class of cheap PC replacements is working its way into emerging markets. Linux based PCs like the OLPC’s system will create an alternative to the growth of the conventional PC in those markets. These will likely be more resistant to malware, but also less attractive to malware authors, as a WiFi OLPC isn’t going to make a great botnet spam server in the way that a WinXP gamer PC on cable Internet does.

That means new Macs/PCs/emerging market systems will be quite resistant to malware attacks, new platforms like the iPhone/iPod touch will be malware free, but the disease pool of today’s Windows PCs, including all those enterprise boxes that won’t be upgrading to Vista anytime soon, will continue to breed a cheap and profitable malware industry that sends out spam, pops up ads, and tries to replicate itself into new botnet nodes.

Now, ask me again why my ideas are so tragically stupid because of a mythical idea that Apple will become Microsoft.

11 lmasanti { 03.29.08 at 11:54 pm }

WebKit Fix for Charlie Miller’s Contest-Winning Exploit
His CanSecWest contest-winning exploit took advantage of a bug in the PCRE regex library used by WebKit’s JavaScript engine.
Daring Fireball 3/29/08 17:32 John Gruber http://daringfireball.net/

12 Rip Ragged { 03.30.08 at 2:05 am }

21 years as a Mac user. SE/LC/Performa/iMacDV SE/G4 AGP/G5/MacPro/a bunch of laptops. No viruses.

Spin that however you like. That’s the raw data.

My major complaint with Apple is that a member of their board is a lousy predictor of weather. It’s April and I’m freezing my globals off.

13 materro { 03.30.08 at 5:32 am }

I believe that this series of articles is flawed, and the arguments that the PWN to OWN contest was biased is simply ridiculous. I’ll do my best to address each of the points proposed by Dan.

1. Profitability has nothing to do with this competition. The proposition that a virus or exploit is useless because no one would buy it is irrelevant. That’s like saying that a great invention is useless because there’s currently no market for it. Looking into the future, there might be a market for this kind of exploit; I really have no idea about what the future holds. Even assuming that there is no market, consider these two possibilities: someone who finds an exploit could himself design a virus to take over people’s computers en masse–why must someone else buy it? Worse yet, what if the crack were distributed for free? What if every virus writer on Earth had a copy of the exploit? Economics have nothing to do with the viability of virii but instead a whole lot to do with how virii are implemented.

2. Good gravy, the belief that Microsoft funded an effort to make Macs look insecure and called it CanSecWest is ridiculous if you look at the facts. First, look at the sponsors. Microsoft is one of them. But so are Google, Cisco, Juniper Networks, and Adobe… as well as smaller security companies. You’d be paranoid to think that they all have it in for Apple.

And have you even read the PWN to OWN blog?
http://dvlabs.tippingpoint.com/blog/2008/03/19/cansecwest-pwn-to-own-2008

“The main purpose of this contest is to responsibly unearth new vulnerabilities within these systems so that the affected vendor(s) can address them.”

I don’t understand how telling affected vendors what problems there are with their software targets Apple. Indeed, the Windows Vista laptop was cracked with an exploit found in Flash. I haven’t heard of Adobe furiously exclaiming that the contest was biased against them.

And when did CanSecWest announce that OS X is less secure than Windows? Never. The tech media has reported that the Mac was cracked first in a contest, not that OS X is the new Windows ME.

3. People associate Macs with the operating system installed on them by default. There’s really no issue here. The MBA was specifically identified as running OS X fully patched. Because Apple puts OS X on every computer it sells, and because any other operating systems have to be installed on those machines manually, it’s not hard at all to associate OS X with the computers that run them. In fact, it would be unnecessary to identify the MBA as the “OS X laptop,” because there are only three models of laptops that legally run OS X… and they are all made by Apple.

4. Dan, are you penalizing someone for doing their homework? Would you really expect the contestants to show up and say, “I have no idea what I’m going to do or what can be exploited in the system I want to target! I suppose I should get started right away on using my allotted 30 minutes to begin my research and possibly have a working result by the 3rd day–if I’m lucky!” Everyone in this contest was a security researcher. It would have been rather silly to show up without having anything to try.

5. It’s really too bad that McMillan wasn’t aware that SP1 would be installed. But that’s his own fault; the contest website specifically states that each machine is “all patched.” Was McMillan really unable to get his hands on a copy of Vista SP1 Beta, legally or illegally? It’s not like this is a surprise contest. It was arranged months prior, possibly in early 2007. If he were better prepared, we would definitely see the Vista laptop hacked first, and there would be none of this nonsense about Apple being targeted.

6. What exactly is the problem here? The point was to gain access to the system. Miller did exactly as anyone else could have done, and his actions are hardly shameful; the purpose of the contest was to patch vulnerabilities, and I’ve little doubt that Miller was unaware that the hole he found would be patched.

7. No one in the contest got to sell their exploits. People probably lacked the motivation for hacking Ubuntu because they knew it would be the hardest. It makes no sense to use people’s personal motivations to claim that the contest itself was biased.

8. Adobe Flash is a common application on people’s computers, and the point of the contest was to find vulnerabilities in the average computer; the exploit using Flash was perfectly acceptable. I doubt that exploit writers are going to “play fair” in the real world and not go for the cross-platform holes.

9. Dan, please stop criticizing CanSecWest for its participants having crazy opinions. Should they stop people they don’t like from entering the contest even if they can fix a problem? Would you rather that a bug went unpatched because it was found by someone you don’t like? Should CanSecWest have not admitted any participants with personal convictions?

10. OS X was an easy target because it uses open source? Hardly. Vista is by far the easiest target. Not only has it been out for more than a year, but it’s Windows for heaven’s sake. Plus, if OS X were easier to crack because of FOSS, then Ubuntu should have been a piece of cake.

14 obiwan { 03.30.08 at 5:44 am }

Regarding your point 4 (he had it in hand before he arrived): Do you really expect the teams to go down there and try to hack a system within 30 minutes WITHOUT serious preparation? All teams had their exploits prepared beforehand, I think. You also intend that he could not use his exploit on some “free market” and therefore had to use it at the event. That is like saying if he only had the chance, he would have gone criminal. That is a really bad assumption.

Of course the whole event does not tell much about the overall relative security of OSs or applications. We don’t know the number of attacks launched against each system and we don’t know about the reputation/expertise of the attendees (at least I don’t know). One outcome: Safari was hacked. So what? Get over it.

After all it is a show event, and that’s fine with me. It may help to push vendors to pay more attention to security issues.

15 Rip Ragged { 03.30.08 at 8:35 am }

RE: “You’d have to be paranoid to think they all have it in for Apple.”

An old wise guy once said, “Just because you’re paranoid doesn’t mean they’re not out to get you.”

Not that I mean anything by that.

16 dscottbuch { 03.30.08 at 9:40 am }

@materro

I think that the fact that the identification is ‘Macbook Air’, Vista and Linux does clearly indicate some underlying biases or differences in treatment. There is no reason for this other than publicity.

Regarding “1. Profitability has nothing to do with this competition.” I think the point that was being made is that other exploits that might have been used against Vista or Linux might not have been used because they have more value elsewhere (since they have to be reported at the end of the contest and presumably fixed). So, if they were used, their value would decrease significantly. Don’t know if this is true but, if true, this would bias any such contest right out of the box independent of contest design.

17 addicted44 { 03.30.08 at 2:38 pm }

I don’t think the contest was as biased as Miller is. The problem is, any ethical security researcher on discovering a bug, lets the developer of the OS know about it. This leads to the bug being patched, preventing security flaws from being exploited.

With Miller (and a few other researchers, e.g. Maynor) you have a situation where they discover these bugs, and keep them close to their chest, so they can exploit them for fame, and personal gain. This seems to be especially true in the case of Apple. The reasons for this seem twofold.

1) Apple (from what I have read on the net, so take it with a grain of salt) has had friction with some researchers in the past. However, those have been reduced dramatically, as Apple is learning to coordinate with them better. However, some researchers still harbor resentments from the past.

2) There exists an anti-Apple cult that is as big or bigger and as vocal as the pro-Apple cult. A lot of these researchers fall under that. This is not just an opinion, but rather coming straight from these researchers’ mouths. They have (as Dan points out) stated that their intention is not to help improve the security of Mac OS X, but rather to prove that it is not invulnerable. This is why they are attracted to this contest, rather than other forums, because it is a publicity affair (which is what they want) rather than a security affair.

e.g. David “cigarette in the eye” Maynor.

18 Rip Ragged { 03.30.08 at 2:48 pm }

Yea, verily, Addicted44 –

The weird thing is no one (well, no one who’s worth reading) has said that the Mac is invulnerable. Least of all, Apple. Ironically, in trying to prove the Mac is NOT invulnerable, the ocular ashtray people make it seem more so.

19 gus2000 { 03.30.08 at 2:51 pm }

The point of Daniel’s article is that the Mac is not the most vulnerable operating system, even though CanSecWest (with the help of the media) made it appear so. The slant has certainly worked, as the media luddites are now reporting this ludicrous conclusion as undisputed fact:

“Mac OS is the most vulnerable of operating systems, proved by technologist [Charlie Miller] who blotted all safety claims of Mac OS when he hacked a MacBook…in less than two minutes.”

themoneytimes.com

What a load of crap. The fact that OSX has a vulnerability does not make it the least secure.

Why wasn’t Windows XP part of the contest? Isn’t that still sold? They excluded XP because they didn’t need contestants to show the flaws. All they had to do was install XP and hook it to the open internet to download the service packs, and the spam bots would take care of the rest.

They used bad data to draw an incorrect conclusion. Daniel may or may not be right about individual motivations but he’s right on the money about how this story is being distorted.

20 Technically Sound { 03.30.08 at 3:13 pm }

[...] Roughly Drafted: Mac Shot First: 10 Reasons Why CanSecWest Targets Apple 1. Exploits discovered for the Mac have little other value outside of contests like CanSecWest. Nobody would buy the exploit Charlie Miller found, because there is no market for it. [...]

21 freedom { 03.30.08 at 3:31 pm }

If steve Jobs were President!

My first thought as I read the article was “Who cares about popularity”. All I hear from my Mac friends is how secure a Mac is, simply based on the fact that you rarely hear about it being targeted with malware. I think a contest like this helps put things into perspective.

But the point I would really like to make is this: regardless of vulnerability, what sets PCs (Windows and Linux) apart from Macs is FREEDOM.

If Steve Jobs were President his version of homeland security would be to simply not allow us to fly if he could not figure out a way to completely lock flight safety down.

My point here is that Apple’s issue with gaining market share has nothing to do with whether it is a better platform or not (it very well COULD be). It has to do with limiting the user’s freedom to do as he wishes.

A gamer has the ability to go wild and waste a ton of cash building a high end custom PC if he wishes; can he build his own custom Mac?

A programmer can write any program he wishes for a Windows Mobile device, but what about an iPhone programmer? (Full disclosure: I currently carry an iPhone.)

In my own case I am actually building an app and website optimized for the iPhone because it is by far the best pocket browsing platform to date. However, I am very concerned that after putting a lot of time and effort and $$$ into my product, the Marxist regime at Apple may not allow part or any of my product to be installed on my own phone.

The point of all of this is to say that Freedom is why Apple does not have a bigger market share and security issues will not change that as long as Freedom is still in check at Apple.

And for the record I realize that that lack of Freedom is exactly why the Mac just may be a more secure platform, but just like I want the option to fly when and where I choose, I also want to compute how I choose, and I am willing to safeguard my data with a little extra effort if it affords me that Freedom.

Viva La Freedom to compute as you want!!!!

22 addicted44 { 03.30.08 at 4:24 pm }

@RipRagged

Actually a VERY important member of the Mac community does indeed claim that they are invulnerable, and he is quoted in several major press outlets.

Artie MacStrawman
(http://www.crazyapplerumors.com/?p=664)

:-)

23 addicted44 { 03.30.08 at 4:32 pm }

@freedom

You can use ideology to determine what is your favorite tool, but I prefer choosing what works best for me.

For some, freedom in computing is important, and to them I say, more power to you, go get some Dell cake with some Linux on top. For me, I’ll go with improving my grades (thanks SchoolHouse), missing fewer meetings (thanks iCal + Data Detectors in Mail.app), editing songs more easily for my sister’s dance routines (thanks GarageBand), making better photo albums I can share with my family (thanks iPhoto + .Mac), developing better looking and more usable software (thanks Xcode) and still being able to delve into the dirty, ugly world of Windows and the much purer but inconvenient world of Linux (thanks Intel Macs) etc… and doing all this in far less time, overhead, and headaches than ever before.

But for some ideology trumps everything, so more power to them.

Btw, let me qualify this by stating I am primarily a Mac user who uses an XP based PC on the side (came with Vista installed) and occasionally dual boots into Ubuntu. I never touched (or saw) a Mac until I entered college 4 yrs ago, and built and sold Linux / Windows based PCs for pocket money until college.

24 addicted44 { 03.30.08 at 4:45 pm }

(Sorry everyone for the multiple posts. I won’t post again, unless asked to, since I don’t want to hijack this thread.)
@freedom

About the iPhone, the problem you are facing as an iPhone developer is not a problem with its limited SDK model, but rather a problem with Apple’s delivery regime. Apple should not restrict installation of apps to the App Store, and I completely agree with that notion. I think Apple plans on moving to that model (or will be forced to by regulators), but is taking small steps with the iPhone. If someone chooses to shoot themselves in the foot and install software from outside the App Store, for which no one is accountable, they should be free to do so. However, there is nothing wrong with Apple only allowing apps following the SDK to run. As long as you can accomplish something using the SDK, you should be allowed to run that app on the iPhone. Think about limitations of the SDK as limitations in the device. Much like your TV cannot make toast, or run Linux (both of which can be made possible by an ingenious enough developer with current TVs, but no manufacturer authorizes), the iPhone does not allow people to do X, Y or Z software tricks. Again, on limitations of the SDK I am on Apple’s side; however, on limitations in app installation methods I disagree with Apple. (I hope that disabuses the notion that I am some sort of fanboy.)

Also, please try and avoid using silly name-calling (Marxist Regime!!! Right, Apple totally hates private property and is in favor of rewards based on needs! No wonder they patent like crazy, and pay Steve Jobs only $1 as salary, (and several millions in bonuses (Parentheses in Parentheses in Parentheses…Cool Nesting!))) in your comments. It devalues good points you might make, and makes you look like an idiot.

25 nakul { 03.30.08 at 4:50 pm }

I have loved your site as your reasons are based on fact, but this time it was too hypothetical. You should not defend just for the sake of defending.

26 Bill { 03.30.08 at 5:33 pm }

The guys at OSnews just blasted your article. Here:

http://www.osnews.com/story/19545/CanSecWest%3A_Countering_Misinformation

You should go over there and fire back Dan.

27 slayerjr { 03.30.08 at 6:57 pm }

It seems weird that you would shoot yourself in the foot like this Dan. The CanSecWest articles have you looking like a paranoiac with a tin foil hat. You may well be getting too close to your subject, taking on the role of defender rather than an objective observer. I would like to challenge you to research and write an article about Apple’s current weaknesses. Your writing and point of view will benefit greatly from such an exercise.

28 Mr. Reeee { 03.30.08 at 7:41 pm }

Personally, I think that Microsoft has a HUGE financial stake in KEEPING Windows wholly holey!

There’s a VAST infrastructure of companies, software and IT people to battle viruses, spy and malware. Plug all the holes, make Windows truly secure and you’d literally put thousands of people out of work in an instant.

MS has a huge interest in keeping this house of cards standing.

I was going to mention the idiot’s response to the article here at OSnews.com. Seriously, don’t bother. Don’t give the guy any hits, either.

29 Rip Ragged { 03.30.08 at 7:46 pm }

@slayerjr (Apologies, Dan, but I have to.)

The point of view that Apple’s weaknesses need to be discussed and exposed at Roughly Drafted is interesting, but silly. The security planet is all ablather about “OS X is not invulnerable.” Every time a security expert with an ax to grind exposes some hypothetical vulnerability it is headline news.

This, in spite of the fact that (with the exception of Artie MacStrawman) no one has made a counter claim.

There is no similar discussion going on with regard to Vista, XP, or Linux. If you take, on a percentage basis, how many exploits the public knows about, Mac is almost 100%. And almost all of those are purely theoretical. The new Windows exploits born today outnumber all exploits ever generated for OS X. Where is the press coverage? How much of the consumer public knows each time new spyware or a new botnet is released for XP?

Mister Dilger has not said that Mac is invulnerable. Only that the vulnerabilities that have been exposed are not precursors to exploits. Historically, he’s right. Given that no exploits exist in the wild, and none are likely to result from the demonstration at CanSecWest, what was the point of the show?

It isn’t about money, some say. $10,000 changed hands. It must have some fiscal interest somewhere.

If Daniel is being pilloried as a foil-hat paranoiac by the CanSecWest folks, it says more about CanSecWest than Daniel. And frankly, what it says isn’t good.

30 slayerjr { 03.30.08 at 8:20 pm }

Learn to read, Rip. The idea is for Dan to practice objectivity so that he can become a better communicator and not a zealot. I don’t provide mean spirited advice for the sake of an argument, but I choose to comment because I like Dan and the stance he’s taken against FUD. You however are rehashing the same message and creating FUD of your own without adding any value to the discussion. This just makes you part of the problem.

31 Rip Ragged { 03.30.08 at 8:46 pm }

FUD is bad generally. I’m against it as a rule. But, Daniel wrote a very balanced piece. Daniel’s post was objective. Look up “objective.” It doesn’t mean “friendly to every different opinion.” It means “accurate and correct to a measurable standard.” CanSecWest should ensure that it puts out a good message about the intent of its show, and what conclusions should be drawn from it.

CanSecWest should publicly, openly, and clearly disavow any conclusions it doesn’t want drawn. People buy and sell Apple stock based on these little melodramas. They need to present an actual picture of risk, or clearly delineate that they are not showing real risk at all.

I’ve been running Macs malware-free for 21 years. If I’m promoting fear, uncertainty, or doubt in the conclusions drawn by CanSecWest’s Big Mac Attack, I’m okay with that.

If CanSecWest’s answer is to paint Daniel Eran Dilger a slobbering fanboy because he analyzed objectively, that’s their problem.

32 WholesaleMagic { 03.30.08 at 8:50 pm }

It seems to me that all the adversity here is due to two conflicting premises:

1. That Apple is less easy to exploit, and therefore will never be attacked as much as Windows.

2. That Apple is less popular, and therefore will be attacked as much as Windows if it becomes more popular.

I think everyone has to agree to disagree here. Time will tell.

33 danieleran { 03.30.08 at 9:02 pm }

It is greatly disappointing (or perhaps the opposite) to see that the only critical response anyone can make is to list off the bold title of each of the ten items I outlined, and then put together a series of non sequitur responses that jump on specific words I used rather than actually addressing any of the points I leveled.

I can take rational criticism, but a flood of wordy responses like the linked article, which says a lot by saying nothing, are sad to see.

Even more disappointing are the responses that totally ignore everything I wrote with a dismissive insistence that I’ve crafted a conspiracy theory using tin foil and some sort of zealotry. Since when is a rational argument the same as emotional fanaticism?

The main point of the article is that “rather than being a level contest to expose the flaws in the three systems, it was really a contest highlighting the knowledge and abilities of the researchers, each of whom targeted the platform of their choice.”

The points just outlined why that was the case. Trying to insist that I’m somehow wrong is an effort in futility, because that statement isn’t really assailable.

Charlie Miller targeted Mac OS X to prove his previous statements that Macs have poor security, but nobody else had any similar motivation to attack Linux, and attacking Vista is hardly even noteworthy. It was a publicity stunt.

The point, clearly, was to create headlines that announce “up is down”: while the Windows installed base currently has serious security problems that Vista can not address, Mac OS X has no real world exploits or viruses that affect users.

If Miller wants to be the canary in the coal mine for Apple’s security efforts, that’s great, and he has made public comments that his real intent is only to improve the Mac platform. I am only calling that out as disingenuous, as the contest was clearly designed to propagate the sensationalized, fact-free headlines it resulted in.

Pointing out reality is not a conspiracy theory, and outlining facts that support an idea is not FUD, paranoia, or emotional fanboyism. It seems that the world is so estranged from rational thought that once presented with it, they can only recoil in fear and dismiss it with sloganisms and name calling. Down the tubes we are as a society.

34 slayerjr { 03.30.08 at 9:04 pm }

You still can’t read, Rip, and you have drawn the wrong conclusion from both the articles and my comments, which were meant for Dan and not you.

35 Rip Ragged { 03.30.08 at 9:14 pm }

slayerjr –

I own Macs. I own Apple stock. I read very well. I know what the original article says. I know what the CanSecWest articles say.

You criticize my reading. That is, on your part, subjective.

I’m arguing with your writing. That is objective.

If I’m reading something other than what you meant, you should work on your writing.

If your comments are not for public discourse, this is the wrong place for them.

36 brad { 03.30.08 at 9:16 pm }

I’ve read Daniel’s articles with interest for the last few months, and find his posts to be objective and balanced. In this particular article he points out the obviously biased nature of the contest against Apple. Some seem to imply it was sponsored “for the good of the consumer” and out of the goodness of Microsoft’s heart, when that couldn’t be further from the truth —The motivating factor is the almighty dollar. As market share continues to increase for Apple, Microsoft will do anything it can to stop people from switching. It is naive to think that they would not stoop to this level by injecting doubt into the issue of OS security via the media. With billions of dollars at stake it is, in fact, very likely.

Do not forget that people are ASKING for downgrades to XP….very sad. And now Microsoft must deal with the iPhone.

37 slayerjr { 03.30.08 at 9:25 pm }

Sorry Dan but in this case you are as guilty as the parties you are damning. What you refer to as facts are really your personal opinions. However you did get one thing right, as a society we are at the lowest levels of the tubes with little chance of rising above the muck. Don’t add to it by being emotional while writing your articles because you’re not doing yourself any favours. You are at a crossroads here, do a U-Turn and re-think your position. You’ve got what it takes to be truly great but we all stray from time to time and need to re-examine the path we’re on. Keep up the good fight. ;)

38 Rip Ragged { 03.30.08 at 9:49 pm }

Sorry Daniel for taking over the comments,

I didn’t think you needed a defender, but I’m sick and tired of any questioning of anti-Apple FUD being categorized as fanboyism.

It isn’t paranoid to see the fact of the constant drumbeat of anti-Apple FUD. Left unquestioned, disinformation hurts everyone.

Your post was well written and objective in the old meaning of “objective.” The new meaning of objectivity seems to be more in tune with not pissing anyone off. I’ve never been good at that.

Keep up the great writing.

39 danieleran { 03.30.08 at 10:20 pm }

How To Disagree
http://www.paulgraham.com/disagree.html

@slayerjr: I don’t mind being challenged, but what does this mean: “What you refer to as facts are really your personal opinions.”

Of the ten points in bold above, which do you think are opinions? They are all uncontroversial facts.

40 dscottbuch { 03.30.08 at 10:46 pm }

Daniel,

I really believe you’ve gone overboard in your responses here (an opinion for sure :) ) but I’ll try to go step by step. I have removed portions of your comments for brevity. I don’t believe I removed factual reference, but if I did I apologize in advance.

Dan: 1. Exploits discovered for the Mac have little other value outside of contests like CanSecWest. Nobody would buy the exploit Charlie Miller found, because there is no market for it. In the Windows world, there is a thriving market for selling exploits …

dscottbuch:
Doesn’t this simply boil down to ‘security by obscurity’? You make an assertion that there is not a market – let’s accept that. If so – why? You don’t comment, but the most reasonable conclusion is because the market for the exploits is too small, which would be because the market share is small? How does this support your title/premise – “10 Reasons Why CanSecWest Targets Apple”?

Dan: 2. The CanSecWest contest clearly appears intent to transfer the security focus belaboring Windows to other platforms. Microsoft has repeatedly paid for research that might suggest that enterprise users could face greater theoretical security risks on Linux. …

dscottbuch:
Even if one accepts this premise that Microsoft has done this (which I do), what does that have to do with CanSecWest? I don’t know. Do you have a reference that they fund CanSecWest in a significant way? Who else is a sponsor and to what level relative to MS? Any facts/references to support these implications? Your words amount to: CanSecWest promotes Windows security, Microsoft pays people to promote Windows security, therefore Microsoft pays CanSecWest to do so.

Dan: 3. The contest prominently focused attention on the brand name of the MacBook Air, while only describing the other two laptops by their manufacturer.

dscottbuch:
No question with this – this was just strange (and as I said elsewhere, this reflects the power of the Apple brand(s) to draw publicity).

Dan: 4. The Mac exploit was something Charlie Miller had in hand when he arrived.

dscottbuch:
Agreed, but so what? An exploit is an exploit. How does this invalidate the result or implicate CanSecWest?

Dan: 5. The researcher who cracked the Vista machine was stymied by the fact that he didn’t expect it to have SP1 installed, according to a follow up report by IDG’s Robert McMillan. So Miller was better prepared than the second place winner. That’s a positive reflection on Miller more than a negative reflection on Mac OS X.

dscottbuch:
Again, no argument, and I would expect this always to be the case in these somewhat ‘quick’ contests (was it the driver or the car that won the race?). But, what does this have to do with your title/premise – “10 Reasons Why CanSecWest Targets Apple”?

Dan: 6. Miller reported hacking something related to Safari, but the details haven’t been revealed. Whether this was a real world vulnerability in Apple’s code, a copy-and-paste attack on a FOSS library as Miller’s PCREL exploit was (or the libtiff exploit found by another researcher after PCREL was patched), or a contrived test that opened up telnet remote login on the machine and gave the researchers an account to use is still unknown…

dscottbuch:
Agreed, but what does this have to do with your title/premise – “10 Reasons Why CanSecWest Targets Apple”?

Dan: 7. Attendees with the ability to crack Linux “didn’t want to put the work into developing the exploit code that would be required to win the contest,” according to the IDG article cited above. Why not? Because they lacked the political motivation to prove Linux was easy to hack, and they lacked the financial motivation to earn $10,000 at a contest when they might be able to sell their vulnerability discovery for more than that.

dscottbuch:
The last part of this comment is, IMO, again ‘security by obscurity’, as the value to do this to Mac is again inferred to be low. Also, again, how does this support the title/premise?

Dan: 8. Many exploits and vulnerabilities are not unique to “Mac, Windows, or Linux,” but instead are cross platform threats. Vista was cracked this year using a flaw related to Java Adobe Flash. Vulnerabilities discovered in Java, generic browser flaws, and other common code implementations mean that researchers can often use a given vulnerability discovery to attack the platform they chose. In the past, Miller has applied this principle to use FOSS vulnerabilities against Apple. In the same manner, experts in FOSS vulnerabilities affecting both Linux and Windows could sell their findings to Windows spammers.

dscottbuch:
Agreed, but what does this have to do with your title/premise – “10 Reasons Why CanSecWest Targets Apple”?

Dan: 9. Miller has repeatedly stated that his life’s work is to discredit the security of the Apple’s platforms. The only outlet and business model for such an effort is currently CanSecWest. Last year, Miller’s partner, working for the same company, won the same contest the exact same way. …

dscottbuch:
I guess you’re trying to say that CanSecWest chose Miller because of this bias, due to the premise that CanSecWest was targeting Apple. I don’t know how you support this; it would be difficult. Did they also purposefully pick less capable people for Windows? If so, and if they’re driven by MS, why didn’t they get a better expert for the attack on Linux? These are reasonable questions to have addressed given the premise.

Dan: 10. Apple’s use of open source makes it easier for researchers like Miller to identify exploits, including those that have been patched by their FOSS project, but have not been updated and distributed by Apple. I specifically noted in yesterday’s article that this is an area where Apple has received criticism, and ideally, that Apple should be faster at keeping its FOSS components up to date. Of course, there are also issues related to using the bleeding edge of FOSS software revisions, which despite being patched for vulnerabilities, may have other problems related to their newness…

dscottbuch:
This is a ‘risk’ that Apple takes by going this route for their OS. I think it a much better approach than MS’s closed approach but the risks, though fewer and more often found in the open, are real. Again, what does this have to do with your title/premise – “10 Reasons Why CanSecWest Targets Apple”.

I did say elsewhere that this is where Miller might have been disingenuous in not reporting the flaw earlier. How this relates to CanSecWest’s intent is not clear to me.
——————
Look, I have no doubt in my mind that OS X is much more secure and that CanSecWest is sensationalized. I have never had virus/malware SW on my Macs for >15 years. But, I have not seen anything concrete about the charge in the title.

41 freedom { 03.30.08 at 11:31 pm }

@WholesaleMagic

I think both points are true to a degree. In my earlier post I was trying to point out that while OSX “MAY” be more secure, there is a price to be paid for it: limited freedom. And Windows of any flavor may be more vulnerable, but that is a price many are apparently willing to pay. I am happy for Mac users who can make prettier pictures or more “easily” edit video or whatever it is you do, but I enjoy the freedom to buy or build my PC, to upgrade and change just about anything I choose.

Microsoft has garnered more user share because they went with the more open IBM platform that allowed entrepreneurs the freedom to be more creative in creating any product or service they saw fit, while Apple chose to be a more closed platform. Both have their strong points.

This is not a perfect analogy, but it should help make the point -

A Mac is like a K-Mart (without the low price) – they have most of what you need to survive and they serve you very well. When it comes to security they just have one or two entrances to manage and one receiving area so security is pretty good, but you are basically limited to what they want to sell you.

A PC by contrast is like a Mall – there are many many stores that can be as creative as they want with their product offerings and you can find just about everything you could imagine. But when it comes to security every store has a front entrance and a rear receiving area, the Mall itself has numerous entrances and loading areas. I won’t belabor the point since it should be obvious – designing security for the Mall environment is a much more daunting task especially considering the shared task of managing the entrances between mall management and all of the individual shop keepers, but that is the price you pay for so much selection and freedom.

To be clear, this is not FUD and I am not saying that PC is better than Mac or vice versa. I am pointing out the realities of an open platform vs. a closed platform. Considering this, it is remarkable how secure a PC is compared to a Mac, but moreover I am saying it is like comparing apples to oranges and bragging that an apple isn’t as messy when you cut it open. If I want the taste of an orange then an apple just won’t do.

As Microsoft tries to move its technology forward it has to be sure not to alienate the hundreds of other companies that produce PC offerings, so it has to make advances incrementally and consider industry input. Contrast that with the case of Apple, which totally controls its core hardware platform and can move much more deftly with its advances and with very little outside influence.

As stated earlier, I am currently using an iPhone and admit it is very cool regarding mobile web browsing. With my Windows mobile phone I could make any MP3 my ringtone, but with my iPhone I first have to pay Steve for a song even though I already own the CD, then I have to pay Steve again to turn that same song into a ringtone, it really makes me feel like a dang lemming. Now I just have to wait until Steve decides that the “ultimate music phone” will support stereo Bluetooth headsets… The same headsets that have worked for the last several years with my Windows mobile phone…

@addicted44

My original post used the metaphor of “If Steve Jobs were president” so I thought it was funny to tongue-in-cheek refer to Apple Management as a “Marxist Regime” in reference to the lack of freedom Apple allows its users. Well I was sitting with one of my Mac friends when I was writing that and I jokingly said “while it’s a funny comment that fits with the whole Steve as President theme I better not use it because surely some Mac Fanboy will take it too literally”. He argued that that would not be the case, so we made a bet… So thanks, I won the $20… Plus I won the bonus $10 for your name calling. What made it so funny was that you were complaining that my tongue-in-cheek reference to an impersonal group was name calling while you were saying that made me an idiot… …Isn’t that actually you doing the name calling? Fortunately I am not easily offended so no harm no foul. Thanks for the cash and for the laughs…

@Dan

Sorry if this thread takes away from the points you are trying to make. My main point for your article is that while your 10 premises may be factually accurate they assume that you are comparing Apples to Apples. If you don’t mind one more flawed analogy; It’s like saying your Nascar is safer than my Jeep; they are both 4 wheeled vehicles that have the same basic components but mine was designed to have a lot of flexibility for a much more versatile environment while yours has a limited objective and its design and capabilities are strictly controlled and governed (by that Marxist regime! (Sorry I couldn’t resist (wow did you see that nesting skill at work?)))

Peace

42 addicted44 { 03.31.08 at 12:08 am }

@freedom

You are welcome for me earning you the $20.

What I was indeed pointing out about your Marxist Regime “joke” was that Marxism has NOTHING to do with freedom. It is only a set of principles that relate to economics, and not freedom. Similarly, the concept of capitalism has nothing to do with freedom either. You can have a decidedly capitalistic society in a non-free country (kind of the direction China is taking). In America far too many words are used which are simply considered “bad” without meaning anything in context. This is a HUGE problem (especially in the political context) since to declare someone’s position as bad, all politicians need to do is call it “socialist” or “communist” or “marxist” while it may actually be the complete opposite of that position. So I am very sensitive to misuse of terms because it has a massive negative effect on discourse.

You might call it name-calling, however, pointing out that misusing terms makes you look like “a person of sub-normal intelligence” (Google “define: idiot”) is not the same as calling you “a person of sub-normal intelligence” (I never called you an idiot). Either way, using the word idiot in no way added to the argument. I should have just said makes you look unintelligent. My bad.

43 WholesaleMagic { 03.31.08 at 12:17 am }

@freedom: Can’t you simply import your mp3 into GarageBand, edit it there, then export it as a ringtone? GarageBand comes free with all Macs.

I’m not going to debate any of the points raised here, but I’d like to support Dan on one point: all reality is media reality, and there are many media organisations jumping at any opportunity to point out flaws in Apple products.

Let me give an example. I live in Sydney, Australia. The most respected newspaper in Sydney is the Sydney Morning Herald. I read the Herald. I have, however, been very disappointed with their coverage of all things Apple.

The Herald have been very quick to point out any minor flaw with any product Apple make. In a recent article about the MacBook Air, they say that “Apple has released a software patch for the MacBook Air, hoping to fix overheating issues that have plagued the super-thin laptop since launch”.

They go on to say that users have found the fix “useless”. This is not the most infuriating part of the article, though. Check this out:

“Apple has long faced problems with the first generations of its products. Early iPods were prone to scratching; previous MacBook models suffered staining, whining noises emanating from their innards and random shutdown errors, to name a few.”

WTF? They’re listing ‘scratching’ as a flaw? I’d also like to hear about the other problems they’re not naming. What about the hundreds and thousands of problems with Windows PCs?

What’s more, they go on to actually quote comments on the Apple Discussion boards as sources:

“I noticed that if you don’t touch it for 1-2 minutes, and you let it cool down, it starts working normally again,” one user wrote.

“I REALLY hope they find a way to fix this, because it is IMPOSSIBLE to work this way.”

What the hell is this? This is terrible journalism. The comments weren’t meant for publication, the sources quoted weren’t informed that their comments were going to be published, and people posting on an online forum aren’t exactly the most reliable of folk. Hyperbole, anyone?

Being a journalism student, articles like this make me livid. This kind of journalism is not isolated. If a respected news organisation publishes this kind of drivel, what do you think minor publications are doing?

Why aren’t articles like this being written about Windows? Because, as Dan says, it’s not newsworthy. Would you click on a link or read past a headline that said ‘Virus attacks thousands of Windows PCs’? What about ‘Virus attacks thousands of Macs’?

The media is going downhill, and so are the public. Writing and believing this crap is not only counterintuitive, but is also destructive and counterproductive. Journalists should be rethinking who they attack and support, because they’re fast devolving into babbling, impressionable idiots.

You can read the SMH article here:

http://www.smh.com.au/news/technology/apple-fans-burned-by-hot-airs/2008/03/13/1205126082565.html

44 gus2000 { 03.31.08 at 12:50 am }

“Microsoft has garnered more user share because they went with the more open IBM platform that allowed entrepreneurs the freedom to be more creative in creating any product or service they saw fit.”

Mr. freedom, welcome to Roughly Drafted. Can I take your coat? While you wait, please feel free to peruse our back catalog:

Why the World Went Windows

How Closed Is The iPhone?

Windows is 5X More Expensive than OS X

How Microsoft Got Its Office Monopoly

Microsoft’s Assault on Lotus and IBM

Microsoft’s Plot to Kill Quicktime

History of OS’s: 1980s

The Tentacles of Legacy

I’m sure you’ll find our articles to be satisfying, nutritious, and 99% FUD-free with no artificial filler, flavor or color.

45 Thom Holwerda of OSNews Calls “Mac Shot First” Misinformation and Slander. Oops! — RoughlyDrafted Magazine { 03.31.08 at 1:08 am }

[...] misinformation, OSNews Mac Shot First: 10 Reasons Why CanSecWest Targets Apple To get a sense of Holwerda’s biases, his initial OSNews report on the CanSecWest event [...]

46 jltnol { 03.31.08 at 1:37 am }

Look

I’M as big an Applefanboy as the next guy, but you can’t have it both ways…

I just don’t think it’s fair to say Apple patches more than MS. Every time I turn on the XP box at the office, it updates SOMETHING.. perhaps not in the way that Apple updates its software, but something seems to be updated on XP… A LOT.

I also think it’s not fair to say that no one wants to hack Macs because there is no money in it. While this may be true, (and in ways I hope it is), this only can lead someone to the “security by obscurity” myth.

And of course, the overall issue for me is this is NOT a remote exploit. You’d have to have someone click on a particular link, or open an e-mail attachment to get it to work.

47 addicted44 { 03.31.08 at 3:20 am }

Security by Obscurity is not a myth for macs. There is reality behind the claims that macs are targeted less because they have a smaller market share.

The real myth is that Security by Obscurity is the ONLY reason why macs are safer. Macs are also safer because OS X is built on a rock-solid and heavily tested UNIX foundation that in the form of NextStep was running on Military computers, and was recommended by the military as the OS of choice.

The reasoning behind rejecting “Security by Obscurity” as the only reason (and Dan has outlined this several times in the past) is that if macs have a 4% market share, it might be reasonable to imagine they would be the target of about 4% of the viruses. However, there have been 0 viruses for OS X.

Furthermore, a claim may be made that a certain threshold market share is needed before an OS is targeted for malignant attacks. However, this claim is also proved unfounded when considering that the Classic Mac OS had several viruses, while maintaining as small (if not smaller) a market share as OS X.

The only thing this contest proves is that OS X (actually Safari) had 1 unpatched flaw. It speaks nothing about the strength of the OS as a whole. About the only way it could potentially be of benefit is if it made a company more pro-active in protecting against security. However, as Dan has outlined, Apple already does a pretty good job of patching OS X fast. So any marginal improvements in that speed caused by the contest are probably not worth the cost (in terms of negative overhyped publicity and energy and time wasted).

Instead, Apple does have legitimate concerns regarding some aspects of Leopard, such as WiFi issues, stability of Time Machine, etc… and all this hype does is distract from those legitimate problems.

48 Joel { 03.31.08 at 5:20 am }

Thanks Dan, for another interesting article, rather than peddling the same old press-release…

I just wish Microsoft would switch to a Unix-like model. I wonder what would happen when people stopped assuming that computers are insecure by default…?

49 Joel { 03.31.08 at 5:23 am }

Attendees with the ability to crack Linux “didn’t want to put the work into developing the exploit code that would be required to win the contest” : I don’t buy this. The first person to crack Linux is in a position to crack wide all those Apache webservers, with much more interesting and valuable information on them than some home machine… First person to do this on Linux will make themselves a (criminal) fortune.

50 [Translation] Mac Falls First: Why CanSecWest Targets Apple - StEp On My FeEt { 03.31.08 at 7:26 am }

[...] [Translation] Mac Falls First: Why CanSecWest Targets Apple Original article: Daniel Eran Dilger [...]

51 Bill { 03.31.08 at 8:15 am }

Dan, I linked the article to alert you. It is not meant to refute you. I was hoping that you would refute some of the article’s responses, as I have seen you do before. I think that anti-Apple FUD [or any FUD] hurts society, as it paints a picture that would impair the freedom of choice. I read here to get the real story. I post rarely as I am an MD, not an IT specialist, but have been using Macs [and Windows of course] for years, preferring the Mac OS. I only post if I think that I can give reasonable knowledge. Since I agreed with you on what I can understand [damn it Jim, I'm a doctor not a computer repairman!], I was hoping that you could refute the link too.

Peace.

52 althegeo { 03.31.08 at 11:08 am }

What a lot of people are forgetting, when they criticize Dan’s CanSecWest article, is the fact that there was only one computer on the firing line at CanSecWest last year. There was no problem pointing fingers last year when the only target was a Mac. Thus the changes this year.
As for the contest rules, let’s face it, if updated, out of the box, Linux, Vista and Mac laptops were put on the net for an hour prior to the first hacking attempt, the Vista laptop would have been part of a botnet prior to the first hacking attempt.
Of course the contest was rigged. Not being on the net can’t be a real world test.

53 Robb { 03.31.08 at 11:37 am }

Well, I’m not sure what the best way to respond to the CanSecWest exploit would be, but you sure stirred up a hornet’s nest this time. Maybe your response comes off as a little over the top to me, but that’s because I usually shrug off contests like this (and their FUD follow up) because they haven’t occurred in the wild.

The bottom line for me (I’ll echo the comments of a couple others) is that I’ve been using Macs for 18 years and in that time I’ve seen two viruses (both caught by NAV) and one instance of malware activity. Now some might dismiss that because it hasn’t happened to me, but in my career I’ve supported several hundred Macs of all shapes and sizes, all sharing files with the “outside world” (i.e. beyond our corporate firewall) and I haven’t seen a virus in over ten years.

54 dustbag { 03.31.08 at 11:45 am }

Hi Dan,
As the first one to board this roller coaster, I would just like to step on one more time to thank you for your clarification.

I’ve never really believed the ‘secure via obscure’ arguments. Your original post confused me a bit. Now I understand better your point. Thanks.

BTW – I run Norton AV on my Mac because I log on to my employer’s network from home and they insisted. In 5 years Norton has detected a total of 2 viruses on my Mac – both Windows OS specific, both forwarded via email from a co-worker on a Windows machine. In the same period my Windows XP machine at work has been plagued with a couple dozen infections, each one resulting in the company network being shutdown while they isolate, clean, and update the virus definitions.

55 thgd { 03.31.08 at 3:45 pm }

You can sure tell when Dan is getting uncomfortably close to the truth when the PC thought police start appearing in force to straighten out our thinking.

Unfortunately for them the truth is on his side. There are no viruses or malware on OSX running uncontrolled in the wild. Using a cheap hat trick at a supposedly serious event to counter this fact proves nothing except the hubris of the hacker.
Show me these security breaches running with the same rapacity on millions of Macs as on Windows and we’ll have a believable news story.

Meanwhile the apologists, such as slayerjr, might want to stick to facts instead of thinly veiled attacks written with such saccharine condescension toward the messenger.

56 Vista and Mac OS X Pwned. Ubuntu Holds Out « Sudoaptget’s Weblog { 03.31.08 at 5:55 pm }

[...] which had allowed the winners’ associate, Dino Dai Zovi, to claim the prize): it was not even revealed whether the flaw is part of the open source code on which Safari is based, or whether it is instead [...]

57 gus2000 { 04.01.08 at 1:04 am }

Microsoft has garnered more user share because they went with the more open IBM platform that allowed entrepreneurs the freedom to be more creative in creating any product or service they saw fit.

Mr. freedom, welcome to Roughly Drafted. Can I take your coat? While you wait, please feel free to peruse our back catalog:

Why the World Went Windows

How Closed Is The iPhone?

Windows is 5X More Expensive than OS X

I’m sure you’ll find our articles to be satisfying, nutritious, and 99% FUD-free with no artificial filler, flavor or color.

58 gus2000 { 04.01.08 at 1:09 am }

WordPress does not like my comments. Or…it likes to eat them. Mmmmmmm, comments.

59 Vista and Mac OS X Pwned. Ubuntu Holds Out « My Weblog { 04.01.08 at 3:27 am }

[...] which had allowed the winners’ associate, Dino Dai Zovi, to claim the prize): it was not even revealed whether the flaw is part of the open source code on which Safari is based, or whether it is instead [...]

60 The Unavoidable Malware Myth: Why Apple Won’t Inherit Microsoft’s Malware Crown — RoughlyDrafted Magazine { 04.01.08 at 6:01 am }

[...] and Swiss Federal Institute of Tech Deliver Attacks on the Reality of Mac Security Mac Shot First: 10 Reasons Why CanSecWest Targets Apple Thom Holwerda of OSNews Calls “Mac Shot First” Misinformation and Slander. [...]

61 Assistance44 | Hacking contest: Ubuntu more resistant than Mac OS or Vista { 04.01.08 at 11:17 am }

[...] is the subject of controversy in the blogosphere, notably over the case of the MacBook Air, which is said to have been singled out as a preferred target. Some observers also note that [...]

62 freedom { 04.01.08 at 4:44 pm }

@gus2000

Thanks for the oh so generous offer to dine on all the Apple Koolaid I can possibly drink. I expect it will be as pure as the driven snow and contain no one-sided Apple apologetics at all… The only problem is all the links you sent were from Koolaid HQ and the only thing on the menu is… you guessed it… Koolaid.

I actually did read the first article and skimmed several of the others. Prior to that I did not think of Roughly Drafted as a Koolaid site, but now I have to consider otherwise. For every argument someone makes about Apple’s Marketing there is a “Good Reason” or better yet “actually a very smart thing to do”.

To pick on one concept (and basically the excuse for overpriced hardware) is that Apple is really “selling software wrapped in hardware” WHAT LAME BS IS THAT?

What’s really funny is Mac users joke about all the “Bloat ware” that comes on a new PC and the fact that it’s just free trials and not full versions etc. DUH! why should it be assumed that everybody wants all the same software and furthermore have to pay for it whether they like it or not? “But Freedom, it’s really really gooood software and it’s FULL versions”. Wow, from my perspective if it’s software that I don’t want then it’s merely “MORE BLOATED”.

I do not stand behind every version of Windows ever created or every piece of software Microsoft has ever made (except for OneNote of Course). But it seems that at RoughlyDrafted Apple can do no wrong? It’s hard to read stuff that does not seem to have any unbiased representation. It’s like someone in the room ripped a really bad one, but you have gotten so used to the smell you don’t notice it any more. You need to step outside for a bit, get some fresh air and when you return maybe you can spot the Koolaid stains…

I am getting ready to buy a Mac. Why? Because it’s the only way I can develop for the iPhone. Honestly it ticks me off to pay double for a Mac vs. a PC with identical hardware simply because it comes bloated with a bunch of software I don’t need. The sad part is – my Wife is a Graphic Artist so I can (to a degree) justify the purchase since we can both make use of it and she is in need of a hardware upgrade, but as to the sad part, there is no software on there that she will need either and in fact she will now have to buy Mac versions of all her Adobe software.

I’ll make a deal with you. I’ll become a Mac FanBoy if you can give one GOOD, I repeat GOOD reason that Steve won’t let me use my stereo Bluetooth headsets with my “Ultimate Music Phone” iPhone.

Personally I think the reason is this – Steve is so into the “Perfect User Experience” that he won’t release it until it is such. Right now the Stereo headset profile can be a bit finicky, but when mountain climbing I would rather have finicky then wires hanging out of my ears. Steve, Please let me decide what user experience I am willing to deal with and include free trials of your software but allow me to choose to buy it….. Freedom please…

BTW, I am selling a new fragrance called “That New Car Smell” but you’ll really love the packaging, it comes wrapped in a BMW.. Fragrance wrapped in Hardware… Genius idea… don’t ya think! Special pricing for Mac owners, please provide proof of Mac ownership with your orders.

63 Bill { 04.01.08 at 6:40 pm }

Freedom, you do not need to buy new software. Your Windows software will run fine if you load XP [or Vista] using Bootcamp. If you were a smart developer, you would know this.

Also, there are many PC magazines that show a similarly equipped Mac and PC are pretty darn close in price. In fact, the SDK will work on any $1199 iMac or $1099 MacBook. If a developer cannot afford that, or the $99 SDK fee [there is a free beta version too], then I think that you are in the wrong business. Otherwise, welcome to the club. I use both Windows and MacOS, but prefer the Mac. Many of my medical partners are switching as their kids [or themselves] are getting numerous viruses and malware. I have personally seen a total of over 1,000 [no BS] viruses on a handful of their computers, as well as numerous Trojans and crippling malware that required complete reinstall after erasing the hard drives. If you have good protection, and use the web wisely [like me], there is almost no worry with Windows. But boys will be boys, and P2P is dangerous.

Peace.

64 Rip Ragged { 04.01.08 at 8:39 pm }

@ Bill –

“freedom” wasn’t looking for information. If he was he would have included verifiable facts in his diatribe. Odd how dependent flame wars are on emotion, and how fact-free they tend to be. Rational conversations rarely require the invocation of instant soft-drink mix. Flamers need Kool-Aid, and hate facts.

He gives himself away for what he is when he says he would rather have “finicky then wires” (sic). Literacy disqualifies all but the more polished flamers.

65 freedom { 04.02.08 at 12:16 pm }

@Bill

I appreciate the advice. You are right, I am not a smart programmer simply due to the fact that programming for the iPhone will be my first venture into programming. However I am fully aware of Parallels and the fact that you can run Windows programs in it, but per my Mac friends Photoshop is known to choke Parallels and run very slow / tends to hang, so they recommend going with the Mac versions.

For the record, my aversion to the price has nothing to do with what I can afford and everything to do with “My” perceived value. (Note to Fanboys, notice the use of “Opinion” here? Just because I believe a Mac is not as good a value does not make it true)

@Rip

The use of Kool-Aid was an attempt to keep in context with the post I was responding to;

” I’m sure you’ll find our articles to be satisfying, nutritious, and 99% FUD-free with no artificial filler, flavor or color.”

Kool-Aid was the perfect counter since I find the articles that Gus referred to to be the exact opposite of FUD free with no artificial filler, flavor or color.

What I find most amazing is how FanBoys like yourself accuse everyone else of exactly what you are so guilty of, FUD and hating facts. But more so than that, you don’t realize that just because you believe it, does not make it fact! Just because I believe it does not make it fact. I applaud addicted44 for admitting that there is some security by obscurity, and I also agree with him that that is not the only reason (Note; this gives addicted some credibility). I would expect a Mac to be more secure simply because the hardware and software are both made by Apple. I would expect a PC to be less secure because MS only makes the OS; they do not make the hardware and/or the majority of the drivers etc. AND I can also say that Mac OSX may actually be better written and more secure for that reason as well. The whole point of my original post was to point out that the arguments here do not accurately take into account the fact that you are comparing Apples to Oranges. A RATIONAL person could concede that, a FanBoy could not.

The only factual thing in your response was a Typo, the rest was purely flames. In your next post you’ll be saying your dad can kick my dad’s ass! But it won’t be flames because it’s factual since you believe it.

(Note to Rip; Since you were not able to pick up on the Kool-Aid connection let me read between the lines for you here – I only threw in the “kick my Dad’s ass” line as a bit of ironic sarcasm – in case you still don’t understand; I was flaming you while accusing you of flaming me while accusing me of only flaming. If you still don’t get it just ask addicted, he has the whole nested statement thing down to a science.)

Peace,

the disqualified illiterate :-(

66 Bill { 04.02.08 at 1:48 pm }

Freedom, if you don’t own a Mac, or need another, there are some great prices on recertified models with huge savings on the 3GHz quad and 2.8GHz 8 core. Go to the recert section at the online Apple store. There are other models, but I prefer Towers. Example, Pro Tower 3GHz quad, 2GB RAM, 250 GB HD, ATI 1900XT for $2299, with 1 yr warranty. $250 adds a 3 yr warranty. Sweet!

http://store.apple.com/1-800-MY-APPLE/WebObjects/AppleStore.woa/wa/RSLID?mco=44BD9AA1&nclm=CertifiedMac

67 Rip Ragged { 04.02.08 at 7:27 pm }

@freedom

Your opinions are valid. Opinions you disagree with are the opinions of Fanboys drinking koolaid. (That sounds like flaming to me)

Another flamewar standard is that a site that’s primarily about Apple’s successes and advantages needs more balance. Why?

There are plenty of places on the internet chronicling Apple’s perceived failures and shortcomings. Odd that you should come here to Apple fanboy land of your own free will and then complain about positive reporting on Apple.

Kinda like going to a Chinese restaurant and objecting to the smell of soy sauce.

My Dad’s last communication with another human being – just before they closed the door of the ambulance and he slipped into a coma – was to give his boss the finger. As far as I’m concerned, that kicks the ass of every other Dad I’ve heard of.

68 gus2000 { 04.04.08 at 3:27 pm }

Rip, sorry about your Dad. But yeah, that kicks ass.

69 Bill { 04.04.08 at 4:17 pm }

Rip, that is a great story. I would bet that my dad is laughing his wings off with your dad about it.

Peace.

70 freedom { 04.05.08 at 12:03 am }

@rip

Wow, no wonder you can’t read between the lines, you can’t even read the lines (and you are questioning my literacy?). In a way it is pointless to quote my previous post since you did not get it the first time, why would I expect you to get it the second time? But for the sake of others;

“just because you believe it, does not make it fact! Just because I believe it does not make it fact.”

Not sure, but I don’t think I could have put our “opinions” on any more equal ground than that. The point of my comment was to note that so many “opinions” stated here are referred to as facts when they are merely opinions. (and for the person who is about to point out any of the “provable facts” in this thread, don’t bother, I am not saying there are no facts, I am just saying many are opinions) Note; Opinion + heartfelt sincerity does not = fact. Nor does opinion + agreement by most others of my thought-persuasion = fact.

I “willingly” came to this site, because I saw a link to this article and the title got my attention. I was expecting to be educated not opinionated. My reason for posting was to point out that I felt the article was ignoring a very important concept… ….and it seems Apple agrees with me…

As I have said twice now,

“The whole point of my original post was to point out that the arguments here do not accurately take into account the fact that you are comparing Apples to Oranges. A RATIONAL person could concede that, a FanBoy could not.”

I was watching a show recorded with Windows Media Center yesterday and as I was skipping through the commercials, I noticed an “I’m a Mac” commercial, so I backed up to watch it (They are well done and I enjoy them, way to go Steve). What da ya know… I would assume this one is entitled “It’s not your fault”.

Mac tells PC it is not his fault for having issues because… ….well let me just quote my previous post yet again

“I would expect a Mac to be more secure simply because the hardware and software are both made by Apple. I would expect a PC to be less secure because MS only makes the OS they do not make the hardware and or the majority of the drivers etc.”

And that is exactly what Apple claims in their commercial. I guess I need to start a Mac Fanboy Free site where Apple’s views can be more accurately portrayed. Let’s call it http://www.ThechApple.com . And Rip, since you don’t read between the lines well, allow me to decipher; chApple is a tongue-in-cheek reference to the “Cult” that is Apple Fanboys…

71 Rip Ragged { 04.05.08 at 1:02 am }

@freedom

I’m trying really hard to read between the lines, but I’ll need a little more help I guess.

You’ve agreed with the basic premise of the original article, I think, that OS X is more secure than other operating systems. Or at least that CanSecWest didn’t prove otherwise.

You’ve agreed with the reason why: Apple builds the whole widget, ergo they have more control over the entire system – hence security.

Your basic disagreement, then, is that those opinions lack validity because they are opinions. The very real empirical data that us old FanBoys have (years without malware) don’t solidify our opinions (in or between your lines). Twenty-one years without malware is not an opinion. It’s a fact. I was there.

You also seem to disagree with people who adamantly advance opinions that agree with yours because they’re “FanBoys,” or because in the comparison between Apples and Oranges we prefer Apples. That seems to be argument for its own sake from here, particularly when you agree with the basic tenets of the “cult.”

Reading between the lines doesn’t yield facts contradictory to Daniel’s original post; just that you seem to think there should be more “balance.”

If you have “balancing” facts, please post them. With no facts to counter our opinions we have no reason to change them.

I have an open mind. But it’s only open to new facts. New opinions, unsupported by new facts, must be very compelling.

Thank you for explaining the jokes. It takes all the mystery out of the comments. Really.

72 Pharaos World { 04.06.08 at 7:27 am }

[...] nice article about CanSecWest security [...]

73 Rails Podcast Brasil - Epis { 04.07.08 at 9:32 am }

[...] Mac Shot First: 10 Reasons Why CanSecWest Targets Apple [...]

74 Hacking contest: Ubuntu more resistant than Mac OS or Vista! { 04.17.08 at 7:11 pm }

[...] is the subject of controversy in the blogosphere, notably over the case of the MacBook Air, which is said to have been singled out as a preferred target. Some observers also note that [...]

75 Paul Thurrott calls Apple “the Bad Guys” of Microsoft’s $300 Million Ads — RoughlyDrafted Magazine { 09.08.08 at 2:50 am }

[...] Mac Shot First: 10 Reasons Why CanSecWest Targets Apple [...]

76 Antivirus on a Mac Pt. 2 { 12.17.08 at 5:57 pm }

[...] that the Macbook Air was hacked in a few minutes at CanSecWest during the Pwn2Own competition. This article pretty much sums up my rebuttal to that claim. However I disagree with the ending paragraph in [...]

77 Hacking contest: Ubuntu more resistant than Mac OS or Vista « Dionymartial’s Weblog { 01.25.09 at 5:49 pm }

[...] this competition is the subject of controversy in the blogosphere, notably over the case of the MacBook Air, which is said to have been singled out as a preferred target. Some observers also note that [...]

78 Mac security researcher wins Pwn2Own contest with Safari hack — RoughlyDrafted Magazine { 03.19.09 at 5:56 pm }

[...] Pwn2Own contest is being presented as a shootout between Mac and Windows browsers. Last year’s contest also included Linux, but attendees with the ability to crack Linux “didn’t want to put the work [...]

79 CanSecWest security competition falsely portrayed, again — RoughlyDrafted Magazine { 03.27.10 at 2:48 pm }

[...] Mac Shot First: 10 Reasons Why CanSecWest Targets Apple Who benefits from CanSecWest? A primary benefactor of the event, however, is Apple and its customers, who are shielded from any malicious application of the exploits hackers find. That’s because the people who discover exploits are rewarded by the event itself, while the vendor, in this case Apple, is given information needed to harden its software. [...]
