Free Republic
Browse · Search
General/Chat
Topics · Post Article

To: Lagmeister
In PWN-to-Own hacking contests where hackers are timed to see who can infiltrate any system and take control of it the fastest, Mac and Windows fare pretty much the same.

You really think they start from scratch at the contest? ROTFLMAO!

You have no clue how PWN-to-Own hacking contests work, not a clue, if you think timing the hack has anything to do with the hacking.

The vulnerability the hacker uses was discovered by the hacker months before he ever shows up to the contest and his hack prepared in advance. The time for the hack to work is irrelevant. All the hacker has to do is have the proctor do what he has prepared in advance, run a script, install a file, navigate to a malicious website and click on a button, etc., and WHAM it's done. Every one of these targeted computers has had Java installed on it. But Apple Macs are NOT shipped with Java installed or even present by default! Most users do not require Java to ever be installed. They are also generally running in Administrator mode, not the safer standard mode.

Every one of those hacker contests starts with the idea that someone has to do something a normal user would not normally do, and the hack requires physical access to the computer by the proctor, often the installation of a piece of software prepared by the hacker, giving administrator permission for that install. In other words, the proctor does something that would normally be done by getting a user to do it by phishing them to download something from an untrusted source, go to a malicious website, etc.

Getting that piece of software onto a Mac is not so easy as you may think without the willing participation of someone like the proctor. Even installing the software is not as easy as clicking "OK" on a PC is, because on a Mac, one has to know and enter an administrator's name and password to do that. If it is from an untrusted site, the user will have to take a proactive action to turn off the option that absolutely prevents downloads from such sources in the Security Pane, an action that also requires an administrator's name and password.

Since OS X El Capitan, the underlying UNIX™ OS is protected from being modified by even the superuser unless those protections are turned off, which requires restarting the computer in a Recovery mode, which any downloaded software cannot survive. Ergo, on an OS X Mac, such a download cannot modify the underlying OS in any meaningful way unless the user has been industrial strength stupid.

In the past, all of the hackers have targeted the Mac because it was the most desirable target to win. Charlie Miller, ex-NSA cracker, and three-time black hat winner explained his Apple Mac crack had been ready for six months. That particular hack, he said, would have worked on any computer there, since it exploited a Java vulnerability, but he wanted the MacBook Pro. The second place winners won the Sony Vaio laptop just as fast when they were up to try their crack. . . and used the same Java vulnerability but with a different approach. Miller was first because he was the defending champ from the previous year. They've now gone to random contestant selection because of the unfair advantage being first to try gives the previous winner. Time to crack has nothing to do with it. Being prepared is everything!

One year, Apple issued an OS Security update one week before the contest and the contest operators decided the contestants got to use the UN-UPDATED version of the OS. . . because the vulnerabilities they were going to use had all been patched! This was a major change in the time-honored rules that the hackers had to use a fully up-to-date OS . . . but, hey, you gotta have winners, ya know! OOPS! Now, they won't change those rules any more after a lot of people complained about the unfairness of that rule change.

Now that's changed because there are now monetary prizes attached to specific targets in software and hardware offered by the publishers and manufacturers. The hackers are going first for the big money targets. That frequently is not the Macs or any Apple product. . . although this last fall there was a $500,000 bounty on an iOS 9 remote jailbreak hack of an iPhone 6s from some S.F. Bay Area company (thought perhaps to be Apple, although others thought it might be another security company looking for a means of iPhone access) which was topped at the last minute by an Israeli security company at $1 million which several months later was monetizing the hack to government agencies around the world for a very large fee. Alphabet/Google offers big money. . .

66 posted on 10/20/2016 6:33:40 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)


To: Swordmaker
You are taking a lot of words describing how every malicious software gets into any computer. Who the hell said from scratch? Besides, if Microsoft put out a fix right before the contest it would be no different.

You are just kicking up dust with a few suggestions as to why hacking into a Mac might be a little more difficult - everyone has known about Java for... well, forever.

So sure, don't download certain software or click on certain email links or go to an untrusted webpage.

Gee! People do that, don't they? Sounds like a good idea for Mac or Windows and sounds like how crap gets into any computer. If you don't do a lot of things you will not pick up malicious crap. I don't and I don't pick any of it up either on my Win 7 64bit OS.

The real issue is that there is simply more crap out there for Windows and virtually nothing for Mac.

70 posted on 10/20/2016 8:38:12 PM PDT by Lagmeister ( false prophets shall rise, and shall show signs and wonders Mark 13:22)



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson