Macs Are Not Invulnerable

PC Magazine ^ | Dec. 11 | Lance Ulanoff

[Bush2000]

Macs Are Not Invulnerable
Windows Isn’t the Only System With Serious Flaws

Commentary
By Lance Ulanoff
PC Magazine

Dec. 11— I know this is wrong, but in one respect I was happy to learn earlier this month about the discovery of a significant security hole in the Jaguar and Panther versions (10.2 and 10.3, respectively) of the Apple operating system (OS).

I was tired of the "We use Macs because they don't get attacked by viruses and hackers" refrain from Mac nuts.

I generally counter with what is apparently a secret carefully hidden from Mac zealots: "That's because only a fraction of the world uses Macs. What's the point of attacking a niche market? No one will notice!"

But the mindlessly superior retort is always the same, "No, it's because the Apple OS does not have the same holes as Windows. OS X is just a better operating system."

Given this recent development, my question is, "Will you be stuffing that superior attitude in your crow or eating it separately, sir?"

A Major Mac Breach

This is a significant hole. The original report, found on Carrel.org, puts a frightening spin on the problem:

"A series of seemingly innocuous default settings can cause an affected Mac OS X machine to trust a malicious machine on a network for user, group, and volume mounting settings."

So an attacker who can gain access to your network — over a wired connection or wirelessly — can trick an affected system into trusting a rogue machine, and when the compromised machine reboots, take it over and even attack other systems on the network.

The truth is that the Mac OS is just as vulnerable as Microsoft Windows. Overall, maybe OS X is better than Windows, but that's not the point. Panther, for example, is a great OS, but it's also complex, and complexity leaves room for gaps — some small, some not.

From Mac Fan(atic) to Windows User

OS X 10.x may not be as widely used as Windows (let's face it, it isn't) but some of its devotees seem far more fanatical than Windows users. Those who toil in Windows — me, for instance — care about their OS to a certain degree, but hardly feel the need to jump to its defense or come up with ridiculous conspiracy theories to explain why, say, Bob bombed or Windows Me stank.

So I am by no means a Windows apologist or Microsoft partisan. I began my computing career as a Mac patriot, in fact. I used a Mac SE/30 with PageMaker version 1.2 and laughed at the lowly IBM PS/2, which could just hobble along on the subpar Windows 3.0 and had virtually no font support. I trained people on Macs, converted entire print production systems over to the Mac and PageMaker, and salivated over every software upgrade and hardware enhancement.

But even back then, I had this gnawing suspicion that 18-month software development cycles could somehow hurt the platform. Before the tide really turned, however, I switched to PCs. I had joined PC Magazine, and the editorial staff used them.

My introduction to the PC came at precisely the same time as Microsoft launched Windows 3.1. I was no longer focusing on the Mac, and Microsoft had finally released a viable GUI. It didn't beat the then-current Mac OS (System 7), but it was a start, and of course, people began buying millions of PCs with Windows 3.1 preloaded.

The rest is history.

The Target Everyone Loves to Hit

When Microsoft released Windows 95 three years and some months later, for the first time there was a degree of parity between the graphical interfaces. I found things to grumble about, but they were minor.

Microsoft's less-than-stellar OS security took a while to become apparent. In fact, the problem wasn't epidemic until a few years after the Internet took off. Windows' market domination makes it a target for the virus authoring community.

The OS also bears the burden of user wrath because those who depend on Windows so often feel let down. But nothing drives me crazier than Mac true believers shaking their heads and grinning at me every time another Windows virus hits.

This past summer was particularly difficult. As Blaster and SoBig wreaked havoc across the Internet and with millions of Windows PCs, Mac users would tell me with mock sympathy, "This wouldn't happen if we all ran Macs".

We don't, of course, and again, that's the point.

If the Tables Were Turned

The discovery of this OS X security hole will be like a tree falling in a particularly remote forest. So few people actually use Macs (notwithstanding, of course, what you see in the alternate universe of movies, where everyone appears to use them), that I think it's unlikely this problem will have any long-term effect. Hackers are unlikely to exploit this hole the way they have Windows failings.

If the Macintosh OS ever became dominant, the tables would turn, and there would be just as many reports of viruses, security holes, and attacks on it as we currently have with Windows. As one Macophile I spoke with noted, no one has even bothered to exploit this security flaw. I doubt anyone will.

Meanwhile, we can already see what happens when Apple has a broadly popular product that cuts across platforms. The Apple iPod is the number one MP3 player, and now that its companion computer utility, iTunes, is available for both the Mac and the PC, it has become a hack target. In fact, Jon Lech Johansen, the same Norwegian who cracked the DVD security code, recently circumvented the iTunes music protection scheme.

An event like that occurring makes sense to me, since iTunes' popularity makes it a target worth hacking — and whatever mystical Mac mojo there may be, it didn't go far in protecting a popular Apple product.

Who's Crowing Now?

Ultimately, those on the Mac fringe have to face facts: Panther and Jaguar were not better at outrunning vulnerabilities than Windows.

I expect other gaps will emerge, and while the Mac OS may still draw far fewer attacks, this discovery might suck a little wind (or is it Windows?) out of Mac radicals' sails. They can scarcely claim this was a minor hole. OS root access is serious stuff.

How cocky are you feeling now, Mac elite? Hmm. Suddenly it's gotten pretty quiet around here.

[Dont Mention the War]

Muckraking, the PC Way
Richard Forno
12 Dec 03
Copyright (c) 2003 by Author. Permission granted to reproduce in entirety with credit given.

comments

Richard Forno is a security technologist, author, and the former Chief Security Officer at Network Solutions.

---

Since Apple released Mac OS X, even the PC industry trade publications have raved about its quality, design, and features.  PC Magazine even gave Mac OS X "Panther" a 5-star rating in October 2003. Perhaps it was because Macs could now seamlessly fit into the Windows- dominated marketplace and satisfy Mac users refusing to relinquish their trusty systems and corporate IT staffs wanting to cut down on tech support calls. Whatever the reason, Mac OS X has proven itself as a worthy operating system for both consumers and business alike.

Of course, as with all operating systems, Mac OS X has had its share of technical problems and even a few major security vulnerabilities. Nearly all were quickly resolved by Apple via a downloaded patch or OS update.  But in general, Mac OS X is solid, secure, and perhaps the most trustworthy mainstream computing environment available today. As a result, Mac users are generally immune to the incessant security problems plaguing their Windows counterparts, and that somehow bothers PC Magazine columnist Lance Ulanoff.

In a December 11 column [1] that epitomizes the concept of yellow journalism, he's "happy" that Mac OS X is vulnerable to a new and quite significant security vulnerability. The article was based on a security advisory by researcher William Carrel regarding a DHCP vulnerability in Mac OS X. Carrel reported the vulnerability to Apple in mid-October and, through responsible disclosure practices, waited for a prolonged period before releasing the exploit information publicly since Apple was slow in responding to Carrel's report (a common problem with all big software vendors.)  Accordingly, Lance took this as a green light to launch into a snide tirade about how  "Mac OS is just as vulnerable as Microsoft Windows" while penning paragraph after paragraph saying "I told you so" and calling anyone who disagrees with him a "Mac zealot."

In other words, you're either with him or with the "zealots."  Where have we seen this narrow-minded extremist view before?  

More to the point, his article is replete with factual errors. Had he done his homework instead of rushing to smear the Mac security community and fuel his Windows-based envy, he'd have known that not only did Apple tell Carrel on November 19 that a technical fix for the problem would be released in its December Mac OS X update, but that Apple released easy-to-read guidance (complete with screenshots) for users to mitigate this problem on November 26.  Somehow he missed that.

Since he's obviously neither a technologist (despite writing for a technology magazine) nor a security expert, let's examine a few differences between Mac and Windows to see why Macintosh systems are, despite his crowing, whining, and wishing, inherently more secure than Windows systems.

The real security wisdom of Mac OS lies in its internal architecture and how the operating system works and interacts with applications. It’s also something Microsoft unfortunately can’t accomplish without a complete re-write of the Windows software -- starting with ripping out the bug-riddled Internet Explorer that serves as the Windows version of "Finder."  (That alone would seriously improve Windows security, methinks.)

At the very least, from the all-important network perspective, unlike Windows, Mac OS X ships with nearly all internet services turned off by default. Place an out-of-the-box Mac OS X installation on a network, and an attacker doesn’t have much to target in trying to compromise your system. A default installation of Windows, on the other hand, shows up like a big red bulls-eye on a network with numerous network services enabled and running. And, unlike Windows, with Mac OS X, there’s no hard-to-disable (for average users afraid to tweak things unfamiliar to them, that is)  “Messaging Services” that results in spam-like advertisements coming into the system by way of Windows-based pop-up message boxes. And, the Unix-based Mac OS X system firewall – simple enough protection for most users -- is enabled by default (in Mac OSX Server) and easy to find and configure in Mac OS X Client software (not that there's much that users need to worry about out-of-the-box anyway) -- something that Microsoft only recently realized was a good idea and acknowledged should be done in Windows clients as well.  I guess Lance didn't hear about that, either.

Then there's the stuff contributing to what I call "truly trustworthy computing."

When I install an application, such as a word processor, I want to know with certainty that it will not modify my system internals. Similarly, when I remove the application, I want to know that when I remove it (by either the uninstaller or manually) it’s gone, and nothing of it remains on or has modified my system. Applications installed on Mac OS X don’t  modify the system internals – the Mac version of the Windows/System directory stays pretty intact. However, install nearly any program in Windows, and chances are it will (for example) place a different .DLL file in the Windows/System directory or even replace existing ones with its own version in what system administrators of earlier Windows versions grudgingly called "DLL Hell."  Want to remove the application? You’ve got two choices: completely remove the application (going beyond the software uninstaller to manually remove things like a power user) and risk breaking Windows or remove the application (via the software uninstaller) and let whatever it added or modified in Windows/System to remain, thus presenting you a newly-but-unofficially patched version of your operating system that may cause problems down the road. To make matters worse, Windows patches or updates often re-enable something you’ve previously turned off or deleted (such as VBScript or Internet Explorer) or reconfigures parts of your system (such as network shares) without your knowledge and potentially places you at risk of other security problems or future downtime. Apparently, Lance doesn't see this as a major security concern.

Further, as seen in recent years, Microsoft used the guise of a critical security fix for its Media Player to forcibly inject controversial Digital Rights Management (DRM) into customer systems.[2] Users were free to not run the patch and avoid DRM on their systems, but if they wanted to be secure, they had to accept monopoly-enforcing DRM technologies and allow Microsoft to update such systems at any time in the future.  How can we trust that our systems are secure and configured the way we expect them to be (enterprise change management comes to mind) with such subtle vendor trickery being forced upon us? Sounds like blackmail to me.  (Incidentally, Lance believes the ability of a user to "hack" their own system to circumvent the Apple iTunes DRM makes the Macintosh a bigger "hack target" for the purposes of his article....apparently, he's not familiar with the many nuances of the terms "hack" and "hackers" or knows that power-users often "hack" their own systems for fun.)  Were Apple to do such a thing, Mac users would likely revolt, and Apple's credibility seriously damaged.

What does that say about trusting an operating system's ability to perform in a stable and secure manner? Windows users should wonder who’s really in control of their systems these days. But Lance is oblivious to this, and happy to exist in such an untrustworthy computing environment.

On the matter of malicious code, Lance reports being "driven crazy" when Mac users grin at not falling victim to another Windows virus or malicious code attack. He's free to rebuild his machine after each new attack if he wants, and needs to know that Mac users are grinning at not having to worry about such things getting in the way of being productive.  You see, because of how Mac OS X was originally designed, the chance of a user suffering from a malicious code attack - such as those nasty e-mail worms - is extremely low. Granted, Mac users may transmit copies of a Word Macro Virus if they receive an infected file (and use Microsoft Word) but it’s not likely that – again, due to Mac OS X's internal design – a piece of malicious code could wreak the same kind of havoc that it does repeatedly on Windows. Applications and the operating system just don’t have the same level of trusted interdependencies in Mac OS X that they do on Windows, making it much more difficult for most forms of malicious code to work against a Macintosh.

Unlike Windows, Mac OS X requires an administrator password to change certain configurations, run the system updater, and when installing new software.  From a security perspective, this is another example of how Apple takes a proactive approach to system-level security. If a virus, remote hacker, or co-worker tries to install or reconfigure something on the system, they’re stymied without knowing the administrator’s password stored in the hardened System Keychain. (Incidentally, this password is not the same as the Unix 'root' account password of the system's FreeBSD foundation, something that further enhances security.)  In some ways, this can be seen as Mac OS X protecting a careless user from themself as well as others.

Lance also fails to recognize that Windows and Mac OS are different not just by vendor and market share, but by the fundamental way that they're designed, developed, tested, and supported. By integrating Internet Explorer, Media Player, and any number of other 'extras' (such as VB Script and ActiveX) into the operating system to lock out competitors, Microsoft knowingly inflicts many of its security vulnerabilities onto itself.  As a result, its desire to achieve marketplace dominance over all facets of a user's system has created a situation that's anything but trustworthy or conducive to stable, secure computing.  Mac users are free to use whatever browser, e-mail client, or media player they want, and the system accepts (and more importantly, remembers!) their choice.

Contrary to his article, the small market segment held by Apple doesn't automatically make the Mac OS less vulnerable to attack or exploitation. Any competent security professional will tell you that "security through obscurity" - what Lance is referring to toward the end of his article - doesn't work. In other words, if, as he suggests, Mac OS was the dominant operating system, its users would still enjoy an inherently more secure and trustworthy computing environment even if the number of attacks against it increased.  That's because unlike Windows, Mac OS was designed from the ground up with security in mind.  Is it totally secure? Nothing will ever be totally secure. But  when compared to Windows, Mac OS is proving to be a significantly more reliable and (exponentially) more secure computing environment for today's users, including this security professional.

If Lance is sleeping well believing that he's on an equal level with the Mac regarding system security, he can crow about not being overly embarrassed while working on the only mainstream operating system that, among other high-profile incidents over the years, facilitated remote system exploitation through a word processor's clip art function! [3]

Trustworthy computing must be more than a catchy marketing phrase. Ironically, despite a few hiccups along the way, it's becoming clear that Mac OS, not Windows, epitomizes Microsoft's new mantra of "secure by design, default, and deployment."

Who's crowing now?


[1] Macs Are Not Invulnerable
http://abcnews.go.com/sections/scitech/ZDM/mac_vulnerablility_pcmag_031211.html

[2] Microsoft Makes An Offer You Can't Refuse
http://www.infowarrior.org/articles/2002-09.html

[3] Buffer Overflow in Clipart Gallery (MS00-015)
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/fq00-015.asp


# # # # #

Richard Forno is a security technologist, author, and the former Chief Security Officer at Network Solutions. His home in cyberspace is at http://www.infowarrior.org/.

[agitator]

ping

[Smogger]

That's what I have been saying all along.

Linux heads read up.

When *nix was the most popular OS on mini's and mainframes, and they were the ONLY computer connected to the Internet (or any networks for that matter) *nix was the BIGGEST target.

[quidnunc]

I just downloaded a firmware update for my G5 w/ Panther OS which plugged a security hole, so Apple is on the case.

[Bobibutu]

I have a router intrerfaced with my DSL connection. I am "Stealth" according to Gibson http://www.grc.com/

I do not worry - I'net user since '81

Arpanet user since '66

I have never had a problem.

Macs Rule!

Retired IBM Field Engineer.

[Bobibutu]

I am running Panther - osx 10.3.1

[Bush2000]

Of course, as with all operating systems, Mac OS X has had its share of technical problems and even a few major security vulnerabilities. Nearly all were quickly resolved by Apple via a downloaded patch or OS update. But in general, Mac OS X is solid, secure, and perhaps the most trustworthy mainstream computing environment available today. As a result, Mac users are generally immune to the incessant security problems plaguing their Windows counterparts, and that somehow bothers PC Magazine columnist Lance Ulanoff.

BS. It took Apple nearly two months to patch the DHCP critical flaw.

[Prime Choice]

As long as humans are designing operating systems, those operating systems will be flawed in some way. This is true of MacOS, Windows and all manner of Unices.

Like the old saying goes, "To err is human. To really foul things up requires a computer." ; )

[DB]

I'm also "Stealth" on Gibson's site.

I'm running Win2k.

I've never caught a virus from the Web. I use one dedicated Win2k machine as a router and server. The machine is on 24/7.

[Hawkeye's Girl]

I own both PCs and Macs. They are both good in different ways. Being fanatical about an operating system is just silly IMHO.

[ShorelineMike]

BS. It took Apple nearly two months to patch the DHCP critical flaw.

And your point, Bush2000?

Mr. Forno's column said "… Nearly all were quickly resolved by Apple … " so for you to jump on Apple's taking two months to distribute a patch for this situation as a refutation of Mr. Forno's entire column is a scurrilous gesture worthy of That Site Which Shall Not Be Named.

Further, while you are attacking Mr. Forno's position, would you care to share with us all of the stories of your friends and colleagues running Mac OS X who were affected by this DHCP flaw?

[Bush2000]

Mr. Forno's column said "… Nearly all were quickly resolved by Apple … " so for you to jump on Apple's taking two months to distribute a patch for this situation as a refutation of Mr. Forno's entire column is a scurrilous gesture worthy of That Site Which Shall Not Be Named.

His fundamental argument is flawed. Apple has not "quickly resolved" its security issues. And regardless of Forno's opinions on Mac security compared to PCs, it is undisputed that serious flaws have been discovered, despite Mac kneepadders arguments to the contrary. Ulanoff wasn't trying to promote the notion that PCs are safer than Macs. Forno seems to have missed this point, as he launched into a "Macs-are-safer-than-PCs" tirade. That's not the issue. The issue is whether serious vulnerabilities exist in the Mac platform. They do. That is undisputable.

[The Duke]

I own both PCs and Macs. They are both good in different ways. Being fanatical about an operating system is just silly IMHO.

I agree COMPLETELY.

Even if MACs do RULE!!! ;)

[pt17]

Being fanatical about an operating system is just silly IMHO

IMHO, you're right.

[Swordmaker]

BS. It took Apple nearly two months to patch the DHCP critical flaw.

Bush, not one user has been hit by anything coming through your "criticial flaw" and the "flaw" was easily fixed by users by changing ONE SETTING to "No" from the factory default setting of "Yes." It did NOT require a "patch" although the newer versions of OS-X do come with the factory default set to "NO."

Carrel reported this as a "serious" issue... not "critical."

I told you this and provided proof of the easy fix in an earlier post on this same subject as did others.

You are a WINDOWS bigot.

[Bush2000]

Bush, not one user has been hit by anything coming through your "criticial flaw" ...

This is wishful thinking on your part, since (a) you can't possibly know that, and (b) an attacker wouldn't advertise his or her presence on your network.

...and the "flaw" was easily fixed by users by changing ONE SETTING to "No" from the factory default setting of "Yes." It did NOT require a "patch" although the newer versions of OS-X do come with the factory default set to "NO."

Whoopie. Out of sight, out of mind. The more you argue about this, the more it becomes obvious that you guys are delusional about security. This issue is only the tip of the iceberg.

[Bush2000]

Carrel reported this as a "serious" issue... not "critical."

LMAO! "Seriouuuuuuuuuuuus". Oooooh. So hackers can seriously format Mac users' hard drives.

[Woahhs]

I own both PCs and Macs. They are both good in different ways. Being fanatical about an operating system is just silly IMHO.

You have obviously never been designated the family IT department by all your windows using relatives. Never ceases to amaze me how they were smart enough to ignore my purchasing advice, but never seem to be able to fix their own problems.

[Woahhs]

The more you argue about this, the more it becomes obvious that you guys are delusional about security. This issue is only the tip of the iceberg.

So why don't you just sit back quitely and wait for the shipwreck with a pocket full of "told ya so"s? Why do you have this intense need to convince macaddicts they're vulnerable to a hypothetical boogie-man?

[Swordmaker]

BS. It took Apple nearly two months to patch the DHCP critical flaw.

You might want to see what Willian Carrel has to say about Forno's article that YOU so blythely denigrate.

From Forno's site's comments on his article:

On 12/15/03 3:02 PM, "William A.Carrel" wrote:
I definitely appreciate the article rebutting the PC Mag guy who was trying to improve their unique viewer metrics.  (Yay for advertising-driven news?) . . .
. . . Thanks again.

Incidentally, shall we review the relative credentials between Richard Forno and YOU that qualify each of you to HAVE an opinion on the subject?

Mr. Forno: "Richard Forno is a security technologist, author, and the former Chief Security Officer at Network Solutions.***"

Bush2000: Unknown PC Windows user

***Nework Solutions, Inc. "Network Solutions, the first and largest registrar of domain names, offers a full range of Web-related services, including domain names, Web sites and e-mail. We make it simple and affordable for customers to build and manage a Web presence through a single, experienced provider. Network Solutions manages over 8 million domain names.

Whose facts and statements do you think we should give the greatest weight? Mr. Forno or Bush2000.

I think that your featherweight is overbalanced by Mr. Forno's much greater gravitas...

[Swordmaker]

"Ultimately, those on the Mac fringe have to face facts: Panther and Jaguar were not better at outrunning vulnerabilities than Windows." -- Lance Ulanoff

Ulanoff wasn't trying to promote the notion that PCs are safer than Macs. Forno seems to have missed this point, as he launched into a "Macs-are-safer-than-PCs" tirade. That's not the issue.

But, Bush, THAT IS THE ISSUE! Ulanof flatly states a falsehood: "Panther and Jaguar were not better at outrunning vulnerabilities than Windows."

Richard Forno pokes LARGE bloody holes in that statement. He provides Chapter AND verse as to why that statement is false.

[glorgau]

It took Apple two months, but it was an very esoteric and unexploited flaw. The problems with Firewire drives in the 10.3 release were more problematic IMHO.

[Swordmaker]

The only problem, Glorgau, with your statement of concern is that there WAS no problem with FireWire Drives in the 10.3 release... the problem was in the FIRMWARE of some FireWire800 drives. The manufacturer of the FIRMWARE, Oxford SemiConductor, released a patch for its FIRMWARE that solved the problem.

Apple's OS-X.3 was just the first implementation that used the FULL instruction set for FireWire 800 and therefore the first to encounter this problem with the Oxford Semi firmware error.

[Bobibutu]

Congrats - it can be done with any platform. Not rocket science. Like closing the doors to the car before one starts driving it. :-)

[glorgau]

The only problem, Glorgau, with your statement of concern ...

OK, so there was a problem somewhere...and it wasn't caught in pre-release testing.

[ShorelineMike]

This is wishful thinking on your part, since (a) you can't possibly know that, and (b) an attacker wouldn't advertise his or her presence on your network.

Bush2000,if you're really going to say this with a straight face, then you have *no* idea about how DHCP, LDAP, *or* Mac OS X logging work.

However, since we are generally a courteous bunch here on Free Republic, here's a hint: if I were to take over an LDAP server on your network that serves information needed by DHCP-requiring workstations, I could make your Windows machines …yes, even the ones you boast of as being "so thoroughly locked down" … fall as quickly as Mac OS X machines. One would certainly know if a machine had fallen to such an attack. (And yes; I've done it it in my classes. I teach security in mixed environments.)

Now, where were all the stories about the Windows machines that fell victim to this, since it was *such* a critical security flaw?

[Bush2000]

So why don't you just sit back quitely and wait for the shipwreck with a pocket full of "told ya so"s? Why do you have this intense need to convince macaddicts they're vulnerable to a hypothetical boogie-man?

Because I can't stand their self-deluding hypocrisy.

[Bush2000]

Bush2000,if you're really going to say this with a straight face, then you have *no* idea about how DHCP, LDAP, *or* Mac OS X logging work.

You misunderstood the context. I was referring to the fact that, if an attacker is compromising machines on your network, he or she will probably not send mail to let you know what they're doing; thus, you could be compromised and not even know it. Hence, the "my network isn't vulnerable because nobody's reported a problem" argument is a load of crap.

if I were to take over an LDAP server on your network that serves information needed by DHCP-requiring workstations, I could make your Windows machines …yes, even the ones you boast of as being "so thoroughly locked down" … fall as quickly as Mac OS X machines.

Fine. Document your attack and submit it for public review. Otherwise, you're blowing smoke.

[Bush2000]

It took Apple two months, but it was an very esoteric and unexploited flaw.

How do you know it wasn't exploited? Their are tons of clueless admins out there who are running unpatched boxes -- that have no idea that they're running zombie processes. Honestly, all of this denial is counterproductive with regard to security. I'll be the first to admit that lax administration is a huge problem on both sides (*nix, Windows) aisle. You can't guarantee that this hole hasn't already been exploited -- nor can you assert that it won't be exploited in the future due to lax administration.

[Bush2000]

Mr. Forno: "Richard Forno is a security technologist, author, and the former Chief Security Officer at Network Solutions.***"

Color me unimpressed:

Network Solutions Hacked

[MaryFromMichigan]

Us too! :)

[Porterville]

I had a Macintosh apple today; tasted like dirt.

[Woahhs]

Because I can't stand their self-deluding hypocrisy.

Do you have AIDS?

[Bush2000]

Do you have AIDS?

Do you have any more irrelevant questions?

[avg_freeper]

They're nigh invulnerable.

[ladyinred]

How cocky are you feeling now, Mac elite? Hmm. Suddenly it's gotten pretty quiet around here.

Still feeling pretty cocky thank you very much! :-) Wouldn't trade my mac for anything!

[ShorelineMike]

You misunderstood the context. I was referring to the fact that, if an attacker is compromising machines on your network, he or she will probably not send mail to let you know what they're doing; thus, you could be compromised and not even know it.

I didn't "misunderstand" your context at all; you had no context to misunderstand. Every time someone has held your feet to the fire on this issue, you have claimed to have been "misunderstood."

You have just proved my point in #27. There is no point in having a further discussion with you on this topic.

Fine. Document your attack and submit it for public review. Otherwise, you're blowing smoke.

BZZT! Sorry, thanks for playing … that dog don't hunt. "And he can't even run his own life …"

You're entitled to hate Macintoshes for whatever irrelevant reason suits your fancy. However, I'm not interested in having a discussion with anyone whose reasons for disliking them boil down to " I just don't."

I'll defend to the death your right to stay in your "Windows-is-the-ONLY-secure-operating-system" cocoon, though.

[glorgau]

Hey, if I wanted to, I could write the exploit.(I do have that level of knowledge) Maybe it was exploited, but it sure hasn't hit the newswires yet. Also, I didn't assert that it wouldn't be. Can't see where you read that into my post.

All that said, i'm not going to be booting my Powerbook in a coffee shop wi-fi net until it is patched.

[Woahhs]

Depends.

More than anything, the thought processes you've evinced here remind me of an AIDs activist.... One who knows for all intents and purposes, that cow in the polyester stretch pants, sporting a King James Bible or twelve pound Rosary, has essentially zero chance of contracting the disease that rules his every waking moment.

Now if you ask said activist why he loathes that simple woman, he will invariably concoct some fanasy about her lack of taste, ignorance of modernity, or some other such canard that blames the victim for his hatred.

Of course, the truth of the matter is his malignant narcissism just will not allow him to leave her peace of mind unmolested so long as his is disrupted. He can't stand a state of affairs where the riff-raff operate with impunity while their betters are "at risk."

This kind of malevolence is more commonly seen in liberals, but obviously it's not exclusive.

[Bush2000]

I didn't "misunderstand" your context at all; you had no context to misunderstand.

Whatever. I've made my point loud and clear on that issue: You can't provide any guarantees that the exploit isn't being used on countless networks around the world. Your assurances are worthless.

BZZT! Sorry, thanks for playing … that dog don't hunt. "And he can't even run his own life …" You're entitled to hate Macintoshes for whatever irrelevant reason suits your fancy. However, I'm not interested in having a discussion with anyone whose reasons for disliking them boil down to " I just don't."

In other words, you're making a claim that you either can't or don't want to back up. Either way, you're not providing any kind of proof, so I'm going to have to write you off as yet another chest-beating Mac quack.

[Bush2000]

More than anything, the thought processes you've evinced here remind me of an AIDs activist.... One who knows for all intents and purposes, that cow in the polyester stretch pants, sporting a King James Bible or twelve pound Rosary, has essentially zero chance of contracting the disease that rules his every waking moment.

Seek counseling. You're not even remotely in the known universe.

[Woahhs]

Struck a nerve, huh?

[Bush2000]

Struck a nerve, huh?

Hardly. If I had a dime for every time that some crackpot on FR made assumptions about my background...

[Woahhs]

Again, you evince a lack of ability to deal with reality without distorting it in some way. I made no assumptions about your background. You were asked a question (admittedly with sarcasm) that might lend some insight into why you ae so comfortable with the need to inflict distress on people whose only offense is their confidence in the computer they use.

For some reason, you can not leave that confidence alone. You claim it is because of others "self-deluding hypocrisy," but what is that more than name-calling?

Look up the definitions of the slurs you used in your justification. How are mac users hypocritical? How are they self-deluding? The only way you can justify using those particular terms is if you are so self-absorbed as to assume the expressions of confidence are actually calculated attempts to belittle you personally. "Grandiosity" anyone?

So what if mac users are technically incorrect about their confidence? They are totally correct in the functional sense. Yeah, you can beat a speeding ticket in principle; what effect does that have in practice?

The positions you've staked out for yourself, as well as the histrionics you employ to support them, say alot more about you than I'd ever be comfortable letting strangers know about me.

[Swordmaker]

OK, so there was a problem somewhere...and it wasn't caught in pre-release testing.

Not surprising. From what I have seen less than 20 users had a problem... it was not something that occurred with every FireWire drive, even with every Oxford Semiconductor controlled drive.

[Swordmaker]

Color me unimpressed:

The question is NOT whether Bush2000, a legend in his own mind, is impressed with Mr. Forno's credentials, it is what relative weight we should give YOUR uninformed opinion over his expert opinion!

YOU and your opinion are found extremely wanting in comparison. Now, as to the very interesting article you linked us to.

Exactly WHAT Operating System did the hackers violate? Gee, I wonder. Was it a Mac OS-X? WAs it any flavor of *nix? Was it Linux?

From the article:

Attackers compromised a system that hosted thousands of "parked" domains that had been registered through Network Solutions and were still under construction, according to a Verisign representative. . .

. . . The system, which was running Microsoft's Internet Information Server (IIS) on Windows 2000, was operated by Atlanta-based hosting firm Interland under an outsourcing agreement, according to Verisign spokesperson Pat Burns.

Gee, Bushie, exactly what was your point? That a Microsoft comptuter is vulnerable to hacking? Isn't that what Mr. Forno's was saying?

I might also point out that your link name is dishonest. It should not fraudulently claim "Network Solutions Hacked" when the company hacked was "Interland" a sub-contractor!

In fact, Bush, Mr. Forno criticizes his former employer's subcontracto r in the article you seem to think is evidence of Forno's lack of competence to impress YOU!

Also from the article:

Rick Forno, chief technology officer for Shadowlogic and the former head of security for Network Solutions, said Verisign has begun relying on numerous partners for services it bundles with domain sales.

While Verisign has the ultimate responsibility to its domain customers, the blame for the security breach falls squarely on Interland, he said.

"Verisign may want to re-evaluate the clause in their contract that talks about security - if there even is such a clause," said Forno.

How does it feel to sit on your Petard, waiting for the fuse to reach the powder charge, before hoisting you over the horizon???

Color the rest of us snickering at your unsupportable position.

[Swordmaker]

Apple has just released an update to OSX's Apple Remote Desktop Client utility.

The Apple Remote Desktop Client version 1.2.4 update delivers improvements to security, performance, and reliability of the Apple Remote Desktop 1.2 client software running on Mac OS X versions 10.1, 10.2 and 10.3. For more information on this update, please refer to Apple's Page on this update.

Bush2000 will probabbly spin this update like this:

"Apple has sent out a security update for OS-X that fixes a dire, serious, critical security flaw in Apple's Remote Desktop Access. Apple should have known about this security issue before they wrote OSX and never released the operating system until ALL flaws had been found and eliminated. Macintosh bigots will lissfully ignore this critical issue, despite the potential it had for destroying their computers. By releasing this update, Apple is admitting that OSX is less than perfectly secure!

BWAHAHAHAHAHAHAHAHAHAHAH!"

That should cover his opinion.

[Bush2000]

Attackers compromised a system that hosted thousands of "parked" domains that had been registered through Network Solutions and were still under construction, according to a Verisign representative. . . . . . The system, which was running Microsoft's Internet Information Server (IIS) on Windows 2000, was operated by Atlanta-based hosting firm Interland under an outsourcing agreement, according to Verisign spokesperson Pat Burns.

Oh, please. The issue isn't IIS. The issue is your source. In logic terms, you're trying to argue the Fallacy of Authority; that is, "accept his position because the speaker has credentials that are supposedly solid". But, as I pointed out, his organization (the one-time solitary guardian of the Internet's domain name registry) was badly hacked, which calls his judgement, competence, and credibility into question. That's the problem with putting your faith in so-called "authorities".

You're not seriously now trying to argue that your vaunted source -- Richard Forno, Chief Security Officer -- didn't know about or approve of this architecture, are you? He should have known how these machines were being deployed, what OS was being used, etc -- and if he didn't, then he wasn't much of a Chief Security Officer, was he?

[Swordmaker]

The issue is your source. In logic terms, you're trying to argue the Fallacy of Authority; that is, "accept his position because the speaker has credentials that are supposedly solid".

No, Bush, that is the Fallacy of Appeal to Authority... and your definition of what makes it fallacious is incorrect. Since I was a paid tutor in Logic when I was in college, many years ago, allow me to tutor you... no charge:

Appeal to Authority is a fallacy with the following syllogistic form:

Person P (Forno) is (claimed to be) an authority on subject S (Computer Security).
Person P (Forno) makes claim C (OS-X is more secure than Windows) about subject S (computer security).
Therefore, C (OS-X is more secure than Windows) is true.

The fallacy of Appeal to Authority is only committed when the person in question is not a legitimate authority on the subject. More formally, if person P is not qualified to make reliable claims in subject S, then the argument will be fallacious.

Since this sort of reasoning is fallacious only when the person is not a legitimate authority in a particular context, it is necessary to provide some acceptable standards of assessment. The following standards are widely accepted:

A: The person being claimed as an authority has sufficient expertise in the subject matter in question.

Claims made by a person who lacks the needed degree of expertise to make a reliable claim will, obviously, not be well supported. (That's you, Bush) In contrast, claims made by a person with the needed degree of expertise will be supported by the person's reliability in the area. (That's Forno)

B: The claim being made by the person is within her area(s) of expertise.

If a person makes a claim about some subject outside of his area(s) of expertise, then the person is not an expert in that context (Again, Bush, that is YOU). Hence, the claim in question is not backed by the required degree of expertise and is not reliable. However, if the person is citing an claim within his area of expertise, then his claim is considered reliable (again, that's Forno).

C: There is an adequate degree of agreement among the other experts in the subject in question.

If there is no agreement between experts in a subject, then arguers can play "dueling experts" with one expert denying the claim of another. The question then must be examined on other facts than Appeal to Authority.

D: The person in question is not significantly biased.

If an expert is significantly biased then the claims he makes within his are of bias will be less reliable (That is definately YOU, Bush). Since a biased expert will not be reliable, an Argument from Authority based on a biased expert will be fallacious. This is because the evidence will not justify accepting the claim. An unbiased expert's position is considered more reliable (That is Forno, who has used many OSes).

E: The area of expertise is a legitimate area or discipline.

Certain areas in which a person may claim expertise may have no legitimacy or validity as areas of knowledge or study. Obviously, claims made in such areas will not be very reliable. A person claiming expertise on UFOs would not be considered reliable because the area of knowledge is not considered valid.

F: The authority in question must be identified.

A common variation of the typical Appeal to Authority fallacy is an Appeal to an Unnamed Authority. This fallacy is also known as an Appeal to an Unidentified Authority.

So, has my source been found wanting?

Richard Forno (Criterion F, he is identified) has been deemed to be a qualified expert by being named Chief Security Officer and being paid GOBS of MONEY (Criterion B, this is Forno's area of expertise) by, in your words, " the . . . solitary guardian of the Internet's domain name registry." (Criterion E, legitimate area) In that position he used numerous computers utilizing many operating systems (Criterion D, not biased) and maintained their security for a number of years (Criterion A, sufficiently expert in area). Even YOUR cited expert who found the "flaw" in OS-X, William Carrel, congratulated Forno for his deconstruction of the rant in PC-World and many other computer security experts have noted Unix and its derivative systems as being exceptionally secure (Criterion C, agreement amoung experts).

Ergo, Mr. Richard Forno, has successfully met all of the standard criteria to be considered an expert in his field of Computer Security and his opinion on the subject should be given great weight. On the other hand, Mr. Bush2000, has met none. Quod erat demonstrandum.

But, as I pointed out, his organization[No, Bush, READ the article... it is his FORMER organization] (the one-time solitary guardian of the Internet's domain name registry) was badly hacked [NO, AGAIN! It is a sub-contractor, which by definition is a totally seperate entity], which calls his judgement, competence, and credibility into question. [Once AGAIN, NO, it calls YOUR ability to read and comprehend into question!] That's the problem with putting your faith in so-called "authorities".

You're not seriously now trying to argue that your vaunted source -- Richard Forno, [EX-]Chief Security Officer -- didn't know about or approve of this architecture, are you? [Why, yes I am, Bush. Why should his FORMER employer keep him informed of their errors of judgement? If you could read, you would have noticed he CRITICIZED his former employers for making such a decision!] He should have known Using ESP perhaps?]how these machines were being deployed, what OS was being used, etc -- and if he didn't, then he wasn't much of a Chief Security Officer, was he? [Thus speaks the absolutely PERFECT, Bush2000, who believes that he has never made an error ... except for his posts which are rife with errors... and who must believe that anyone who has ever made an error can never, ever again be relied upon.]

Again, you are hoist on your own Petard of ignorance, Bush2000.

It has now become obvious that needing a brain tumor removed YOU, because you don't trust "authority' or "experts", would select the local barber to do your surgery. After all, the barber has never lost a customer while performing brain surgery!