Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

Apple and Microsoft get trashed by hackers again
The Inquirer (not the tabloid) ^ | 25 Mar 2010 | Nick Ferrel

Posted on 03/27/2010 11:48:17 AM PDT by for-q-clinton

DESPITE THE RABID CLAIMS of Apple fan boys that its software is more secure than anything else on the market, Jobs' Mob products were the first to be trashed again at a Pwn2Own hacking competition.

In fact flaws in the Iphone OS and zero-day vulnerabilities in Apple's Safari 4 web browser made a mockery of Apple's advertising.

Flaws were also found in Mozilla Firefox and Internet Explorer 8 but apparently hackers had some trouble getting around exploitation mitigations in Windows 7, although eventually they did.

Vincenzo Iozzo and Raif Weinmann were the first to successfully hack a mobile device, exploiting a flaw in the Iphone Safari browser to run SMS messages to a remote web server.

Researcher Charlie Miller, principal security analyst at Independent Security Evaluators, quickly exploited a vulnerability in the desktop version of Safari running on Mac OS X. He won $10,000 for the exploit, which was one of 20 zero-day bugs that Apple fanbois deny exist in OS X.

Miller's exploit opened up a remote shell, which he accessed and was able to run any malicious code he wanted. We guess it just worked!

Miller has said in the past that he is unhappy with Jobs' Mob's secure software development processes. While he will be telling them that the flaw that won the competition for him, he will be sitting on the other 19. Perhaps it will act as an incentive for Apple to get off its lazy arse and develop a security policy with some meaning rather than screwing around with punters while at the same time insisting they are safe.

Miller said discovering the 20 zero-day vulnerabilities took him only three weeks using three computers, so who knows what he would have found if he had kept looking.

Microsoft's Internet Exploder 8 eventually got turned over and Peter Vreugdenhil managed to get past its insecurity mitigation technologies. The flaw can be exploited if a user browses to a malicious website.

Fireferret was also successfully exploited by bypassing ASLR and DEP.

UK-based MWR Infosecurity targeted a memory vulnerability. It started a calculator on a laptop running Windows 7.

The most secure web browser out there was Google's Chrome 4 running on Windows 7.

No one bothered to take down Google's Nexus One, a RIM Blackberry Bold 9700 or a Nokia E72 device running Nokia's Symbian OS.


TOPICS: Crime/Corruption; Miscellaneous; News/Current Events
KEYWORDS: apple; hack; osx; spam; spamattack; spammityspam; spamtheforum; windows
Navigation: use the links below to view more comments.
first 1-5051-71 next last
Wow it appears as if Windows 7 and IE8 were actually harder to hack then OSX with Safari 4.

Very interesting. Has Mac finally gotten enough of a userbase to make it worth attacking? If so, I can see a ton of Apple zealots eating a lot of crow. Well technically they should already be eating it.

Bottomline: All software is vulnerable and security by obscurity isn't security at all.

1 posted on 03/27/2010 11:48:17 AM PDT by for-q-clinton
[ Post Reply | Private Reply | View Replies]

To: ShadowAce; Swordmaker

ping


2 posted on 03/27/2010 11:49:02 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 1 | View Replies]

To: for-q-clinton

Macbots in 3...2...1...


3 posted on 03/27/2010 11:59:36 AM PDT by JRios1968 (The real first rule of Fight Club: don't invite Chuck Norris...EVER)
[ Post Reply | Private Reply | To 1 | View Replies]

To: JRios1968

Nope. I had some other threads and they are staying miles away from these threads. They are either too busy eating crow or are too distraught to post/read as their savior Steve Jobs has let them down and lied to them.


4 posted on 03/27/2010 12:01:05 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 3 | View Replies]

To: for-q-clinton
Apple/Mac software has always been as hackable as anything else including Windows,

It's the target, not the OS, that decides the “popularity” of the victims.

With Apple holding a relatively small base of users vs. Microsoft and those users with few exceptions mainly using it for personal, or in the area of business, creative use, they were a small target economically or otherwise.

5 posted on 03/27/2010 12:01:26 PM PDT by ejonesie22 (Palin bashers on freerepublic, like a fart in Church...)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ejonesie22

Exactly. So I wonder if Windows is really a much more secure platform now? I know MS has put a lot of time and money into improving their platform and their patching process.

Can apple’s update cycle match that of Microsoft’s?


6 posted on 03/27/2010 12:04:29 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 5 | View Replies]

To: for-q-clinton
If they can leverage the same server and bandwidth power for updates as they do I-Tunes, sure.

As far as secure, every OS goes through vulnerability cycles during it's life time, with the lowest most secure points being right before it goes End of Life of course.

Windows 7 does show MS first real effort at starting out secure. As it remains out on the market vulnerabilities will be exposed, it be less secure than competitors for a bit, get patched be more secure, etc. etc.

7 posted on 03/27/2010 12:10:50 PM PDT by ejonesie22 (Palin bashers on freerepublic, like a fart in Church...)
[ Post Reply | Private Reply | To 6 | View Replies]

To: for-q-clinton

What’s a “apple”?


8 posted on 03/27/2010 12:11:30 PM PDT by Huebolt (Some people are born to be slaves. They register as democrats.)
[ Post Reply | Private Reply | To 6 | View Replies]

To: Huebolt

The company that makes iPhone, Mac OSX, iPad, etc...


9 posted on 03/27/2010 12:14:20 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 8 | View Replies]

To: for-q-clinton

10 posted on 03/27/2010 12:27:02 PM PDT by James C. Bennett
[ Post Reply | Private Reply | To 1 | View Replies]

To: for-q-clinton

I’m sure that this is a dumb question, but how does one know he has been hacked.

All my Macs seem to be working as usual.


11 posted on 03/27/2010 12:27:23 PM PDT by basil (It's time to rid the country of "Gun Free Zones" aka "Killing Fields")
[ Post Reply | Private Reply | To 1 | View Replies]

To: for-q-clinton

This will be fun to see Swordmaker and the other Macbots or FR spins this one.


12 posted on 03/27/2010 12:50:18 PM PDT by Blue Highway ("Judge me by the people with whom I surround myself" Barack Obama, Oct 15, 2008 Presidential debate)
[ Post Reply | Private Reply | To 1 | View Replies]

To: for-q-clinton

Swordmaker and ANtirepublicrat will be here but they will spin it. Wait for it...


13 posted on 03/27/2010 12:51:07 PM PDT by Blue Highway ("Judge me by the people with whom I surround myself" Barack Obama, Oct 15, 2008 Presidential debate)
[ Post Reply | Private Reply | To 4 | View Replies]

To: for-q-clinton

No, Windows isn’t a “much more” secure platform now.

One of the problems with these sorts of “analysis” by bystanders to computer security is that they don’t ponder the question of “what would happen if Charlie Miller decided to go after Windows?”

Let’s back up a sec. Charlie Miller worked for the NSA for five years. That sort of experience gives him a big leg up on many DIY hackers in that the NSA has a large internal base of experience on cracking systems of all sorts. Let’s just say that it is obvious that Miller learned a trick or two in his time at Ft. Meade.

Why is Miller focusing on OS X? Because he analyzed the contest and took the path which offers him the highest probability of getting the $10K payoff. There aren’t that many hackers looking at the Mac as an attack target, but there are a bunch of hackers who have looked at Windows, and a few more than the Mac who go after Unix-variant systems because they’re used as servers and back ends. Fewest competitors means highest probability of winning the contest and taking home some cash.


14 posted on 03/27/2010 1:03:36 PM PDT by NVDave
[ Post Reply | Private Reply | To 6 | View Replies]

To: James C. Bennett
27" iMac
15 posted on 03/27/2010 1:18:47 PM PDT by doc11355
[ Post Reply | Private Reply | To 10 | View Replies]

To: for-q-clinton
I am not a 'fanboy' of either Apple or MS. Taking an objective stance in this MS vs. Apple (and Linux) battle is quite liberating as I'm not married to any of the above.

As a student of info security issues (and a certification at the moment), I understand that hackers will target what feeds their need. That need might be money, fame (infamy), or any other impetus. Because that is the case, as the number of systems of a certain operating system/application increases, the risk increases.

There is NO such thing as a completely secure system unless it is powered off, smashed to pieces, and buried in the backyard.

16 posted on 03/27/2010 1:29:22 PM PDT by DesertSapper (God, Family, Country . . . . . . . . . . and dead terrorists!!!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: NVDave

So you are claiming Charlie Miller is the best hacker in the world and that he dwarfs all Windows hackers?

Get real. He’s a very good hacker but not the best. And he’s targeting OS X because Steve Jobs has been lying about their security and it’s footprint is now big enough worthy of a respsonse to protect its users. The NASA angle is stupid. I know many people that have worked for NASA, most are pretty smart, but not extremely smart. In most cases my IQ was higher than theirs (when that subject came up). So I’m not sure what working at NASA has to do with anything.

But you’re right there are a lot more script kiddies exploiting old vulnerabilities in windows than in OS X.


17 posted on 03/27/2010 1:43:06 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 14 | View Replies]

To: for-q-clinton
>"Jobs' Mob products were the first to be trashed again at a Pwn2Own hacking competition. "

What? WHAT? Say it aint so, Steve, you little Liberal Prick.


18 posted on 03/27/2010 2:43:05 PM PDT by scoobysnak71 (I'm light skinned with no negro dialect. Could you milk me?)
[ Post Reply | Private Reply | To 1 | View Replies]

To: for-q-clinton

No, I’m not. And thanks for erecting such a fabulous strawman.

I read Miller’s reasons (which he openly disclosed) about why he’s targeting OS X and Safari a couple years ago when he started. It was as I said: He’s looking for the highest probability of getting the payoff - this is a contest, after all, with a tidy cash prize.

WTF are you talking about “NASA?” I said “NSA” - not “NASA.”

If you are at a level where you conflate the NSA with NASA, then you know nothing about computer security.


19 posted on 03/27/2010 2:43:56 PM PDT by NVDave
[ Post Reply | Private Reply | To 17 | View Replies]

To: NVDave

I misread your NASA point, but I too know people in NSA and once again the same argument holds true there as well ;-)

Typically it’s a few extremely bright people and then a lot of smart people who take that and put the message out.


20 posted on 03/27/2010 2:53:09 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 19 | View Replies]

To: NVDave

Must have been that graphic right below your post that had my mind translate NSA to NASA.


21 posted on 03/27/2010 2:54:20 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 19 | View Replies]

To: NVDave

He’s smarter than your average 5th grader.


22 posted on 03/27/2010 3:24:09 PM PDT by Shimmer1 (It wasn’t “hope and change” it was “rope and chains”. Y'all just misheard him.))
[ Post Reply | Private Reply | To 19 | View Replies]

To: for-q-clinton; NVDave
Must have been that graphic right below your post that had my mind translate NSA to NASA.

Maybe it's because you have a higher IQ than most of the people at NASA and NSA?

: )

23 posted on 03/27/2010 3:56:49 PM PDT by UCANSEE2 (The Last Boy Scout)
[ Post Reply | Private Reply | To 21 | View Replies]

To: UCANSEE2

Touche. I was asking for that. But I can’t lie about the facts and I do worth with people from NSA all the time in my line of work.


24 posted on 03/27/2010 4:12:31 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 23 | View Replies]

To: for-q-clinton

It’s time for me to take a break. Worth = work.


25 posted on 03/27/2010 4:13:03 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 24 | View Replies]

To: for-q-clinton

That is partly true.

In my interaction with them while I worked at cisco, I found them to be very capable people, who thought about security in very non-conventional ways.

They told us, for example, that our first VoIP phone set had a mic and a cradle for the handset that made it a “nearly ideal” whole-room bug with a little tweeking of the code. They weren’t content to simply intercept phone calls - they were able to download their own code to the device and turn it into a very nice bug for a room.

Then they told us that they could tell what code and data was running in a router - a device that is contained within a completely shielded aluminum box (for FCC certification, don’t you know) by remotely “listening” to emissions from the bus.

I’ve not yet seen that sort of sophistication in the “private sector” of hacking.


26 posted on 03/27/2010 4:34:59 PM PDT by NVDave
[ Post Reply | Private Reply | To 20 | View Replies]

To: DesertSapper

As someone who quit the tech industry over (in part) the white-wash that is “security,” I’ll offer this observation:

The single biggest impediment to real security are users.

Real security requires constant vigilance and (to use a somewhat ‘extreme’ description of behavior) paranoia. In the online world, yes, there are people who “out to get you.” All the time, every day, on every platform, for all manner of reasons.

When we in the computer hardware/software/networking industries try to impose some “mandated” security, all we get is a ration of crap from users.

I’ll give you an example: automatically enforced password changes. This is so simple to implement, yet yields such a big payback, you’d have to wonder “Why aren’t automatic password changes enforced all over corporate systems?” Well, because the users howl when you force them to change passwords. They come up with all manner of silly reasons why they can’t remember a new password.

Of course, any hacker worth their salt knows that the easiest line of attack on a multi-user system (and on laptops with passwords) is you try the name of the users: spouse, kid, pet dog, mother, father, etc. IN a guess chain of about 5 passwords, you’re into at least a third of accounts.

Let’s take browser security as another example, but switch our focus to development groups: Java was created by Sun’s engineers to be pretty secure. In the original design of Java, they put a LOT of effort into security.

But instead of working with Sun to make Java the standard client-side scripting language in browsers, Netscape created what is today called “JavaScript” (never mind the “Java” part of “JavaScript” - it resembles Java in only superficial ways). Java is a lot more secure than JavaScript.

Look at MS’s stubborn adherence to “active content” - the idea that you can receive a email message or surf to a web page and the message or page can cause things to execute on your computer. This is a security hole so big you can drive a M1 Abrams through it. MSFT has added one slap-dash change on top of other slap-dash changes in this idea - when the most secure thing to do would be eliminate it entirely. MSFT wants to keep their “active content” as a sales feature, and many users now want active content because it means you can have pretty dumb users. Consider the Windows Update script and how powerful it is. You can have your users just surf to the proper URL and the user’s computer is then updated. No training necessary, the scripting does everything. The solution to this would be to require users to bridge the gap between content downloading and execution. People don’t want to do it.

Lastly, let’s talk about programmers/engineers. They’re HARDLY blameless here for their slothful attitude towards security. What is the predominate programming language today? C and its successor, C++.

Having people write large, critical applications in C is like giving kids amped up on Jolt cola a handgun with which to play their shoot-em-up video games.

Having people write large, critical applications with C++ is like giving them a couple of pounds of high quality Peruvian Marching Dust and a squad automatic weapons. The results are predictable.

Could programmers create secure s/w in C/C++? Sure - with a GREAT deal of attention to detail. A faster way of getting programmers to think about security and reliability by enforcement would be to have them start writing software in Ada or a similarly strongly-typed language, or some programming environment that encourages or imposes constraint-based programming. Ah, but having the compiler or environment “enforce” good, consistent tight programming practice gets all manner of belllyaching from programmers - so we don’t do it until it is an application where people will almost certainly die from programming mistakes.

As you said, we can’t achieve a “completely secure system” - but the gap between where we are and a “reasonably secure system” is huge - and largely one of choice that we’d rather be standing on this side of the canyon with those who want to pillage and plunder because it is more convenient.


27 posted on 03/27/2010 5:26:32 PM PDT by NVDave
[ Post Reply | Private Reply | To 16 | View Replies]

To: ejonesie22
"If they can leverage the same server and bandwidth power for updates as they do I-Tunes, sure."

The last few attempts at placing viruses on my daughter's laptop via the internet came through iTunes.

28 posted on 03/27/2010 5:31:20 PM PDT by Mad Dawgg (If you're going to deny my 1st Amendment rights then I must proceed to the next one...)
[ Post Reply | Private Reply | To 7 | View Replies]

To: NVDave

THEY could make it so that remote takeover of your operating system was impossible.

However, that would mean THEY couldn’t take remote control of your operating system.

That is the quandary.


29 posted on 03/27/2010 5:39:42 PM PDT by UCANSEE2 (The Last Boy Scout)
[ Post Reply | Private Reply | To 27 | View Replies]

To: Mad Dawgg

My good computer was made into a paperweight by Windows updates.


30 posted on 03/27/2010 5:43:02 PM PDT by UCANSEE2 (The Last Boy Scout)
[ Post Reply | Private Reply | To 28 | View Replies]

To: NVDave

It’s funny you mention that. I swear the chicoms have a mic bug on my lenovo thinkpad. When I put on my headphones I can hear the feedback of the onboard mic through the headphones. My airplane noise cancelling headphones don’t work because the white noise is fed back through the built in mic. And it even does it when I even have the built in mic disabled. I truly do wonder if they have another inline mic set to capture room sound and they can control it if needed.

I know some people will place a cut mic jack in their PCs to prevent any snooping but I think my thinkpad will still capture sound if that is done. If I wanted to waste the money I’d crack it open and do some internal diagnostics. You know that would be a pretty big news story to find out if my lenovo thinkpad had a mic bug in it.


31 posted on 03/27/2010 9:56:56 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 26 | View Replies]

To: ~Kim4VRWC's~; 1234; 50mm; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; ...
Charlie Miller does it again with another prepared exploit... wins the Pwn2Own black hat contest by hacking into OSX... PING!


Mac OSX Security Ping!

If you want on or off the Mac Ping List, Freepmail me.

32 posted on 03/28/2010 2:28:49 PM PDT by Swordmaker (Remember, the proper pronunciation of IE isAAAAIIIIIEEEEEEE!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker

Yawn. They are ever so hopeful. Rigged tests usually get the result you’re looking for.


33 posted on 03/28/2010 2:35:09 PM PDT by big'ol_freeper ("Anyone pushing Romney must love socialism...Piss on Romney and his enablers!!" ~ Jim Robinson)
[ Post Reply | Private Reply | To 32 | View Replies]

To: Swordmaker

after 28 years of never using any virus software, or being hacked, am I now supposed to worry?

using Macs to run our business, with no IT expenses, since 1982 (this li’l uneducated mom of 4 being to “go-to” girl), is it now time to get “skeered”?


34 posted on 03/28/2010 2:42:46 PM PDT by jacquej
[ Post Reply | Private Reply | To 32 | View Replies]

To: for-q-clinton

Lifetime Mac user. No virus software ever. The only problem I ever had was a MS Word macro virus. Get back to me when something actually makes it out into the wild on Apple computers and causes the same kind of problems that have been endemic on MS products from day one. I don’t care about any underlying reason.


35 posted on 03/28/2010 3:31:14 PM PDT by Locomotive Breath
[ Post Reply | Private Reply | To 1 | View Replies]

To: big'ol_freeper

How was it rigged?


36 posted on 03/28/2010 3:56:59 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 33 | View Replies]

To: for-q-clinton

Where are the details on the exploit? Did anything other than Safari get corrupted on the Mac?


37 posted on 03/28/2010 4:09:17 PM PDT by LeGrande (The government wants to make a new Government program (Health Care) to fix Medicare and Medicaid.)
[ Post Reply | Private Reply | To 36 | View Replies]

To: LeGrande

What I was wondering.


38 posted on 03/28/2010 4:17:09 PM PDT by Mr. Blonde (You ever thought about being weird for a living?)
[ Post Reply | Private Reply | To 37 | View Replies]

To: Swordmaker
Hey Swordmaker, thanks for the ping.

Re: Anti-virus... Do you have an estimate of how many Macs are currently active on the internet? I know it's over 30,000,000, and probably over 40,000,000; has it hit 50,000,000 yet?

Reason I ask is that sooner or later the number of Macs is going to cross a threshold -- you know, that elusive magic number -- where the virus writers get interested enough to start writing viruses for OS-X, and Macs will have to start running anti-virus software.

Given that a successful botnet only requires perhaps 50,000 machines, and a million machines is considered huge, and virtually NONE of the Mac users have any anti-virus protection, and they're all running with administrative-level privilege, and they're mostly non-technical types who are NOT behind company firewalls, just cheap consumer NATs... I mean, that is such a ripe garden for picking... A thousand botnets worth of totally unprotected machines...

It puzzles me that the virus writers are so blind as to not seize that opportunity. Not one has done so, in many years of OS-X being out there in sufficient numbers. Mind-boggling.

Well, hopefully now that Charlie Miller has shown how trivial it is to crack OS-X (that was the point of the article, I think), I expect to see the new wild viruses rolling out any minute now. A dozen or so successful public in-the-wild self-replicating viruses would go a long way toward strengthening the rather weak "lack of popularity" and "security by obscurity" arguments.

Meanwhile, I now have Win7 on all my Win7 boxes in place of XP, and like it a lot -- use it all day, day after day, no reboots -- very stable. But I discovered that I still need XP for compatibility with some older apps, so I cranked up Win7's "XP Mode", which works really well -- very seamless. But then I realized I had to install antivirus in the XP-Mode guest virtual machine in addition to the antivirus in the Win7 host machine. That's a little frustrating. Two copies of anti-virus on one Windows box, and none on my Mac or Linux or Unix machines.

You know, if I worked for an anti-virus company, I'd post a reward, say $10,000 and a free Mac, to the first virus writer who uses Charlie Miller's (or any other) exploits to create and release a viable self-replicating OS-X virus. Anonymously, of course. Just to stir the pot a little, drum up some business... ya know.

Anyway, if you happen to know the number of active Macs, I'd be interested. If you want you can just FReepmail me a link or something. Thanks!

39 posted on 03/28/2010 7:34:34 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
[ Post Reply | Private Reply | To 32 | View Replies]

To: Blue Highway; for-q-clinton; Swordmaker

We’ve said before, any computer can be exploited. The questions are how easy is it to package the exploit for mass effect, and how much damage you can do once you get in. But, alas, we’re still waiting for the in-the-wild viruses and worms taking down any decent number of Macs. They do tend to remain in the lab. Also still waiting for the Mac botnets.

And, no, don’t bring out the failed numbers argument. Successful viruses have been written to specifically target systems with a far lower installed base than OS X’s 30 million, more like in the thousands.


40 posted on 03/28/2010 10:15:30 PM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 13 | View Replies]

To: dayglored
Anyway, if you happen to know the number of active Macs, I'd be interested. If you want you can just FReepmail me a link or something. Thanks!

It's a little under 50,000,000 right now... but that probably will be changing rapidly.

41 posted on 03/29/2010 4:02:27 AM PDT by Swordmaker (Remember, the proper pronunciation of IE isAAAAIIIIIEEEEEEE!)
[ Post Reply | Private Reply | To 39 | View Replies]

To: antiRepublicrat
And, no, don’t bring out the failed numbers argument. Successful viruses have been written to specifically target systems with a far lower installed base than OS X’s 30 million, more like in the thousands.

OSX passed the 30 million mark three years ago... and Apple has been selling approximately 10 million a year since then... Allowing for retirement and destruction of replaced machines, the current estimate is a little under 50,000,000 OSX Macs in operation.

42 posted on 03/29/2010 4:04:55 AM PDT by Swordmaker (Remember, the proper pronunciation of IE isAAAAIIIIIEEEEEEE!)
[ Post Reply | Private Reply | To 40 | View Replies]

To: for-q-clinton

One usually has to go to MSDNC to see this kind of quality reporting. Long on opinion, short on facts. Fact - many systems were beaten. Which took the longest - can’t really tell. Which leave users most vulnerable - again, can’t really tell. If nothing else, I hope the authors ax is now sharp...


43 posted on 03/29/2010 5:46:03 AM PDT by LearnsFromMistakes (Yes, I am happy to see you. But that IS a gun in my pocket.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: LearnsFromMistakes
took the longest - can’t really tell.

I read that Mac OS X with Safari was the first to be beaten (at least of the computer type systems...iPhone may have been actually the first though).

44 posted on 03/29/2010 5:59:24 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 43 | View Replies]

To: for-q-clinton

http://tech.blorge.com/Structure:%20/2008/03/28/macbook-air-slain-first-in-hacking-competition-os-x-not-os-god/

A little more info at this link. Not sure why they aren’t including more detail, nerds eat this stuff up...


45 posted on 03/29/2010 6:04:24 AM PDT by LearnsFromMistakes (Yes, I am happy to see you. But that IS a gun in my pocket.)
[ Post Reply | Private Reply | To 44 | View Replies]

To: LearnsFromMistakes
One usually has to go to MSDNC to see this kind of quality reporting. Long on opinion, short on facts. Fact - many systems were beaten. Which took the longest - can’t really tell. Which leave users most vulnerable - again, can’t really tell. If nothing else, I hope the authors ax is now sharp...

Yup. What I'd be most interested in learning is if any of the attacks elevated the attacker's privs to allow them to actually install software or (silently) make changes  to the existing configuration.  If it's just an overflow that crashes a browser, that's one thing. If it allws for the installation of a trojan, that's completely different. These are the types of details that would make the article actually informative, rather than just a pithy opinion piece.

Regarding it time involved for the hack, in this type of scenerio, it is really meaningless as these people come with prepared scripts and/or websites to exploit previously discovered defects. OTOH, if it takes someone 10 minutes from the start of the attack to the successful exploit, that would generally indicate the attack is impractical from an autmataed attacker's perspective.



46 posted on 03/29/2010 7:08:43 AM PDT by zeugma (Proofread a page a day: http://www.pgdp.net/)
[ Post Reply | Private Reply | To 43 | View Replies]

To: Swordmaker; for-q-clinton; LearnsFromMistakes
re: which system was compromised the quickest...

These speed competitions are exciting, and make a lot of splash, but aren't all that useful for system comparisons. Any system can be compromised, given physical access to the machine. Every system.

We all realize that in a speed competition like this, it's really about how prepared the hacker is, how quickly their script runs, etc. The simplicity or complexity of the exploit has little to do with it, since these are all scripted and practiced ahead of time. The time it takes to execute actually has very little relevance to the relative security of the system -- ANY compromise is a compromise. And every system can be compromised if you have physical access to it.

Almost every existing real virus is based on OLD exploits, in systems that aren't patched, or whose operators allow them to be compromised. Very few real viruses are based on recently discovered exploits, and those that are, are extremely newsworthy.

Speaking as a life-long (58, since 1970) computer professional with decades of experience in ALL these systems, a more meaningful speed/time-releated measurement would be this:

Starting at the date/time of the competition, how long will it take for the successful exploit to be realized in a self-replicating virus?
Right? Otherwise, who gives a damn? Seriously. We all know and agree that every system has flaws and can be compromised given physical access to the machine. What matters is whether it can be realized as a virus that can travel.

In that regard, Win7, OS-X, Linux, BSD, are all quite robust these days, and improving.

Anything less than a self-replicating virus is just wanking in the laboratory, and some marketing-driven contrived competitions based on having physical access to the box. Exciting? Sure. Meaningful? Not so much. Let's not confuse this sideshow with reality, which is tens of millions of computers in the wild, not one computer in a lab.

47 posted on 03/29/2010 7:17:15 AM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
[ Post Reply | Private Reply | To 44 | View Replies]

To: for-q-clinton
let's see...

1. Apple fanbois (in article itself)

2. Apple zealots (in post #1)

3. Macbots (#3)

4. Swordmaker and the other Macbots (Specifc mention of fellow freeper at post #12)

So. We have 46 posts. 4 insults to people who use Apple computers. One aimed specifically at a fellow freeper. Zero similar insults aimed at MS-Windows users.

48 posted on 03/29/2010 7:24:23 AM PDT by zeugma (Proofread a page a day: http://www.pgdp.net/)
[ Post Reply | Private Reply | To 1 | View Replies]

To: LearnsFromMistakes
Thanks for the link. There was a little more information, but it was still long on rhetoric, and short on details.
49 posted on 03/29/2010 7:26:22 AM PDT by zeugma (Proofread a page a day: http://www.pgdp.net/)
[ Post Reply | Private Reply | To 45 | View Replies]

To: for-q-clinton
I read that Mac OS X with Safari was the first to be beaten (at least of the computer type systems...iPhone may have been actually the first though).

That means absolutely nothing... As I understand the rules, the time slots are drawn by lots except that last year's winner, if he is competing, always gets the first shot. Charlie Miller has been the winner for the last four years. That means that since Charlie Miler has the first 15 minute slot to make the first attempt. The rest have to wait their turn. Ergo, since he was up first, and he made his attempt at OSX, it got beaten first.

50 posted on 03/29/2010 2:25:45 PM PDT by Swordmaker (Remember, the proper pronunciation of IE isAAAAIIIIIEEEEEEE!)
[ Post Reply | Private Reply | To 44 | View Replies]


Navigation: use the links below to view more comments.
first 1-5051-71 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson