I posted this as a comment in a friend's entry about it and figure I may as well post it as a regular journal entry:
I saw that and I said, "Ah man, here it comes... people are going to go on and on about how OS X is the most insecure.. we'll never hear the end of this".
Well here's the thing.. just because that hacker had a ready-baked exploit for Safari doesn't make OS X the most vulnerable. They made it seem like he only did it in 2 minutes (on day 2) when in fact he already spent lots of time cooking that up. So it was more like, hacked in X hours\weeks plus 2 minutes to run it.
Also, like in QuickTime, it's applicable to wherever Safari is. Apple is already patching it. It also doesn't automatically mean there are tons of viruses and malware out there waiting for Mac users. On the one hand I'm not complacent but on the other hand I don't think the sky is falling. It wouldn't be such a big deal if it was a common occurrence in OS X just like all those patches for Windows.
Some people think the only way to be safe is to not get on the 'net. That's the same as saying the only way to have personal safety is to not leave the house. They haven't even revealed the details of said "hack". Most things like that have required that you run it and authorize it. You still can't hack it over the network and you have to be logged in.. probably with an administrator account.
Now show me an article about a massive privilege escalating worm infection on OS X. Then I'll run around and proclaim the sky as fallen. Of course like with the games thing yesterday this has brought the Mac haters out in full force. Some are even thinking that you can send a rogue .exe to a Mac user and pwn them.. never mind the fact that OS X isn't compatible with .exe's.
So yeah no system is completely invulnerable but some still have more viruses\malware\spyware than others... and generally, on OS X you don't have to worry about getting viruses.
Note: Recently there has been an advisory issued that sounds a bit like what happened.
On the other hand things like this are good because it makes things like that more visible and thus patched sooner.
I like this comment by Neil Alexander at The Register:
"The competition is made up of three computers that are as close to factory defaults as possible? Doesn't anyone realise that a very large percentage of security holes on computers come from software that users voluntarily install?
http://www.theregister.co.uk/2008/03/27/buggy_flash_menace/
http://www.theregister.co.uk/2008/03/12/march_patch_tuesday/
http://www.theregister.co.uk/2008/02/25/vmware_critical_vuln/
http://www.channelregister.co.uk/2008/03/27/firefox_security_flaws_update/
http://www.theregister.co.uk/2008/02/11/adobe_reader_exploit/
And in my opinion, even with computers that are at factory default, having a user click a link doesn't really count as hacking per se. Let's face it; the typical person is going to be connected through one of:
1) wireless networks with no port forwarding by default;
2) other routed networks with no port forwarding by default;
3) GPRS/EDGE/3G/HSDPA networks with no port forwarding by default;
4) a firewall.
In this case, what does it matter if a port is opened here or there? There aren't really that many standard modems in use anymore where you are completely externally exposed, and if you are stupid enough to be using one without a firewall, or if you are stupid enough to permanently have your router/gateway set to DMZ, you are asking for trouble. If you are stupid enough to allow a hacker onto your LAN, ...
If a hacking competition is based on the idea that someone is going to have to physically walk up to your computer and stick a crossover cable in the side of it to do any real harm, then the competition is sorta flawed. In that case, I would be more concerned about someone breaking into my house rather than "hacking" my computer.
Similarly, a competition where people have had the time to orchestrate their attack and just execute it when they get there is equally flawed.
I'm a Mac user day-to-day. I don't believe that the system is completely secure, which is why I keep my firewall up, regularly install updates and security patches and don't set myself up for trouble. At the same time, I don't expect everything I install to be completely secure. I have had previous Windows computers that have been infected with viruses before my first logon after a fresh reformat and reinstall (just by being connected to a LAN during setup). But at the same time, I've also had Windows installs in the past that have been flawless for as long as they have been in use. Computers are inherently insecure, regardless of your operating system.
Okay, yeah. So the MacBook got beaten first, and now this has happened, the playing field is leveled a bit. The moral of the story is "use your firewall, install your updates and don't click links you don't trust". Now will the Windows or anti-Mac zealots please stop with the "take this, fanboys!" attitude? Your operating system is not perfect either, yet I do not waste my time bashing your system. Get back to me when it is and then I might be less tempted to gouge out your eyes with a screwdriver.
It seems the word "hacking" is vastly misunderstood these days."
Quote from TUAW: "The exploit was pre-coded by Miller, and two other co-workers from Independent Security Evaluators. It took several weeks to code, but isn't as headline grabbing as saying it fell in two minutes...."