
Apple Becomes First Victim in Hacking Contest

Tony Meyer - 01:36am Apr 1, 2008 PST

One of the main flaws in the reasoning (which you see in many places)
that because the MacBook Air was 'pwned' first, it was particularly
vulnerable is that the attacker gets to keep the computer that they
'pwn'. It is entirely possible that the MacBook Air was more
desirable than the VAIO or the Fujitsu (who even knew that Fujitsu
make laptops?) and so a significantly larger amount of time was spent
trying to find vulnerabilities for the MacBook than the other two
systems.

(If you want to compare *operating system* vulnerability, then you
really ought to take hardware differences out of the equation. If you
want to do any comparison like this, then the prize for winning ought
to be the same no matter which one is broken).

It's an interesting contest, sure, but without more information (which
is impossible to gather, since you don't know how many people looked
into participating and didn't), you can't draw any meaningful data
from it.

Cheers,
Tony



John C. Welch (apparently) - Apr 1, 2008 9:23 am (#1 Total: 10)  

Re: Apple Becomes First Victim in Hacking Contest

On 04/01/2008 03:36 AM, "Tony Meyer" <tony.meyergmail.com> wrote:

> One of the main flaws in the reasoning (which you see in many places)
> that because the MacBook Air was 'pwned' first, it was particularly
> vulnerable is that the attacker gets to keep the computer that they
> 'pwn'. It is entirely possible that the MacBook Air was more
> desirable than the VAIO or the Fujitsu (who even knew that Fujitsu
> make laptops?) and so a significantly larger amount of time was spent
> trying to find vulnerabilities for the MacBook than the other two
> systems.
>
> (If you want to compare *operating system* vulnerability, then you
> really ought to take hardware differences out of the equation. If you
> want to do any comparison like this, then the prize for winning ought
> to be the same no matter which one is broken).

That line of reasoning is rather specious, and still means nothing when you
compare it to the fact that it took almost no time to hack into the OS via
the browser.

Where have we heard of this before?

Oh yeah, Windows *XP* five years ago. Apple does have a cavalier way of
dealing with security, and it does bite them in the keister on a regular
basis. They're just going to have to eat that big helping of crow they got
served in this, and maybe learn from it.

--
John C. Welch


Lewis Butler (apparently) - Apr 5, 2008 1:03 am (#2 Total: 10)  

Re: Apple Becomes First Victim in Hacking Contest

On 1-Apr-2008, at 10:23, John C. Welch wrote:
> That line of reasoning is rather specious, and still means nothing
> when you
> compare it to the fact that it took almost no time to hack into the
> OS via
> the browser.

Trouble is, we don't know anything about the test, about the exploit,
about what he was able to direct the person on the other end to do,
nothing.

We don't know when or even if anyone made an attempt on the other
laptops, how many people were trying total... in short, we know
absolutely nothing about this that we could draw any conclusions from.

> Oh yeah, Windows *XP* five years ago. Apple does have a cavalier way
> of
> dealing with security, and it does bite them in the keister on a
> regular
> basis. They're just going to have to eat that big helping of crow
> they got
> served in this, and maybe learn from it.


Depending on how much stupidity was required on the part of the
operator, sure. I'm reserving judgement until I know -something-
worth knowing.

The only thing I know from this is that Vista is more secure out of
the box than XP, since the last time I heard of one of these tests, XP
was pwned (a technical term) WITHOUT operator intervention. Plug it
into the net and you're infected, taken over, and have belonged all
your bases to us.

infonauts - Apr 5, 2008 2:36 am (#3 Total: 10)  

Re: Apple Becomes First Victim in Hacking Contest

This is such a fraud.  As Daniel Eran Dilger pointed out in his blog, the deck was stacked against Apple, and the results pretty meaningless:
 

Norman Potter

233 Corrie

Waterloo, Ontario


johnbaxterlists (apparently) - Apr 6, 2008 2:27 am (#4 Total: 10)  

Re: Apple Becomes First Victim in Hacking Contest

On Apr 5, 2008, at 1:03 AM, LewisGmail wrote:
> On 1-Apr-2008, at 10:23, John C. Welch wrote:
>> That line of reasoning is rather specious, and still means nothing
>> when you
>> compare it to the fact that it took almost no time to hack into the
>> OS via
>> the browser.
>
> Trouble is, we don't know anything about the test, about the exploit,
> about what he was able to direct the person on the other end to do,
> nothing.
>
> We don't know when or even if anyone made an attempt on the other
> laptops, how many people were trying total... in short, we know
> absolutely nothing about this that we could draw any conclusions from.


One thing we do know is that the structure of the contest favored
concentrating on the MacBook Air first: you're the first to hack it,
you take it home.

The contest is run sensibly, with a non-disclosure pending closure of
the exploited hole by the supplier. Apple and the Windows folks,
probably both the vendor and Microsoft, have been fully notified of
the details of the exploits.


>
> The only thing I know from this is that Vista is more secure out of
> the box than XP, since the last time I heard of one of these test, XP
> was pwned (a technical term) WITHOUT operator intervention. Plug it
> into the net and you're infected, taken over, and have belonged all
> your bases to us.

XP with SP2 installed is much better than earlier XP in that regard.
Most of the "come in via open ports stuff" is closed in SP2, simply
because the XP firewall is on by default out of the box.

(Vista remains better than XP as you note, and Vista SP1 should be
better still.)

And note that the biggest danger by far is "connected directly to the
Internet with a routable IP" NOT "connected to the Internet through a
router doing NAT". These days, the latter is much the more common
(even on some cable systems where the cable box bridges, since the NAT
is done farther up the line in many cases--if they give you a 10.x.y.z
WAN address, that's what is happening).

"They" can't get to your machine through NAT or through the firewall
unless you do something on your machine that opens the door (like
using Safari, IE, or another browser to reach a web site).

Macs and Linux have the same benefit in the same common setup, it's
not unique to Windows.

All that said, the contest outcome should be a wake up call for
Apple. Although the biggest Safari problem currently probably isn't
this exploit, whatever it was, but the lack of anti-phishing technology.

   --John



John C. Welch (apparently) - Apr 6, 2008 2:27 am (#5 Total: 10)  

Re: Apple Becomes First Victim in Hacking Contest

On 04/05/2008 04:36 AM, "infonauts" <infonautssympatico.ca> wrote:

> 1. Re: Apple Becomes First Victim in Hacking Contest
>
>
> This is such a fraud. As Daniel Eran Dilger pointed out in his blog, the deck
> was stacked against Apple, and the results pretty meaningless:
>
>
> <http://www.roughlydrafted.com/2008/03/29/mac-shot-first-10-reasons-why-cansec
> west-targets-apple/#more-1675>

Not really, and the fact is, Apple does need to start being less of a blank
wall when dealing with security. Reporting security issues to them is
damnably annoying, and it doesn't have to be.

--
John C. Welch

John C. Welch (apparently) - Apr 7, 2008 3:51 am (#6 Total: 10)  

Re: Apple Becomes First Victim in Hacking Contest

On 04/06/2008 04:27 AM, "johnbaxterlistsmac.com" <johnbaxterlistsmac.com>
wrote:

> All that said, the contest outcome should be a wake up call for
> Apple. Although the biggest Safari problem currently probably isn't
> this exploit, whatever it was, but the lack of anti-phishing technology.

That's the biggest scam since the Piltdown Man. It's not "anti-phishing"
because you can't make such a thing. At best it's "suspicious web site"
technology.

--
John C. Welch

Rich Mogull - Apr 7, 2008 3:51 am (#7 Total: 10)  

Re: Apple Becomes First Victim in Hacking Contest

> Trouble is, we don't know anything about the test, about the exploit,
> about what he was able to direct the person on the other end to do,
> nothing.
>
> We don't know when or even if anyone made an attempt on the other
> laptops, how many people were trying total... in short, we know
> absolutely nothing about this that we could draw any conclusions from.

We know quite a bit. Per the rules of the contest, the target system
was set to launch Safari with a link. Last year this was scripted to
click a link in an email sent to an account; per the rules, I believe
this was either scripted the same way, or the URL was manually entered.
Per the rules for this day, no software installation was allowed and no
other interaction; only client-side exploits involving reading an email
or browsing a web page (or other common activities on default software).
Thus we know that Safari was vulnerable to a remote client-side attack
if a user browsed to a malicious web page. No other actions were needed.

The other laptops were also under attack. Vista SP1 was just released,
and that slowed down an exploit that someone had prepared ahead of
time, as Charlie Miller did for the Mac. That exploit eventually
worked and was a cross-platform bug that affects Macs and Unix systems
(the author wanted to crack Vista, and thus didn't attempt to use the
exploit on other systems).

Ubuntu could have been hacked, but it does seem no serious efforts
were made since the researchers with successful exploits were more
interested in the Mac and Vista.

atlauren (apparently) - Apr 7, 2008 2:21 pm (#8 Total: 10)  

Re: Apple Becomes First Victim in Hacking Contest

At 2:36 AM -0700 4/5/08, infonauts wrote:
>This is such a fraud. As Daniel Eran Dilger pointed out in his
>blog, the deck was stacked against Apple, and the results pretty
>meaningless:
>
>
><http://www.roughlydrafted.com/2008/03/29/mac-shot-first-10-reasons-why-cansecwest-targets-apple/#more-1675>

For my money, Roughly Drafted long ago passed into fanboi territory.
Well documented, but the bad kind of mouth-breathing,
six-color-bleeding fan boi whose enthusiasm and bondi-colored classes
only serve to hurt the platform in general.

$.02,

--
Andrew Laurence
atlaurenuci.edu

John C. Welch (apparently) - Apr 7, 2008 4:04 pm (#9 Total: 10)  

Re: Apple Becomes First Victim in Hacking Contest

On 4/7/08 5:21 PM, "Andrew Laurence" <atlaurenes.nacs.uci.edu> wrote:

>> This is such a fraud. As Daniel Eran Dilger pointed out in his
>> blog, the deck was stacked against Apple, and the results pretty
>> meaningless:
>>
>>
>> <http://www.roughlydrafted.com/2008/03/29/mac-shot-first-10-reasons-why-canse
>> cwest-targets-apple/#more-1675>
>
> For my money, Roughly Drafted long ago passed into fanboi territory.
> Well documented, but the bad kind of mouth-breathing,
> six-color-bleeding fan boi whose enthusiasm and bondi-colored classes
> only serve to hurt the platform in general.
>
> $.02,

Yeah...that site is more of a spinmeister collective than an honest look at
platform pluses and minuses.

--
John C. Welch

tbutler (apparently) - Apr 7, 2008 4:04 pm (#10 Total: 10)  

Re: Apple Becomes First Victim in Hacking Contest

On 4/7/08 at 4:21 PM, atlaurenes.nacs.uci.edu (Andrew Laurence) wrote:

>At 2:36 AM -0700 4/5/08, infonauts wrote:
>>This is such a fraud. As Daniel Eran Dilger pointed out in his
>>blog, the deck was stacked against Apple, and the results pretty
>>meaningless:
>>
>>
>><http://www.roughlydrafted.com/2008/03/29/mac-shot-first-10-reasons-why-cansecwest-targets-apple/#more-1675>
>
>For my money, Roughly Drafted long ago passed into fanboi territory.
>Well documented, but the bad kind of mouth-breathing,
>six-color-bleeding fan boi whose enthusiasm and bondi-colored classes
                                                                 ^^^^^^^
Glasses? :)

>only serve to hurt the platform in general.

And yes, I have to agree; while Roughly Drafted does indeed
document its articles, and I would consider using some of the
sources it quotes as primary sources in my own writings, there's
no way I'd ever cite one of RD's articles myself if I wanted to
be taken seriously. The often strident tone and inflammatory
artwork (like the picture of the Hindenburg with the Zune logo
Photoshopped on the side) don't just abandon any pretense of
journalistic integrity, they curbstomp it; even if the article
itself supports its conclusion, the impression given is someone
who seeks out the worst news on whatever he's arguing against,
and overlooks (if not actively ignores) evidence against the
article's thesis.


Travis Butler
tbutlermac.com


