Mac security eh?

dragon300zx Registered Users Posts: 2,575 Major grins
edited August 25, 2006 in The Big Picture
So David your lovely macs are perfectly secure eh?

http://blog.washingtonpost.com/securityfix/2006/08/hijacking_a_macbook_in_60_seco_1.html

That's right guys. They hacked and took complete control of a macbook in 60 seconds.

Here's a quote:

"...ultimately decided to run the demo against a Mac due to what Maynor called the "Mac user base aura of smugness on security."

"We're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something," Maynor said."

Everyone Has A Photographic Memory. Some Just Do Not Have Film.
www.zxstudios.com
http://creativedragonstudios.smugmug.com

Comments

  • bwg Registered Users, Retired Mod Posts: 2,119 SmugMug Employee
    edited August 4, 2006
    ...it eventually makes you want to stab one of those users in the eye with a lit cigarette or something

    lol
    Pedal faster
  • bwg Registered Users, Retired Mod Posts: 2,119 SmugMug Employee
    edited August 4, 2006
  • DavidTO Registered Users, Retired Mod Posts: 19,160 Major grins
    edited August 4, 2006
    So David your lovely macs are perfectly secure eh?


    Hey, don't misquote me.
    Moderator Emeritus
    Dgrin FAQ | Me | Workshops
  • DavidTO Registered Users, Retired Mod Posts: 19,160 Major grins
    edited August 4, 2006
    And, it's a false alarm. Sheesh, talk about smug, the minute some bozo configures his Mac to be vulnerable, you all jump on the bandwagon! :D
    Wireless driver security flaw affects Macs -- but not with native hardware
    Another false alarm. Sci-Tech discusses a wireless driver vulnerability that affects both Macs and Windows systems -- but only when faulty third-party hardware is added. "The researchers demonstrated the vulnerability at a computer-security conference, showing how to take complete control of a MacBook from Apple Computer Inc. But the two researchers, David Maynor, 28, and Jon Ellch, a 24-year-old who prefers to go by his hacker handle Johnny Cache, said the technique will work on an array of machines, including those that run Microsoft Corp.'s Windows and the free Linux operating system. 'The problem itself isn't really an Apple problem,' said Maynor, a researcher at SecureWorks Inc., a network-monitoring company. 'This is a systemic problem across the industry.' [...] The MacBook used in the demonstration was not using the wireless gear that shipped with the computer. Instead, they used a third-party wireless card that they declined to name"
  • dragon300zx Registered Users Posts: 2,575 Major grins
    edited August 4, 2006
    DavidTO wrote:
    And, it's a false alarm. Sheesh, talk about smug, the minute some bozo configures his Mac to be vulnerable, you all jump on the bandwagon! :D
    But it is still a security issue for Apple to deal with. And it goes to show that the more Mac tries to make itself seem more superior and becomes more popular the more hackers are going to "stab one of those users in the eye with a lit cigarette or something".
  • DavidTO Registered Users, Retired Mod Posts: 19,160 Major grins
    edited August 4, 2006
    But it is still a security issue for Apple to deal with. And it goes to show that the more Mac tries to make itself seem more superior and becomes more popular the more hackers are going to "stab one of those users in the eye with a lit cigarette or something".


    Second part's very true. First part...you can't even buy a Mac without a wireless card, so why would you ever put a 3rd party in? Seems to be a very small issue.

    EDIT: The G5 desktops (you know, the ones that will be replaced in 4 days :D) do not have built-in wireless, so MAYBE there you've got a point, but who's gonna put wireless in a G5? If it's a workstation, you're gonna want gigabit...I dunno, seems like a non-issue to me.
  • wxwax Registered Users Posts: 15,471 Major grins
    edited August 4, 2006
    Sid.
    Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane mittam
    http://www.mcneel.com/users/jb/foghorn/ill_shut_up.au
  • claudermilk Registered Users Posts: 2,756 Major grins
    edited August 4, 2006
    bigwebguy wrote:
    :lol4 That one is bookmarked.
    ...it eventually makes you want to stab one of those users in the eye with a lit cigarette or something
    Yep.

    What is the phrase I'm searching for? Oh yeah: "pride goeth before the fall" or something like that. It's ugly when the house of cards comes tumbling down. BTW, what do you guys that fall under the "smug users" banner who've been pounding on XP users for so long expect?
  • peestandingup Registered Users Posts: 489 Major grins
    edited August 4, 2006
    This has been blown WAY outta proportion. This isn't a hack of the OS, it's the wireless driver (which Apple didn't produce) and is a general problem with wireless networks across the board. Second, they had to physically install a root kit onto the MacBook to make this work. Not to mention, it's a third party wireless card & not the one that was built into the MacBook. Plus, they didn't even perform it live, they showed a video of the hack being done.

    Not to say this isn't a legitimate concern, but it's a concern that the entire WiFi industry needs to fix, not Apple. So everyone needs to dig deeper in this & see what exactly it is before ranting about Apple being unsecure & pointing fingers at Mac users.

    Not to say Macs can't be breached in some way, but this sure ain't it. These guys clearly had motives since they used a MacBook & they have done these kinds of "hacks" on Apple stuff before. Sorry to disappoint all you XP users. Next!
  • mercphoto Registered Users Posts: 4,550 Major grins
    edited August 4, 2006
    DavidTO wrote:
    And, it's a false alarm. Sheesh, talk about smug, the minute some bozo configures his Mac to be vulnerable, you all jump on the bandwagon! :D
    And this has ALWAYS been my point about Mac versus Windows. Macs ship by default with the equivalent of all doors locked. Windows ships by default with the equivalent of unlocked doors and expects the user to lock things down. Silly, stupid.

    Wow, you leave the front door to your house unlocked, intentionally, and then you are surprised that a burglar walks in and takes your television? And this somehow points to a Mac vulnerability equal to that found on Windows? I guess when you're a Windows user you grasp at whatever straws you can find.

    Linux at work, Mac at home, life is good.
    Bill Jurasz - Mercury Photography - Cedar Park, TX
    A former sports shooter
    Follow me at: https://www.flickr.com/photos/bjurasz/
    My Etsy store: https://www.etsy.com/shop/mercphoto?ref=hdr_shop_menu
  • DavidTO Registered Users, Retired Mod Posts: 19,160 Major grins
    edited August 4, 2006
    Interesting take on this I found on macintouch.com:
    I, like many others, viewed the video posted by the Washington Post. But unlike many others, I didn't stop at the "hey, they used a third party card" part.
    If you carefully watch, Maynor goes to the Dell, which he identifies as the "attacking" machine, and proceeds to set it up as a wireless Access Point (AP). You will have noticed, of course, his earlier statement that it is not required that the target be associated with an AP?
    So why, then, does he proceed to go to the Mac, and open a terminal shell, from which he checks to see if the Mac has picked up the IP from the AP? When he confirms that it has, (Funny, but this is the same IP he had earlier noted would be the IP it would use - sounds like this demo was prepped ahead of time) he leaves the Terminal window open and returns to the Dell, from which he now runs his "exploit".
    Upon connecting to the shell on the Mac, he changes to a directory on the Mac's desktop (called "remote", how obvious) and proceeds to create, open and delete several files on the Mac's desktop.
    One of the files, he creates on the Mac, and calls "password", and populates it with content ("This is a secret password!") which he then proceeds to open from the Dell so the content is displayed on the Dell's screen. Odd how this seems alarming, but it is only an unencrypted text file...
    At no time does he complete any task from the Dell that would have required higher privileges than user level on the Mac, nor does he ever claim to have gained elevated privileges.
    His demo never actually remotely connects to the Mac, thus does not prove that it is possible. He does not prove that he can gain elevated privileges on the Mac, either, by performing an admin or root level task.
    When he runs his "exploit" it is merely an ".ssh" file, and is run against a computer that is already attached to the attacking computer.
    This sounds like a simple publicity stunt. Any script kiddie can attack a computer if he has keyboard access.
    At no time does he note what settings are on the Mac, nor what kind of account is logged into it either. Is it a user account, or an admin account? Is automatic joining of open wifi networks enabled? It sounds like it, since he does not ever show a dialog box asking permission to join an open network. So either the Dell's network was an open one, and his Mac was set to automatically connect to it, or it was already set up on the Mac as a trusted network!
    This demonstration of a purported "hack" is flawed, skewed towards sensationalism, and an obvious attempt (successful, I might add) to garner publicity and notoriety for the authors.
    Maybe there is a possible vulnerability here, but it is obscured by the flawed presentation of this demo.
  • Mongrel Registered Users Posts: 622 Major grins
    edited August 4, 2006
    http://blog.washingtonpost.com/securityfix/2006/08/followup_to_macbook_post.html

    "During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers -- mainly because Apple had not fixed the problem yet. Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers. But he also admitted that the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable. And that is what I reported.
    I stand by my own reporting, as according to Maynor and Ellch it remains a fact that the default Macbook drivers are indeed exploitable."
    If every keystroke was a shutter press I'd be a pro by now...
  • colourbox Registered Users Posts: 2,095 Major grins
    edited August 4, 2006
    Given the hoops they had to jump through to get this done, I'd put it in the same class as the other Mac security threats that have been shown but also known to not exist in the wild. Demonstrated to be possible, but not probable...only a proof-of-concept. If you can't take this down to the coffee shop and use it against a stock Mac, then it still pales in comparison to the known, existing, devastatingly effective, and ready-to-use threats on the Windows side.

    I have no problem with them specifically using a Mac for the demo, even though I'm a lifetime Mac user. Too many Mac users are too arrogant about this subject and I don't mind them getting a cautionary reminder once in a while.
  • gus Registered Users Posts: 16,209 Major grins
    edited August 4, 2006
    colourbox wrote:
    Too many Mac users are too arrogant about this subject and I don't mind them getting a cautionary reminder once in a while.

    b..b.b.b..b.b..bb..but without them ...whom would we bait
  • DavidTO Registered Users, Retired Mod Posts: 19,160 Major grins
    edited August 4, 2006
    gus wrote:
    b..b.b.b..b.b..bb..but without them ...whom would we bait


    I 'spose you'd have to get a life...
  • gus Registered Users Posts: 16,209 Major grins
    edited August 4, 2006
    DavidTO wrote:
    I 'spose you'd have to get a life...
    Ta darrrrrrrrrrrrrrrrrrrrrrrr
  • System Registered Users Posts: 8,186 moderator
    edited August 4, 2006
    Mac haters are so sad and pathetic.
  • DavidTO Registered Users, Retired Mod Posts: 19,160 Major grins
    edited August 4, 2006
    gus wrote:
    Ta darrrrrrrrrrrrrrrrrrrrrrrr


    Gus, you are so easily amused. Go watch the ants.
  • marlof Registered Users Posts: 1,833 Major grins
    edited August 4, 2006
    truth wrote:
    Mac haters are so sad and pathetic.

    Agreed. The same goes for the lovers though. Both the Mac and the Win lovers.
    enjoy being here while getting there
  • gus Registered Users Posts: 16,209 Major grins
    edited August 4, 2006
    DavidTO wrote:
    Gus, you are so easily amused. Go watch the ants.
    When they start doing laps of the room stamping their feet & screaming I will [drink emoticon]
  • DavidTO Registered Users, Retired Mod Posts: 19,160 Major grins
    edited August 4, 2006
    gus wrote:
    When they start doing laps of the room stamping their feet & screaming I will [drink emoticon]


    When they do that, break out your new macro lens and shoot a few. I'd like to see that!
  • colourbox Registered Users Posts: 2,095 Major grins
    edited August 23, 2006
    New interesting article...

    "Pretty soon any debate with Microsoft over security can be ended in one round when Apple stands up, says 'launchd,' and sits back down."

    And of course this one, which hasn't been mentioned in this thread yet...
    MacBook wireless driver exonerated in Wi-Fi hack
  • DavidTO Registered Users, Retired Mod Posts: 19,160 Major grins
    edited August 23, 2006
    colourbox wrote:
    New interesting article...

    "Pretty soon any debate with Microsoft over security can be ended in one round when Apple stands up, says 'launchd,' and sits back down."

    And of course this one, which hasn't been mentioned in this thread yet...
    MacBook wireless driver exonerated in Wi-Fi hack

    What I understood of the first was interesting...as for the second, yeah, what a bunch of hooey that whole WIFI vulnerability thing was. They're just jealous. :D
  • peestandingup Registered Users Posts: 489 Major grins
    edited August 25, 2006
    colourbox wrote:
    And of course this one, which hasn't been mentioned in this thread yet...
    MacBook wireless driver exonerated in Wi-Fi hack
    I mentioned it in my post on page 1 & knew about it the day this "hack" came out, while places like Cnet had headlines on their front page like "MacBook HACKED!". Just makes websites like that look foolish.

    Those 2 guys are completely full of it. They did this stuff before on Macs & now they are trying to say they used a MacBook just because?? Yeah, right. Their whole setup was total BS from the start. It would be like me leaving the front door to my house wide open, hanging a big neon sign out on the lawn that says "No one is home, door open, please take what you want!" and going on vacation for 2 weeks, then coming home to a ransacked house & saying "Holy Sh*t! My house was robbed!! POS door didn't keep the bad guys out!!"
  • marlinspike Registered Users Posts: 2,095 Major grins
    edited August 25, 2006
  • claudermilk Registered Users Posts: 2,756 Major grins
    edited August 25, 2006
    This one is my favorite
    http://video.google.com/videoplay?docid=-6692797252263641017&q=mac+commercial
    You can't help but feel sorry for the guy.
    I don't care who you are, that right there is funny.


    ...and so it continues...:duel