
Macs Defy Virus? Hahahahahaha


Comments

  • Options
    NikolaiNikolai Registered Users Posts: 19,035 Major grins
    edited March 8, 2006
    Shay,
    Great post!

    Thanks! I've been inspired by yours:
    Look, any technology is exploitable, from lowly soda machines to lofty government servers. Any sufficiently clever and motivated person(s) can eventually break into anything.

    My problem is with the position foisted on the public that macs are bullet proof. And don't try to parse that that image is not promoted. It is. And it is a dangerous position to embrace.

    Everyone should assume that there are security vulnerabilities with all technology. And I would say that windows users may have a mental advantage at this point in time because they basically realize that, while the mac community continues to hide their heads in a false sense of security and deny and downplay exploits. The coming year or two is going to be a sad wake up call for many who sit on their imaginary ivory towers of "security".
    Welcome to the real world. Mac is vulnerable. We all are.

    Cheers!
    "May the f/stop be with you!"
  • Options
    luke_churchluke_church Registered Users Posts: 507 Major grins
    edited March 8, 2006
    Nikolai wrote:
    Few years ago MS paid Borland, its old rival in compilers and other development tools area, a hefty sum of a hundred million dollars ($100,000,000.00 - pinky by the mouth:-). Both companies made a huge deal about it in PR. Well, in the end a poor management led Borland out of the game. Also, MS lured away Borland's head guy, who ended up creating no less than .NET itself - for MS!

    Hey Nik,

    If we're going accurate, Anders Hejlsberg created C#, not .NET.

    But his work does seem to be good.

    Luke
  • Options
    luke_churchluke_church Registered Users Posts: 507 Major grins
    edited March 8, 2006
    mercphoto wrote:
    Wow, imagine that. You configure a machine in a way that it's easily hacked, and then shout "Look, the Mac is vulnerable!".

    According to the news article I read, it was a zero day exploit. That's not configured to be hacked, that's a vulnerability in the OS. (What, a UNIX OS with a security problem? Surely not?)

    I know people here who run machines with pretty close to the usage paradigm of having random users with low privilege accounts. These accounts are routinely compromised as the users insist on doing inanely stupid things, largely with PHP.

    And yet, the actual server has only been compromised twice.

    1. By a known exploit that hadn't been patched properly (yawn)

    2. By a determined hacker, who actually attacked an interaction between several scripts. He is now where he belongs. In prison.

    Compromised twice isn't bad for a public facing server sat on a heavily attacked domain (cam.ac.uk), with random user accounts.

    But it's not running Mac OS....

    The target machine here was not openly configured to be compromised.

    Take Shay's point. Apple + the user community has deluded itself into believing that they're secure. They're not.

    Complacency is far more dangerous than any single technical vulnerability.

    Luke
  • Options
    ThusieThusie Registered Users Posts: 1,818 Major grins
    edited March 8, 2006
    Maybe I'm just in a snarky mood this morning:): PC user for many years, never got hit with any virus, trojan, worm. It all came down to using what little brain cells I had to not click on, download, install, open anything that came down the pike. And paying attention to what was going on etc. etc.

    None of that has changed just because my main computer is a Mac. I like the Mac better because I like the OS and I do feel it is a much more stable platform and more fun to operate. So am I more complacent? Nope, I don't trust anything/anyone that much.

    Snark off, oh good morning.
  • Options
    AndyAndy Registered Users Posts: 50,016 Major grins
    edited March 8, 2006
  • Options
    BodleyBodley Registered Users Posts: 766 Major grins
    edited March 8, 2006
    colourbox wrote:
    Hmmm...$150 million invested by Microsoft in Apple, a company worth several billion at the time. Mathematically, 150 mil was but a drop in Apple's buckets of billions. Since the amount was far too small to "own" or even influence Apple in any significant way, the money was strictly an exercise between Microsoft and Apple that came out of the PR budget, probably. And the story goes that when Microsoft sold their Apple shares, the shares had gone up in value so Microsoft made a profit on their "bailout" ! Hardly a charity case.

    Hey Colourbox and Peestandingup, un-bunch the panties. The comment about Gates and Apple WAS A JOKE!!!!! It was a dig at Andy since he stated Gates-never. Do I think Gates helped Apple, YES. Do I think Gates was getting something out of the deal, Yes. After all, Gates is a far cry from stupid.

    At the time it was reported as a bailout - the DOJ had to approve the "investment" and part of the reasoning was that Apple was at a crucial time in the company. Jobs was quoted as saying (quote not verbatim) without the 150 million, the company would probably not survive. I also think MS agreed to continue to develop Office for mac for at least 5 years, at which time it was expected Apple would have their legs under them.
    Greg
    "Tis better keep your mouth shut and be thought of as an idiot than to open your mouth and remove all doubt"
  • Options
    DavidTODavidTO Registered Users, Retired Mod Posts: 19,160 Major grins
    edited March 8, 2006
    Yep, yep, nothing's completely secure. Mac's just MORE secure. Out of the box more secure. And stable. And pretty. And it has the power of a UNIX terminal under all that. Shay could geek out all day long on a Mac, and not miss his Windows machine at all.

    And Sid, Macs have still managed to defy viruses, as you so quaintly put it, as there still are no viruses for OSX. Not a single one. Just some virus software which does more damage than the threat of a virus. Yeah, one of them was mistakenly identifying files as being infected and deleting them. Ouch. I'd rather ride bareback, myself!

    The article isn't about viruses, but about a hack that someone used to promote privileges of an account. This isn't a stranger that hacked into the system, but someone who was given an account that managed to escalate his privileges. Serious stuff, no doubt, but actually of very little concern to me.
    Moderator Emeritus
    Dgrin FAQ | Me | Workshops
  • Options
    wxwaxwxwax Registered Users Posts: 15,471 Major grins
    edited March 8, 2006
    DavidTO wrote:
    Yep, yep, nothing's completely secure. Mac's just MORE secure. Out of the box more secure. And stable. And pretty. And it has the power of a UNIX terminal under all that. Shay could geek out all day long on a Mac, and not miss his Windows machine at all.

    And Sid, Macs have still managed to defy viruses, as you so quaintly put it, as there still are no viruses for OSX. Not a single one. Just some virus software which does more damage than the threat of a virus. Yeah, one of them was mistakenly identifying files as being infected and deleting them. Ouch. I'd rather ride bareback, myself!

    The article isn't about viruses, but about a hack that someone used to promote privileges of an account. This isn't a stranger that hacked into the system, but someone who was given an account that managed to escalate his privileges. Serious stuff, no doubt, but actually of very little concern to me.


    Sid.
    Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane mittam
    http://www.mcneel.com/users/jb/foghorn/ill_shut_up.au
  • Options
    JohnRJohnR Registered Users Posts: 732 Major grins
    edited March 8, 2006
    Nikolai wrote:
    With all due respect, I'm afraid you're getting a bit carried away by the marketing BS.

    Hey Nikolai,
    Actually that wasn't ME that said it...I just quoted what was on that site:
    "That link at the bottom of my post says this at the beginning:"
    The actual solution is, in fact, quite simple: step out of the sterilized room and join the rest of the world. It's pretty nice out here.

    Uh..this confused me because as far as I know...I am already with the rest of the world when it comes to the internet.


    Unless you were talking about getting a Windows machine....no thanks! :puke1 :gun2
  • Options
    colourboxcolourbox Registered Users Posts: 2,095 Major grins
    edited March 8, 2006
    Well, the new contest mentioned earlier is over now, and nobody cracked it.
    Apple OS X withstands hacking contest
  • Options
    NikolaiNikolai Registered Users Posts: 19,035 Major grins
    edited March 8, 2006
    Hey John,
    JohnR wrote:
    Hey Nikolai,
    Uh..this confused me because as far as I know...I am already with the rest of the world when it comes to the internet.
    Great then:-)
    JohnR wrote:
    Unless you were talking about getting a Windows machine....no thanks! :puke1 :gun2
    The thought never crossed my mind :-) I know it's hopeless:-)
    "May the f/stop be with you!"
  • Options
    NikolaiNikolai Registered Users Posts: 19,035 Major grins
    edited March 8, 2006
    Luke,
    Hey Nik,

    If we're going accurate, Anders Hejlsberg created C#, not .NET.

    But his work does seem to be good.

    Luke

    Hey, long time no hear, how've you been?

    Since we're going to be accurate:-)... C# was not created from scratch. It was based on almost 10-year old and rather secret project for a compiled language named COOL (it went through the various stages and was going to create a competition to Java). When Anders joined MS he brought the intimate knowledge and huge experience in component-based development environment, with RTTI (reflections) and event delegations (esp. multicast), complete with fine two-way IDE. At some point the idea of a CLR built into OS came up (thus avoiding VB's major pitfall) - and that's how .NET apparently was born.

    It all has no relation to photography (or even PC vs Mac issue:-), however... :):

    Cheers!
    "May the f/stop be with you!"
  • Options
    StevenVStevenV Registered Users Posts: 1,174 Major grins
    edited March 8, 2006
    Nikolai wrote:
    "No ports open" would mean you'd have to use telepathy to make your posts on dgrin or even browse it (HTTP, port 80); carrier pigeons to deliver your emails (SMTP: port 25) and receive it (POP3: port 110); and so on and so forth.

    Not exactly, because those are all initiated by the user. "No ports open" is normally understood to mean "for externally-initiated communications." I can lock the door to my car but still get out - it means that the carjackers can't get in.
  • Options
    AndyAndy Registered Users Posts: 50,016 Major grins
    edited March 8, 2006
    Nikolai wrote:
    (or even PC vs Mac issue:-), however... :):

    Cheers!

    There's a PC vs Mac issue? Where?
  • Options
    DavidTODavidTO Registered Users, Retired Mod Posts: 19,160 Major grins
    edited March 8, 2006
    Andy wrote:
    There's a PC vs Mac issue? Where?


    That's right. It's a non-issue.
    Moderator Emeritus
    Dgrin FAQ | Me | Workshops
  • Options
    JohnRJohnR Registered Users Posts: 732 Major grins
    edited March 8, 2006
    Nikolai wrote:
    The thought never crossed my mind :-) I know it's hopeless:-)

    You should come to KY some time and I'll let you play around with my powermac G5.....then we'll see!

  • Options
    wxwaxwxwax Registered Users Posts: 15,471 Major grins
    edited March 8, 2006
    DavidTO wrote:
    That's right. It's a non-issue.

    Windows 92%
    Mac 4.9%
    Linux 3.1%

    Good point.
    Sid.
    Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane mittam
    http://www.mcneel.com/users/jb/foghorn/ill_shut_up.au
  • Options
    luke_churchluke_church Registered Users Posts: 507 Major grins
    edited March 8, 2006
    Nikolai wrote:
    Hey, long time no hear, how've you been?

    Hey Nik,

    Good thanks, I've been insanely busy though. Some people liked some of the stuff that I've been doing on information/cognitive modelling, so I've had to write a paper for that (first one to a major journal :):).

    Then came a conference and papers on (ironically) security usability, where I demonstrated how to wreck computer security by manipulating cognitive traits and bypassing all this nasty hacking stuff... Then the same happened on stuff that I've been doing building cognitive models of why developers build security mistakes in the first place. The question is now to evaluate whether I'm right, and if so what can we do about it?

    Somewhere in amongst all this mess, I've been attempting to do a degree and occasionally earn money to eat ;)

    So yeah, it's been a generally fun time, but with far too little sleep.

    How's tricks in your world? I've seen a few of the photos you've posted. Had to do any more of those, oh so hard work, car shows?
    Since we're going to be accurate:-)... C# was not created from scratch. It was based on almost 10-year old and rather secret project for a compiled language named COOL (it went through the various stages and was going to create a competition to Java).

    You know it's odd... This has to be about the 9th entirely orthogonal explanation of the origins of C# and .NET that I've heard ;)

    I suspect that they all have a grain of truth in them.

    I went to a talk by a bunch of the designers of C#, who discussed another language X# that had inspired it as well... I was kind of inclined to believe them... I suspect it came from all over the place, that would certainly be normal for serious language design. The guy is certainly talented, and hasn't made many of the mistakes that were made in the original design of Java.

    There are also distinct syntax traits of VB in there as well 'foreach' and properties.

    Who knows who they think is going to use Lambda expressions, I think they're way cool, but then I would ;)
    When Anders joined MS he brought the intimate knowledge and huge experience in component-based development environment, with RTTI (reflections) and event delegations (esp. multicast),

    Though, they weren't exactly new to MS, given their spats with Sun over Delegates and Java....
    complete with fine two-way IDE.

    Again, the IDE looks to my mind more like Visual Studio than it does like Delphi.

    I understand some of the Windows Forms stuff in Vista (XAML) looks quite a bit like the Delphi designers though.
    At some point the idea of a CLR built into OS came up (thus avoiding VB's major pitfall)

    Apparently from a discussion of how to avoid a lot of the problems with arbitrary extensions to distributing VB components that MS were experiencing in their MTS product. COM only goes so far, and when you start hacking chunks of its binaries to get it to push out, it's probably time to move on....
    - and that's how .NET apparently was born.

    Like all successful systems, tangled origins ;)

    I agree with you though, there's no doubting that Anders is a good guy, probably one of the most talented serious industrial language designers out there at the moment. There are a lot of them kicking around academia too, most of the work on the design of C# 2.0 came out of the building next door to me as I type this. Impressive people, just don't get them talking about maths, your head blows up fair soon after they move to larger sheets of paper, or start complaining that the Greek alphabet only has ~60 characters ;)
    It all has no relation to photography (or even PC vs Mac issue:-), however... :):

    Oh well, maybe it's at least fractionally sane then... I'm not so worried about being OT in a Mac/PC warfare thread...

    Good to hear from you again Nik,

    Cheers,

    Luke
  • Options
    wxwaxwxwax Registered Users Posts: 15,471 Major grins
    edited March 8, 2006
    Hmmmm.

    Whereas Mac users for a very long time have been proud of the fact that there were no easy exploits or security holes in the OS and not a single virus found in the wild, those days are gone. This year there has seen at least two verified viruses, and there have been several other security flaws and gaping security holes found in OS X, prompting the release of 10.4.5 as well as patches to its related applications.

    While none of these viruses are prolific or as damaging as nearly all of the new Windows viruses discovered each day, it does require that the potentially justified previous smugness of Apple users now take a back seat to either silence or a confused look, as their Windows-using counterparts look at them and say, "See, I told you so."

    See, I told you so.

    :lol4
    Sid.
    Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane mittam
    http://www.mcneel.com/users/jb/foghorn/ill_shut_up.au
  • Options
    DavidTODavidTO Registered Users, Retired Mod Posts: 19,160 Major grins
    edited March 8, 2006
    wxwax wrote:
    Hmmmm.




    See, I told you so.

    :lol4


    Simply stated, they're wrong. No viruses. There are two pretty useless Trojan Horses, which I'll give you, but they're not such a much. In any case, measure that against 60k+ viruses on Windows, and I'd settle for what I've got any day of the week, buster.
    Moderator Emeritus
    Dgrin FAQ | Me | Workshops
  • Options
    DavidTODavidTO Registered Users, Retired Mod Posts: 19,160 Major grins
    edited March 8, 2006
    Sid,

    From secunia.com, both quotes are from today:
    Microsoft Windows XP Professional with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical

    This is based on the most severe Secunia advisory, which is marked as "Unpatched" in the Secunia database. Go to Unpatched/Patched list below for details.

    Currently, 28 out of 130 Secunia advisories, are marked as "Unpatched" in the Secunia database.

    The Secunia database currently contains 0 Secunia advisories marked as "Unpatched", which affects Apple Macintosh OS X.

    This is based on the most severe Secunia advisory, which is marked as "Unpatched" in the Secunia database. Go to Unpatched/Patched list below for details.

    Currently, 0 out of 66 Secunia advisories, are marked as "Unpatched" in the Secunia database.
    Moderator Emeritus
    Dgrin FAQ | Me | Workshops
  • Options
    BigAlBigAl Registered Users Posts: 2,294 Major grins
    edited March 9, 2006
    Just found this on PC Pro.

    "Despite traffic that peaked at over 30Mbps, mostly comprising web exploit scripts, ssh dictionary attacks and scanning tools and including two denial of service attacks, the Mac mini was not breached and remained up throughout the 38 hour duration of the test. The system received half a million requests, with 400 login attempts via ssh."
  • Options
    luke_churchluke_church Registered Users Posts: 507 Major grins
    edited March 9, 2006
    BigAl wrote:
    "Despite traffic that peaked at over 30Mbps, mostly comprising web exploit scripts, ssh dictionary attacks and scanning tools and including two denial of service attacks, the Mac mini was not breached and remained up throughout the 38 hour duration of the test. The system received half a million requests, with 400 login attempts via ssh."

    This is called fuzz testing, it is generally regarded to prove close to nothing.

    Luke
  • Options
    BodleyBodley Registered Users Posts: 766 Major grins
    edited March 9, 2006
    :duel :deadhorse :poke :argue :duel
    Greg
    "Tis better keep your mouth shut and be thought of as an idiot than to open your mouth and remove all doubt"
  • Options
    ian408ian408 Administrators Posts: 21,910 moderator
    edited March 9, 2006
    mercphoto wrote:
    Wow, imagine that. You configure a machine in a way that it's easily hacked, and then shout "Look, the Mac is vulnerable!". What a dweeb. Anybody can break into a home if the owner starts unlocking the doors.

    How's any of this different than the comparison between Windows and Mac
    OS again?

    It's all a matter of balancing convenience with security as supplied and trusting
    the end user to maintain or improve. In the case of the end user, they will
    almost always choose convenience over security.
    Moderator Journeys/Sports/Big Picture :: Need some help with dgrin?
  • Options
    devbobodevbobo Registered Users, Retired Mod Posts: 4,339 SmugMug Employee
    edited March 9, 2006
    DavidTO wrote:
    And Sid, Macs have still managed to defy viruses, as you so quaintly put it, as there still are no viruses for OSX. Not a single one.

    Hey Dave,

    These people that write viruses get a kick out of the damage that their viruses unleash on the wider community.

    Why would they bother putting effort into writing a virus for an OS that only has a 5% market share ?

    David
    David Parry
    SmugMug API Developer
    My Photos
  • Options
    DavidTODavidTO Registered Users, Retired Mod Posts: 19,160 Major grins
    edited March 9, 2006
    devbobo wrote:
    Hey Dave,

    These people that write viruses get a kick out of the damage that their viruses unleash on the wider community.

    Why would they bother putting effort into writing a virus for an OS that only has a 5% market share ?

    David


    Because it's there. And no one's been successful.

    I dunno, really. I have no idea why anyone would write a virus in the first place.

    And really, it doesn't matter. The fact that there aren't any is good enough for me!
    Moderator Emeritus
    Dgrin FAQ | Me | Workshops
  • Options
    luke_churchluke_church Registered Users Posts: 507 Major grins
    edited March 9, 2006
    I dunno, really. I have no idea why anyone would write a virus in the first place.

    A large number of them are currently being written to gather 'swarms' of machines that can then be sold on to the spammer network, for some absolutely pathetic sum. I've heard $10 per day quoted.

    Hence many of the virus writers tend to be from countries where this amount of money is actually useful.

    Also used for this purpose are Trojan Horses...

    Interestingly, we have now moved away from worms that are unleashed to randomly destroy, to targeted attacks used by professional criminals. A trend I gave a talk predicting 1.5 years ago (and it turns out I was very slow to the game ;))

    The WMF exploit was the first serious case of this.

    Luke
  • Options
    luke_churchluke_church Registered Users Posts: 507 Major grins
    edited March 9, 2006
    devbobo wrote:
    Why would they bother putting effort into writing a virus for an OS that only has a 5% market share ?

    Indeed, there is also little financial incentive

    -> There are a large number of soft easy targets (Windows machines with clueless users who are easily fooled and are using out of date releases that they haven't updated)

    -> Apple's penetration into the server market is small, so there's no real interest in attacking that for its associated value. One hopes that servers are harder to break anyway, as the admin staff hopefully know something

    -> It doesn't have the sheer geek interest of trying to attack Linux

    -> Large numbers of people don't hate Apple as much as they hate MS

    Heterogeneous environments are good, they make the attackers work harder, unfortunately 5% hardly counts as heterogeneous.

    Luke
  • Options
    StevenVStevenV Registered Users Posts: 1,174 Major grins
    edited March 9, 2006
    Heterogeneous environments are good, they make the attackers work harder, unfortunately 5% hardly counts as heterogeneous.

    See... more SMuggers need to buy Macs - it's all for the better good of society :D