Foo - RE: Are Mac's 100% secure?

Obviously not. OS X was the first to fall in the PWN 2 OWN contest.

Details on the contest:
http://news.yahoo.com/s/macworld/20080327/tc_macworld/hackersuperbowlpitsmacosvslinuxvista

News:
http://blogs.zdnet.com/security/?p=984

:roflmao: :roflmao: :roflmao: :roflmao: :roflmao:

1. The guy that did it already has experince with Mac OS hacking.

2. Even stated in the article, the glory was in hacking the Mac. The guys put in extra effort to do it. Fair competition? I don't think so.

1. The guy that did it already has experince with Mac OS hacking.

2. Even stated in the article, the glory was in hacking the Mac. The guys put in extra effort to do it. Fair competition? I don't think so.

Oh, so what you're saying is that when an OS has more people focusing on it, it's more prone to fail? Or does that only work one way?

I'm saying it can't be denied that Mac OS fell in two minutes. But it's scientifically poor to compare that to the "security" of the other OS. Would the other OS have fell within the same time if they had gotten the same attention in this competition? Probably. It's a horrible way scientifically to compare the "safety" of the different OS.

I'm saying it can't be denied that Mac OS fell in two minutes. But it's scientifically poor to compare that to the "security" of the other OS. Would the other OS have fell within the same time if they had gotten the same attention in this competition? Probably. It's a horrible way scientifically to compare the "safety" of the different OS.

I'm not sure if you're doing it on purpose or if you're really just this blinded, but you are missing the point.

The most common argument regarding windows insecurity, and it is one that i tend to believe, is that the pitfalls of windows security is because of the vastly higher number of windows users out there. Therefore, people who create viruses, hacks, malware etc are going to focus on the system that yields the most destruction and gains them the most attention. Currently, that isn't OSX.

As i've stated in the other thread, there are other reasons that Windows sucks...but they are secondary.

Didn't Vista fall too, due to an unpublished exploit in Flash?

Didn't Vista fall too, due to an unpublished exploit in Flash?

Yup. The order of failing went OSX, Vista SP1, Ubuntu.

after reading the article (and the links to "play-by-play" coverage), i don't think you can really draw any conclusions from this other than "don't visit suspicious websites."

well, that and "don't install Flash."

i think it's important to remember that none of the computers fell the first day - it wasn't until the hackers were able to take advantage of "user interaction" that they started falling.

This is a good reason to always run Firefox with Adblock and NoScript. On sites that are really notorious, perhaps consider a dedicated VM that you can roll back to a known good snapshot when it gets infected.

I wish operating systems would have a sandbox, if not a completely isolated VM, for Web browsers because they are so easy to compromise due to add ons like Flash and the like. Vista is very good in this respect, as IE7 runs in a low security mode, but this doesn't stop add-ons from being abused.

http://www.sandboxie.com/

You can use sandboxie although I almost never do. This would have saved me a lot of headaches 3-4 years ago.

Already posted, in that thread ;)...

Oh, so what you're saying is that when an OS has more people focusing on it, it's more prone to fail? Or does that only work one way?

It appears to be a one way street. All the focus for years has been on hacking microsoft stuff, once the table turns a bit, its suddenly unfair...

Good times, good times indeed.

Didn't Vista fall too, due to an unpublished exploit in Flash?

Day 1 was OS hacking only
Day 2 OS with user interaction
Day 3 was 3rd party

No one got hack day 1, all other os's were expected to fall day 3 and Osx was the only one to fall day 2. (I haven't read my diggs on day 3 yet, I tend to avoid IT news on weekends haha)

This is a good reason to always run Firefox with Adblock and NoScript. On sites that are really notorious, perhaps consider a dedicated VM that you can roll back to a known good snapshot when it gets infected.

I wish operating systems would have a sandbox, if not a completely isolated VM, for Web browsers because they are so easy to compromise due to add ons like Flash and the like. Vista is very good in this respect, as IE7 runs in a low security mode, but this doesn't stop add-ons from being abused.

I don't have the article on hand, but I believe there is a new web browser on the horizon that is supposed to be very modular and potentially "sandboxed"...making it very difficult to hack as a whole unit. As the article put it "this generation of browsers are all insecure, the next step is to look at web sites as applications and browsers as the abstraction layers" something like that anyways. Good point of view, it will be interesting to see how this works in the world of exec's needing stuff to work, period.

This is IMHO of course, but I think the security of a Web browser should be rooted in the OS layer, even perhaps the hardware layer, using the virtualization abilities of modern Intel or AMD chips. Having a modular browser is a step forward, but what really needs done is to have it completely sandboxed, either by Thinstall where any writes to the Registry or filesystem are virtualized to the app's user directory, or having a virtual machine similar to VirtualPC, with a shared directory for downloaded files.

This case, its far more difficult to try to break out of a well coded hypervisor, be it Xen, VirtualPC, or VMWare's, than to break out of any protected mode. The main reason is that a hypervisor has far less code that can be exploited than an OS and all the programs installed on it.

Even just getting code to run as a user is a significant step to getting admin or root access.