Cycling and bicycle discussion forums. 
Foo Off-Topic chit chat with no general subject.

Old 03-29-08, 11:34 AM   #1
BenLi
RE: Are Mac's 100% secure?

Obviously not. OS X was the first to fall in the PWN 2 OWN contest.

Details on the contest:
http://news.yahoo.com/s/macworld/200...osvslinuxvista

News:
http://blogs.zdnet.com/security/?p=984
Old 03-29-08, 11:37 AM   #2
timmyquest
Old 03-29-08, 11:47 AM   #3
cnickgo
1. The guy that did it already has experience with Mac OS hacking.

2. Even stated in the article, the glory was in hacking the Mac. The guys put in extra effort to do it. Fair competition? I don't think so.
Old 03-29-08, 11:55 AM   #4
timmyquest
Quote:
Originally Posted by cnickgo View Post
1. The guy that did it already has experience with Mac OS hacking.

2. Even stated in the article, the glory was in hacking the Mac. The guys put in extra effort to do it. Fair competition? I don't think so.
Oh, so what you're saying is that when an OS has more people focusing on it, it's more prone to fail? Or does that only work one way?
Old 03-29-08, 12:03 PM   #5
cnickgo
I'm saying it can't be denied that Mac OS fell in two minutes. But it's scientifically poor to compare that to the "security" of the other OS. Would the other OS have fallen within the same time if they had gotten the same attention in this competition? Probably. It's a horrible way scientifically to compare the "safety" of the different OS.
Old 03-29-08, 12:23 PM   #6
timmyquest
Quote:
Originally Posted by cnickgo View Post
I'm saying it can't be denied that Mac OS fell in two minutes. But it's scientifically poor to compare that to the "security" of the other OS. Would the other OS have fallen within the same time if they had gotten the same attention in this competition? Probably. It's a horrible way scientifically to compare the "safety" of the different OS.
I'm not sure if you're doing it on purpose or if you're really just this blinded, but you are missing the point.

The most common argument regarding Windows insecurity, and it is one that I tend to believe, is that the pitfalls of Windows security are because of the vastly higher number of Windows users out there. Therefore, people who create viruses, hacks, malware etc. are going to focus on the system that yields the most destruction and gains them the most attention. Currently, that isn't OSX.

As I've stated in the other thread, there are other reasons that Windows sucks...but they are secondary.
Old 03-29-08, 04:03 PM   #7
mlts22 
Didn't Vista fall too, due to an unpublished exploit in Flash?
Old 03-29-08, 04:08 PM   #8
BenLi
Quote:
Originally Posted by mlts22 View Post
Didn't Vista fall too, due to an unpublished exploit in Flash?
Yup. The order of failing went OSX, Vista SP1, Ubuntu.
Old 03-29-08, 04:17 PM   #9
jhota
after reading the article (and the links to "play-by-play" coverage), i don't think you can really draw any conclusions from this other than "don't visit suspicious websites."

well, that and "don't install Flash."

i think it's important to remember that none of the computers fell the first day - it wasn't until the hackers were able to take advantage of "user interaction" that they started falling.
Old 03-29-08, 08:08 PM   #10
mlts22 
This is a good reason to always run Firefox with Adblock and NoScript. On sites that are really notorious, perhaps consider a dedicated VM that you can roll back to a known good snapshot when it gets infected.

I wish operating systems would have a sandbox, if not a completely isolated VM, for Web browsers because they are so easy to compromise due to add-ons like Flash and the like. Vista is very good in this respect, as IE7 runs in a low security mode, but this doesn't stop add-ons from being abused.
Old 03-29-08, 08:41 PM   #11
v1k1ng1001
http://www.sandboxie.com/

You can use sandboxie although I almost never do. This would have saved me a lot of headaches 3-4 years ago.
Old 03-29-08, 08:48 PM   #12
Maelstrom 
Already posted, in that thread ...
Old 03-29-08, 08:50 PM   #13
Maelstrom 
Quote:
Originally Posted by timmyquest View Post
Oh, so what you're saying is that when an OS has more people focusing on it, it's more prone to fail? Or does that only work one way?
It appears to be a one-way street. All the focus for years has been on hacking Microsoft stuff; once the table turns a bit, it's suddenly unfair...

Good times, good times indeed.
Old 03-29-08, 08:51 PM   #14
Maelstrom 
Quote:
Originally Posted by mlts22 View Post
Didn't Vista fall too, due to an unpublished exploit in Flash?
Day 1 was OS hacking only
Day 2 OS with user interaction
Day 3 was 3rd party

No one got hacked day 1, all other OSes were expected to fall day 3 and OSX was the only one to fall day 2. (I haven't read my diggs on day 3 yet, I tend to avoid IT news on weekends haha)
Old 03-29-08, 08:54 PM   #15
Maelstrom 
Quote:
Originally Posted by mlts22 View Post
This is a good reason to always run Firefox with Adblock and NoScript. On sites that are really notorious, perhaps consider a dedicated VM that you can roll back to a known good snapshot when it gets infected.

I wish operating systems would have a sandbox, if not a completely isolated VM, for Web browsers because they are so easy to compromise due to add-ons like Flash and the like. Vista is very good in this respect, as IE7 runs in a low security mode, but this doesn't stop add-ons from being abused.
I don't have the article on hand, but I believe there is a new web browser on the horizon that is supposed to be very modular and potentially "sandboxed"...making it very difficult to hack as a whole unit. As the article put it "this generation of browsers are all insecure, the next step is to look at web sites as applications and browsers as the abstraction layers" something like that anyways. Good point of view, it will be interesting to see how this works in the world of execs needing stuff to work, period.
Old 03-29-08, 11:48 PM   #16
mlts22 
This is IMHO of course, but I think the security of a Web browser should be rooted in the OS layer, even perhaps the hardware layer, using the virtualization abilities of modern Intel or AMD chips. Having a modular browser is a step forward, but what really needs done is to have it completely sandboxed, either by Thinstall where any writes to the Registry or filesystem are virtualized to the app's user directory, or having a virtual machine similar to VirtualPC, with a shared directory for downloaded files.

This case, it's far more difficult to try to break out of a well-coded hypervisor, be it Xen, VirtualPC, or VMWare's, than to break out of any protected mode. The main reason is that a hypervisor has far less code that can be exploited than an OS and all the programs installed on it.

Even just getting code to run as a user is a significant step to getting admin or root access.

Last edited by mlts22; 03-29-08 at 11:53 PM.