Watch the video of the Ellch/Maynor presentation on a new method they discovered for remotely circumventing the security of an Apple Macbook computer to seize total control over the machine. For background and details, see the text below the video player for this morning's post.
Original Post -- 7:30 a.m. ET, Aug. 2:
If you want to grab the attention of a roomful of hackers, one surefire way to do it is to show them a new method for remotely circumventing the security of an Apple Macbook computer to seize total control over the machine. That's exactly what hackers Jon "Johnny Cache" Ellch and David Maynor plan to show today in their Black Hat presentation on hacking the low-level computer code that powers many internal and external wireless cards on the market today.
The video shows Ellch and Maynor targeting a specific security flaw in the Macbook's wireless "device driver," the software that allows the internal wireless card to communicate with the underlying OS X operating system. While those device driver flaws are particular to the Macbook -- and presently not publicly disclosed -- Maynor said the two have found at least two similar flaws in device drivers for wireless cards either designed for or embedded in machines running the Windows OS. Still, the presenters said they ultimately decided to run the demo against a Mac due to what Maynor called the "Mac user base aura of smugness on security."
"We're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something," Maynor said. "The main problem here is that device drivers are a funny mix of stuff put together by hardware and software developers, and these guys are often under the gun to produce the code that will power products that the manufacturer is often in a hurry to get to market."
Maynor said he and his colleague opted in favor of a videotaped demonstration versus a live one because of the possibility that someone in the audience could intercept the traffic sent to a potentially live target and deconstruct the attack -- possibly to use the exploit in the wild against other Macbook users.
One of the dangers of this type of attack is that a machine running a vulnerable wireless device driver could be subverted just by being turned on. The wireless devices in most laptops -- and indeed the Macbook targeted in this example -- are by default constantly broadcasting their presence to any network within range, and most are configured to automatically connect to any available wireless network.
But according to Maynor and Ellch, this attack can be carried out whether or not a vulnerable targeted laptop connects with a local wireless network. It is, they said, enough for a vulnerable machine to have its wireless card active for such an attack to be successful. That's a trivial demand, given that most wireless devices embedded in laptops these days are switched on by default and are configured to continuously seek out available wireless networks.
Because the software that powers these wireless devices operates at such a fundamentally low level of the operating system, traditional system safeguards like firewalls and anti-virus software most likely will not stop the operating system from accepting a maliciously crafted network probe from an attacker seeking to exploit device driver-specific flaws. The result, said Maynor, is that a system using poorly designed device drivers is vulnerable to compromise just by doing what it was programmed to do.
But that explanation eclipses the larger point that Maynor and Ellch said they are trying to get across: Namely, that wireless device drivers are largely developed and written by an odd mix of hardware and software developers in an environment where time-to-market often trumps any thorough code review for potential security flaws.
Apple -- like many computer manufacturers -- outsources the development of its wireless device drivers to third parties. In Apple's case, the developer in question is Atheros, a company that devises drivers for a number of different wireless cards, each designed with drivers specific to the operating systems on which they will be used.
Maynor and Ellch also found two different device driver flaws for wireless products aimed at Windows systems. This is notable because it points out a security loophole in the way that Microsoft has traditionally processed device drivers. Any time a Windows XP user tries to install a device driver, the system checks whether that driver has been "signed" or approved by Microsoft so as not to cause system stability problems. Many third-party wireless cards designed for Windows systems are not signed by Microsoft, and the system will throw up a warning to that effect any time a user tries to install an unsigned device driver.
But according to Maynor and others, Microsoft only recently began testing whether its approved or "signed" device drivers introduced unforeseen security weaknesses into the system. Microsoft is trying to rectify that problem with Windows Vista -- the next version of its operating system -- by only allowing the installation of device drivers that have met the company's security testing procedures.
After the demo, Ellch (who is currently pursuing his master's degree in computer security at the Naval Postgraduate School in Monterey, Calif.) will talk about a new tool he's developing that can remotely scan and figure out the chipset and driver version of a wireless device on a target computer. So far, Ellch said the tool currently recognizes 13 different wireless device drivers, breaking them down by operating system and firmware version.
"I'm getting this tool to the point where it can tell you not only how many people in a room are running, say, Centrino or Broadcom devices, but that 'x' number are running them on a Windows box with a specific version of the driver," Ellch said. "The useful thing for that information is that if you have a device driver exploit and it's version-specific, you could tweak [the exploit] before you launch it."
Maynor said he and Ellch have been in contact with Apple, Microsoft and other companies responsible for vetting the device drivers that power the embedded or third-party wireless card devices meant for those systems, and that both companies are working with wireless card vendors and original equipment manufacturers (OEMs) to remedy the problems. Assuming the wireless device driver makers affected by these flaws fix the problems, it may be an uphill battle for those vendors to find an easy way for users to upgrade that software.
I should note here that while the bad guys may or may not have known about these security weaknesses for some time, there is not a single shred of evidence that these flaws have been exploited "in the wild" (as security companies like to say). That said, it might not be a terrible idea to take advantage of the button on your laptop that allows you to turn off the machine's constant search for wireless networks when you're not actively trying to go online.
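An added example, not from the original post or from the researchers: a small audit that reads a driver inventory and flags wireless drivers older than a vendor's fixed version, reporting signature status separately because, as noted above, a signed driver is not necessarily a security-reviewed one. The inventory rows, vendor names, `host` column and fixed versions are constructed placeholders; the other column names follow Windows' `Win32_PnPSignedDriver` class.

```python
import csv
import io

# Constructed sample inventory. Every row is made up for illustration.
SAMPLE_INVENTORY = """\
host,DeviceName,DeviceClass,DriverProviderName,DriverVersion,IsSigned
lab-01,Example 802.11g Adapter,NET,ExampleChip,4.2.2.7,True
lab-02,Example 802.11g Adapter,NET,ExampleChip,4.2.2.9,True
lab-03,Sample Wireless PC Card,NET,SampleNet,1.0.3,False
lab-03,Example Ethernet Controller,NET,ExampleChip,9.1.0.0,True
lab-04,Other WLAN Mini Card,NET,OtherCo,2.5,True
"""

# Hypothetical advisory data: first driver version that carries the vendor's
# fix. Placeholder values, not taken from any real advisory.
FIXED_IN = {"ExampleChip": "4.2.2.9", "SampleNet": "1.0.4"}

# The NET device class also covers wired adapters, so match on the name.
WIRELESS_HINTS = ("802.11", "wireless", "wlan", "wi-fi", "airport")


def is_older(installed, fixed):
    """True if dotted version `installed` sorts before `fixed`.

    Both sides are zero-padded to the same length so '2.5' equals '2.5.0'.
    Raises ValueError on non-numeric components such as '4.2b'.
    """
    a = [int(p) for p in installed.strip().split(".")]
    b = [int(p) for p in fixed.strip().split(".")]
    width = max(len(a), len(b))
    a += [0] * (width - len(a))
    b += [0] * (width - len(b))
    return a < b


def classify(provider, version, fixed_in):
    """Return 'update-needed', 'fixed', 'no-advisory' or 'check-manually'."""
    fixed = fixed_in.get(provider)
    if fixed is None:
        return "no-advisory"
    try:
        return "update-needed" if is_older(version, fixed) else "fixed"
    except ValueError:
        # Unparseable version string: do not guess, hand it to a person.
        return "check-manually"


def audit(inventory_csv, fixed_in):
    """Return one finding per wireless adapter row in the inventory."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        name = row["DeviceName"]
        if not any(hint in name.lower() for hint in WIRELESS_HINTS):
            continue
        findings.append({
            "host": row["host"],
            "device": name,
            "version": row["DriverVersion"],
            # Signature status is reported, but never used to decide
            # whether the driver is safe.
            "signed": row["IsSigned"].strip().lower() == "true",
            "status": classify(row["DriverProviderName"],
                               row["DriverVersion"], fixed_in),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, FIXED_IN):
        print("{host:7} {device:26} {version:9} signed={signed!s:5} {status}"
              .format(**f))
```

In the sample, `lab-01` is signed yet still needs an update, which is the gap between "signed" and "security-tested" that the post describes.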
By Brian Krebs | August 2, 2006; 6:45 PM ET | Category: Latest Warnings
What a great quote:
"the presenters said they ultimately decided to run the demo against a Mac due to what Maynor called the "Mac user base aura of smugness on security.""
Posted by: Slummin | August 2, 2006 08:26 AM
amanda m - you only need to have your wireless card running for it to be potentially exploited. It doesn't have to join a network. Disable the card when you're not using it.
Posted by: Brian | August 2, 2006 09:29 AM
Thank you for this article. I just went in and told my macbook to ask before joining any wireless network. I did have it set to automatically join.
Posted by: amanda m. | August 2, 2006 09:40 AM
I only insert my Wi-Fi card if I need to be on a network. Of course that doesn't solve this problem, but it does mean the notebook is not a constant target.
Unfortunately as PC card slots are reduced in number and most notebooks have built-in wireless, disabling it actually requires a thought process that most of us won't make time for.
Maybe protecting against driver hacks is the next opportunity for the firewall industry. Thanks Brian!
Posted by: OhioMC | August 2, 2006 10:52 AM
Does this security flaw affect desktop computers running on home wireless networks?
Posted by: TAC | August 2, 2006 10:53 AM
So, this actually has nothing at all to do with it being a Mac, other than an opportunity for a windows user to crack a smirk. When that smirking guy actually reads the article, he/she/it will realize that this exploit is there for whatever operating system is running on the affected hardware. It is an exploit for specific third party hardware. I guess actually this is a testament to OS 10.4, that someone has to go to such great lengths to hack it.
Good job sticking it to those stuck up Mac users!
Posted by: Jer | August 2, 2006 11:07 AM
"Still, the presenters said they ultimately decided to run the demo against a Mac due to what Maynor called the "Mac user base aura of smugness on security."
Eh? We use Macs because they're lovely machines to work with. Smugness implies that we think we are somehow better than the people that use Windows? Well, that's not the case. We are better off than most computer users for security. Smug? No. These guys should point out the inevitable flaws in systems - not make some tired tirade against Mac users. Boring.
Posted by: Harveypooka | August 2, 2006 11:17 AM
It's worth remembering
1. There are over 25 million mac users out there. That installed base is certainly large enough to propagate an attack
2. When the Vista beta came out, to fewer than 10,000 people a virus appeared for it within a week
So much for the security via obscurity myth.
To date no virus, no worm, no malware, no spyware has been successfully launched and spread against OS X.
There ARE viruses for Word of course..but these have no effect on the OS itself and are easily removed with free software.
Hackers and script kiddies have switched in recent times to more lucrative pursuits with less malice and more profit in mind. Hence the targeting of those systems most commonly used in business. Follow the money.
If macs were used heavily in business they would likely be attacked more frequently...but it's not worth it MONETARILY.
If it were only about "hacker pride" wouldn't infecting 3 million or 5 million or 25 million users be something worth bragging about?
Posted by: PR | August 2, 2006 11:18 AM
Mac people rag on PCs because they are less secure, but that doesn't make PCs inherently inferior. There are many aspects to consider when judging a computer or operating system. Both Mac and PC fanatics are missing the point.
Posted by: Nick | August 2, 2006 11:18 AM
Most Mac users realize that their computers are vulnerable to hackers. That is not the same thing as saying that Macs are vulnerable to viruses.
Brian, anxious to denigrate Mac security, fails to put this exploit in perspective. The target of this exploit has to be within wireless range of the hacker. Compare that to an exploit where the target has to be connected to the internet.
Posted by: | August 2, 2006 11:24 AM
Michael: They would not be doing a talk at Blackhat with the world watching if they didn't have a working exploit. If it is all bunk, their reputations are gone.
It's tough to say exactly how this attack works without all the details, however drivers are software, software is vulnerable to exploitation (i.e. buffer overflows, etc...), which leads to total system control.
This is merely a different vector for an attack.
Posted by: PaulDotCom | August 2, 2006 11:25 AM
This whole debate got me switched to Mac. There is no doubt the OSX is secure, besides being rock solid, easier to use and prettier. I don't care if the Mac gets a few vulnerabilities as I'm confident Apple will fix them swiftly. After all Apple doesn't have the huge problems Microsoft has with Windows and Office.
I'm delighted with my switch to Mac and from what I see the Mac community isn't made up of hackers and swindlers. It's made up of honest decent people like me getting on with their lives.
Posted by: Jon | August 2, 2006 11:29 AM
ever wonder why macs aren't targeted nearly as much as pcs? it's the same reason why firefox is a safer bet than internet explorer: user base. there are far more pc users than there are mac users. therefore there are going to be more attacks on pcs based on sheer numbers. i myself want a macbook pro so i'm not speaking out against mac users, i just feel that this goes to show that they have a false sense of security. but then again so do all computer users.
Posted by: nhat | August 2, 2006 11:35 AM
PC users...just give it up already. No one who is "in the know" ever said Macs are completely invulnerable. The fact is, they are as invulnerable as you can get and that's all that matters. If you prefer 200,000 viruses to none (or a handful at best depending on your definition) or an OS that's much more likely to be hacked than not, then by all means keep your Wintels. If you want a much more secure system, then get a Mac. But if you think that a single or even a handful of exploits makes a Mac as vulnerable as a PC, then you're just trying to make yourself feel better about your choice to stick with a PC.
Posted by: John | August 2, 2006 11:35 AM
Let's just assume that there are fewer viruses, malware etc. for the Mac because of the much smaller userbase (I know it's not the reason, but let's just assume). At what percentage of marketshare or at what userbase number will the Mac be interesting for hackers/crackers to start writing viruses or other malware? Will it be at 20%, 25%, 40%, 50% marketshare? Who knows?
What I do know is that the Mac will not reach a significant enough increase in marketshare or userbase over the next 5 years. In other words, the Mac will remain to be uninteresting for malware writers for many years, if the criteria for writing malware is marketshare or userbase.
It's safe to buy a Mac in the next 5 years for sure. If you want to be safe and not have to deal with malware, your next computer should surely be a Mac!
Posted by: Sam | August 2, 2006 11:37 AM
What does "seize total control over the machine" mean? Does this mean they can seize control of the OS? Can they simply shut it down remotely? We need more information about what they can actually do once they "seize control over the machine."
I have heard enough hackers brag about what they can supposedly do and have it turn out to be the most trivial exploit. Tell us what they can actually do when they have control. I doubt they have full control of the Mac OS using this exploit.
Posted by: Troy | August 2, 2006 11:43 AM
you don't understand the point...when apple's user base grows, the potential for mac hackers grows. that's why firefox isn't as safe as it used to be. people continue to migrate to firefox and in turn firefox now is as much a target as internet explorer.
winblows isn't the only os dealing with security weaknesses:
http://blog.washingtonpost.com/securityfix/2006/08/apple_issues_bundle_of_securit.html
Posted by: nhat | August 2, 2006 11:45 AM
For crying out loud, John. You Mac people just don't get it. There are no hacks for Mac because no one cares about hacking Macs. Why would I design a virus that works on less than 10% of all computers? That would be dumb. The very nature of a virus means that it has to spread in the wild, and you therefore need to target the largest number of machines. How well do you think a virus targeted at Commodore 64 machines would do? Same scenario here, my friend.
Posted by: Smithers, | August 2, 2006 11:49 AM
I agree about the user-base issue. I also agree that the Mac OS has its security issues in general; this is just a consequence of Apple making the switch to Unix. Still, until things change, the Mac OS is still the most secure OS out there. If and when things change so that the Mac becomes more of a burden to maintain than a PC, then I'll be the first to say enough is enough. Until then, I see no point in continually saying "things might get worse." When I actually see them getting worse to the point where it's a practical concern, then I'll make a move. And I'm not talking about something that affects a few dozen users before they updated their OS (as was the case with an Airport issue a while back); a proof-of-concept hack; or something someone claims to have working in a lab somewhere. Let's be realistic.
My house isn't 100% secure. If someone wants to break in, they'll get in. Does that mean I should install a security system, get a watchdog, bar my windows, etc.? I have to assess the probability of an actual break-in.
Posted by: John | August 2, 2006 12:01 PM
Oh Gee...wireless is less secure than wired. DUH! Oh Gee, if I have my computer set up to blindly connect to any network, it's a security risk. DUH! So here are my default settings for my wireless. I use a minimum of WPA personal security and only connect to specified networks by name. My wireless network is also MAC address filtered. This should be the minimum level of security used by all wireless networks. If that were the case, I'm just a little bit curious about how this hack could break in.
Posted by: Lee | August 2, 2006 12:07 PM
I'm a mac user. I'm not one of the morons that the presenters are referring to. This isn't even about a Mac. This is about Atheros, Intel, and others.
People should avoid stereotypes.
I'm at BlackHat but going to skip this presentation because it just lost merit in my eyes.
Posted by: Joe | August 2, 2006 12:08 PM
>There are no hacks for Mac because no one cares about hacking Macs. Why would I design a virus that works on less than 10% of all computers? That would be dumb.<
Yup, according to IDC, Mac's current USA market share is a whopping 4.8%, and their worldwide market share is somewhere below that of (who?) Fujitsu/Fujitsu Siemens.
Posted by: John Johnson | August 2, 2006 12:18 PM
Smithers, I do get it. As you can see in my last post, I do agree with the user-base issue. But that's only part of it...
Look at application installation as one example of security. On a Mac, in order for an application (real or malicious) to be installed, the logged-in user has to be an admin user and THEN the user has to enter the admin password for the installation to proceed. Windows makes the user an admin user by default and no password is needed. So right there, you have a major Windows security flaw. Also, by default, the Mac OS has most of its ports closed while Windows has most of its ports open.
Sure, an admin user can change these things, but for the average user, they know nothing about this.
Anyway, while market share is an issue, these things are not related to that.
Also, WHATEVER the issues are, if one system has virtually no issues while another has many, I'll go with the first system. Until things change, the reasons behind the security issues don't matter much.
To stick with car analogies as the Mac/PC debate often uses...People sometimes consider theft statistics when getting a car. If I heard that there was an increase in the number of thefts of car X in some remote part of the country and that the increase in thefts of car X MIGHT be increasing and MIGHT be spreading, would that deter me from getting car X if I really liked the car, it was everything I wanted in a car, and I never heard from anyone I know with car X that they experienced a theft? Probably not.
Posted by: John | August 2, 2006 12:20 PM
I'll be the first to call their bluff, for one to say it gives total control is highly unbelievable. A video proves nothing, just merely someone can manipulate it.
I have watched videos of the beta apple ipod videos that I would have thought were real unless told otherwise.
Sorry this just does not add up. I'll need hard proof before I believe these two clowns are out for nothing more than name recognition.
Posted by: Michael | August 2, 2006 12:25 PM
Bear in mind that the presenters at Blackhat were more grumpy about Apple's current *marketing* push on security than they were about Apple's users.
Someone up there wrote: "I don't care if the Mac gets a few vulnerabilities as I'm confident Apple will fix them swiftly."
Apple has not done a great job of delivering working security fixes for OSX in a thorough, timely fashion. Part of their problem is that doing so would be admitting there are as many security issues as there are. Apple's PR budget is invested in not doing that.
OSX is based on freeBSD - and freeBSD is a very secure system. A lot of porn sites use freeBSD because it is so secure. So, there's money to be made on freeBSD exploits, because there are databases of credit cards at the porn sites.
Problem is, if someone develops something clever that's primarily designed to go after freeBSD and it's either trivial to include OSX in the exploit, or OSX simply is included because of the shared code base, Apple may have a long process to address it.
One possibility: the exploit doesn't take freeBSD systems down, but it does take OSX down, and it spreads as a worm.
The fix requires either boot from CD or boot to command line mode, and takes several days to emerge.
Posted by: roustabout | August 2, 2006 12:29 PM
Today, on another web site, it states:
"Apple Computer issued on Tuesday updates for its Mac OS X operating system to fix 26 security flaws, some serious."
So much for claims that Mac OSX is oh-so-perfect, and security-flaw-free.
Posted by: John Johnson | August 2, 2006 12:33 PM
The thing is, who wants to put a virus out on a system that won't spread? It won't spread not because the OS is more secure, but no one uses the OS in the first place.
Secondly, even if someone does make a virus or hack a mac. What are they going to do, shut down the system? There's hardly any software to do anything malicious anyways.
Let's take a look at one of the mac commercials. The commercial involves entertainment. The mac commercial poses a normal PC having no sorts of real, fun entertainment while a mac has video editing software of the sort. Great, you can do videos, so can the rest of the world. And guess what? The rest of the world can play the millions of "fun" games on the PC's while the mac can't.
Posted by: anon | August 2, 2006 12:44 PM
Thanks for the warning. My husband just bought me an external wireless card for my PC. I was not aware my PC could be hacked this way. Now I will limit the amount of time my card stays in my PC, just as I now unplug my network cord when not on line.
My motto: If they can't see it; they can't hack it.
Posted by: Louann O | August 2, 2006 12:47 PM
Most Mac users realize that Macs can be hacked. There is a big difference between being vulnerable to hackers and being vulnerable to viruses.
Brian, anxious to denigrate Mac security, fails to put this exploit in perspective. The target of this exploit needs to be within wireless range of the hacker. Compare this to an exploit where the target needs to visit a website, receive an e-mail, or just be connected to the internet.
Admittedly, this exploit is potentially more subtle than a Trojan horse.
Posted by: Myles | August 2, 2006 01:00 PM
anon,
Please read some of the earlier posts.
As for the other "arguments" you present, while each camp can present specific examples about the availability and quality of software that bolsters their point of view, in general, these arguments are both fallacious and about 10 years old.
Posted by: John | August 2, 2006 01:03 PM
Mac vs PC. PC vs Mac.
Nonono people.
Mac = PC. PC = Mac.
Same fnording hardware! The only real difference to the end user is the OS you slap on the thing. MacOS, Windows, Linux, BSD, what-have-you.
I just wish all the "sides" beating their chests over how superior their "side" is would just shut the hell up. Your computer is a tool. Not a lifestyle statement. Just use the tool and put it away when you're done!
Posted by: Chas | August 2, 2006 01:04 PM
>Most Mac users realize that their computers are vulnerable to hackers. That is not the
>same thing as saying that Macs are vulnerable to viruses.
Crooks don't target macs for the same reason that most game companies don't: the user base is too small to warrant the effort.
If Macs ever have a user base that's large enough to justify the effort to attack it, we'll find out how secure it is.
Posted by: kc | August 2, 2006 01:08 PM
Brian, any FBI takedowns yet?
Posted by: Pete in Arlington | August 2, 2006 01:18 PM
Mac users aren't "better" -- Macs are better.
There's a hospital where virtually no one dies of infections. Some say it's because hardly anyone goes there. They get great care there and have all the services that anyone needs. AND no one ever dies from infections. Infections just don't exist there.
There's another hospital where there is a very high infection rate and many people die there.
Many people say it's a more popular hospital and almost *everyone* goes there -- so I should go there. They have a very large support staff to fight infections and they say they can fight off their 200,000 infections that are roaming the hallways or are coming in with the people.
And the fact that so many people die there is simply because it's such a popular hospital. I guess you just take your chance at that place -- and your chances are not very good.
No thanks, I'll go to the hospital that has virtually no infections and no one dies.
I like the "better" hospital, thank you -- not the more popular one.
I like my peaceful and nice existence -- not one of fighting off all the diseases every day.
Posted by: Eliakim | August 2, 2006 01:19 PM
This comment area seems to have become a forum for MAC vs PC.
Your Point?
For $12,000 less than I could have built it with a MAC - I have a fully operational to code recording studio with which I am producing my music on a pro level without selling my home.
God bless the folks that design productivity software/hardware for PCs.
Oddly enough, a lot of the really creative people in this world aren't able to channel their energies towards making the really big money. Some of us spend too much energy being creative. I love my PCs.
Maybe if they make me enough money, I'll replace them with MACs.
Peace In Our Lifetime...
Posted by: Piperllew | August 2, 2006 01:40 PM
If Macs have 10% of the user base of Windows, shouldn't it have 10% of the number of viruses? No. It has zero. Because it is better designed. There are more Mac users than Linux users, and yet there are lots of exploits that take advantage of Linux.
And Eliakim is right: Who cares /why/ there aren't viruses. There just aren't any. That's an advantage.
And millions of people use Macs, not "nobody."
Posted by: jgn | August 2, 2006 01:51 PM
When you look at /home/ users instead of bulk corporate buyers, Macs have a much higher market share. Apple sold 15% percent of all laptops last quarter, for instance. Laptops are purchased more by individuals than by IT departments. If the know-nothing, MSCE-ridden IT departments of the world actually knew a thing or two about computers, they'd all be on Linux, Free BSD and OS X in a heartbeat.
Posted by: jgn2 | August 2, 2006 02:00 PM
Most of you users out there are assuming that Mac=osx and PC=Windows... I have found aLinux to be very stable on my desktop and have not had any virus or spyware trouble. Aside from that, it comes with all kinds of security features, and I don't have to pay anyone. I have open office and even have all of my hardware supported.
Posted by: Jordan | August 2, 2006 02:01 PM
The argument that Macs are too rare to attract viruses doesn't make sense to me. UNIX and Mac are just more secure.
Apache runs a majority of web servers and a minority run on Microsoft software, yet virtually all virus attacks on web servers go after the Microsoft software, because it's vulnerable. Even though it has a smaller user base.
Posted by: Drew | August 2, 2006 02:03 PM
Why can't they demonstrate it live? They have to do it via videotape? I think that something's fishy...
Posted by: Whatever | August 2, 2006 02:18 PM
1. Most of the know nothing IT departments are running purchased software that is certified by the vendor to run on certain platforms. If it isn't certified for Linux, FreeBSD or OS X, then very few IT managers are going to go out on the limb to try to make it work.
2. I love people trying to make healthcare analogies to IT. If I told you there is a hospital that, by design, is less susceptible to patients receiving infections, would you jump at the chance to go there? Now if I tell you that it is a psychiatric hospital (with few patients with infectious diseases), would you still be jumping? Just because the Mac is better-designed to withstand viruses and worms (something I'm not prepared to accept as fact) doesn't mean it does what I need it to do. Just like I'm not going for heart surgery at a psych hospital.
Posted by: Jim | August 2, 2006 02:29 PM
"It's worth remembering
1. There are over 25 million mac users out there. That installed base is certainly large enough to propagate an attack
2. When the Vista beta came out, to fewer than 10,000 people a virus appeared for it within a week"
sure, and guess how many people will have vista installed when its released? a lot more than 10,000. and the virus that appeared for it will already be fixed, but what about the viruses that people are coding for it and being smart enough not to release them yet? they'll be hitting a lot more than 10,000 users because millions will have it loaded.
the people who are making viruses for the "obscure" vista were still making them for a larger user base
Posted by: chris | August 2, 2006 02:35 PM
Jim,
In response to your second point, of course. And I would say the same to Jordan with respect to Linux on PC. I think it's safe to say that most people are talking about the general user. Most people do basic stuff on their computer. Most people who have a PC run Windows. And so on.
I would also say that with Intel-based Macs, using Boot Camp or Parallels now gives a user the best of both worlds.
Posted by: Rich | August 2, 2006 02:39 PM
I am a (preferred) Mac user, using both OSX and XP Pro on the job. Though neither programmer nor hardware geek (most of the time), I noted the target is the Mac with Intel "core" (single or duo). Would the vulnerability be applicable to a Mac with the G5 chip and a wireless card, running v 10.4?
Just wondering.
Posted by: Glenn | August 2, 2006 02:50 PM
I switched my business from powerful Windows machines to MAC Dual Processor G5 systems in 2004. At the same time I purchased some Apple stock. I have spent 0 minutes maintaining the OS of these systems since that date. I have processed 50% more graphic-rich business content, received more customer service compliments, and reaped substantial business and investment profits as a result. Apple is a market-driven solution to the Microsoft monopoly.
Posted by: Tom | August 2, 2006 02:58 PM
Actually, one of the fundamental propositions of this supposed attack I believe is false. The default Airport card setting isn't to automatically join ANY available network, but to ask before joining an unknown network. You can however set it to join any, which you would then need to reverse in order to disable this vulnerability.
I've been wireless for almost 5 years now, and my normal setup procedures do not involve disabling the default behavior, which is to quote from the control panel for the "Automatic" setting: "Airport remembers the networks this computer has joined. If none of the remembered networks are available, AirPort will ask before joining an open network."
Posted by: Brad | August 2, 2006 03:17 PM
According to Consumer Reports, 9/2006 ed., Consumer Reports National Research Center, "State of the Net":
Viruses infect PCs at the same high level as last year. 1 in 4 had a major, often costly problem. Economic fallout per incident $109, total damage $5.2 billion.
Spyware infections, in the last six months, prompted nearly a million U.S. households to replace their computer. 1 in 8 had a major, often costly problem. Economic fallout per incident $100, total damage $2.6 billion.
My question: how much of these enormous costs have been incurred by users of Mac OS X since its release?
Should a person considering the purchase of a Mac factor in the cost of virus protection now, or should that person hold off purchasing virus protection until some virus actually affects, oh, over a dozen different Macs? What about spyware protection? Should the Mac user install what is recommended for every PC owner, two anti-spyware programs? Or should the potential Mac owner wait until, oh, over a dozen of the 15 million Mac OS X users actually have spyware installed surreptitiously?
How many years have we heard these predictions of "Just you wait, you Mac users will get yours." I've heard the sky is falling for the four years I've been using OS X. Please, come into the sunshine. It's nice and bright and refreshing out here. When the weather changes, then I can invest in all the apps the PCs have to run to protect themselves, and the concomitant processing power those programs consume. Until then, Chicken Littles...
Posted by: WhitIV | August 2, 2006 03:22 PM
Someone wrote;
"...for crying out loud, John. You Mac people just don't get it. There are no hacks for Mac because no one cares about hacking Macs. Why would I design a virus that works on less than 10% of all computers? "
Because you would be famous beyond your little hacker imagination. Write a PC virus...who cares join the thousands! Write the first out in the wild mac virus, you're on the front page of the CNN web site!
Duh!
Posted by: jeffsters | August 2, 2006 03:56 PM
So did it work? It's 4PM on the east coast and I haven't heard yet.
Posted by: Peter | August 2, 2006 03:59 PM
Yea, these are so confident they'll only do it at home and videotape because they know in REAL LIFE situations - the Mac is pretty impervious.
Here's an analogy even the Washington Post might understand. Macs are US Army Rangers. PC's are sleepy tourists with a camcorder poking out of their bag under their feet. That's not to say you can't take down a US Ranger ever but if you're a pickpocket, who is the much, much easier target?
Is it possible somewhere on this planet there is a mac user with his firewall off and his wireless left wide open? Of course, there are 25 mac users but it's much harder work because there are layers of protection ... most PCs - all protection off ... you do the math.
These guys are pulling a fast one on you - what's next, will they hack into the DOD and give you area 51 files?
Posted by: jbelkin | August 2, 2006 04:10 PM
"Apple Computer issued on Tuesday updates for its Mac OS X operating system to fix 26 security flaws, some serious."
So much for claims that Mac OSX is oh-so-perfect, and security-flaw-free.
-------------------
Uh, nobody said that.
The majority of such security flaws are in Unix utilities, many of which the average user never uses. Does it count against the platform as a whole? Sure. Does it mean a large portion of the userbase was exposed? No, because they don't utilize that utility.
Posted by: Wade | August 2, 2006 04:16 PM
John
Maybe, but when I think why the people I know, and why I am using a regular PC, I find myself using them not because of security, tech support, or the like. I use them because the market uses them. If the mac market was dominating, I would use a mac instead. There's no if, but, or and about that. Many of us (friends, family, and other people I know) don't use macs because in a way, they are useless to us. I agree that being useless to us, doesn't mean it is useless to everyone -- it's not. But the fact is, the things I want to do, the things I can do, and the things I look forward to doing on my PC, I can't do on the mac. This goes with most people I know.
People use specific OS for different situations. Here at work, we use unix for servers, while most other regular machines run windows. We had one apple machine that we purchased for one of our artists and when he left the company, the mac was up for grabs. Even though the mac machine was faster, no one wanted it. Not because they didn't know how -- they could learn -- but because their windows machines were compatible. Albeit compatible with virii, trojans, worms, and the like, but still compatible. I think that's the biggest here. Compatibility. If I can move all the programs that I'm using right now over to a mac machine w/o problems, I'd be more than happy to do so.
Posted by: anon | August 2, 2006 04:28 PM
Wanted to add
So this whole thing about security on mac/PC/etc and why one is better than the other is because of this is total BS.
Posted by: anon | August 2, 2006 04:33 PM
Hmm. 1 in 8 chance of losing $100 vs. 100% chance of spending... how much more for a Mac? I would sooner take my chances behind my router and the free AV software from my ISP.
Whatever, the choice was made to present it on Macs to show that the problem is driver-related and OS-agnostic (and because the ads ARE obnoxious. My pie charts are much more colourful than that).
It's not a Mac vulnerability, it's a wireless driver vulnerability. The choice was made to not demo it live because...
IT'S WIRELESS, PEOPLE! At a hacker conference! Using an undocumented and unpatched vulnerability!
Which, of course, will affect no one using a MacBook, because those aren't the kinds of things that will be used in wireless hotspots. And, of course, city-wide wireless networks will do nothing to increase the range of such attacks.
What I hate most about the PC vs. Mac / Win vs. Linux vs. OS X / Closed vs. Open Source security debates is the lack of scientific method to the conclusions. It's called Ascertainment Bias and I've never seen anyone involved overcome it.
Posted by: sr | August 2, 2006 04:44 PM
This argument is kind of stupid. Yeah, Windows has things on by default while OSX has it off by default. In the end, it's the intelligence of the user that matters. Right now, I think macs tend to attract smarter users. If wholesale Mac adoption happened, I'm sure there would be plenty of stupid users giving admin permission to anything and plenty of stupid tech support people who tell users to turn off such and such security setting.
Posted by: tallbear | August 2, 2006 04:50 PM
actually, mac os x is more secure, not because of obscurity, but because:
1. it's based on unix and has the same system of privileges.
2. os x comes with most of its ports closed, so there are fewer doors through which an attacker can enter.
3. you have to either have admin access or enter your password before installing software.
4. offers per-user harddrive encryption (in case your computer is ever stolen).
that doesn't mean it's invulnerable. but it does mean there are fewer 'ports of entry'
Posted by: tiffany | August 2, 2006 04:58 PM
Anon...From my experience, it's just the opposite: most people don't do anything that requires Windows. The average user uses applications for e-mail, Web browsing, word processing and spreadsheets, and that's about it. That's not to say a lot of people don't need Windows for specific apps. They do. In that case, however, why not use Boot Camp or Parallels? And I would reiterate that in response to what you said: "If I can move all the programs that I'm using right now over to a mac machine w/o problems, I'd be more than happy to do so."
Posted by: John | August 2, 2006 05:00 PM
Try outfitting a series of PCs to match the hardware/software included with the Mac line and then factor in the additional costs for third-party apps to secure a PC plus the time/money involved with maintenance. You'll find that, overall, PCs will cost about the same or more.
Posted by: Jim | August 2, 2006 05:05 PM
Well, these guys are lucky they recorded this because the security update that Apple just came out with might put a wrinkle or two in their demo.
I'm interested how far they could take that vulnerability. Can they hijack the whole system or what?
Posted by: Jim Hillhouse | August 2, 2006 05:13 PM
If you feel safer using Vista or Xp, go ahead, but the warm and fuzzy feeling is the only thing you'll get.
Most universities require all Windows machines to run special security related software before you can use their networks, but require nothing for a Mac.
If you haven't used a Mac recently, go check it out. It is cheaper than a PC that has the same quality of equipment. Sure you can buy a piece of crap for less, but it's still a piece of crap.
About the only thing you can't do is run all the games. Of course, kids today play flash based games on-line and don't buy games unless it's for their xbox or psp. And I expect that to change as Mac sales soar this year as people decide Macs are much cooler and work better than a PC. The enterprise won't be far behind.
Posted by: cfJeff | August 19, 2006 at 04:27 PM