Page 4 of 5 FirstFirst 12345 LastLast
Results 61 to 80 of 82
  1. #61  
    Quote Originally Posted by cmaier View Post
    ... In the end, if it takes a month to hack vista and 10 seconds to hack OS X, vista is still "less secure" because there's much more of a chance someone will actually exploit the hack. One can do far more damage/reap more rewards with a vista hack. Neither OS gives me the warm fuzzies, however.
    These contests would be better if they were "standing"....that is each contestant who breaks gets a prize and keep going......certainly cheaper than paying a bunch of cash to peeps imported into Redmond / Cupertino on H-1B Visas to sit in a room and try and figure this stuff out. Heck, MS programmers designed an "upgrade authentication system" that doesn't actually require you to own a previous OS version to do a clean install with an "Vista Upgrade" DVD. Compare their salaries to $5k or so given out once a week and you gotta come out ahead.

    I think the biggest things that came outta this year's contests are:

    1. Not only did no one win on the 1st day, but no one even bothered to enter. That's a pretty solid indicator of security.

    2. As the author of the Vista break in noted, these kinds of 3rd party invasions could easily be ported to any other OS.

    3. For those who ran off spouting about the superiority of their favorite OS, eating crow sure does suck.
  2. Minsc's Avatar
    Posts
    967 Posts
    Global Posts
    974 Global Posts
    #62  
    So if you're a Microsoft fanboy, and the home team has delivered security abominations like Windows, IE, and IIS, don't you forfeit your right to ever criticize other products/technologies?
  3. #63  
    Don't forget Office! This week's Word/ Jet vulnerability means a .mdb file can really harshen your mellow. Micrsosoft's recommendation? Call the FBI...
    Editor-in-chief, iMore
    Executive producer, Mobile Nations
    Co-host, Iterate, Debug, ZEN & TECH, Ad hoc, MacBreak Weekly
    Cook, grappler, photon wrangler.

    http://www.imore.com
    http://www.mobilenations.com
    http://twitter.com/reneritchie
  4.    #64  
    Wow, this topic certainly has the mac fanboys riled up. I guess its shakes their fundamentals, realising not only that Apple does not write perfect code, but that they have just as many vulnerabilities that MS this year, and also take longer to patch them.

    Look at Rene, for example, who is trying to turn this thread into a vulnerability p*ssing match, when he will be embarrassed to learn that Apple's vulnerability of the week also executes arbitrary code, and does not even mean you have to open up a strangely malformed word document, which anti-virus software should be perfectly able to protect you from.

    Overview

    Multiple integer overflows in libc in NetBSD 4.x, FreeBSD 6.x and 7.x, and probably other BSD and Apple Mac OS platforms allow context-dependent attackers to execute arbitrary code via large values of certain integer fields in the format argument to (1) the strfmon function in lib/libc/stdlib/strfmon.c, related to the GET_NUMBER macro; and (2) the printf function, related to left_prec and right_prec.


    Impact

    CVSS Severity (version 2.0):
    CVSS v2 Base score: 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
    Impact Subscore: 6.4
    Exploitability Subscore: 10.0
    http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1391

    But dont worry, Apple will rapidly provide a patch - slower than MS though, and no-one cares about the MacOS platform in any case, so there will be no exploit in the wild.

    For proof of what happens when attackers are determined, one does not only have to look at competitions like PWN2OWN, but at the shocking inability of Apple to protect the iPhone from being hacked. Be glad desktop OSX was never as popular.

    Surur
    Last edited by surur; 04/01/2008 at 04:45 AM.
  5. #65  
    LOL. I humbly apologize for letting reality intrude on your little bash-fest.

    Pointing out a vicious exploit in the wild and actually harming execs as we speak is, of course, nothing compared to the millions of theoretical FOSS exploits we'll never have to deal with in IT.

    My bad
    Editor-in-chief, iMore
    Executive producer, Mobile Nations
    Co-host, Iterate, Debug, ZEN & TECH, Ad hoc, MacBreak Weekly
    Cook, grappler, photon wrangler.

    http://www.imore.com
    http://www.mobilenations.com
    http://twitter.com/reneritchie
  6. #66  
    Surur,

    The fact that windows users have to rely on aftermarket anti-virus software indicates my point: the plumbing is rotten.

    BTW: printf is used only to print to the console; while mac does have a console, i would imagine most programs use NSLog which, i believe, does not use printf. Some commandline utilities, particularly direct recompiles of unix code, would use it, of course. I've coded posix forever and never used the GET_NUMBER. Cocoa and Carbon provide their own frameworks for performing similar functionality, so it will be rare that these things, particularly with the appropriate format fields, occur in mac software (if ever).

    Seems to me that exploiting this on the mac would require getting the user to install a program first.
    Last edited by cmaier; 04/01/2008 at 09:10 AM.
  7. #67  
    Quote Originally Posted by cmaier View Post
    The fact that windows users have to rely on aftermarket anti-virus software indicates my point: the plumbing is rotten.
    That's quite a jump. I would say the reason is that there are more viruses in the wild. The reason there are more viruses in the wild, is because Windows is more widely deployed than Mac. More = bigger target. If Apple does unseat Windows or gets even larger, than they will probably see it too.
    "Whenever I feel like exercise I lie down until the feeling passes."
    -Robert Maynard Hutchins


    Palm Pilot 1000 -> Philips Nino -> Handspring Visor Deluxe -> Alltel Kyocera 7135 -> Cingular Treo 650 -> AT&T Blackjack II -> AT&T Treo 750 & Epix
  8. #68  
    It's not a jump at all. You are spouting conventional wisdom (which, as I already mentioned a page or two back, I largely agree with). But don't ignore the actual technical differences between these operating systems. Not all operating systems are the same.

    Quite simply, the architecture of an operating system should be such that antivirus software is not required.

    To the extent that this is not possible, antivirus should be included in the OS.

    Process separation, code segment randomization, hardware page protection, code signing, appropriate object access controls, signed pages, etc. can all be used to eliminate the need for antivirus.

    I'm not saying mac is much (if any) better than windows at this. I am saying UNIX is much better than windows at this.

    Certain things on windows, such as dll management, incorporation of user-level-code in lower levels of the OS, the central registry, and the fact that for backward compatibility reasons it still allows self-modifying code(!!!) thus blurring the distinction between code and data, all lend themselves to security problems.

    Another way to look at it: from a technical perspective, if you can crash an OS you can often exploit the crash to hack the OS. Despite the fanboy's personal anecdotes to the contrary, windows crashes a lot more than UNIX (where uptime is often measured in years). Linux crashes a lot less than windows, and mac probably crashes a little less often than vista. These crashes indicate the "goodness of the plumbing."
    Last edited by cmaier; 04/01/2008 at 09:25 AM.
  9. #69  
    What kind of machines make up the vast majority of storm ?

    The botnets are what we should all be afraid of because cleaning up a bot net is a very difficult thing to do.

    Microsoft uncorked a genie from the bottle and now we all must contend with the result as well as figure a way to stop the botnets.

    In case you don't know the answer: The vast majority of botnets are windows machines.
  10. #70  
    Quote Originally Posted by ghiscott View Post
    What kind of machines make up the vast majority of storm ?

    The botnets are what we should all be afraid of because cleaning up a bot net is a very difficult thing to do.

    Microsoft uncorked a genie from the bottle and now we all must contend with the result as well as figure a way to stop the botnets.

    In case you don't know the answer: The vast majority of botnets are windows machines.
    Um...the vast majority of Desktop PCs are windows machines. Botnets aren't mostly windows because windows is especially more vulnerable, they're mostly windows because PCs are mostly windows. Quit trying to shoehorn causes and effects.


    Anyways, there's been plenty of name-calling on both sides of this argument throughout this thread, but I don't think I've ever seen so many red herrings in one place in my life, mostly spewed from the mouth of JackNaylorPE.

    Learn some rhetoric and people might actually start listening to you instead of thinking you're an *****.
    Visor Edge + VisorPhone -> Samsung i300 -> Treo 300 -> Treo 600 -> Treo 700p -> Treo 755
  11. #71  
    Quote Originally Posted by CountBuggula View Post
    but I don't think I've ever seen so many red herrings in one place in my life, mostly spewed from the mouth of JackNaylorPE.
    If they were red herrings, Surur would have taken either of the bets. Wanna talk herrings ? I'm not the one who attempted to mislead, I am not the one who came up with "2 = all of the internet". I am not the one who came up with "120 seconds = 3 weeks and a staff of 3"

    Surur backed off both bets when asked to support his herrings. Not only that, he went off crowing about Windows superiority only to watch it fall the next day. Shoulda googled something about fat ladies singing before going off to crow.

    -Every OS can fall on any given day....get a patch on Tuesday for a Wednesday test, you are likely to do better than the guy who patching on Thursday.

    -When 3rd party programs are used to open doors in any OS, it's is extremely likely that those same tools will open doors in another OS.

    I see lots of Fanboi's on both sides crowing about IBM's report trying to prove one's superiority over the other. On one hand the Redmondites are crowing Apple had more vulnerabilities but somehow they ain't talking about the fact that in the same report, MS had a far bigger number of vulnerabilities deemed critical. There's no winner here.

    I won't defend either side on the issue other than I am tired of the reading endless posts where the pot is calling the kettle black while making believe it's own vulnerabilities don't exist.
  12. Minsc's Avatar
    Posts
    967 Posts
    Global Posts
    974 Global Posts
    #72  
    Bugs and security holes aside, the thing that turns me off of Windows is not that it's bad/sucks/whatever. I actually think Vista is fine... it's just boring. Microsoft (apparently) spent years and years developing this thing only to have it become an also-ran the day it was released. For me, there's just nothing compelling or interesting about it. It's just the same old Windows with some nifty graphics. It's well known that they base their business model on following other technologies. (they've been copying mac OS for years obviously) It's a business model that's served them incredibly well over the years, and for most of the public, it doesn't matter - they just use Windows because it's familiar and generally gets the job done.

    But like most (all?) people who hang out on websites like this, I'm a geek - and I love using and playing with technology. And since getting my first Mac a few months ago (after years of swearing I'd never cave in and get one because I hated the smug Apple fanboys), I've now got the trifecta going at home: mac, linux (ubuntu), and windows. I use all 3 regularly, but definitely prefer to use my mac or linux box. Again, not because I think windows sucks but just because it's not as fun. For that reason I prefer to hitch my wagon to platforms that are interesting and innovative.

    The frustrating thing about Windows is that it could be really impressive and innovative (Microsoft's engineers are as good as anyone's) but they're perpetually shoe-horned by the need to be backwards compatible and that really holds them back. Anyway, just wanted to throw my opinion out there minus the rhetoric.
  13. #73  
    I have other frustrations with MS and Windows:

    1. Their killer mentality. Of course I recognize this is the epitome of capitalism, crushing your opponent, but that isn't really good for product innovation. Frankly, I can't believe they got away with a lot that stuff which has been historically illegal.....for example, when competing with DR DOS, MS went to the following price structure:

    DOS & Windows $29.95
    Windows Only $44.95

    2. The Control Thing - Ya can't crow that your products are as good as anyone else's and then remove the choice from people on whether or not to have them installed. If IE, WMP, Firewall, Defender, Restore, etc is all so darn fired wonderful, give us back the option to completely uninstall them.

    3. The Planned Obsolesence Thing - Stop removing support for old / competing file formats.

    And Yes, Vista is just a blah .... has no "killer" feature or app associated with it so there's no plus to offset the inevitable performance penalty. As for the improved security crud, who cares....I wonder if they wanna compare Vista with my XP box with 3rd party AV and firewall.

    As a throwback to the original thread title, I am not much impressed with either the Mac hack or the Windows hack from the contest, I am more concerned about ones like this:

    http://www.theregister.co.uk/2008/03...ch_assessment/
    http://www.fcw.com/online/news/151854-1.html

    When the messages were opened, the code sent back the user names and passwords, which allowed access to the network. In follow-up forensics, Clem discovered that the hackers accessed sensitive information, which they encrypted as they transmitted it back to their sites.
    Seems a simple software firewall like the free ZA would have prevented the "send back".
  14. #74  
    Quote Originally Posted by CountBuggula View Post

    Learn some rhetoric and people might actually start listening to you instead of thinking you're an *****.
    Your posts are critical of other posters. My post was trying to bring the problem of botnets to the center of this discussion.

    It is true that technology companies need to improve in making their products less vulnerable. It is true that Apple and Microsoft are guilty of releasing less than perfect products on the unsuspecting (mostly) marketplace.

    The marketplace is in a mess with millions of pwned machines installed and no easy way to clean it up systematically.

    Why are we quibbling over what product is the best today? This is not a problem. The companies now have automated software updates running. They know to act quickly on new disclosures of vulnerabilities.

    Yes - M$ is the largest maketshare holder and so Microsoft is the #1 target for malicious attacks. That is no excuse for past negligence. If anything, as your company becomes a virtual monopoly, ethically, M$ company leaders should protect that market position by working to insure that the Windows OS is secure.

    I will predict that the OS marketplace (and therefore the Internet) will fragment into a roughly three way oligarchy. M$, Apple and Linux. Such an event will diffuse the efforts of malware developers and truly bring competition back to the os marketplace. We would have been better off if this had taken place back in 1995.

    I feel glad that we finally have choice again and I am delighted with each new Apple "GetAMac" commercial that comes out.
  15. #75  
    I would like to see Mac OS marketed as a stand-alone OS. I would gladly buy a copy to run on my PCs.
    Grant Smith
    A+, Net+, MCPx2, BSIT/VC, MIS

    eNVENT Technologies
    Use your imagination.
    --
    Sprint HTC Evo 4G

    DISCLAIMER: The views, conclusions, findings and opinions of this author are those of this author and do not necessarily reflect the views of eNVENT Technologies.
  16. #76  
    The only reason OS X exists is to sell Apple hardware, so there is slightly less than zero (0) percent chance they would ever sell it for commodity gear (or allow it to be virtualized on same).

    It would require tremendously more effort, tremendously higher volumes, and would tank their profit margins.

    And FWIW, you CAN buy OS X to run on a PC... just as long as it's an Apple manufactured PC...
    Editor-in-chief, iMore
    Executive producer, Mobile Nations
    Co-host, Iterate, Debug, ZEN & TECH, Ad hoc, MacBreak Weekly
    Cook, grappler, photon wrangler.

    http://www.imore.com
    http://www.mobilenations.com
    http://twitter.com/reneritchie
  17. #77  
    Quote Originally Posted by Rene Ritchie View Post
    there is slightly less than zero (0) percent chance they would ever sell it for commodity gear
    I never claimed it would happen. I stated that I would like it.

    Quote Originally Posted by Rene Ritchie View Post
    And FWIW, you CAN buy OS X to run on a PC... just as long as it's an Apple manufactured PC...
    And that is the problem... Apple-branded PCs are ridiculously over-priced. I can build what they sell for at most half of what they charge and an OS isn't worth the mark up. ;-)

    If they were to sell the OS for a reasonable price there are many people like me that would buy it.
    Grant Smith
    A+, Net+, MCPx2, BSIT/VC, MIS

    eNVENT Technologies
    Use your imagination.
    --
    Sprint HTC Evo 4G

    DISCLAIMER: The views, conclusions, findings and opinions of this author are those of this author and do not necessarily reflect the views of eNVENT Technologies.
  18. #78  
    Quote Originally Posted by gksmithlcw View Post
    If they were to sell the OS for a reasonable price there are many people like me that would buy it.
    Especially when they have "family pricing", I forget the actual numbers but just as AV and security vendors are doing, but wasn't it like to upgrade to OS X you pay a number of like $199 compared to $129 or so and then you could upgrade something like a total of 5 machines.
  19. #79  
    Remember that a fair sized chunk of the reason Mac OS X works better than windows is that Apple controls the hardware. If Nvidia and creative were allowed to run completely rampant with their driver messes on the apple platform, I'm sure mac users would find the OS a lot less stable.
  20. #80  
    If you don't care for ULA's there's Hackintosh people who try to roll their own, but in my experience Apple charges roughly the same, spec for spec, as most PC vendors. They just don't sell low end (often crippled and cr@ppy) hardware.

    Might as well license OS X Touch to Motorola for the next Crapr er... Razr. Some whiz with more skill and time than money might get it working, but their investment is far more than simple dollars.
    Editor-in-chief, iMore
    Executive producer, Mobile Nations
    Co-host, Iterate, Debug, ZEN & TECH, Ad hoc, MacBreak Weekly
    Cook, grappler, photon wrangler.

    http://www.imore.com
    http://www.mobilenations.com
    http://twitter.com/reneritchie
Page 4 of 5 FirstFirst 12345 LastLast

Posting Permissions