Re: The Myth of the secure Mac

TheLetterK <theletterk@xxxxxxxxxxxxxxxxx> wrote:

> > yes, it's in Tiger, perhaps you didn't read the Security Brief as you
> > said yesterday. It's on Page 2.
> >
> > "New-applications warning. When you open an application manually, you
> > are making an explicit choice. But when you double-click a document or
> > click a URL, you may not know which application will open it. The
> > new-applications warning alerts you before the system opens an
> > application for the first time.
> Thank you for admitting that you are a lying sack of *** oxtard. Just
> above you claimed it warned a user when they first launch a new app--no,
> it warns them when they try to run a new file.

my bad, yes, that portion is tied to new app launching from a document
correct, but the next section of the security brief covers the new
warning that you are downloading an "app", "do you want continue", which
is a more formidable barrier to any malware infiltration.

> > While I somewhat agree about the minor nature of the upgrade, it's not
> > $130, it's more like $99, free for developers, $69 for students,
> > educators.
> It's only 'free' for developers after dropping $500 on a select
> membership. They damn well better give me the upgrade for free at that
> point!

yeah, but you get lots more than just Tiger for the 2nd level
membership, the $500 is fully refunded if you take advantage of even a
few of the special deals, free tiger is just one of them.

> > http://eshop.macsales.com/item/Apple/M9639ZA/
> >
> > free for hackers:
> >
> > http://thepiratebay.org/details.php?id=3319455
> Not only are you a lying sack of ***, your a thief as well. Why am I
> not surprised?

I don't lie, nor steal, it's not my nature.

> > nobody can crack this open mac, 70.57.60.153, so your comment is clearly
> > naive.
> Noone's tried.

wrong, LOTS of people have tried, it was posted to
alt.hackers.malicious, and it appears about 40 tried to work it over,
none got in. Figures, it's running OSX Tiger Server, the most secure
mainstream Server sold today.

> > ???
> Windows presents a bigger, more lucrative target. Why bother with Macs?

that's a copout, the real reason is they can't break a mac. the proof is
all around you.

> > I think the shear scope of my security experience with these 1000++ macs
> > pales to a simple linux distro.
> Really? Well, if OS X is so fucking secure OOTB then what the hell are
> you paid to do? Stab your thumb up your ass for self-stimulation?
> Really, if what you claim is true then maintaining 1000 Macs must be an
> exercise in patiance, not mad skills. Maybe *that* explains your
> complete lack of knowledge in the field.

trivial issues such as security are already designed out of the os, I
mainly deal with wireless networks, net installs, high end publishing
training, server installs, etc.

> > There is no "spyware" in the Mac version, never has been, only some .gif
> > banner advertisements that load periodically into a window below your
> > download tray.
> Do not pass 'Know', do not collect a clue:
> http://www.spywareinfo.net/nov24,2004#macs

it was never spyware, it was adware.

"All that LimeShop does is try to encourage users to donate to LimeWire
when they purchase from our branded affiliate websites. The program does
not redirect from an affiliate link that you click on at another site.

We also offer a Pro Version of our software with Turbo Charged
performance and no bundled software of any kind for $18.88 in electronic
download or $37.50 on CD.

Thanks,
Adam Harris
Business Developer
Lime Wire, LLC."

> > If any spyware was to EVER develop, the mac community would KILL it
> > within hours.
> More like the weeks it took for the idiotic Mac 'experts' to figure out
> Limewire contained spyware.

considering it wasn't spyware, it took a few days, read the thread...

http://forums.macnn.com/archive/index.php/t-195695.html

> > but not the mac version. that wouldn't be allowed.
> Oh yes, it was the Mac version. That's why it stood out so much.

it's not a concern, it's no longer there, and was never spyware.

> > liar, you did no such thing, if so, give a quick run down of the steps,
> > i have a raw panther install right here. if you don't post the steps,
> > you are surely lying. I assume you mean "remotely", since that's my
> > argument, if you are fully in front of the ibook, that's a different
> > matter, and wouldn't be terribly surprised, but remotely no.
> 1. Plug your Mac into Linux box acting as DHCP server
> 2. Exploit the DHCP vulnerability in default Panther to forward
> authentication to the above mentioned server. Forging root
> authentication would be the goal of a malicious attacker (this can
> bypass the root login prevention OS X employs).
> 3. Play around with root.

sorry, but that was fixed years ago, you'd have to have a very early
version of an ibook with 10.3.3 or before to have that work, pretty rare
in this day and age. about 9,000,000 macs ago... nice try though!

> Want to know how this works? Panther (and Jaguar), as it shipped,
> automatically overrode user-defined authentication for authentication
> obtained via DHCP. This allows someone with any sort of unprotected
> network access to the machine to exploit this DHCP vulnerability for the
> purpose of forging root authentication. This was an exploit that would
> hit Panther or Jaguar OOTB. The vulnerability wasn't fixed until 10.3.2
> or 10.2.8, and didn't effect Tiger at all.
>
> For obvious reasons, I'm not going to be more specific.

yes, since obviously it's no longer a problem and was never exploited in
the wild. plus nobody is going to consider a "default" install on an old
machine, one that was not fully updated, so buzzzz, you couldn't show a
Mac being exploited with a default install of any version, except maybe
10.1 which would be bogus.

> > generally predictable yes, but I certainly wouldn't want to drive across
> > a bridge that was engineered to be "generally predictable".
> Well, that's what you drive across. Nothing is completely predictable.
> Especially when it comes to complex systems like modern structures.

true, but social predictability of biological creatures such as humans
is a far cry from the "engineering" of steel and concrete, that's my
point.

> > it wouldn't be announced on small geek sites like slashdot, it would hit
> > big stuff like macsurfer.com, or macfixit.com, etc.
> Most Mac users read neither on any kind of regular basis. Macfixit
> especially.

only a few hundred thousand, that's all :)

> > give it a try, but I think you'll find practically no mac user will
> > install anything if they don't know the originator. apps just aren't
> > distributed that way within the mac culture.
> Yes, they are. It's quite a bit easier to convince Mac users to try new
> software than it is Windows users. It's a function of the limited number
> of applications for the platform. Just release some rare kind of app for
> the Mac and you'll get people clamoring to try it.

then prove it, until then, what you say is simply a lot of hot air.

> > you clearly don't know what is contained in Apple's security brief,
> Your the one that claimed OS X does things that it clearly does
> not--like give the user a warning when they first open an app. I usually
> don't start something like Cyberduck by clicking on a file.

but the next section of Page 2, filters "Cyberduck" from even entering
the system, another OS security feature Linux, Windows doesn't have.

> > and
> > you've shown quite a few errors within your comments about mac security,
> Like?

Like your mistake of saying you could exploit a default install of your
ibook, you thought limewire had spyware on the Mac, which it clearly did
not, etc.

> > so while you may have some old knowledge about old school unix based
> > security, you don't understand the more advanced OS security features
> > that are standard in OSX and OSX Server.
> What advanced features? You haven't shown *a single example* of this
> 'advanced security'. You show traditional unix-style security
> precautions, or modern security precautions that *even Windows* handles.
> Not *once* have you shown any kind of unique security feature for the
> Mac. It must be quite difficult, seeing as how Apple *has no unique
> security features in OS X*. Though normal *nix security would probably
> seem new and advanced to an idiot who's been running Macs for decades.

Linux has nothing like File Vault, or system wide protected & encrypted
Virtual Memory, Private Browsing, a system wide Keychain, Safe mail
attachment handling, the way Admin users are abstracted from the System,
among many others.

> > yes, and many Linux has yet to implement...
> Like?

see above.

> > I think you'd be wise to at least look at it...
> I have looked at it, that's why I discounted it so quickly.

OSX has a better track record than Linux does in the same environment,
so by default, OSX is more secure. The security features of OSX are
chock full of benefits not present in Linux of any type.

> > it solves some of your
> > gripes, OSX is a fast developing OS,
> By who's definition? Not mine. A yearly release cycle? Are we still
> stuck in the 90's or something?

Ah, the update cycle is more like a few months, 10.4.3 should be out any
day now. MAJOR updates now occur every 18 months or so...

> > so using a version that was crafted
> > 2+ years ago, isn't very smart from a "technical" point of view :)
> Tiger offers little of interest to me. Ohh, a bad cron replacement and
> widgets. Hold me back.

And I have no problem with that...

> > Here is one for $55, live large.
> >
> > http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=5824238637
> I'd rather go buy a few books on something more interesting--like
> dragonfly mating rituals.

Someday you'll move up to the cutting edge of Unix based systems, until
then, you'll wallow in the small, narrow world of Linux related systems.

this is my last post on this thread, good talking with you.

oxford

-
.

Quantcast