the exploit that wasn't



egg on the face of infoworld -

Nancy Gohring, writing for InfoWorld, delivered a misleading report
yesterday on a Mac security exploit contest held at the CanSecWest
conference in Vancouver, BC.

In her defense, it appears likely that Gohring did not write the
headline for her InfoWorld article, which described the contest winner
as being "able to remotely break into a Mac as part of a contest
designed to illustrate security flaws in OS X." That part was simply
wrong.

Whoever did write the headline must have been smoking weed in
celebration of 4/20, because Gohring's article clearly described a local
exploit. There's a big difference between the remote exploits that made
Windows infamous for its insecurity and a local exploit of an
application.

Gohring reported that "contestants were invited to try to access one of
two Macs through a wireless access point while the Macs had no programs
running. No attackers managed to do so, and so conference organizers
allowed participants to try to get in through the browser by sending
URLs via e-mail."

Opening an email URL that exposes a security flaw in Safari is both news
to report and a problem for Apple to tackle, but reporting it as a
remote exploit is inaccurate, irresponsible, and sloppy journalism,
particularly for IDG's InfoWorld, which purports to be an authority on
computing.

Gohring's Mac Security Myths.

Beyond the glaring error of conflating a remote exploit with something
that requires a concerted effort between a user acting locally on the
machine and an outside party, Gohring's article perpetuated a number of
myths about Mac security.

Gohring quoted Dragos Ruiu, the principal organizer of the security
conference, as saying, "You see a lot of people running OS X saying it's
so secure, and frankly, Microsoft is putting more work into security
than Apple has."

Of course, the reason why Microsoft has been forced to 'put so much work
into security' is because of the infamous reputation the Windows
platform has earned as a security nightmare. Microsoft was entirely
blind-sided by the Windows security crisis, and was forced to attack its
security problems out of embarrassment.

http://www.roughlydrafted.com/RD/RDM.Tech.Q2.07/616874CC-35CE-49D3-B859-C2719B6FF352.html