Re: the exploit that wasn't
- From: Tom Reestman <treestman@xxxxxxxxxxxxxxx>
- Date: Sun, 22 Apr 2007 23:13:52 GMT
Steve de Mena (steven@xxxxxxxxxxxxxxx) got drunk after typing this
drivel in news:462be784$0$4890$4c368faf@xxxxxxxxxxxxxxxxx
Tom Reestman wrote:
Steve de Mena (steven@xxxxxxxxxxxxxxx) got drunk after typing this
drivel in news:462bcdc6$0$4910$4c368faf@xxxxxxxxxxxxxxxxx
Tom Reestman wrote:
Steve de Mena (steven@xxxxxxxxxxxxxxx) got drunk after typing thisYou are talking about something completely
drivel in news:462b0631$0$1360$4c368faf@xxxxxxxxxxxxxxxxx
Tom Reestman wrote:
Steve de Mena (steven@xxxxxxxxxxxxxxx) got drunk after typingOne sentence of news, followed by twice as much
this drivel in news:462a664c$0$19452$4c368faf@xxxxxxxxxxxxxxxxx
DanielEran wrote:Another knee-jerk dismissal of a RoughlyDrafted artice, I see.
Instead of discussing what happened at CanSecWestThe other Mac Book Pro? It was not compromised. There were two,And what about the others? Recall that this was a FULLYWhat about the other what?
patched system.
and only one was given away.
http://www.roughlydrafted.com/RD/RDM.Tech.Q2.07/616874CC-35CE-49
D3 -B 85 9-C2719B6FF352.html
we just get yet another anti-Microsoft rant,
rehashing the same old tired myths again and again.
Yawn.
Steve
How is the following not "discusssing what happened at
CanSecWest"?
"...Gohring?s article clearly described a local exploit. There?s
a big difference between the remote exploits that made Windows
infamous for its insecurity and a local exploit of an
application."
text bashing Microsoft.
"Opening an email URL that exposes a security flaw in Safari isYes, and thats where he should have stopped. But
both news to report and a problem for Apple to tackle, but
reporting it as a remote exploit is inaccurate, irresponsible,
and sloppy journalism, particularly for IDG's InfoWorld, which
purports to be an authority on computing."
I'd say that sums it up nicely, and his taking InfoWorld to task
for its misleading headline is perfectly valid.
no....
As for the rest of the article, it goes on to bash Dragos Ruiu'sWe hear again and again how "..Unix security has
ridiculous statement (quoted in the IW article) regarding OS X
security, and does so well. It certainly does not change the
accuracy of the above.
Ruiu, as the principle organizer of the conference, specifically
brought Microsoft into a security discussion about Mac OS X. That
was about as dumb as it gets, and left the door open for
RoughlyDrafted to call it for the ridiculous statement that it
is.
been exhaustively researched by experts for
decades." Today I installed Sun Solaris 10 in a
virtual machine (Parallels) just to play with it.
I installed the 11/2006 u3 build. After it was
done it looked for updates and there were about 83
updates, the vast majority (75?) for security issues.
Steve
You do NOT measure an OS' security by how many patches there are
for it. That's ridiculous! And why act as if "secure" somehow means
that everything that ever needs to be patched has already been
patched? No one ever said that. It's yet another MS-defender
artificial contruct to detract from what counts.
MS defenders have spread this new way to "measure" security because
they lose (oh boy do they lose!) when measured by the only criteria
that counts: How many real, bona-fide attacks there have been in
the wild. All else is just statistical chest-thumping by people
trying to hide the fact that the purpose of security is to keep
your system from being attacked in the real world.
UNIX and UNIX-like systems have had something like 700 known
viruses in the wild, and I believe zero malware. MS Windows systems
have had over one hundred thousand, springing up a nine BILLION
dollar industry to keep them at bay. This industry has become so
ingrained in the MS mind-set that such users consider it "normal".
But for other operating systems it is most certainly not normal.
And, yes, those other OS's are 100% correct to tout that as a
major, MAJOR advantage. It's not their fault that MS users see it
only as a binary operation, and can't tell the difference between
high risk even with costly and CPU-sucking AV/anti-malware products
running constantly, and minimal risk even without third-party
"protection".
Even Paul Thurrot, one of the biggest MS apologists on the planet,
had this to say about it:
"It's not hard to secure a PC. But you do have to secure a PC. I
don't secure my Macs. But I don't have to secure my Macs. There's
something to be said for that. Anyway, I just felt this needed to
be said. There are plenty of good reasons to use a PC, and
certainly Windows Vista fixes a lot of problems. But Macs are more
secure than PCs. Obviously."
different - realworld vulnerabilities, which are
affected by the popularity of the target OS.
I was talking about OS design, and the comment
that ""..Unix security has been exhaustively
researched by experts for decades." from the
article and how it is beaten into repeated over
and over and Unix and OS X are *more secure OSs*.
The number of security patches, even greater
than Windows lately, refutes that. But now that
this is becoming obvious to more the goal posts
are being moved and we can only talk about real
world exploits, and not any inherent level of
security in the OS itself.
Steve
Are you trolling?
The goal posts were ALWAYS based on real-world attacks until
recently. Indeed, it's the only measure that makes any sense.
MS-defenders moved them very recently to counting patches in a
desparate attempt to paint UNIX as just as unsecure as their OS.
"Look, we issue patches, they issue patches. It's just the same!"
Please.
A few years ago no one gave a shit about how many patches there were,
they only cared (rightfully) about if their system was actually
exploited or not. Sheesh. This should be blindingly obvious.
Besides, why would you think that since UNIX has been reviewed for
decades they should somehow be "done", and never need another patch?
At least I think that's what you're implying. That's silly. The OS is
updated with features and functions all the time, new exploits can be
identified and patched. So?
As for the "popularity of the target OS", that's a crock. "Security
by obscurity" is yet another ridiculous tack for MS-defenders, and
makes no more sense than counting patches. First, it acknowledges
that UNIX-based system exploits are extremely rare compared to
Windows (which kind of refutes the "patch count" argument), but
attempts to explain it away by saying there aren't enough UNIX
systems to bother with. Heh. Tens of millions of UNIX systems (there
are over 20 million OS X systems alone) is plenty. With so much to
choose from you go for the easy target. This is common sense. Windows
is without question the easy target.
All that matters is results, the number of real-world attacks is the
only maningful measure. It makes it clear the security risk one takes
with a given platform, and that's what a potential user should be
considering. The goal post moving has all been MS whitewash, and
trips over itself anyway.
So then you would agree that Windows Vista is as
secure as OS X?
Steve
By real world results? Well, for Vista there's the Animated Curser
exploit. That's 1. Are there others? For OS X 10.4.9 I don't think there
are any (in fact, I'm not sure there are any in the wild for Tiger at
all).
So Vista is already not as secure as OS X. Cheer up, it's likely the
closest the two OSes will ever be.
--
Tom
.
- Follow-Ups:
- Re: the exploit that wasn't
- From: Steve de Mena
- Re: the exploit that wasn't
- From: PC Guy
- Re: the exploit that wasn't
- References:
- the exploit that wasn't
- From: none
- Re: the exploit that wasn't
- From: Snit
- Re: the exploit that wasn't
- From: PC Guy
- Re: the exploit that wasn't
- From: Snit
- Re: the exploit that wasn't
- From: DanielEran
- Re: the exploit that wasn't
- From: Steve de Mena
- Re: the exploit that wasn't
- From: Tom Reestman
- Re: the exploit that wasn't
- From: Steve de Mena
- Re: the exploit that wasn't
- From: Tom Reestman
- Re: the exploit that wasn't
- From: Steve de Mena
- Re: the exploit that wasn't
- From: Tom Reestman
- Re: the exploit that wasn't
- From: Steve de Mena
- the exploit that wasn't
- Prev by Date: Re: Microsoft is in deep trouble and now it is going to die
- Next by Date: Re: the exploit that wasn't
- Previous by thread: Re: the exploit that wasn't
- Next by thread: Re: the exploit that wasn't
- Index(es):
Relevant Pages
|
