Re: the exploit that wasn't
- From: PC Guy <pcguy@xxxxxxxxxxx>
- Date: Sun, 22 Apr 2007 19:33:16 -0600
On Mon, 23 Apr 2007 01:20:39 GMT, michelle ronn
<completelyinvalid@xxxxxxxxx> wrote:
On 2007-04-22 15:40:42 -0700, Tom Reestman <treestman@xxxxxxxxxxxxxxx> said:
Steve de Mena (steven@xxxxxxxxxxxxxxx) got drunk after typing this
drivel in news:462bcdc6$0$4910$4c368faf@xxxxxxxxxxxxxxxxx
Tom Reestman wrote:
Steve de Mena (steven@xxxxxxxxxxxxxxx) got drunk after typing this
drivel in news:462b0631$0$1360$4c368faf@xxxxxxxxxxxxxxxxx
Tom Reestman wrote:
Steve de Mena (steven@xxxxxxxxxxxxxxx) got drunk after typing this
drivel in news:462a664c$0$19452$4c368faf@xxxxxxxxxxxxxxxxx
DanielEran wrote:
And what about the others? Recall that this was a FULLY patched
system.
What about the other what?
The other Mac Book Pro? It was not compromised. There were two,
and only one was given away.
http://www.roughlydrafted.com/RD/RDM.Tech.Q2.07/616874CC-35CE-49D3-B859-C2719B6FF352.html
Instead of discussing what happened at CanSecWest
we just get yet another anti-Microsoft rant,
rehashing the same old tired myths again and again.
Yawn.
Steve
Another knee-jerk dismissal of a RoughlyDrafted article, I see.
How is the following not "discussing what happened at CanSecWest"?
"...Gohring's article clearly described a local exploit. There's a
big difference between the remote exploits that made Windows
infamous for its insecurity and a local exploit of an application."
One sentence of news, followed by twice as much
text bashing Microsoft.
"Opening an email URL that exposes a security flaw in Safari is
both news to report and a problem for Apple to tackle, but
reporting it as a remote exploit is inaccurate, irresponsible, and
sloppy journalism, particularly for IDG's InfoWorld, which purports
to be an authority on computing."
I'd say that sums it up nicely, and his taking InfoWorld to task
for its misleading headline is perfectly valid.
Yes, and that's where he should have stopped. But
no....
As for the rest of the article, it goes on to bash Dragos Ruiu's
ridiculous statement (quoted in the IW article) regarding OS X
security, and does so well. It certainly does not change the
accuracy of the above.
Ruiu, as the principal organizer of the conference, specifically
brought Microsoft into a security discussion about Mac OS X. That
was about as dumb as it gets, and left the door open for
RoughlyDrafted to call it for the ridiculous statement that it is.
We hear again and again how "..Unix security has
been exhaustively researched by experts for
decades." Today I installed Sun Solaris 10 in a
virtual machine (Parallels) just to play with it.
I installed the 11/2006 u3 build. After it was
done it looked for updates and there were about 83
updates, the vast majority (75?) for security issues.
Steve
You do NOT measure an OS' security by how many patches there are for
it. That's ridiculous! And why act as if "secure" somehow means that
everything that ever needs to be patched has already been patched? No
one ever said that. It's yet another MS-defender artificial construct
to detract from what counts.
MS defenders have spread this new way to "measure" security because
they lose (oh boy do they lose!) when measured by the only criteria
that counts: How many real, bona-fide attacks there have been in the
wild. All else is just statistical chest-thumping by people trying to
hide the fact that the purpose of security is to keep your system
from being attacked in the real world.
UNIX and UNIX-like systems have had something like 700 known viruses
in the wild, and I believe zero malware. MS Windows systems have had
over one hundred thousand, springing up a nine BILLION dollar
industry to keep them at bay. This industry has become so ingrained
in the MS mind-set that such users consider it "normal". But for
other operating systems it is most certainly not normal. And, yes,
those other OS's are 100% correct to tout that as a major, MAJOR
advantage. It's not their fault that MS users see it only as a binary
operation, and can't tell the difference between high risk even with
costly and CPU-sucking AV/anti-malware products running constantly,
and minimal risk even without third-party "protection".
Even Paul Thurrott, one of the biggest MS apologists on the planet,
had this to say about it:
"It's not hard to secure a PC. But you do have to secure a PC. I
don't secure my Macs. But I don't have to secure my Macs. There's
something to be said for that. Anyway, I just felt this needed to be
said. There are plenty of good reasons to use a PC, and certainly
Windows Vista fixes a lot of problems. But Macs are more secure than
PCs. Obviously."
You are talking about something completely
different - real-world vulnerabilities, which are
affected by the popularity of the target OS.
I was talking about OS design, and the comment
that "..Unix security has been exhaustively
researched by experts for decades." from the
article and how it is beaten into repeated over
and over and Unix and OS X are *more secure OSs*.
The number of security patches, even greater
than Windows lately, refutes that. But now that
this is becoming obvious to more the goal posts
are being moved and we can only talk about real
world exploits, and not any inherent level of
security in the OS itself.
Steve
Are you trolling?
The goal posts were ALWAYS based on real-world attacks until recently.
Indeed, it's the only measure that makes any sense. MS-defenders moved
them very recently to counting patches in a desperate attempt to paint
UNIX as just as unsecure as their OS. "Look, we issue patches, they issue
patches. It's just the same!" Please.
A few years ago no one gave a *** about how many patches there were,
they only cared (rightfully) about if their system was actually exploited
or not. Sheesh. This should be blindingly obvious.
Besides, why would you think that since UNIX has been reviewed for
decades they should somehow be "done", and never need another patch? At
least I think that's what you're implying. That's silly. The OS is
updated with features and functions all the time, new exploits can be
identified and patched. So?
As for the "popularity of the target OS", that's a crock. "Security by
obscurity" is yet another ridiculous tack for MS-defenders, and makes no
more sense than counting patches. First, it acknowledges that UNIX-based
system exploits are extremely rare compared to Windows (which kind of
refutes the "patch count" argument), but attempts to explain it away by
saying there aren't enough UNIX systems to bother with. Heh. Tens of
millions of UNIX systems (there are over 20 million OS X systems alone)
is plenty. With so much to choose from you go for the easy target. This
is common sense. Windows is without question the easy target.
All that matters is results, the number of real-world attacks is the only
meaningful measure. It makes it clear the security risk one takes with a
given platform, and that's what a potential user should be considering.
The goal post moving has all been MS whitewash, and trips over itself
anyway.
To put a hole in your argument that quantity of targets do not matter....
if you were to scan random machines on the internet for a week, how
many Unix machines do you believe you would hit?
How many OS X machines?
I would argue many Unix boxes, as many servers out there run Unix, and
they are fairly static targets.
OS X, maybe a handful of machines at best. Why? Simple, the large
portion of OS X machines out there are clients. Clients are hidden
behind at least two layers of NATs by ISPs. Client machines tend not to
stay at a single IP address that is exposed to the general internet for
a significant length of time.
However client systems are routinely infected. And my system is not
behind an ISP based NAT. What my ISP assigns is the system's real
address (though in my case the system is behind a PAT router).
Windows client machines do have a similar problem, however, they
significantly outnumber OS X machines as both clients and servers.
I do not believe that the lower machine count of OS X boxes out there
is entirely responsible for the lack of malware available for OS X.
However, I do believe it is a significant reason. An example, every Mac
machine sold comes with the firewall enabled, and has for years.
No Mac system that I am aware of ships with the firewall enabled by
default. They do ship with no services listening on the external IP
address which has almost the same effect.
This is significant. This does not make the OS secure from an internal
security standpoint, but it does cut down on the number of exposed
application ports.
I can't think of a single Windows XP vulnerability that has entered in
through the network from a listening port. At least not in a default
install. These kinds of exploits are rare these days.
If malware cannot find a host, it cannot propagate. OS X hosts are
harder to find due to scarcity. Therefore, any malware developed to
specifically attack OS X will not live for long.
Agreed.