Working the security drama queens.

Unless you're too busy doing the rickrolling that's so popular with the kids these days, you probably saw that a MacBook Air got hacked at CanSecWest last week.

In a repeat of last year's "PWN 2 Own" contest, organizers this time offered three different laptops running three different operating systems.

David Maynor says:

I hope this puts to rest the myth that OSX is more secure but I am sure the zealots will have a million reasons why this is a fixed or rigged contest.

Well, the Macalope for one has already acceded to his contention that Vista is more secure based on the technical merits, if not the practical ones. So the brown and furry one's not really sure what he's on about. But he's sure David will find a Slashdot comment somewhere that will validate his Artie MacStrawmanism.

There's certainly no denying that, as ZDNet's Larry Dignan says (no "Mac zealot" he), the MacBook Air was certainly the more coveted target:

[The Fujitsu running Vista and the Sony Vaio running Ubuntu] are still standing, but that may be because there's more hacker glory in taking down the MacBook Air.

Plus, you hack it, you keep it. So, sure, everyone's trying to hack the Air. (The Vista laptop was later hacked, but only after the rules were relaxed.)

But putting it all down to the Air metaphorically having a big red X painted on it is ultimately just sour grapes -- it got compromised, and that's a frowny face in the Apple column.

So the Macalope will reiterate his call -- again! -- to Apple to get more serious on security.

There are several reasons these security "professionals" are spending their waking and non-waking hours targeting Macs.

First, they're lashing out at what they think is a "smug attitude" by Apple on security. Frankly, Apple's corporate position on security is so lame that the only thing these people are basing this on is the "Get a Mac" ads. Yes, really. These people have the emotional maturity of a cup of fruit salad. That's all territory we've covered already.

Second, thanks to the resurgence of Apple, most of them have only just discovered the Mac. It's virgin territory for them and, like when Columbus "discovered" the New World, their first inclinations is to immediately start shooting the natives and giving them all kinds of horrid diseases.

Third, Apple simply has not implemented a comprehensive security policy (see: Leopard firewall, Back To My Mac defaults). It may very well be that it's easier to exploit certain vectors on the Mac. The Macalope's not qualified to make that call.

Finally -- and this is the issue that would the easiest for Apple to solve -- the members of the hacker community just don't know anyone at Apple. They know people at Microsoft because the company shmoozes the hell out of them.

If it wanted to, Apple could probably make serious inroads to this community and at least reduce its PR problem by hiring someone they know. Now, many of these people are not exactly the corporate citizen type. They often dress and smell funny and, if you've been paying attention, have the emotional maturity of a cup of fruit salad. So maybe Apple would want to poach someone from Microsoft or look to those who write about security -- your Rich Mogulls, your Ryan Naraines -- and tap someone like that. Sure, journalists still dress funny, but they fare slightly better on the olfactory and fruit salad scales.

See, the easiest thing in the world to do is to get someone who will take these people golfing and tell them "Dude, we are totally going to do that. Next release. I swear."

"Now watch this drive."

The company could defuse a large part of this without changing a line of code because it's less about the relative merits of the various platforms -- which are valid concerns -- than it is about emotion (see: salad, fruit).

And, really, this is exactly the kind of game that Apple has gotten wrong for 30 years. Shmoozing is not exactly the company's forté (just ask any Apple developer how the lunches are at WWDC).

The Macalope certainly wants to see Apple come up with a comprehensive strategy for implementing sound security in its software, he's just saying that there's more than one aspect to this issue. One requires coding, the other requires grease.

[alexcumbers]

what people are missing and does not seem to be reported is that firstly no machine was hacked remotely, i.e: on a network.

On the second day, physical access was granted to a machine, which given enough time and effort can be cracked.

also the user had to click on a link to a web site to get in, again in this day and age, no one should be dumb enough to do it.

Also, if users take security seriously, they'll lock there machine whenever they are away from it & encrypt sensitive data.

therefore, this just proves that researchers, who have not yet divulged their exploits can do it given physical access, not the same as the real world at all.

[Antimedia]

This is utterly and completely false. You have only to view the Youtube video of Miller hacking the Air to know that he DID NOT have physical access to the Mac.

The first day of the contest required that you hack the machine without any USER INTERACTION. The second day allowed user interaction, and, when the Tippingpoint employee using the Air clicked on the link sent to him by Miller, Miller gained administrative access to the AIR. IOW, he PWNED it.

If you don't think that's significant, then you have your head in the sand.

As to your silly contention that "no one should be dumb enough", the refutation of that surrounds you. Every day millions of people fall for phishing scams and malware scams and Nigerian 419 scams, the first and third completely platform independent, and click on links they should have ignored or not be "dumb enough" to click on.

We have a long way to go in security, and ignorant comments like yours don't help.

[MarkWhybird]

> "hiring someone they know"...

I hear George Ou is available ;-)

[Macalope]

That'll be the day!

[ripragged]

Mr 'Lope sir,

I respectfully disagree. Apple should follow Microsoft's security strategy only if the goal is to emulate Windows' achievements in real-world security. Comparatively speaking, Apple's approach is more successful.

CanSecWest didn't prove that OS X is less secure than Vista. Mac malware in the wild would prove that the discussion of relative security between the two platforms is a worthy topic for discussion. Currently it is not.

Just between us, I prefer measurably good results to an apparently good attitude.

[Urban Terrorist]

"They often dress and smell funny and, if you've been paying attention, have the emotional maturity of a cup of fruit salad."

You shouldn't insult fruit salad like that. It's terribly mean, and might give the fruit salad a complex.

[puiz_andras]

"So maybe Apple would want to poach someone from Microsoft"

Dear Macalope, I respect the hell out of you. But please, no more PR advice to Apple after this gem.

Yeah. Poach someone. From. Microsoft. To improve the PR on security.

Right.

Then, hire someone to handle the backdating PR problem. Maybe an accountant from Enron?

[Macalope]

Well, poaching someone from Microsoft is probably one of the horned one's wackier ideas, but Microsoft has worked these people much more effectively than Apple. It's also implemented better security on Vista than Apple did on Leopard.

I too must respectfully disagree. I have heard the argument that Mac was hacked first because MBA is more desirable machine than the other machines were. But that argument does not fly. Why? Because sooner the machine was hacked, the more prize-money the hacker got. So it would have made sense to target the easiest system, even though the hacker might receive a less desirable machine, since he would then get more money, and that extra money would buy several MBA's.

Fact of the matter is that ALL three machines were targeted right from the start. Trying to claim that Vista and Linux was ignored while everyone focused on the Mac is quite simply false.

As to the claim why security "professionals" (why the quotes BTW?) targeting the Mac... Well, this particular hacker said that he targeted the Mac because he felt it was the easiest target. He also said that he hacked the Mac that since he's a Mac-user as well and he felt that bringing that particular hole to the limelight makes OS X (which is the OS he uses) that much more secure system.

As to the other people's comments... No, hackers were not granted physical access to the machines on the second day. Rather, they were allowed to ask the operator to visit websites and receive email. On the first day only external attacks were allowed. And is it REALLY dumb to click on a link to access a website? We all do it every day. And what if some high-profile website is compromised with this exploit? It doesn't even have to be some shady website or something like that.

[Macalope]

The Macalope is *not* saying the Vista and Linux machines were not targeted. He does still think the MBA was probably more targeted than the other two, though. He even noted that it could very well just be easier to hack OS X than Vista or Linux. He thinks you're misreading some of this post.

[piercewm]

"But putting it all down to the Air metaphorically having a big red X painted on it is ultimately just sour grapes -- it got compromised, and that's a frowny face in the Apple column."

To which is anonymously replied:
"I too must respectfully disagree. I have heard the argument that Mac was hacked first because MBA is more desirable machine than the other machines were. But that argument does not fly. "

Makes total sense to me.

[Igiveup2]

It was hacked in two minutes.

[rocr69]

Freshly opened cans of fruit compote (that just fell off the truck).

[simonthediver]

Now what would have been interesting is if the prize for hacking the mac had been a Linux machine,hacking the Linux box got you a windows machine and hacking the windows pc got you a mac.

Wonder which box would have got hacked first