Comments on: MacBook Air hacked in security contest

A security company has awarded $10,000, and a free MacBook Air, to a group of security researchers who gained control of the system through a Safari vulnerability.

[nonicks]

Mac was slow to pick

>> "I think we are going to start seeing a lot more security exploits on
the Mac OS over the next few years..." Wasn't that something that
was said about the Mac a few years AGO?

Actually, it's not MS/hackers' fault that Mac took so long to become popular. Had Mac picked couple of years ago, the same would have came true then and there ;-)

I find this really amusing.

Somehow, I feel, Mac advertising capaign is like the donkey with Shrek - "Pick me, Pick me"..

Why do they forget that it took them 20+ years to reach < 15% of users.. IF Mac was really so great.

And I am certain, if not for iPod and the phenomenon it created, hardly any one would have looked back at Macs.

:-)

[keith42]

Why Miller chose to hack the Mac

"It was the easiest one of the three," said Charlie Miller, an analyst at Independent Security Evaluators (ISE), a Baltimore-based security consultancy. "We wanted to spend as little time as possible coming up with an exploit, so we picked Mac OS X."

[ranpha]

Last day....

The Vista SP1 laptop has been broken into. As usualy, Adobe Flash is the culprit. The Ubuntu laptop is still safe and sound.

[gabeheim]

Apple just got...

A big kick in the rear. A good thing, because the next version of Safari should be better. Or they may suffer humiliation they could not easily recover from. It's not just the OS anymore, it's the browser stupid. I'm wondering, however, if safari and MacOS has any of the URL protocol handler issues that MS and IE had. If not, that would at least mitigate the insecurity, just stop using safari for a while and use firefox.

[AppleSuxLeo]

Mac easiest to hack !

The security researcher who walked away with $10,000 yesterday by hacking a MacBook Air in less than two minutes said he chose to attack Apple Inc.'s operating system for one simple reason.

"It was the easiest one of the three," said Charlie Miller, an analyst at Independent Security Evaluators (ISE), a Baltimore-based security consultancy. "We wanted to spend as little time as possible coming up with an exploit, so we picked Mac OS X."

[macrhino]

Miller?

http://www.roughlydrafted.com/2008/03/29/mac-shot-first-10-
reasons-why-cansecwest-targets-apple/

[penguinhfx]

macbook hack

I am a little concerned that a browser flaw allowed the macbook
air to be hacked/owned. An extra layer of protection like
selinux/apparmor on the linux world or some sort of mandatory
access control like freebsd has might have prevented this from
happening. If the browser flaw allowed the malicious code
to exceed the privileges of a regular mac user and escalate to
root, then it should involve something more than just a browser
flaw, more like an OS X kernel flaw! It could also be that the
browser was run from an admin account with no password set to
escalate
to root privileges (the sudo su in ubuntu and mac). Or hacker
has found a way to get into the password database on mac,
(maybe pam flaws in unix??) It will be interesting in any case to
know exactly how they ran the test. If the browser was run from
an admin account with no password set to escalate to
root/administrator privileges, then all 3 notebooks are equally
vulnerable and this becomes just a PR disaster :-)

[JuggerNaut]

Looks like the Vista laptop got hacked by a Mac laptop on the last day

Here is the link...

http://dvlabs.tippingpoint.com/blog/2008/03/28/pwn-to-own-
final-day-and-wrap-up

The Ubuntu laptop was the only one not hacked at all, so maybe
Linux is the most secure of desktop operating systems :-)

[Tom Krazit]

New story

We did a new story on the Vista laptop, turns out it was an Adobe flaw.

http://www.news.com/8301-13579_3-9906001-37.html

[celticbrewer]

the point

As much as I'd like to laugh at the mac fanboys, the point here is that no OS is secure or ever will be. No, Ubuntu wasn't hacked, but I'm sure someone, somewhere can do it.
The reason certain platforms are targeted is purely numbers. Windows has the biggest install base, so that's why most people choose to target it. If Mac had the same market share, people would be targeting them and, as this contest shows, it's just as easy to hack a mac.
Technological methods aside, there's also social engineering and plain-ole phishing. Employees who write down their passwords. Disgruntled employees looking to steal from thier company, etc..

NOTHING is secure. Deal with the reality of that.

[Gayle Edwards]

Kinda, still, missing the point...

No... No, OS is impervious. But, there -are- many levels of quality, and security, to consider. Yes, anyone can "hack" any machine (especially, if they are given direct physical access to it. That is precisely why "social engineering" attacks are so dangerous to any type of PC)... However, that does not mean that all platforms are actually equal in security, or contain as many serious-flaws. And, the security-through-obscurity, and -popularity-, myths are just that... utter myths. They have been proven to hold no real bearing on inherent-security, whatsoever.


Furthermore, as to...

>> "If Mac had the same market share, people would be targeting them and, as this contest shows, it's just as easy to hack a mac"

Sorry, but that is a totally unsubstantiated statement (a complete non-sequitur, without any apparent facts, or genuine logic, to back it up). And, no serious security-research has ever shown that to be the case. So frankly, in my opinion, this entire exercise was just another, almost-pointless, exercise in publicity, and pseudo-security, nonsense. And, it certainly doesnt -prove- (or even, reasonably, demonstrate) anything.


But, as to...

>> "As much as I'd like to laugh at the mac fanboys, the point here is that no OS is secure or ever will be. No, Ubuntu wasn't hacked, but I'm sure someone, somewhere can do it"

...I think these assertions really demonstrate both, some serious, bias and ignorance about actual software "security". But, if anyone has any -real- evidence (not just unsubstantiated opinions) to back-up, what they are so, "sure" about... I (and I suspect many others) would be very interested in hearing it.


BTW...

I dont use Macs... we support various MS desktop, and server, OSes (as well as Linux, now)... but, here are some things to consider:

"Vista" is only >reputed< to be the most secure version of "Windows", yet. Frankly, just about the only things truly backing-up that assertion, at this point, are Microsofts claims, and a few thin statistics (based upon "Vistas" extremely poor market-penetration).

And...

==>"Vista", the most secure version of "MS-Windows".

==>"MS-Windows", the least secure Operating-System in common usage.

THEREFORE:

==>"Vista", the most secure version of the least secure Operating-System..?

...Hhhmmm. Perhaps Microsoft really should hope that "popularity" does become a significant factor in actual "security".