localoid

macrumors 68020
Feb 20, 2007
2,447
1,739
America's Third World
The first day was to hack the Mac remotely. Not one person could do it. Nobody. No remote access, no viruses, nothing. Nobody can hack Macs remotely. To win the hacker needed local access to the machine. For his hack to work, it required somebody manually navigating to a site with malicious content.

For this hack to work in the real world, you would need to physically click a link to the malicious site somehow (in an email maybe, or a link via IM or whatever). Social Engineering. It relies on the ignorance of the computer user to do the hacker's job for him, because he can't do it himself.

Can your Mac get hacked remotely? No.

Will the hacker drive to your house and personally point your web browser to his site to infect your Mac? Not likely.

Make of that what you will.

Living in denial doesn't really help anyone. Admitting that "no system can be 100 percent immune from every threat" [1] is the first step to recovery.

[1] Quoted from the "Security Advice" section on Apple's OS X Security page.
 

MisterMe

macrumors G4
Jul 17, 2002
10,709
69
USA
Living in denial doesn't really help anyone. Admitting that "no system can be 100 percent immune from every threat" [1] is the first step to recovery.

...
The Macs in those pwn2own contests were cooperative targets. *LTD* was merely reminding you of this fact. It is not denial to do so; it is merely the truth. If the truth is not your friend, then what is? Certainly not I.
 

mac2x

macrumors 65816
Sep 19, 2009
1,146
0
Or, maybe not.

April 20, 2007: Macaulay, a software engineer, was able to hack into a MacBook through a zero-day security hole in Apple's Safari browser. The computer was one of two offered as a prize in the "PWN to Own" hack-a-Mac contest at the CanSecWest conference here.

And again in 2008.

April 21, 2008: Miller won $10,000 and a new Macbook Air last month after hacking into the laptop in a matter of minutes. The PWN2OWN contest invited hackers to try to install unauthorized software on fully patched Mac OS X, Windows and Linux computers using previously undisclosed "zero-day" flaws.

And again, in 2009.

Charlie Miller has done it again. For the second consecutive year, the security researcher hacked into a fully patched MacBook computer by exploiting a security vulnerability in Apple’s Safari browser.

“It took a couple of seconds. They clicked on the link and I took control of the machine,” Miller said moments after his accomplishment.

Having in-person access =/= hacking into the machine over the internet. I think the important point is that, while any computer can be physically hacked at some level, it is extremely difficult — if not impossible — to make a true virus run in a Unix environment. Everything you quoted assumes user interaction.
 

pdjudd

macrumors 601
Jun 19, 2007
4,037
65
Plymouth, MN
Indeed - if you have physical access to a computer, you are one step away from game over no matter how secure the system is. No one denies the existence of vulnerabilities in software and the lack of something 100%. The only people who think such a system exists are people who are kidding themselves. If it can be built by a human, another human can beat it.

In general those pwn2own contests are mostly press anyway since most people never veer beyond the headline and leading paragraph and they neglect to point out the gotchas.

In general, your system is always vulnerable under two scenarios:
1) You get physical access and you know about a vulnerability that has not been patched yet (and you know the machine is unpatched)
2) You can trick the user into doing something to their computer that they don’t understand due to ignorance.

Nothing we can do will eliminate these things. As long as humans are in the picture, there will be some security risk. We can do what we can, but it’s never going to be 100%.
 

localoid

macrumors 68020
Feb 20, 2007
2,447
1,739
America's Third World
Having in-person access =/= hacking into the machine over the internet. I think the important point is that, while any computer can be physically hacked at some level, it is extremely difficult — if not impossible — to make a true virus run in a Unix environment. Everything you quoted assumes user interaction.

If one believes no Mac user will ever click on a link, then one can assume OS X is 100% safe to use. But of course that won't happen in the real world. People will click links in email, and some may someday visit a "familiar" Web site that has been recently compromised to deliver an attack on the user.

Virus? No virus exists for OS X in the wild. The example I gave made use of exploits, e.g., the 2009 Pwn2Own winner used an exploit that "allows a remote attacker to gain control of a machine when a user visits a malicious URL". A remote attacker. The attacker does not need physical access to the machine.

Exploits do exist in the real world for every OS, even OS X. Whether people choose to believe that fact or not, they do exist. Living in denial helps no one...
 

FX120

macrumors 65816
May 18, 2007
1,173
235
I've always found it humorous how quickly people need to point out the difference between viruses/trojans/worms/etc. only *after* OS X has been shown to be vulnerable in some way.

Suddenly then a trojan isn't a "real virus" (and I am not saying it is) because it requires the user's ignorance to work.

Yet Windows is "riddled with viruses", forgetting the fact that nearly all modern exploits require the user to have let it in, no matter what the OS.

The bottom line is that a security vulnerability is a security vulnerability, just because it requires the idiot behind the keyboard to do something unknowingly stupid doesn't make it any less of a threat.
 

pdjudd

macrumors 601
Jun 19, 2007
4,037
65
Plymouth, MN
Virus? No virus exists for OS X in the wild. The example I gave made use of exploits, e.g., the 2009 Pwn2Own winner used an exploit that "allows a remote attacker to gain control of a machine when a user visits a malicious URL". A remote attacker. The attacker does not need physical access to the machine.

If that was the case, then why didn’t he win on the first day? The reason was because somebody (the end user) had to go to a bad site first. If you can trick a dumb end user, anything is possible - this is nothing unique to any system. Anybody is vulnerable to this - the vector matters not if you have to rely on somebody else. There are tons of commercial products that a person can use to control another machine - you trick the person correctly, you can take over without any exploits whatsoever.

The latest pwn2own was a setup - the guy went to a website that he specially built and prepared for knowing that he just had to sit down at the computer. Why? Because that is the only way for it to work.
 

mac2x

macrumors 65816
Sep 19, 2009
1,146
0
If one believes no Mac user will ever click on a link, then one can assume OS X is 100% safe to use. But of course that won't happen in the real world. People will click links in email, and some may someday visit a "familiar" Web site that has been recently compromised to deliver an attack on the user.

Virus? No virus exists for OS X in the wild. The example I gave made use of exploits, e.g., the 2009 Pwn2Own winner used an exploit that "allows a remote attacker to gain control of a machine when a user visits a malicious URL". A remote attacker. The attacker does not need physical access to the machine.

Exploits do exist in the real world for every OS, even OS X. Whether people choose to believe that fact or not, they do exist. Living in denial helps no one...

If you'd pull your head out of the sand, you'll notice I was actually talking about Unix in general and not OS X specifically. Nor did I say that there are any viruses for Unix, as you seem to be insinuating. Read what people say first, and then make your post.
 

belvdr

macrumors 603
Aug 15, 2005
5,945
1,372
The Macs in those pwn2own contests were cooperative targets. *LTD* was merely reminding you of this fact. It is not denial to do so; it is merely the truth. If the truth is not your friend, then what is? Certainly not I.

True, but this:

Can your Mac get hacked remotely? No.

is not an accurate statement at all. It's not even close to accurate. Any connected system is not truly 100% safe from being hacked. Saying a system is 100% secure while connected to a network is denial. That is what localoid was referring to.
 

localoid

macrumors 68020
Feb 20, 2007
2,447
1,739
America's Third World
If you'd pull your head out of the sand, you'll notice I was actually talking about Unix in general and not OS X specifically.

Don't worry about me. Worry about the people who believe *nix based systems offer some magical, built-in 100% immunity to being rooted. Because if they believe that's true, they actually surely do have their heads buried in the sand.

Nor did I say that there are any viruses for Unix, as you seem to be insinuating. Read what people say first, and then make your post.

The only insinuation that occurred, occurred in your head.

I mentioned viruses because you did, simply to point out the fact that there is no virus in the wild for OS X. But, this (lack of viruses) does not mean that an OS X system can't be compromised. Someone intent on cracking an OS X system doesn't need a virus to do the job. There are other ways...
 

*LTD*

macrumors G4
Original poster
Feb 5, 2009
10,703
1
Canada
True, but this:



is not an accurate statement at all. It's not even close to accurate. Any connected system is not truly 100% safe from being hacked. Saying a system is 100% secure while connected to a network is denial. That is what localoid was referring to.

Denial or not, OS X is over 8 years old, and in all that time nobody has EVER been able to hack a Mac remotely. PERIOD.

That's quite a record.

You can say I'm not 100% safe, etc., but I've got quite a pedigree of being safe to look back on.
 

localoid

macrumors 68020
Feb 20, 2007
2,447
1,739
America's Third World
Denial or not, OS X is over 8 years old, and in all that time nobody has EVER been able to hack a Mac remotely. PERIOD.
...

If you actually believe not one single networked OS X box has ever been remotely cracked you are truly living in a dream world, either that or you don't understand what "hack a Mac remotely" really means.

You should be able to find plenty more by googling the subject, but here's just a few examples:

Winner mocks OS X hacking contest

OS X Server break-in: Probably isolated, but a heads-up

Weird network activity?

SSH Hacked - Intruder

Any Mac user that naively believes "it can't happen here", in regards to an OS X system being compromised, could end up like this poor guy who wrote about his experience here @ MacRumors:

https://forums.macrumors.com/threads/342817/


Famous Last Words: "Hey -- no need to run brute force protection of some kind -- it's OS X -- it's bulletproof!"

Sadly, thanks in part to this "bulletproof" belief you're peddling, you can rest assured many novice OS X users will in the future unwittingly be running SSHD, which will of course allow almost any script puppy to crack their passwords, perhaps in just a matter of seconds...
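
The situation described in the post above (an sshd reachable from the internet with password logins and no brute-force protection), seen from the defender's side. This is an added example, not part of the original thread: it scans sshd log lines for bursts of failed logins per source address and for a password login that succeeds right after such a burst. The log lines, host name, users, addresses, year, threshold and window are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH's syslog message format. Host name, users and
# addresses (RFC 5737 documentation ranges) are invented for this example.
SAMPLE_LOG = """\
Mar 12 03:14:01 johnny-mac sshd[411]: Failed password for invalid user admin from 203.0.113.5 port 50112 ssh2
Mar 12 03:14:03 johnny-mac sshd[413]: Failed password for invalid user test from 203.0.113.5 port 50118 ssh2
Mar 12 03:14:06 johnny-mac sshd[415]: Failed password for root from 203.0.113.5 port 50121 ssh2
Mar 12 03:14:08 johnny-mac sshd[417]: Failed password for johnny from 203.0.113.5 port 50125 ssh2
Mar 12 03:14:11 johnny-mac sshd[419]: Failed password for johnny from 203.0.113.5 port 50130 ssh2
Mar 12 03:14:15 johnny-mac sshd[421]: Accepted password for johnny from 203.0.113.5 port 50133 ssh2
Mar 12 08:30:00 johnny-mac sshd[502]: Failed password for alice from 198.51.100.7 port 40210 ssh2
Mar 12 08:30:09 johnny-mac sshd[502]: Accepted password for alice from 198.51.100.7 port 40210 ssh2
Mar 12 09:00:00 johnny-mac sshd[530]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar 12 09:03:00 johnny-mac sshd[531]: Failed password for root from 192.0.2.9 port 33002 ssh2
Mar 12 09:06:00 johnny-mac sshd[532]: Failed password for root from 192.0.2.9 port 33003 ssh2
Mar 12 09:09:00 johnny-mac sshd[533]: Failed password for root from 192.0.2.9 port 33004 ssh2
Mar 12 09:12:00 johnny-mac sshd[534]: Failed password for root from 192.0.2.9 port 33005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted)\s(?P<method>\S+)\sfor\s"
    r"(?:invalid user\s)?(?P<user>\S+)\sfrom\s(?P<ip>\S+)\sport\s\d+"
)


def parse(line, year=2010):
    """Return (timestamp, result, method, user, ip), or None for other lines.

    Syslog timestamps carry no year, so the caller supplies one (assumed here).
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    stamp = " ".join(m["ts"].split())          # collapse "Mar  2" style padding
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["method"], m["user"], m["ip"]


def analyse(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return findings as (kind, ip, user, iso_timestamp) tuples.

    brute-force       : `threshold` failures from one address inside `window`
    login-after-burst : a password login accepted from an address already
                        flagged as brute-forcing (likely a guessed password)
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    noisy = set()                 # addresses that have crossed the threshold
    findings = []
    for line in log_text.splitlines():
        event = parse(line)
        if event is None:
            continue
        ts, result, method, user, ip = event
        failures = recent[ip]
        while failures and ts - failures[0] > window:
            failures.popleft()    # forget failures older than the window
        if result == "Failed":
            failures.append(ts)
            if len(failures) >= threshold and ip not in noisy:
                noisy.add(ip)     # report each address once
                findings.append(("brute-force", ip, user, ts.isoformat()))
        elif method == "password" and ip in noisy:
            findings.append(("login-after-burst", ip, user, ts.isoformat()))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

The slow source (192.0.2.9) never trips the two-minute window, which is the limit of purely rate-based detection; turning off password logins in sshd_config (`PasswordAuthentication no`) removes the guessing surface instead of only watching it.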
 

*LTD*

macrumors G4
Original poster
Feb 5, 2009
10,703
1
Canada
If you truly believe not one networked OS X box has ever been cracked you're really living in a dream world.

You should be able to find plenty more by googling the subject, but here's just a few examples:

Winner mocks OS X hacking contest

OS X Server break-in: Probably isolated, but a heads-up

Weird network activity?

SSH Hacked - Intruder

Your first example is bull. Which means there's no point in me reading your other examples. Perhaps someone else can read them for me and then tell you the exact same thing.

The "experiment" was baloney. The "hacker" was given access to an SSH account, and was already logged onto the system when he "hacked" the webpage. Every shipping Mac has SSH disabled.
 

mac2x

macrumors 65816
Sep 19, 2009
1,146
0
[...]


Any Mac user that naively believes "it can't happen here", in regards to an OS X system being compromised, could end up like this poor guy who wrote about his experience here @ MacRumors:

https://forums.macrumors.com/threads/342817/


[...]

First: That thread is ancient history in terms of computing.

Second: The OP left himself WIDE open via foolish use of ssh.

Find us a verifiable example of a modern Snow Leopard machine with all the appropriate security precautions (owned and used as a personal computer and NOT something in one of these 'hacking contests') being *successfully* hacked from a remote location. Bet you can't find even one.
 

localoid

macrumors 68020
Feb 20, 2007
2,447
1,739
America's Third World
First: That thread is ancient history in terms of computing.

Second: The OP left himself WIDE open via foolish use of ssh.

Find us a verifiable example of a modern Snow Leopard machine with all the appropriate security precautions (owned and used as a personal computer and NOT something in one of these 'hacking contests') being *successfully* hacked from a remote location. Bet you can't find even one.

In a perfect world, if "all the appropriate security precautions" are taken then few boxes would be pwned, regardless of what OS they're running.

I think you're missing the big picture. If we lived in a perfect world, filled with perfect people, that did everything perfectly, nothing bad would ever happen.

But alas, it's not a perfect world. And finding out "the appropriate security precautions" required of a given OS isn't something anyone is going to learn from 5 minutes of googling the subject. Even if luck might allow you to find a good Web page on OS X security it's likely out of date unless it was updated that morning. But for that matter you could spend a couple of decades working as a network admin and still get rooted unless you constantly keep up with the latest exploits and security threats.

Meanwhile, in the real world:

Little Johnny slaps in his Snow Leopard DVD and installs it using defaults and ends up with a very secure system. He keeps up with updates and he has a very safe system. He's understandably impressed!

But then in a few weeks, he becomes interested in running a Web server, and maybe making money in the Web hosting business. So, after 5 minutes of googling and research on the subject, Johnny starts opening ports and starting up all the daemons that he'll need to run Apache, PHP, Perl, MySQL, and other neat stuff. And he sets up port forwarding on his router so the outside world can visit his awesome Web server. He learns a great deal of how to do all of this neat server stuff from reading a Web page full of great OS X security advice written by some dude named "t3h r0xx0rz".

Johnny downloads a bunch of groovy PHP scripts that let him do some really cool stuff. He starts learning PHP and writes his very own script to send email off his OS X server. He gets a static IP from his ISP, and he submits his site to Google's index so the whole world can find it.

Johnny calls up his friends and offers them a deal -- unlimited Web hosting with full shell access for just $5 a month. And more than a dozen of his friends jump at that opportunity of a lifetime. He's soon surprised by the number of strangers from around the world asking about getting shell accounts that must have found his site from searching the Web.

Johnny begins to dream of moving out of his mom's basement once the profits from his hosting business start pouring in. Johnny likes thinking about that idea, so he pours himself a beer, and as he sits down and relaxes, he can't help but congratulate himself on being able to figure out how to operate a budding Web hosting company and takes pride in the fact that it only required about 60 minutes of time spent on learning everything he'd need to know to master his new vocation. He lifts his glass and toasts his new identity -- "Johnny Webmeister".

All seems well at this point. What could possibly go wrong? Little Johnny believes with all his heart what he's read and heard others say so often -- that "no one has ever hacked an OSX" box. It's obvious to Johnny that he made the right choice in regards to choosing the right OS to use, because he knows OS X is impervious to attack.

But for some strange reason, Johnny's server is boarded by all manner of script puppies and other dark forces from around the globe within just a matter of a few days. Some days later, Johnny is horrified to discover that his box has been rooted, all his MySQL databases are toast, and he soon learns his ISP has yanked his network connection because his compromised OS X box was used to send out 1,394,078 SPAM emails to various Hotmail and AOL mailboxes last week.

Making matters even worse, his imaginary girlfriend calls him a loser to his face and then dumps him. The next day, Little Johnny's friends learn that Johnny has been taken away for a 30 day stay in a psychiatric hospital downtown. One of Johnny's friends, whose father is a lawyer, takes Johnny to court since he's paid for a year's worth of hosting in advance. The judge awards damages to Johnny's friend, and since Johnny has no money the judge seizes Johnny's Mac Pro and awards it to the successful litigant. As the scene fades to black we see Little Johnny in a straightjacket, all alone in a darkened room, crying out to his pet cockroach that lives underneath his bed, "They said it was bulletproof!"

This is just one type of compromise that happens all the time, largely because so many people in the OS X love to keep the legendary tale alive that OS X is bulletproof, 100% secure, and so on... blah, blah, blah.

Let's not continue to kid ourselves about OS X security. Living in denial helps no one -- Little Johnny's dream of becoming a successful Webmeister didn't have to die!
 

chrono1081

macrumors G3
Jan 26, 2008
8,724
5,198
Isla Nublar
Sorry to say but all this "Mac fanboy" talk is ridiculous.

I seriously never come across "mac fanboy" statements but I CONSTANTLY come across windows trolls bashing mac users etc etc talking about how OSX sucks and MS is better etc etc. It's all through the forums here. It makes me wonder why people even come here if they don't like mac.

There was an article on Gizmodo the other day about the iPad and it was constant "Mac fanboy" bashing yet not once did I see anyone on that thread talk about mac.

I also don't understand what is such a crime in liking one OS over another. People like one sports team over another and somehow that's acceptable but the second someone says they like one OS over another it's a huge sin.
 

Kristenn

macrumors 6502
Aug 30, 2009
490
1
In a perfect world, if "all the appropriate security precautions" are taken then few boxes would be pwned, regardless of what OS they're running.

I think you're missing the big picture. If we lived in a perfect world, filled with perfect people, that did everything perfectly, nothing bad would ever happen.

But alas, it's not a perfect world. And finding out "the appropriate security precautions" required of a given OS isn't something anyone is going to learn from 5 minutes of googling the subject. Even if luck might allow you to find a good Web page on OS X security it's likely out of date unless it was updated that morning. But for that matter you could spend a couple of decades working as a network admin and still get rooted unless you constantly keep up with the latest exploits and security threats.

Meanwhile, in the real world:

Little Johnny slaps in his Snow Leopard DVD and installs it using defaults and ends up with a very secure system. He keeps up with updates and he has a very safe system. He's understandably impressed!

But then in a few weeks, he becomes interested in running a Web server, and maybe making money in the Web hosting business. So, after 5 minutes of googling and research on the subject, Johnny starts opening ports and starting up all the daemons that he'll need to run Apache, PHP, Perl, MySQL, and other neat stuff. And he sets up port forwarding on his router so the outside world can visit his awesome Web server. He learns a great deal of how to do all of this neat server stuff from reading a Web page full of great OS X security advice written by some dude named "t3h r0xx0rz".

Johnny downloads a bunch of groovy PHP scripts that let him do some really cool stuff. He starts learning PHP and writes his very own script to send email off his OS X server. He gets a static IP from his ISP, and he submits his site to Google's index so the whole world can find it.

Johnny calls up his friends and offers them a deal -- unlimited Web hosting with full shell access for just $5 a month. And more than a dozen of his friends jump at that opportunity of a lifetime. He's soon surprised by the number of strangers from around the world asking about getting shell accounts that must have found his site from searching the Web.

Johnny begins to dream of moving out of his mom's basement once the profits from his hosting business start pouring in. Johnny likes thinking about that idea, so he pours himself a beer, and as he sits down and relaxes, he can't help but congratulate himself on being able to figure out how to operate a budding Web hosting company and takes pride in the fact that it only required about 60 minutes of time spent on learning everything he'd need to know to master his new vocation. He lifts his glass and toasts his new identity -- "Johnny Webmeister".

All seems well at this point. What could possibly go wrong? Little Johnny believes with all his heart what he's read and heard others say so often -- that "no one has ever hacked an OSX" box. It's obvious to Johnny that he made the right choice in regards to choosing the right OS to use, because he knows OS X is impervious to attack.

But for some strange reason, Johnny's server is boarded by all manner of script puppies and other dark forces from around the globe within just a matter of a few days. Some days later, Johnny is horrified to discover that his box has been rooted, all his MySQL databases are toast, and he soon learns his ISP has yanked his network connection because his compromised OS X box was used to send out 1,394,078 SPAM emails to various Hotmail and AOL mailboxes last week.

Making matters even worse, his imaginary girlfriend calls him a loser to his face and then dumps him. The next day, Little Johnny's friends learn that Johnny has been taken away for a 30 day stay in a psychiatric hospital downtown. One of Johnny's friends, whose father is a lawyer, takes Johnny to court since he's paid for a year's worth of hosting in advance. The judge awards damages to Johnny's friend, and since Johnny has no money the judge seizes Johnny's Mac Pro and awards it to the successful litigant. As the scene fades to black we see Little Johnny in a straightjacket, all alone in a darkened room, crying out to his pet cockroach that lives underneath his bed, "They said it was bulletproof!"

This is just one type of compromise that happens all the time, largely because so many people in the OS X love to keep the legendary tale alive that OS X is bulletproof, 100% secure, and so on... blah, blah, blah.

Let's not continue to kid ourselves about OS X security. Living in denial helps no one -- Little Johnny's dream of becoming a successful Webmeister didn't have to die!


I like this story.

Anyone who believes Mac OS X is 100% safe needs to read Apple's website on the Mac OS X page.

I'm pretty sure somewhere they say "No computer connected to the internet is 100% safe."

Also, I found this on Apple's website as well.


Always up to date.
When a potential security threat arises, Apple responds quickly by providing software updates and security enhancements that can be downloaded automatically and installed with a click.



Yup, everyone patches.
 

*LTD*

macrumors G4
Original poster
Feb 5, 2009
10,703
1
Canada
Meanwhile, in the real world:

Little Johnny slaps in his Snow Leopard DVD and installs it using defaults and ends up with a very secure system. He keeps up with updates and he has a very safe system. He's understandably impressed!

But then in a few weeks, he becomes interested in running a Web server, and maybe making money in the Web hosting business. So, after 5 minutes of googling and research on the subject, Johnny starts opening ports and starting up all the daemons that he'll need to run Apache, PHP, Perl, MySQL, and other neat stuff. And he sets up port forwarding on his router so the outside world can visit his awesome Web server. He learns a great deal of how to do all of this neat server stuff from reading a Web page full of great OS X security advice written by some dude named "t3h r0xx0rz".

Johnny downloads a bunch of groovy PHP scripts that let him do some really cool stuff. He starts learning PHP and writes his very own script to send email off his OS X server. He gets a static IP from his ISP, and he submits his site to Google's index so the whole world can find it.

Johnny calls up his friends and offers them a deal -- unlimited Web hosting with full shell access for just $5 a month. And more than a dozen of his friends jump at that opportunity of a lifetime. He's soon surprised by the number of strangers from around the world asking about getting shell accounts that must have found his site from searching the Web.

Johnny begins to dream of moving out of his mom's basement once the profits from his hosting business start pouring in. Johnny likes thinking about that idea, so he pours himself a beer, and as he sits down and relaxes, he can't help but congratulate himself on being able to figure out how to operate a budding Web hosting company and takes pride in the fact that it only required about 60 minutes of time spent on learning everything he'd need to know to master his new vocation. He lifts his glass and toasts his new identity -- "Johnny Webmeister".

All seems well at this point. What could possibly go wrong? Little Johnny believes with all his heart what he's read and heard others say so often -- that "no one has ever hacked an OSX" box. It's obvious to Johnny that he made the right choice in regards to choosing the right OS to use, because he knows OS X is impervious to attack.

But for some strange reason, Johnny's server is boarded by all manner of script puppies and other dark forces from around the globe within just a matter of a few days. Some days later, Johnny is horrified to discover that his box has been rooted, all his MySQL databases are toast, and he soon learns his ISP has yanked his network connection because his compromised OS X box was used to send out 1,394,078 SPAM emails to various Hotmail and AOL mailboxes last week.

Making matters even worse, his imaginary girlfriend calls him a loser to his face and then dumps him. The next day, Little Johnny's friends learn that Johnny has been taken away for a 30 day stay in a psychiatric hospital downtown. One of Johnny's friends, whose father is a lawyer, takes Johnny to court since he's paid for a year's worth of hosting in advance. The judge awards damages to Johnny's friend, and since Johnny has no money the judge seizes Johnny's Mac Pro and awards it to the successful litigant. As the scene fades to black we see Little Johnny in a straightjacket, all alone in a darkened room, crying out to his pet cockroach that lives underneath his bed, "They said it was bulletproof!"

Except this hasn't happened yet.

Maybe in another 8 years. So much for the "real world."

I'm pretty sure somewhere they say "No computer connected to the internet is 100% safe."

Also, I found this on Apple's website as well.

It's obligatory for Apple to make that statement, regardless of how safe Macs are.
 

Eraserhead

macrumors G4
Nov 3, 2005
10,434
12,250
UK
But then in a few weeks, he becomes interested in running a Web server, and maybe making money in the Web hosting business. So, after 5 minutes of googling and research on the subject, Johnny starts opening ports and starting up all the daemons that he'll need to run Apache, PHP, Perl, MySQL, and other neat stuff. And he sets up port forwarding on his router so the outside world can visit his awesome Web server. He learns a great deal of how to do all of this neat server stuff from reading a Web page full of great OS X security advice written by some dude named "t3h r0xx0rz".

Who the hell actually does this? This is an incredibly implausible scenario.

It's like saying cash is dangerous, because you might take thousands of dollars out of your bank account, and travel to a developing country and lose it to an elaborate scam.
 

DoFoT9

macrumors P6
Jun 11, 2007
17,586
100
London, United Kingdom
hmm I wonder how long until they fix it.... Or even if they think it's a problem! I'm sure that unix has a few holes like this too though...
 

*LTD*

macrumors G4
Original poster
Feb 5, 2009
10,703
1
Canada
Who the hell actually does this? This is an incredibly implausible scenario.

It's like saying cash is dangerous, because you might take thousands of dollars out of your bank account, and travel to a developing country and lose it to an elaborate scam.

It's supposed to be "real world" apparently . . . even though it hasn't happened in the "real world" yet.

I can't wait for more "real world" examples!
 