Domain: carrel.org
Stories and comments across the archive that link to carrel.org.
Comments · 8
-
Re:Can only guess...
security realities are blah blah blah on Windows, then we can draw similar conclusions concerning OS X.
I'm saying that you haven't disproven your arguments as equally applying to recent Windows versions. Client malware before 1995 or so was delivered almost exclusively through trojans (including bootsector etc); then there was a period of about 10 years where insecurities in networking stacks/client networking apps allowed a machine to be infected without a physical user action; and now we're edging back to where we were before 1995. Windows exploits today are mostly straight download-me trojans, with a sprinkle of browser/plugin exploits.
My opinion is that OS X is hard to remotely exploit. The fact that it hasn't been done even one single time backs that up.
I'll give you one to stop you whining. It's especially important because it describes what I've said about ethical hackers not being prepared to put their freedom on the line to impress kids. Contrary to what you think, many people care about the difference between showing that a gun can be guilt and building a gun for anyone to use.
No, it isn't. But it sure invalidates the myth that marketshare=exploits which is what practically your entire argument hinges on.
Argh. Webserver = server software. There are a few web servers most of which have administrators, many of whom will notice suspicious activity eventually. There are hundreds of millions of desktops/workstations on the net, very few of which have competent administrators. The content of an individual web server may be valuable, while the content of an individual client machine is likely not; the sum of bandwidths of web servers over time is likely not so impressive; whereas the sum of bandwidths of millions of distributed machines in a large botnet is very impressive.
Targeting a server and targeting a client are two very different goals.
. At the end of the day, the only way to prove an OS is insecure is to exploit it. Anything else is just talk. And from where I'm sitting, OS X looks pretty good.
But it's been exploited many times in proof-of-concepts. What you're asking people to do is break the law and tell the world about it like the dumbest kind of criminal just to please you - not even for financial reward. That's not going to happen.
-
Re:How is it "obvious" ?
When I published my OS X remote root (link-local remote root for the pedantic), a poorly chosen use for DHCP, Apple had advance notice of when I was going to release it, numerous avenues to attempt contact and I didn't hear one peep from Apple Legal. That this guy was suddenly chilled and can't produce evidence of it other than making vague insinuations just sounds hoakey to me.
If he doesn't feel okay about releasing details until they've patched the driver that's one thing. But insinuating that the big bad lawyers have silenced you is quite another. The only circumstance I can think of where they could actually be legitimately silenced is: they are/were being paid to do pen testing for Apple, they submitted this bug, they blabbed about it at a conference when they were under a contractual NDA, they're now claiming they didn't say enough violate the NDA and are remaining mum until the rest of the details go public.
Given the nature of this scenario (i.e. that they'd have to have violated an NDA to wind up where they are insinuating they are now), I'm not overwhelmed with trust for the researchers who are positing this security hole's existence. On the other hand, I was led on and on by Apple waiting for them to release a patch for my earlier security issue that had a similar attack vector and security impact to this posited new security hole. If these researchers are actually waiting, we may all have to sit around for a good long while before the proof is actually shown.
This dilemma is more evidence of why full disclosure is a good idea. -
Patch for quotas
Here is William A.Carrel's Patch patch for Apache 2. setup info
-
Apple is scary to criticize
I'm actually a moderately well known individual in the security community, but I'm posting this anonymously because, well, the subject line (and, I suppose, Author field).
I've been an Apple user, off and on, since the IIgs days. There's always been a good amount of zealotry about the product line, but what can you say? The gear is pretty good, and has a good reputation. Unfortunately, no small amount of that reputation is maintained through absolutely vociferous defense of any arbitrary behavior.
I'm not just talking about buffer overflows. When Apple's DHCP implementation made it trivial for anyone on the LAN (even a coffee shop wireless network) to remotely take full control of the machine, the response was not one of confident correction but defensive redefinition -- "It's not a bug, it's a feature, you unintelligent carbon rod." And when Apple became the first operating system ever to be exploitable via its generic text forms -- the response really was yet another circle-the-wagons-and-apply-the-double-standard. And in case you don't believe me about the obsessive, O'Reillyian hijinks going on here -- look at the Boingboing response to what's just an open-and-shut data/executable confusion vulnerability. "OS9 is vulnerable too" is not a defense. "But you need to GET the file first" isn't a defense either -- that is , um, sort of the point of a Trojan horse. "An antivirus company came up with this" -- no way, you mean antivirus companies actually try to find security problems? This type of alternation between non-sequitor and ad-hominem is par for course. And don't say it's always this way -- there's no other operating system vendor who either themselves or through their users reacts to security risks like this. Not Microsoft, not the various Linux distributors (who really are getting hammered), not Sun or SGI, and certainly not Theo or his security-obsessed users. Everyone else seems to have realized it's safe to openly acknowledge and repair faults. Apple is the exception. "Like pulling teeth" comes to mind.
People, this is technology, not politics, and I don't even like this kind of behavior in politics. The more apologism there is for Apple failures -- and yes, even the eternally scrappy upstart from Cupertino can screw up, just look at your Powerbook monitors -- the less likely we are to actually see what ultimately we all want, which is correctly behaving technology.
That's all I have to say on this. -
Re:wep key on receipt!
"Obviously you don't have a mac. Move mouse to corner of screen, pick WiFi connection. Move mouse back. Surf. That's it. Works flawlessly, 100% of the time." while I'll admit, that is handy.. its also the reason for this remote exploit
-
10.2.8
The security update is also available for 10.2.8. I downloaded it and installed it last night. It is apparently different than the one for 10.3.x, though, as the size is about a meg less.
The description says that it updates: "AFP Server, cd9660.util, Directory Services, fetchmail, fs_usage, rsync, System Initialization". I wonder what this does to directory services? Presumably it addresses the security issue raised earlier, but since the issue exploits a configuration that is necessary for NetInstall, I don't think that Apple could just "turn it off." I explicitly checked, but didn't see anything different about Directory Access after the update.
Anyways, it's great that Apple is updating 10.2.x machines still--apparently, they are listening and responding to criticism that they can't end support immediately after a new OS is released--part of their enterprise aims? -
Re:so, there's a hole
and a known patch is on the way.
There's a patch coming? Says who? Apple was alerted to the flaw more than two months ago, prior to the release of OS X 10.3. In that time they've put out 4 new security updates- but none of them fix this problem.
According to the latest contact between Apple and the hole's discoverer (scroll to the bottom of his page), they have no intention of fixing this.
I'm hopeful that they'll change their mind (and I expect vocal protest to push them that way), but that hasn't been announced yet. -
Re:ldap?
Can someone who's familiar with system administration on those debian boxes clarify the above statement?
Not me, sadly, but when I saw LDAP, I was reminded of the recent Mac OS X vuln. I know the details are different, but reading the linked article led me to think LDAP's not necessarily a good way to manage your priviliged accounts.