Slashdot Mirror
If You Hack NBC, You Don't Get to Meet Tom Brokaw
subgeek writes "Security Focus Online is carrying this story about the spot that Adrian Lamo almost had on the NBC Nightly News with Tom Brokaw. NBC changed their mind after they realized the possible legal implications of filming someone hack corporate systems. NBC also seemed a bit touchy that Lamo had gotten into their system so handily. According to the article, it took him about five minutes and one guessed password to get inside NBC's intranet from a computer at a Kinko's. Lamo's comment: "It was a very full service system.""
of homer...
Life is the leading cause of death in America.
Demonstrating OTHER corporations are security dumb-asses is one thing, but demonstrating THEY are security dumb-asses on nationwide television must've triggered someone's clue meter.
Learning HOW to think is more important than learning WHAT to think.
Sounds to me like they're more embarassed that he did it so easily and from such a public location. After all, he was invited by an NBC employee to attempt to hack their system.
I used to work for a television news department... this kind of thing happens all the time:
Reporter and Vidiographer are assigned some fluff or FUD piece, but come back with a story that lands a little too close for the news director's comfort... the piece gets pulled.
Lamo's lucky... with the way lawsuits and "terrorist hacker" charges are flung about nowadays, he should be thankful he's not roomin with some lifer named Bubba right about now.
The Digital Sorceress
Perhaps they just didn't want to admit that they'd been cracked by somebody with the last name of "Lame-O".
Reminds me of the great SNL skit with Nicholas Cage:
"The name is Dumass, Dumass!"
So, if this guy was able to guess someones password, I am VERY curious as to what it was. If you know anything about the person, it makes guessing easier. However, if you don't know even the owner of the account, how do you guess a good password?
My only hunch is that the password was something like 'abc123'. It cracks me up how many people have passwords such as that and are supposedly worried about security.
It is also funny to hear what some of my friends think are secure passwords. Among them being obscure Anime characters.
because he found out the great secret of TV anchors...
That's my purse! I don't know you! -- Bobby Hill
::Sigh:: you dont need to hack a system to bring a corporation to its knees, you just need to post a link on slashdot...
anyone have the text?
This is my sig. Its pathetic.
TheRegisterStoryPostedYesterdayAM
MMMmmmmmm....erotic cakes!!! Homer J. Simpson - Treehouse of Horror VI
His identity was kept secret in the TV show, but a few days after, the TV station was forced by police to reveal the identity of the guy to get him convicted. The incident got a lot of media coverage, because before that many or most had thought press has the right to protect their "sources" and do not need to reveal details about individuals.
Anyway, maybe in this Lamo case, it is more about "agitating someone to do a crime", the court might see for example that part of the motivation for breaking in some system could be the fact that he would get press coverage and fame because of it - and NBC would be to blame for agitating.... or something totally different :)
NBC seems to think that if you hide under a rock, maybe the monsters will go away.
Have these people never heard of TCP Wrappers and IPFW? I suspect not. All confidential information should be BOTH firewalled and TCP Wrappered (DENY) by default to all domains, then added on a IP by IP (or local domain) basis. I get the feeling of admins took the time to do this very basic thing, 90% of all cracks would not occur.
Burn Hollywood Burn
NBC Executive: What a coicidence! That's the exact code I use on my matched luggage!
What's the world coming to when life immitates parodies immitating life?
"Communism is like having one [local] phone company " - Lenny Bruce
I mean this is television. Maybe they took one look at him and found out he was not the buff trim hunky reality TV piece of meat that gets on TV nowadays. Maybe he has Tourette's, who knows. Why would you want to watch his interview.
Lamo: "Uh I haXord their shit in about 5 minutes it was Leet! they left a service password called PASSWORD on this gateway node and once I was there I forged an IP address or two...."
Brokaw: "ZZZZZZZZZZZZZZZZZzzzzzzzzzzzzzzzzzzzz........"
Although RIAA website was defaced yesterday, and now NBC learns it too is easily hackable, It amuses me that people keep forgetting that no MacOS based webserver has ever been hacked into in the history of the internet.
:
The MacOS running WebStar and other webservers as has never been exploited or defaced, and are are unbreakable based on historical evidence.
In fact in the entire securityfocus (bugtraq) database history there has never been a Mac exploited over the internet remotely.
That is why the US Army gave up on MS IIS and got a Mac for a web server.
I am not talking about FreeBSD derived MacOS X (which already had a more than a couple of exploits) I am talking about current Mac OS 9.x and earlier.
Why is is hack proof? These reasons
1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT
2> No Root user. All mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stufff where you pass Gary Davidians birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.
3> Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The mac avoids C strings historically in most of all of its OS. In fact even its roms originally used Pascal strings. As you know pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits. Individual 3rd party products may use C stings and bind to ANSI libraries, but many do not.
4>: Macs running Webstar have ability to only run CGI placed in correct directory location and correctly file "typed" (not mere file name extension). File types on Macs are not easily settable by users, expecially remotely. Apache as you know has had many problems in earlier years preventing wayward execution.
5> Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing! For example the file type is 4 characters of user-invisible attributes, along with many other invisible attributes, but these 4 bytes cannot be set by most tool oriented utilities that work with data files. For example file copy utilities preserve launchable file-types, but JPEG MPEG HTML TXT etc oriented tools are physically incapable by designof creating an executable file. The file type is not set to executable for hte hackers needs. In fact its even more secure than that. A mac cannot run a program unless it has TWO files. The second file is an invisible file associated with the data fork file and is called a resource fork. EVERY mac program has a resource fork file containing launch information. It needs to be present. Typically JPEG, HTML, MPEG, TXT, ZIP, C, etc are merely data files and lack resource fork files, and even if the y had them they would lack launch information. but the best part is that mac web programs and server tools do not create files with resource forks usually. TOTAL security.
4> Stack return address positioned in safer location than some intel Osses. Buffer exploits take advantage of loser programmers lack of string length checking and clobber the return address to run thier exploit code instead. The Mac places return address infornt of where the buffer would overrun. Much safer.
7> There are less macs, though there are huge cash prizes for cracking into a MacOS based WebStar server (typically over $10,000 US). Less macs means less hacker interest, but there are millions of macs sold, and some of the most skilled programmers are well versed in systems level mac engineering and know of the cash prizes, so its a moot point, but perhaps macs are never kracked because there appear to be less of them. (many macs pretend they are unix and give false headers to requests to keep up the illusion, ftp http, finger, etc). But some huge high performance sites use load-balancing webstar. Regardless, no mac has ever been rooted.
8> MacOS source not available traditionally, except within apple, similar to Microsoft source only available to its summer interns and engineers, source is rare to MacOS. This makes it hard to look for programming mistakes, but I feel the restricted source access is not the main reasons the MacOS has never been remotely broken into and exploited.
Sure a fool can install freeware and shareware server tools and unsecure 3rd party addon tools for e-commerce, but a mac (MacOS 9) running WebStar is the most secure web server possible and webstar offers many services as is.
One 3rd party tool created the only known exploit backdoor in mac history and that was back in 1995 and is not, nor was, a widely used tool. I do not even know its name. From 1995 to 2002 not one macintosh web server on the internet has been broken into or defaced EVER. Other than that event ages ago in 1995, no mac web server has ever been rooted,defaced,owned,scanned,exploited, etc.
I think its quite amusing that there are over 200 or 300 known vulnerabilities in RedHat over the years and not one MacOS 9.x or older remote exploit hack. There are even vulnerabilities a month ago in OpenBSD.
Not one exploit. And that includes Webstar and other web servers on the Mac.
A rare set of documentation tutorials and exercises on rewriting all buffer LINUX exploits from INTEL to PowerPC was published less than a year ago. The priceless hacker tutorials were by a linux fanatic : Christopher A Shepherd, 3036 Foxhill Circle #102, Apopka, FL 32703 and he wrote the tutorials in a context against BSD-Mach Mac OSX.
but all of his unix methods will find little to exploit on a traditional MacOS server.
BTW this is NOT an add for webstar.. the recent versions of webstar sold for over the last year are insecure and cannot run on Mac OS 9.x or 8.x, and only run on the repeatedly exploited MacOS X.
--- too bad the linux community is so stubborn that they refuse to understand that the Mac has always been the most secure OS for servers.
BugTraq concurs! As does the WWW consortium.
Agreed. I do consulting 'rescue work' on occasion, and 90% of the places I visit have blank passwords. the remaining 9% have the default, and maybe 1% of them have decent passwords.
Although, these are all smallish companies with no IT department. I would assume that NBC has its own IT department, right?
It's ok to publicize the flaws of airport security, how easy it is to build a bomb, and numerous other cases where some psycho can be encouraged to kill hundreds of people. They do so nominally under the justification that exposing the flaws helps society (as if government can and will simply just put a stopper in the hole). However, when it comes to exposing the flaws in their own computer network they get philosophical all of the sudden. Funny how that works.
Six pack of Rockstar "Energy Drink" - $6
Network time at the local Kinko's - $2.50/hour
Getting booted from NBC Nightly News after hacking their intranet - 5 minutes effort
Scoring with the hot NBC Nightly News Producer because she's impressed with your k-r4d sk|llz - priceless
Only stupid people are more concerned with the fact that they were made to look bad than with the underlying truth. Instead of getting offended they should have put the kid in touch with their IT team. Or put him on it.
Science may someday discover what faith has always known.
The media portraits "hackers":
For his part, Lamo, who's not known for shrinking from controversy , charges the network with a failure of courage. "I can understand where they're coming from," says Lamo, in a telephone interview from somewhere on the East Coast. "But I like to think that in their place I'd take more of a risk.
Somewhere, disguised, with computer parts laying around... It seems like Lamo didn't want to give his location, yet, there were hundreds of ways to finding out.
Why speak of "hackers" like this? Are they still a sub-culture, marginalized?
Buy a Nintendo DS Lite
No, really. Given the media's track record and history of hacker over-sensationalism, this story would have been the perfect oppertunity to whip your Senator, the public and your turtle into an anti-hacker frenzy. Had this story aired, I'm sure you'd be reading Anti-hacker sediment in place of this piece your reading now. The governement would be riding the anti-hacker bandwagon with full force if they actually saw how easy it was to hack into a major corporation. They wouldn't even have to air any detail; Que darkened room, silhouette of Joe Hacker, a few comments from him about what he was doing (computer masked, of course) and that sinister Nightline narrative they use for melodrama. Toss in a few screen shots of complicated, yet meaningless clips of him navigating the network and bam-- Instant media frenzy. Who cares about Tommy boy, the fact that Lamo is willing to be used as an obvious pawn in the media spotlght is scary in it's own right. Sure, he'd have his 15 minutes... Then watch as it was used to destroy his world with laws and legistlation.
You need a FREE iPod Nano
He got into Worldcom's systems while I was working there, and it threw the entire company for a loop - out of the blue, passwords were expired en mass on various portions of the network, and a weak VPN software package was crammed down the throats of the Windows users. Thousands of people had to get it installed, and ALL of the registration and training and configurations had to be handled through a VERY small pipe. That was an interesting time... good thing I wasn't one of the people that had to rely on the VPN software to do my job.
Come to the University of Mars! Classes starting soon!
Protecting anonymous sources is one thing, but you can't hide behind that if you are witness to a crime.
"Sorry, I'm a reporter, I don't have to testify" just doesn't hold up.
legally, if they witness this guy comitting a felony, they are obligated to report him to the police, or be tried as accessories.
Teenage intruder: See? I run nmap 234.34.53.5 and I get a list of all the ports that are open on their machine. I can then do some other stuff with libpcap...
Brokaw: Wardrobe!....dammit, get this kid a large sleek trenchcoat, combat boots, and a pair of those $300 designer sunglasses. They're expecting neo, not urkel. Audio!...cue that "techno" music they listen to. (to "hacker")Okay, kid, your motivation is to disrupt The System, bring down The Corporate Machine that runs the government, and then make it with Carrie Ann Moss in a hovercraft.
Teenage intruder: But I just thought I would show you how I learned about this network vulnerability in my quest for knowl....
Brokaw: (to cameraman) Start rolling in five, four, three, two...
Ergonomica Auctorita Illico!
You mean those talking heads on TV are real people? I thought they were all synthetic actors
It would have been great if he would have gotten into the NBC Nightly News teleprompter and put at the end of Tom Brokaw's lines "...and in other news, while visiting a low-income daycare center Dick Cheney bit the head off an infant. Additionally, I am a turnip, vroom vroom."
I bet he'd say it.
see subj
Interesting? Please.
This is a verbatim repost of an old troll--which, I might add, was shot down point for point for point.
"No root user" is NOT the same thing as "always running as root".
404 Error:
He's absolutely right. Neither one of them have yet been hacked. ;)
FWIW, his website is http://adrian.adrian.org
So, maybe he doesn't get his exposé on NBC about cracking NBC's networks...
But I'll bet that ABC would be happy do do a report on cracking NBC's networks...
Where are you, Mr. Jennings...
Lamo's comment: "It was a very full service system."
Ohh, Adrian. You should change your name from Lamo to Lmao with those witty one liners!
The entire premise of "secure Mac OS" web servers is based on two factors:
It would thus be accurate to say "The Mac OS web server may be a good choice if you are clueless, do not know how to administer secure servers, and want to run an OS that is now officially obsolete."
It's ok to publicize flaws in computer networks, you just can't demonstate the flaw if doing so is breaking the law. In this case, it seems like he got permission, so I doubt they could consider this an unauthorized intrusion.
As soon as you mentioned Airport Security I remember the guy who got through with something like a box cutter and announced it. They immediately arrest the guy.
This concludes our lesson on how not to blatently compare apples to oranges.
There's probably a double standard in there somewhere, but you didn't find it.
"Communism is like having one [local] phone company " - Lenny Bruce
If MacOS is so great, why does Apple use Solaris?
Akamai. Apple's web site is distributed. When you connect to apple.com, you're actually getting www.apple.com.akadns.net, which runs on Solaris.
2> No Root user. All mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stufff where you pass Gary Davidians birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.
Perhaps this is a philosophical nitpick on my part, but by extension shouldn't this mean that the vast majority of Windows programs should be incredibly secure? Prior to NT, all Windows developers were guaranteed that their code would be running as 'root'. That's a lot of developer-time spent in a world where everything is root. And yet, somehow, Windows still seems to have its share of security problems.
I'm not saying that Macs are as insecure as Windows boxes, just that I'm having trouble following the idea that "always being root" somehow makes programmers more security-conscious.
3> Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The mac avoids C strings historically in most of all of its OS. In fact even its roms originally used Pascal strings. As you know pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits. Individual 3rd party products may use C stings and bind to ANSI libraries, but many do not.
A buffer overflow is a buffer overflow is a buffer overflow.
If you don't check that your destination buffer is big enough to hold the contents of your source buffer, then your code becomes a bug in search of an exploit. Doesn't matter if the length is stored at the beginning, doesn't matter if you count until you find a NUL. If you copy from A to B and sizeof(B) < sizeof(A), you're just looking for trouble.
Yes, ladies and gents, sometimes size does matter...
A marriage is always made up of two people who are prepared to swear that only the other one snores.
The MacOS running WebStar and other webservers as has never been exploited or defaced, and are are unbreakable based on historical evidence.
Based on historical evidence, my backyard shed is burglar-proof.
In the ENG news business, I have never been called a "Videographer." In the news business all across America a News Photographer is called a "Photog."
I would know this because I am currently a "photog." This person has more than likely never worked in a television newsroom.
What functionality do you want.
Hmm, let's see... How about, say, multithreading? The ability to play DVDs without skipping if you so much as move the mouse?
Look, the old Mac OS had a cutting edge GUI when it came out, in 19-frickin-80-something. It had various usability innovations. But on the technical capabilities of the OS, it hasn't cut it for a long, long time.
On the March 16, 1989 edition of CBS's 48 Hours, reporter David Martin told viewers that he converted a semi-automatic rifle to full-automatic without a license, which is a felony. CBS filmed the conversion work, and broadcast part of it on the program. Unlike David Koresh, who was suspected of doing the same thing, CBS only received a letter of reprimand from the BATF.
Interesting analogies, but none quite applicable in this case, imho.
Is cyberspace inside or outside space for these purposes? I'd say most likely inside. Whenever you enter someone else's system in 'cyberspace', (ignoring the misleading qualities of the word, for the moment) you're 'inside' someone's server.
Treating these systems as storefronts doesn't quite work. For one thing, you can enter because the store owner -wants- people in his store. If you go causing problems, they have the legal right to kick you out. If you try to enter the 'employees-only' storage area, you could find yourself in trouble. If you enter after business hours, when the doors are locked, you're guilty of breaking and entering.
And not all places of business are storefronts. If you go walking in the front door of a factory, or many a suit-and-tie 9-to-5 office, you may find yourself stopped at the front desk unless you've been invited in. And if you use the delivery door in back to get to the Top Boss's office uninvited, again, you're asking for trouble.
Now, as I understand it, he was invited to try and find an insecure entrance. He was an invited guest, and the responsibility falls on the person who invited him. In every businessplace I've worked, all non-employees have had to be accompanied while visiting, for security reasons.
For his sake, I hope he had that invitation in writing. For the sake of the NBC employee that invited him, I hope that invitation was pre-approved by the employee's boss. And NBC's legal department. If the reporter gave an invitation which he didn't have the authority to give, that reporter is the one who could end up in the most trouble.
I'll save the cyberspace/real-space analogy rant for another time.
Good judgment comes from experience.
Experience comes from bad judgment.
CBS *FILMED* the conversion work - Publicized - Nothing happened
David Koresh Performed the Conversion - Demonstrated - Got into trouble
Now if they reporter had PERFORMED the conversion, I'd say you're on to something.
Are there double standards? Probably.
Did you demonstrate one? No.
Did you make the same mistake as the original poster? Yes.
Will you learn to distinguish between the two? (Insert Your Answer Here)
"Communism is like having one [local] phone company " - Lenny Bruce
Prior to NT, all Windows developers were guaranteed that their code would be running as 'root'
True...how many Windows 95-based web servers are there?
sgis ddo ekil t'nod i
I bet the hacker noticed that there's an IV going into him from under the desk, and electrodes attached to his nuts if he decides to do anything stupid.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
why has the parent been modded as troll? It's all true, my school uses MAC OS and webstar servers and it's never been hacked (there are 10,000 people who go there as well as a large computer science department)
GoatPigSheep, the 3 most important food groups
IIRC, the (admittedly cheesy) Microsoft Personal Web Server was shipped with Win95. (Don't have any 95 boxes anymore, so won't swear to it. Win 98 definitely comes with PWS.)
Apache. (They're very open-minded. :-)
Quick check on TuCows shows 9 more web servers supporting 9x.
CNet's download.com has a whopping 192 entries in their Windows/Web Authoring/Servers area if you filter it down to Win95. But take CNet's count with a grain of salt...they don't seem to differentiate between server-support/test apps and actual servers. But I'm not gonna hunt through a list that size to get a better count.
Anyways, I think it's safe to say that, strange as it may sound, there actually are Win 9x-based servers available.
Okay, but we're starting to wander from the original "Macs are secure because they have no security" topic, which was already wandering pretty far from the "hacker denied 15 seconds of fame" topic.
I'd ask someone to mod me down, but saying "yeah, go ahead, mod this down" always seems to end up with people modding it up to +5 Insightful because it's got that ever-popular angst-driven sound first popularized by Eeyore. (Donkey. 100 Aker Woods. Cristopher Robin. Ah, never mind....)
Ahem... Okay people, listen up! My post is not insightful. It's offtopic! "Offtopic" might look a lot like "Insightful" in the moderator pulldown, but if you look really closely, you'll notice that they're spelled slightly differently. Yes, I know it's subtle...they both start with a big letter and have smaller letters afterwards. Just hang in their, kids...hopefully the next SlashCode release will have a picture-based moderation system.
A marriage is always made up of two people who are prepared to swear that only the other one snores.
In general, broadcast station teleprompter hardware itself is very old technology, with a simple serial cable to load the script (a text file with some very simple markup sequences to adjust speed, fonts, etc)
Among the cheapest "professional" teleprompters are Stewert, starting around $1K. You can throw together your own home-brew solution for a few bucks, but "real" TV stations are sticking with the old, expensive, pre-MS-Windows solutions.
Usually the producer and on-air talent will run through the script at a high speed (just barely readable without practice) shortly before going on air, so your timing would have to be just right if you want to add any extra little "suprises" with any chance of success.
It's an interesting idea, but even for a live news broadcast, it's not likely that you would slip anything through.
I do not deploy Linux. Ever.
Methinks you've got the right handle on the situation.
The internet is a public network. It's not a bunch of private, gated, security-guarded enclaves.
Public street and sidewalk. Fence with a gate (keeps children and small pets from wandering too far too fast). Screened-in front porch with screen door. Screen door to house. Main door to house. Stranger knocks on main door.
Or maybe I'm wrong and modern society has already victimized itself.
sure, it's a troll, but it's also wrong.
L L
:)
http://attrition.org/mirror/attrition/os.html#A
Sure, the MacOS/MacOSX defacements only represent 0.8% of total defacements, but they're still there
-gleam
this
Small bit of history here: at one time, a Swedish company ran a contest they named Crack a Mac, and offered about US$10K to the first person to be able to break into the system. They ran this twice, with one prize award (there was a second exploit, but the contest runners denied that the exploit happened. Nevertheless, it is accepted by most that it happened).
So MacOS/WebStar-based web servers have been hacked, but there is only one famous case. And never forget that any system is vulnerable to "social engineering" and shoddy passwords.
...to Globo (the major TV network in Brazil). No, I'm not Brazillian, but they got my name from some contacts-- long story, I don't have time to go through that.
:)
Basically, I got a call from a Producer (David Something-I-Can't-Pronounce) wondering if I'd be interested in coming down to their studio (I was in college in NYC at the time, and they're on 9th and 50-somethingth) and trying my hand at their system. I tried to borrow a friend of mines laptop so I could bring a sniffer, but I couldn't find him in time.
Instead, I went down there, "borrowed" a laptop from them, and quickly installed linux. Explaining that this is what I'd use myself, I plugged into a convenient network jack and started working.
Long story short, I chose as my victim the reporter (not the producer) who would be interviewing me later), her name was Anna Padrao Something-Begining-With-A-P. Well, her password was app426, where 4/26 was her b-day. *yawn* The only major problem was that once I was in to their BBS-like system, it was in Portugese, which I don't speak! Of course, that also let me into her email account, and she even had a shell account on their email server-- though I know she didn't even know it.
I was going to go after root next, but we had to film, so we stopped there. We filmed the whole segment, but then some higher-up though it'd embarass the network too much, so it was pulled. I still have a copy-- kinda cool to see your own voice subtitled in Portugese
-- Is "Sig" copyrighted by www.sig.com?
Maybe if I had taking 3 seconds to read his post instead of trying to be clear, I would have understood.
Will you learn not to be such an asshole when you post? Yes, The asshole thing isn't working out, I was really insulting with some Ned Flanders guy (Nice guy, tries to be disarming) and I realized that this was getting out of hand.
I guess I always admired guys who were harshly insulting when I was a kid, because I could never do it myself. I figure I'll tune down the harshness and hatefulness and try to exercise insightful irony (much harder to do)
"Communism is like having one [local] phone company " - Lenny Bruce
Not intended to be a troll - but it was a response to what was effectively a troll. The limited functionality claim was effectively made by the message I responded to: no command shell, no security permissions (all code running as root). So, it seems like the way to hack it would be to find an ISP foolish enough to use it, get an account, and take it from there...
I'll add another limitation, which is no multithreading. I can't imagine a Webstar server doing a good job of being a web application server, i.e. where it's doing something much more substantial than serving static pages. I'll admit I haven't tried it. But I've done a fair amount of server-oriented system level coding, and am very familiar with concurrency issues and the various kinds of APIs on multiple platforms, and cooperative multitasking is not going to cut it in any kind of high-demand situation.
For some testimonials, try this page: "iTools/Apache has been much more reliable than WebSTAR. WebSTAR used to tank (especially on the SSL side) twice a month at least. Under heavy load the SSL side tended to crash"; or, "I had...the same 'tanking' problems which [put me] twice a month in front of the computer to fix what had to be fixed."
4D even promoted WebStar v4.5 as "more stable" - an interesting tacit acknowledgement. Perhaps Mac vendors are just more honest... BTW, WebStar V is multithreaded, so clearly 4D are aware of the problems inherent in the prior Mac architecture.
Whether there is one Mac webserver or one hundred million, secure is secure is secure.
I think you're missing the logical point on a number of fronts. The Fort Knox example is actually a good one - no-one knows how secure it is in reality, because it hasn't suffered any serious attacks. For all we know, it might have a horrible Achille's heel. You can only make claims and assumptions, and "impenetrable" is a clearly invalid claim. Impenetrable to what? The U.S. Army? A fleet of killer radio-controlled vehicles?
As I said, you could have made a claim about the security of Windows, back around '96, and the empirical evidence would not have disagreed with you, simply because net hackers were not yet seriously targeting Windows machines. Similarly (almost conversely), the fact that you didn't succeed in cracking WebStar means very little. Without a hacker population attacking WebStar with the same gusto that they attack Windows and Unix servers, the empirical evidence is of limited value.
That all said, I'm perfectly willing to concede some basic points: a biggy is that use of the Pascal string convention is certainly less likely to suffer from buffer overruns than the C convention, and that's a major source of holes right there. I'm not saying that Webstar isn't more secure in general or by default than your average C-language web server on Unix - it may very well be. But so what? It's a bit like saying that living in Siberia, you're less likely to be mugged. True, but irrelevant to most people.
Beside, a big problem with the original message I responded to was the implication that other servers couldn't be configured to be as secure. That, I dispute strongly. None of the servers I maintain have ever been hacked, even when boxes on either side of them have been. I know of many other servers that have never been hacked. The way to be secure is to have an understanding of what makes you secure, and to act on that, not to blindly purchase something because it says "secure" on the box, shut your eyes, and hope for the best. I've maintained secure Windows servers, secure Linux servers, secure BSD servers (various flavors). I'm tempted to say something like "software doesn't make boxes insecure, people make boxes insecure." It's close to the truth.
It was really the entire combination of specious claims and invalid assumptions that caused me to react to the original message.
One would think that here of all places, at least the moderators would know that public belief in 'security by obscurity' is just another crackpot notion, to be taken as seriously as the idea that Microsoft makes secure operating systems. They could have delayed the broadcast, fixed the holes, hired Lamo or a competent security firm to make sure there weren't any more, and publically thanked him for giving them a security wakeup call.
Tech Public Policy stuff
While it MIGHT make sense in the case of computer security to always publicize everything (though I would argue this in some cases), the reverse is often true in the real world. That Joe Schmoe can pull a machine gun and kill 50 people at locations all across the country isn't the result of a bug that can be practically fixed. Maybe we can hire enough security people to stop those same psychos at a handful of locations, but the fact remains that we simply CANNOT do it at enough locations to make a difference. It is NOT economically feasible. Therefore publicizing it does not help; all it does is give inspiration to those few crackpots in this country. Do you really want to tell me that the media didn't play a huge role in the string of massacres that happened? Please. Before you shoot off at the hip and nit pick, think about what you are saying. The media has made numerous stories that practically give a recipe for the terrorists and/or pyschos, and often glean information that a terrorist could not get (by using press credentials to extract information from supposedly respectable anonymous sources in mid level government and what not). Some things are better off left unpublished, unhyped, and undescribed. Perhaps the evil doers can obtain that same data themselves, but there is a difference in the inspiration (i.e., they would have to think of it themselves), the ease of the data collected, and so on. Not publicizing it makes a difference and this case is easily demonstrated empirically.
Oh yeah, and the fact that Lamo's case might be an apt example of where obscurity by openness works only strengthens my argument.
Yeah sure. Columbine and similarly modelled attacks happened within weeks of each other. This of course was just chance, right? And man, our security is so much better now for all of the coverage of the flaws in high school security. Pfft.
Real World != Computer Security.
Besides the fact that this stream of invective is pointless and demonstrates your insecurity, you could not be further from the truth. If you wish to compare resumes, education, intelligence, information sources, or what have you, then please step to the plate.