Slashdot Mirror
FBI Agent Talks Crime, Macs
hype7 writes "There's an article at SecurityFocus describing a visit an FBI agent to Washington University. His visit was ostensibly about computer security and the general public's complete lack of any idea on computer security whatsoever: 'I have spent a considerable amount in the computer underground and have seen many ways in which clever individuals trick unsuspecting users. I don't think most people have a clue just how bad things are.' His talk ranged from some of the pranks he's seen played on unsuspecting users, to Eastern European extortion of big banks." WeakGeek added, "FBI security guys are using Macs because, 'those machines can do just about anything: run software for Mac, Unix, or Windows, using either a GUI or the command line. And they're secure out of the box.' Another good quote: 'If you're a bad guy and you want to frustrate law enforcement, use a Mac.'"
More good quotes:
"If you're a glutton for punishment type of guy and you want to frustrate yourself, use a Windows based PC."
"If you're a script kiddie and you want to get caught, use a Windows based PC."
"If you're a bad guy and you want to frustrate law enforcement, use a Mac."
Hmm. Not *precisely* the kind of publicity the Mac folks were probably looking for, but with their marketshare almost any publicity is good publicity. I just think it's cool that all the FBI Infosec guys are on OS X. Makes me feel good about my migration to the platform as well (as soon as Apple posts the much-awaited G5 price adjustment).
I don't quite understand how people are good at mining data off of *nix but not off of a Mac though -- that part didn't make too much sense. I find it hard to believe that the people they were referring to were on OS9, and if they were on OSX then the boxes basically *are* *nix machines...
dmiessler.com -- grep understanding knowledge
I am not really surprised that the FBI security guys use OS X boxes. Years ago I remember another government agency with a three letter acronym that used NeXT boxes it seemed almost exclusively from the situation rooms right down to the secretaries (at least in Langley).
Visit Jonesblog and say hello.
...what about BeOS? BSD?
Gee, I wonder how all these horrible viruses, worms, etc. can spread so fast.
. . . most ordinary computer users have no idea about what security means. They don't practice secure computing because they don't understand what that means.
Oh. *smacks head*
----
"Ours was a free culture. It is becoming much less so."-Lawrence Lessig
Steve Jobs is smarter than Bill Gates. Not only is he giving discounted hardware and software to educational institutions k12 on up, he's found another entrance vector through which to enhance the brainwashing - send in an Agent with a "Macs are more secure, too" line.
Shoulda taken the blue pill.
I guess that explains why they use Macs in Hackers.
Buckethead
I would not trust an "out of the box" install of any OS.
I can see the headline on drudge now, "Terrorists Prefer Apple"
It's always been my experience that the guys are hot on Windows, pretty good on *nix, but very very few know anything about Macs -- my guess because of their law enforcement background, where they used and were trained on PCs.
A predominant amount of their work seems to be recreating or capturing MS Outlook mailboxes (looking for the smoking guns). They aren't as cluey on Eudora (presumably because most corporate enterprises don't use it).
Small market share means that the majority of people focus on the system(s) that form the majority of OS/apps used -- a trait which appears to extend to law enforcement and makers of forensic programs. But the really good professionals are always interested in asking "so just how does this work on a mac" and discussing the similarities/differences...
1) Watch TV (lord knows what . . .)
2) drink some booze and hang with the buddies
3) read about Internet Security so he doesn't go around speading some damn garbage around to everyone else.
Numbers one and two likely describe your average user, number three is generally the type of person reading slashdot. I guess we need to get security "cool" now for people to take notice.
----
"Ours was a free culture. It is becoming much less so."-Lawrence Lessig
They're only secure because, with such a minimal share, nobody cares about breaking into one.
Bullshit. Market share has nothing to do with it. There's at least as many Apache-based servers out there as IIS, but there are like 2 Apache worms.
And frankly, there are enough Mac-haters around that surely some would like to take Apple down a peg via a virus or some sort of exploit in OS X. How come it's never happened? How come in three years there hasn't been a single OS X virus discovered?
Apple have had several fixes just in the last few months fixing remote root access vulnerabilities.
Yeah, and the difference is, they were found and fixed without being maliciously exploited. Most of them were very unlikely to be exploited anyway, or were found in services that were off by default. The last one I heard about would allow a brand new machine to get owned if a rogue DHCP server happened to be sitting on the LAN. Yeah, that's likely to happen.
Contrast this with Windows, where shit is wide open by default, and the first anyone hears about a hole is usually when it has already brought the internet to a crawl. Not that patches for exploits do any good when people don't apply them-- I just took a look in my firewall logs, and I'm still getting Nimda and Code Red infection attempts.
But how many of the holes were nt for services that come disabled by default? How many Mail.app exploits? How many required physical access to the computer to exploit?
One of the nice things about the Mac is that most of the services are shipped off by default - like SSHD. So even if a hole is discovered in a service, not EVERYONE is going to be vulnerable by default without taking specific action.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
In theory you are right, the vunerabilitys in Outlook could apply to any Unix mail client. In practice they don't though. All unix mailers that I know of (pine, mutt, kmail, and so on) do not by default run programs they get from email. You might be able to configure kmail to do so, but it isn't the default. I'm sure that some mailers considered it, but once outlook got exploited a few times they re-considered. (I have no idea why Microsoft still hasn't).
If that isn't enough for you, most unix systems allow the sysadmin to prevent the user from running arbitary programs. If the sysadmin didn't install it you can't run it, (just mount /home and /tmp with -noexec) after which time you just make sure that the installed mail clients don't allow scripts. Okay, it is slightly more complex than that, but a good sysadmin can deal with it. AFAIK, Windows doesn't have this ability so an admin can't lock things down this way.
... to that PC World bonehead who wrote an article about OS X being "just as insecure as Windows" because somebody discovered a remote exploit (where "remote" meant "on the same lan as your machine").
I don't recall his name, but I remember the sensationalist tone of his article, the minimal facts, and the gloating that Windows was no longer alone in being vulnerable. It's probably asking a bit much for him to read the article without his "I Love Windows Blindly" hat on, but maybe he (and others whose love of bashing the Mac seems to exceed anyone else's love of anything, including the so-called "Mac zealots") might be begin to accept reality.
is that they are technologically impaired halfwits. If they would accually take the time to hire *real* computer experts, maybe they would have a little bit more success in stopping something.
In the past, I could send them detailed logs, including TCP dumps, of people controlling DDOS networks, threatening people, bragging about committing DDOS. And nothing would happen. More recently, a friend of mine had serious threats to her and her child from a stalker - who authorities proceeded to track to Atlanta. But they seemed to miss the fact that he was repeatedly coming from a dialup IP address in Toronto.
Law enforcement on the internet needs to be put into the hands of a capable multinational group with laws that are defined to cross boarders. Until then, DDOS kiddies will still be running around quite loudly proclaiming their existance.
.
Time to strike up the drumbeat:
1. Windows defaults to let users run as root. Neither Mac OS X nor Linux do that.
2. (already noted) Macs ship with most ports shut down.
3. BSD has been combed over for years, and many eyes have searched for vulnerabilities. A lot have already been solved. Nobody can look at Windows code.
4. Macs have fewer application vulnerabilities (because unlike Windows, most applications can't make root system calls and run programs as root (for example, MS Outlook).
Sorry to be repetitive.
I'm a senior admin with a big company, specializing in Windows based systems. My day to day PC is a 15" Powerbook. I can use the Microsoft RDP client to log into any of the Win servers, SSH to log into the Unix stuff and can pretty much do my job with no hiccups or workarounds. The only exception is that Entourage has weak MS Exchange support, so I'm typically using webmail. With Fink installed I have basic tools like nmap and ethereal at my disposal. My only real gripe is that Apple and Broadcam don't open up access to the network hardware.. Being able to put my NICs into promiscuous mode would be a big help. There's a workaround - I could get an Orinoco or Aironet PCMCIA card.. but I'd prefer to use the integrated hardware.
As far as Linux distros go, Yellow Dog Linux runs very nicely on most older Macs.. but as of yet there is no support for the Radeon 9600 in my book. Text is fine for most stuff but I'd love to run KDE or Gnome in Yellow Dog.
Anyway, I think Apple's got a real opportunity. The Virginia Tech cluster shows their potential and this article is good PR, despite the "frustrate law enforcement" comment. Seeing a room full of Powerbooks at NASA was pretty cool, too.
I love how people always seem to think that there are fewer vulnerabilities simply because the mac has a much smaller market share. Sure, it makes sense unless you're actually paying attention. Yes, Apple has had to issue some security updates recently. No, Mac OS X is not perfect. But it beats the hell out of operating systems that ship with holes so big you can drive a truck through with room to spare.
The first thing you have to do when you install the OS is create a user account and a new password. Macs ship with most services disabled by default, and they've got a point-and-click firewall that can be enabled in a matter of seconds. Macs are not secure because no one uses them. They are secure because they do not make the same common mistakes that Microsoft seems to do constantly. They're secure because you don't hear about huge break-ins, loss of data, or life-threatening situations caused by failed security systems. And they're secure because the folks that depend most upon security seem to turn their head more and more these days towards that odd fruit on the other side of the fence. The fact that Apple has issued patches recently is not a red flag. Everyone has to patch their OS. It would be a red flag if they hadn't patched it in a timely manner, like some others that we always seem to hear about.
Of course, they're expensive as all hell, and their isn't enough software for them, but that's another story. ;-)
I have spent a considerable amount in the computer underground and have seen many ways in which clever individuals trick unsuspecting users. I don't think most people have a clue just how bad things are.
Seriously, to me this sounds like sensationalism. Like, a good sound byte to attract attention. If you tell people that things are worse than they could ever imagine, you're not going to do much except scare people. And most of the time it's not that bad.
I'd like to think that (like most slashdotters) I'm not unaware of what goes on in the "computer underground". I'm not in it, but it's not like I'm ignorant of the fact that it exists. The tools on packetstorm are enough to scare any non-tech person into submission, if they knew what they could do, yet I don't lose sleep over it.
I'd like to think that, while there are lots of "dumb" users out there, there are a lot of us tech guys, the guys behind the switches and administering the servers, who are looking out for them, much like shepards.
There are a couple of simple rules to follow:
1.) If it's on the internet, it can be hacked.
2.) If it's backed up, it can be restored.
3.) If it's patched, it's less likely to be exploited.
4.) Ease of use and security are inversely proportional.
I don't resent people like my mom who wouldn't know spyware from cookware. I do what I can for her, computer wise. And she cooks for me when I come home. I consider it an even trade.
~Will
sig?
Sorry, what consolation prize do we have for our departing guest?
m l
Honestly, the security by obscurity thing has been disproven so many times, in so many ways for Mac OS X that I find it impossible that you're unaware. Granted, Mac OS X has security issues patches, but don't make me get into the horrid falacy: "macs are just as insecure as any other OS." They are, by design, far more secure. The exploits possible on a PC are not possible on a Mac due to Outlook, IE, messenger services, etc.
Seriously. Thanks for a good laugh. In case you're missing out on the needed information, here it is. This article sums it up very well.
http://www.theregister.co.uk/content/4/34554.ht
"Politicians find new names for institutions which under old names have become odious to the people."
I'm sitting here in front of my PC with a G4 Mac keyboard and 6 button MX700 wireless logitech mouse. ;-)
PSA -- Mac keyboards are very handy on a PC. They will detect in XP as a Mac USB Keyboard, and will run without having to install any additional drivers.
The only unfortunate thing, Mac designed them for little girl's fingers, so there are no gaps between the function keys. But the feedback is amazingly light, lighter than any PC keyboard I tried during my visits to CompUSA and MicroCenter. Not bad, at all, for $60. There is also no funky side-crunch. You know, like on the MS ergonomic keyboards from a couple of years ago. You can hit any part of the key and it still presses silently and smoothly.
My next plan is to put a couple of blue LEDs under the acrylic on the bottom. Since it's clear, it should illuminate very well.
"If you're a bad guy and you want to frustrate law enforcement, use a Mac."
Nice try Mr. FBI man! This is just a thinly veiled plot!
1) Tell public to use FBI to foil law enforcement.
2) ???
3) Profi^WProsecute!
Someone hand me my tinfoil hat, I'm off to search for nsa_key in Darwin.
~Dalcius
Rome wasn't burnt in a day.
Back when I was a youngster and I did things that were in a legal "gray area", I almost always used a Mac. FWB's Hard Disk Toolkit included transparent HD encryption.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
"...I was trying to plan simultaneous suicide explosions in separate third world countries using the advanced CAJ (Computer-Aided Jihad) program that comes standard with Windows XP, when all of a sudden the computer was like, beep-beep-beep-beep-beep, and I was like, what in Allah is this? And I lost all the plans. It was going to be a really good terrorist strike too! Now I use a Mac. Apple: bringing you the user-friendly tools you need to exterminate all Jews and Crusaders!"
...but just because it's open source does not just mean that it's "secure". Actually... because some software is hacked and patched and exposed to a massive amounts of people... it gets more focus and makes it better software. Perhaps a mac *is* more sercure becuase open source software is made and used by more "hakers"... but that remains to be seen. And no I don't care what you think. Thanks, have a great day. The more you hack me the more I find out.
||| I still can't believe Parkay's not butter.
from post: "WeakGeek added, "FBI security guys are using Macs because, 'those machines can do just about anything: run software for Mac, Unix, or Windows, using either a GUI or the command line. And they're secure out of the box.' "
from article: "many of the computer security folks back at FBI HQ use Macs running OS X, since those machines can do just about anything: run software for Mac, Unix, or Windows, using either a GUI or the command line. And they're secure out of the box."
The post quote implies that all FBI computer security agents, or at least the majority, use Macs. The second quote, from the actual article, implies that only some unspecified number of FBI computer secuirty agents use Macs. Please don't butcher wuotes to mislead.
Vote for Pedro
If you're a bad guy and you want to frustrate law enforcement, use a Mac.
I am an expert witness who works against these (FBI) guys in criminal cases. They have a whole division of the D.C. computer forensics office dedicated to Macs. A stock question they ask in trial is "OK, general computer forensics dude, what percentage of your time is spent working with Macs?" For most general security experts, this is 10-20%. Then they pull somebody out who does nothing but analyze Macs.
who are those slashdot people? they swept over like Mongol-Tartars.
apple has been doing unix since 1996, NeXT has been doing it since 1988.
Apple has also been doing unix since 1987 (if I have my years correct) with it's first release of A/UX, a product they supported for almost 10 years afterwards, and through three versions. If that's counted along with their work on NeXTSTEP->OSX, then that's 17 straight years of UNIX experience within the company.
Also don't forget Apache runs on multiple platforms and when made from source, might have countless build variationst. That alone makes many exploits much, much harder to pull off since even if you do manage to overflow a buffer, you can't count on the memory layout being the same.
It's not too unlike how genetic variation limits the spread of real viruses.
First, I read this article when it came out and was noted on macintouch. It is obvious that the author has respect for the FBI agent. And if you read articles posted on securityfocus, this is not always the case when it comes to people in the government.
Macs are shipped with a relatively high level of security in that things (servers/daemons) are turned off by default.
The most significant security hole in OS X (IMHO) for a non-server perspective was the DHCP hijacking. This was a local subnet potential exploit that one should take very seriously, but not one to affect most people.
It is very likely that the FBI agent computers that run MacOS X are used for things like e-mail, web browsing, generating documents (Word and Acrobat), PowerPoint presentations, and other normal business applications. There is also the probability that they are used to run more specialized Window and Unix based applications.
Duh, the agent said that MacOS X was used because they can run these types of programs. One computer, many applications. Side-note: I use OS X because I have to use MS Office, Acrobat, Illustrator, X11, Motif, OpenGL, write programs in C/C++ using X11, OpenGL, and X11, perl, Tkl, as well as others. I want one computer to use, not two or three.
Going back to security, the last significant Mac based problem was the Autostart worm that went around some years ago. This flaw was due to QuickTime automatically starting an application when a CD was inserted in one's computer. This is no longer a problem, AFAIK.
I work in a heterogeneous computer environment. Windows (95 to XP), UNIX (IRIX, Solaris, HP-UX), Mac (OS 9 to X), and VMS (sob). Except for VMS, the Mac OS based systems are the easiest to maintain with regard to network security.
Finally, the FBI needs to get more experience with HFS+ file systems. If they the requisit experience and knowledge, then says to me that the FBI agents using OS X are using their systems to do more mundane things like generating documents, reading e-mail, etc... Then again, this might be a lesson that others should consider.
I always knew there was a connection between Wendy's and the FBI.
Quick! - what's the FBI's number -- I found them in my very own company! -- I always knew the graphics department were up to no good -- dressing above their income in those european clothes - and insisting on only using Macs - and I've seen them, caught them! making websites!
I'd tell the server guys but they use Linux so you can't trust them not to 0wn your box...
In-fact they could be watching what I'm typing right now... AHHH... one's walking over this way...
[good - I hid under my desk and he seems to have gone away... I think I'll make a break for it]
If this message gets through the web of proxies set to trap and stop my messages... send help..
Well, to actually implement a semi-global keylogger in OS X is trivial. You simply put an appropriate .bundle in ~/Library/InputManagers . No root required. Every subsequent program opened will (attempt) to link and run this code. Since .bundles can be versioned, you can even make a platform-specific version.
:)
But then, it's not hard on Windows either.
The trick is in somehow getting the user to install it (usually by running a helper program). In this, OS X mail clients are extremely uncooperative. Pretty much every mail client (including Mail.app), is very clear about what you are getting (and doesn't hide extensions, that's a big one!). Further, when you try and take an attachment it gives you a clear warning of what you are about to do, and makes the default action to save.
So, you don't need root to do it, but fooling your users (especially without some kind of macro in the mail) is much harder on the mac side, because the users get more prompting on the proper response to untrusted email attachments.
It's amazing how far a dialog box will go, eh?
Slashdot. It's Not For Common Sense
You might want to check out this nice UNIX family tree..
You can easily see who's related to who. I might note that Solaris is much further from what we modernly call BSD than some of the others you named. I won't speak of IRIX, but AIX is a weird kind of BSD variant, as is HPUX. OSX is very very close to FreeBSD.
Slashdot. It's Not For Common Sense
The rest of the *NIX development world would be much nicer if they adopted a similar scheme.
Standard shared object libraries in OS X are just that, and are subject to all the pitfalls normally found... ohh.. except one. Since Apple uses a two-level namespace scheme, you see name collisions less. Oh, and they do prebinding very aggressively.
It's pretty much a superior setup to the average linux world. But then, we paid for something besides just iCandy, right?
Show me a reason why OS X should have ldd when the superior otool exists. C'mon! To make you feel more comfortable? To make you feel more loved?
Dude, if you're a developer doing cross platform development, then turn around and complain how annoyed you were at not finding ldd, discontinue cross-platform development. If you can't even be bothered to check the unix rosetta stone for something that simple, then you're not the kind of battle-hardened, talented person that is required to do real cross-platform development.
Perhaps you were just porting? Still no sympathy. Learn your target platform. It's not even like it's hard anymore! You have libtool, autoconf and automake these days. Cross platform development is actually feasible these days, albeit difficult!
Even with services running, it's harder to break into a mac. Apple's security update scheme is extremely aggressive. This is especially true when dealing with holes in trusted services like SSH and Apache.Slashdot. It's Not For Common Sense
My question; If the Computer Security team at the FBI uses alot of Macs, wouldn't you think they know them well enough to hack them??
Ernie Dambach
"It is no small thing to celebrate a simple life -Tolkien
"This is false. 'ldd' does NOT run the program you give as an argument. As a proof of that try running 'ldd' on a graphical program (like xclock). Also 'ldd' works on shared libraries too."
/bin/ls' or if on FreeBSD 'ktrace ldd /usr/bin/true'. You'll see:
/usr/src/libexec/rtld-elf/rtld.c on FreeBSD, probably somewhere like that on most Linux distributions too.
Run most Linux distributions 'strace ldd
fork() = 3828
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGCHLD (Child exited) ---
wait4(-1, [WIFEXITED(s) && WEXITSTATUS(s) == 0], WNOHANG, NULL) = 3828
and
97444 ldd CALL fork
97444 ldd RET fork 97445/0x17ca5
97444 ldd CALL wait4(0xffffffff,0xbfbff580,0,0)
97444 ldd RET wait4 97445/0x17ca5
respectively, well after the ldd binary is loaded (you can see it in the full strace/ktrace output).
From FreeBSD's ldd:
case 0:
if (is_shlib == 0) {
execl(*argv, *argv, (char *)NULL);
warn("%s", *argv);
} else {
It runs the binary with a special environment variable which tells the dynamic loader to just spit out the library list. The code that does that is in
In regards to shared libraries, it uses dlopen instead of running the library - on FreeBSD.
"FBI security guys are using Macs because, 'those machines can do just about anything: run software for Mac, Unix, or Windows"
And i was thinking bad guys always used 3D interfaces with lots of moving things in the background typing commands like "send worm" "hack 127.0.0.1" etc.
42 + 1 = 42
Well no wonder I am considered a security threat just for using Macs!Once at ASU, I was using their mac terminals to get some new VIS images of Mars. I overheard the security guys saying: "oh come on, these kiddies were weaned on windows; none of them know UNIX!" Being a long time mac user, I (stupidly) said "I know UNIX!" And was labeled a security threat. (Fortunately, they were out of the "I am a security threat" Tshirts that day)
10 Bits= $.25
100 Bits= $.50
110 Bits= $.75
1000 Bits= 1 byte
"If you're a bad guy and you want to frustrate law enforcement, use a Mac."
If I was a law enforcement offical and I wanted to give a bad guy a false sense of security. I would recommend a partially closed source OS that appears to be very secure. However, it could possibly have an NSA/FBI backdoor. Then at a big security convention I would say that said partially closed OS would frustrate law enforcement!