Slashdot Mirror


Large Prize Offered For Writing Mac Virus

Mordant writes "Some experienced Mac developers are offering a $25K prize to the first person to successfully infect two 'naked' Internet-connected Macs running stock Apple software. The best part is that if any Symantec employee succeeds in infecting the Macs, the prize goes up to $50K (Symantec has been fanning the flames of totally bogus "Macs aren't more secure, it's just that Windows is a bigger target" technical-equivalence propaganda)!"

Update: 03/26 20:24 GMT by Z: Well, that was quick. Jack Campbell has cancelled the contest, after he "...was contacted by a large number of Mac users, and Mac software professionals who shared their thinking with me about the contest."

19 of 669 comments

  1. I am going to laugh... by bob670 · · Score: 4, Insightful

    for days when someone succeeds at this. Never dare someone to do stuff like this, it is just too tempting of a target.

  2. Re:Stupid by gl4ss · · Score: 4, Insightful

    well. the contest is REALLY about finding a remote exploit hole in a mac.

    because that's what it burns down to, making it self replicating wouldn't be much of an addition.

    but why bother.. just send a chain letter with an executable for mac.. that amounts to what is some of windows viruses nowadays anyways (and that's what all symbian viruses are and they're getting awful lot of attention - they're just self replicating 'mailers' that the user needs to install themselves).. and points out that a system that has no holes doesn't really protect you from everything (it doesn't protect the user if the user WANTS to install the software, which many do).

    --
    world was created 5 seconds before this post as it is.
  3. Bah by Dachannien · · Score: 5, Insightful

    A computer is only as secure as its user. Are they going to man these two naked Macs with total noobs, to make it a fair contest?

  4. I'm calling Bullshit by John Seminal · · Score: 4, Insightful

    > I just got a new laptop that I had to install with XP for somebody. From behind a firewall, I installed SP2 and all patches. Just to test that it was secure, I plugged it into the net directly... bad idea. Less than 10 minutes and it was full of spyware

    I am calling bullshit on this obvious lie. You had a clean install, behind a firewall, with all the service packs installed, and in just 10 minutes after that with a direct connection to the net, someone infected it with spyware? That has to be bullshit.

    I have been running Windows 2000 for years, and there is no spyware. And I am not doing anything special. I make sure to fdisk the mbr before an install, just to make sure someone did not hide something on the hard drive before the install. I do the install off-line. Add a software firewall, then connect through a router to the net to get the service packs. I have never had any spyware on my system ever. I disable active-x from IE, and when I did my install the only net protocol I install is tcp/ip, I do not install the other 2- client or file & printer sharing.

    Come on, when will all this anti-windows BS stop? The only reason people can hack it is because users don't install service packs and because they open links in emails that use active-x. I guarantee if those two problems are resolved, it will become 99.9% harder to infect a machine- a hacker would not just be able to run software, he would have to know your system and actively fight to get in, which would be too much work for him.

    --

    Rosco: "If brains were gunpowder, Enos couldn't blow his nose."

    1. Re:I'm calling Bullshit by rebeka thomas · · Score: 4, Insightful

      Wait. Did you listen to yourself when you speak? first off:

      > I have been running Windows 2000 for years, and there is no
      > spyware. And I am not doing anything special.

      You're not doing anything special. nothing? but wait!

      > make sure to fdisk the mbr before an install
      > Add a software firewall
      > connect through a router
      > disable active-x from IE
      > the only net protocol I install is tcp/ip,
      > I do not install the other 2- client
      > or file & printer sharing.

      Oh *PLEASE*. You make a statement like "I am not doing anything special" then go on to state a half dozen special things you do to protect yourself. You're so used to continually performing workarounds to get past the deficiencies of windows that you can't see that you're doing it, even when you write it plainly in text.

      "This is a safe neighbourhood, I've never been hurt and I do nothing special. I just have bars on all the windows, lock the shutters after 5pm, install bullet proof glass and don't make eye contact with anyone. See, perfectly safe. Not been hit yet."

      > Come on, when will all this anti-windows BS stop?

      When it deserves it.

      --
      RST
  5. Re:Balance by IamTheRealMike · · Score: 4, Insightful
    Being based on BSD has nothing to do with anything, the userland/desktop space is where most exploits have been in recent years and the Aqua shell is no more free from exploits than Explorer is.

    In particular, appfolders have had some pretty nasty broken-by-design security exploits like the URL handler variants where an internet enabled DMG would self-mount itself into the filing system and automatically reconfigure URL schemes in Safari, all without the user doing anything other than visiting a web page. I think (hope) they fixed that but it was still several months until all the holes and variants of this technique were "fixed" (really just hacked around). The help system exploits Apple suffered were similar in nature.

    Essentially, Apple haven't proven themselves any more skilled at designing secure desktops than Microsoft have. That said, this sort of competition is fairly pointless: being able to "infect" a machine with no action taken by the user boils down to finding buffer/heap overflows and the like in running software. Many viruses propagate with a bit of help from the user, even if all that involves is surfing the web.

  6. Re:Balance by Anonymous Coward · · Score: 3, Insightful

    > Apache is more popular for Internet facing web servers monitored by Netcraft. Is it more popular in total?

    Yes.

    > Which version of Apache is more popular than IIS? IIS 4.0 runs on NT 4.0. IIS 5.0 runs on W2K. IIS 6.0 runs on W2K3. All run on x86. That's it. Apache, OTOH, runs on Solaris, IRIX, HP/UX, Linux (all gazillion variants of it), and even Windows. It runs on Sparc, Itanium, x86, MIPS, etc. Then there's two major code threads. With how many releases within each thread?

    There are two and only two versions of Apache. There's Apache version 1, and Apache version 2. There are numerous revisions to each version, because of bugfixes. Moving from Apache 1.3.32 to Apache 1.3.33 doesn't work like it does with Microsoft. First, when I say I'm using Apache 1.3.33, you know what patches have been applied and whether or not I'm up to date. With IISv5.0, you don't know what patches have been applied that Microsoft didn't bother telling you about. You can't know without running a diagnostic tool on your webserver what version it really is, assuming Microsoft wrote such a tool. Furthermore, each numbered revision of Apache will be better than the others. 1.3.33 fixes something wrong with 1.3.32. New features are in Apache2.

    > So when you say "Apache" has more marketshare than IIS you're making a specious argument as malware is highly dependent on a specific implementation. There's 3 implementations of IIS. There's literally hundreds if not thousands of implementations of Apache. So I ask: Which implementation has a higher marketshare than IIS?

    You have it completely backwards. IIS has an unknown number of versions, as patches to IIS could possibly be applied in any order, if they're applied at all, and there's no easy way to tell. You could look at the DLL version numbers IIS uses, I suppose. There are exactly two implementations of Apache. It runs identically on all of those architectures you mentioned. Microsoft traded away ease-of-administration with their patch system, but didn't get anything in return. They actually made the security problem worse by doing so.

  7. Not as easy as you think by mamladm · · Score: 4, Insightful

    Sending an executable as a mail attachment is easy, but fooling a user into launching it is much harder on the Mac than it is on Windows.

    Unlike Windows, the MacOS uses filesystem embedded filetype and resource fork information to determine what kind of file a file is. You can't just change the filename into photo.jpg or letter.doc to make the attachment look like a photo or a word document. If it is an executable, the Mac will show it as such.

    This means you will have to convince the user that the executable in question comes from a trusted source and that it is safe to launch. Even then, MacOS X will open a dialog that explains to the user that this is the first time this application is about to be launched, that it might be dangerous and then ask if the user wants to proceed. At that point most Mac users will cancel if they are not sure what this application is and where it came from.

    But even if they proceed to launch the application, then the application still won't be able to install anything on the user's machine. If it tries to do that, the user will again be notified that some software is about to be installed and that an administrator password is required to do so.

    Somebody would have to be incredibly naive to ignore all the warnings and still proceed.

    This type of attack is rather unlikely to be successful in causing a spreading of the trojan. The propagation mechanism is far too weak. The news about such an attack will be all over the net before the trojan had a chance to propagate.

    If anybody is to succeed with an attack against the Mac, it would have to be an exploit of some security flaw in the OS or in a privileged application.

    --
    the macintosh asterisk mailing list http://www.astm
    1. Re:Not as easy as you think by mamladm · · Score: 3, Insightful

      The warning that an executable is being launched for the first time is standard on MacOS X for _any_ executable. The warning is initiated by the OS, not the executable itself. It thus applies to _every_ program indeed.

      If you haven't seen this, then you either haven't launched any new applications since this feature was introduced, or you are running an older version of OSX. I can't tell you exactly when this was introduced, but it has been around for a while now - my best guess would be sometime between 10.3.3 and 10.3.7.

      As far as your assertion of "stupid users" who will click on anything and proceed regardless of how many warnings they are being given is concerned, I tend to think that it is not the "stupidity" of users but the presentation of alerts by the OS which makes a big difference.

      Remember that there have been attempts of trojans for OSX not so long ago and they didn't cause a major impact. I seem to remember that only one person reported to have launched a hostile script and getting hit as a result.

      In my opinion the way the alerts are being presented makes a big difference. I believe that Microsoft could improve the security of Windows users significantly if only they worked out how to properly alert people, how to design alerts in such a way that even lazy folks who always click through will have to stop and think before they click.

      --
      the macintosh asterisk mailing list http://www.astm
  8. Re:Totally Bogus? by SJS · · Score: 4, Insightful
    > 2. they require entering the admin password for significant changes whereas XP is happy for you to run as admin 24/7 without further confirmation of any actions.

    Any application can pop a dialog asking for the admin password, and more programs all the time are doing so.

    Tried to install any applications lately (like, say, OpenOffice)? The installer demands administrator access, and will REFUSE to continue unless it gets it. Even if you're only going to install it into /tmp or $HOME to check it out.

    Try to compile F95 in GCC? You might be instructed to download a DMG of "up to date" cctools. But when you mount the drive, you get an installer, and this installer also demands administrator access, presumably so it can stomp on the tools already installed. And it's non-obvious where you go to get the source that will compile on the Mac so you can install it in a place of your own choosing.

    Mac users are slowly being trained to be as dumb as MSWindows users. When the pretty little dialog asks for the administrator password, just provide it, otherwise you won't be able to play, and the maintainers of that package will mock you. Caution? What's that? Prudence? Soooo old-school. Paranoia? Get a life!

    There's not much difference between being trained to grant a program administrative status every time it asks for it and running as the administrator all the time. It just adds a ten-second delay before your machine is compromised, and people can point at you and wonder aloud why you didn't _know_ what the program was going to do before it did it.

    I'm not giving up my Mac in favor of anything out of Redmond. I just want a stick I can beat developers with when they write installers that demand administrative access and refuse to go further until they get it. If the user declines to give the administrative password, then let them choose where to install your software, and give them a README on what they can do "by hand" to integrate your software. IF they so choose.

    --
    Pick One: http://www-rohan.sdsu.edu/~stremler/sigs/sigs.html (Note - disable Javascript first!)
  9. Re:Balance by groomed · · Score: 4, Insightful

    > The conclusive evidence is that OS X is a flavour of *BSD.

    This is a meaningless statement. It is unclear what bearing the BSD heritage has on the ability of OS X to thwart the kind of trojan/malware attacks that Windows users are subjected to.

    > If that doesn't strike you as conclusive, then feel free to explain how it is that Apache running on *BSD has such a better security record than IIS running on Windows

    Without knowing which versions of Apache, BSD, IIS and Windows you are referring to, it is impossible to establish whether your assertion that the Apache/BSD combo is more secure than the IIS/Windows combo is actually true.

    And even if it were universally true, it is unclear what bearing any purported security benefit of Apache/BSD over IIS/Windows has on the ability of OS X to thwart the mostly email-propagated attacks that Windows users are subjected to.

    > That certainly strikes *me* as being a pretty compelling counterargument to the greater market share theory of hacker victimization, anyway...

    If you think a non-sequitur based on unsubstantiated premises qualifies as a "compelling counterargument" of any sort, I suppose.

  10. Re:No conclusive evidence by xeno-cat · · Score: 3, Insightful
    "Only if you choose to ignore the preponderance of evidence in the form of viruses targetting Windows."

    Which may or may not be due to Windows market share. It may also not have to do with any one factor. The problem I see is when Windows zealots use the market share argument exclusively to defend Windows.

    I'm really trying to extract your point from your post and not having much success.

    How is Classic MacOS and DOS less secure? DOS had zero internet connectivity out of the box. Even if you added a TCP/IP stack there were no services you were going to run on DOS. If you ran Windows 3.1 or something you could run Netscape I think. But then, here we are with Windows (actually, DOS) again with about the same market share as Windows has today and no rampant network exploit problem. So again, I'm not sure what you're getting at.

    The fact that Windows is exploited is proof that it is insecure. That is my point. Speculating that Linux or Mac would be just as insecure if they had the same market share is just speculation. It also ignores the possibility that a system that was easier, or even as easy, to exploit as Windows but had a smaller market share might also be exploited. So the fact that Linux and Mac exploits are not a pandemic does not mean that they are just as insecure as Windows. It's not "fact-free histrionics", it's just observation and logic.

    Now if you think Linux is insecure because Windows is exploited maybe you can elaborate on why that is so I can better understand what you're getting at. If on the other hand you're arguing something else, please don't confuse it with my argument because you make me feel like you aren't really paying attention to what I am saying.

    Kind Regards

    --
    "A few great minds are enough to endow humanity with monstrous power, but a few great hearts are not enough to make us w
  11. Re:$50K for Symantec Employees not enough. by w3woody · · Score: 3, Insightful

    Unless you're a dirt-poor college student or someone who just graduated a few months ago, $50K really isn't that much when compared to your salary.

    Hell, some idiot who barely knows how to cobble together some ActiveX controls in the Visual C++ IDE can make that sort of money as an annual salary. To someone who has been out in the real world for more than a couple of years, $50K represents maybe 9 months salary--which is hardly worth getting fired from your job for.

  12. Re:Stupid by It'sYerMam · · Score: 3, Insightful
    > Oh you say, no fair pointing at third party software bugs, they don't count. Well sure they do

    It is not correct, however, to blame Apple for the bugs in Apache. When people rant about bugs in IE, they blame Microsoft and the IE developers. When people rant about bugs in Firefox, they don't complain to Torvalds, do they?
    This competition was about the bugs on Macs, and the accusations that Macs are as vulnerable as Windows PCs. Third party software is not "Macs." The competition compares OS X and Windows, not OS X with [product] and Windows with [product.] However, it would be valid to blame vulnerable first-party software - such as Finder, or IE.

    --
    im in ur .sig, writin ur memes.
  13. Not as hard as you think by DragonHawk · · Score: 4, Insightful

    "Somebody would have to be incredibly naive to ignore all the warnings and still proceed."

    Yes, and if ignorance really was bliss, the world would be one hell of a lot happier than it actually is.

    I'm an IT consultant.

    I've watched countless users sit there and click through endless dialogs warning them about how they're about to unleash bubonic plague upon the world or whatever. These people regard warnings as a hassle, something to be dismissed as quickly as possible. They do not regard them as an actual warning. Warnings are something that apply to other people.

    If you change the default button to be the "safe" option, they click-and-close, try again and click-and-close, try again and click the other button and continue. They don't do this by reading the dialogs, they do this because if it didn't work the first two times they tried the first button, then it must be the other one.

    If you require users to enter in "please destroy all my data" on the keyboard before running something, they will happily do that, too. While asking me why it asks them that.

    If you require them to type a password, they'll type that in upon request, too. Look at how successful phishing scams are.

    If all this fails to get some badware on the computer, users will seek out things like "Hotbar", "Gator", "Comet Cursor", "Bonzi Buddy", and so on, and try to install them.

    People just don't want to have to think. That's the ultimate problem.

    There's no doubt that the average MS-Windows system, as deployed, is hideously insecure. However, experience has shown me that even if you lock the system down well, users will still try and destroy it.

    I've found the only way to keep users from compromising the security of their system is to remove their ability to do so. Then they just complain to me constantly that they cannot install all their badware. But then I can just tell them "Tough!".

    --

    dragonhawk@iname.microsoft.com
    I do not like Microsoft. Remove them from my email address.
  14. Re:It would only make OSX more secure by theCoder · · Score: 4, Insightful

    I hate to break it to you, but there's very little that Apple (or Microsoft, or Linux, etc) can do to prevent many types of viruses, since they are installed by the user themselves. Think about a traditional virus that infects a binary and is run when the program is run. Or a trojan program that does bad things to your system. Good file permissions can prevent the spread of such viruses and limit their damage, but they aren't that hard to write. I've even seen prototypes for a shell script virus (in an educational setting, and non-destructive except for polluting your shell scripts). There's very little technically that anyone can do to prevent a shell script virus, at least not without making the system difficult to use (or radically redesigning the system, which will probably have other drawbacks).

    Now, if you're talking about worms, yes most spread through security holes in the system, and those can be fixed. But there are many classes of malware where the security "hole" is the human doing work. And those are very hard, if not impossible to prevent.

    --
    "Save the whales, feed the hungry, free the mallocs" -- author unknown
  15. Jack has been active lately ... by adzoox · · Score: 3, Insightful

    Wow, gone for a few minutes and you miss a lot.

    Jack has been active lately. He is notorious in the Mac Community.

    Everyone should read my article on his company and past in the Mac Community. It's called: Catch Me If You Can Part II: The True Story Behind MacMice

    Make sure to also see the about section to gain clarity on who writes Jackwhispers and why.

    --
    Yell & scream & rant & rave... it's no use... you need a shaaaave ~ Bugs Bunny
  16. Re:$50K for Symantec Employees not enough. by anthony_dipierro · · Score: 3, Insightful

    > Unless you're a dirt-poor college student or someone who just graduated a few months ago, $50K really isn't that much when compared to your salary.

    > To someone who has been out in the real world for more than a couple of years, $50K represents maybe 9 months salary--which is hardly worth getting fired from your job for.

    Wow, man, you need a good dose of the real world. For your sake I hope you don't get it, though. (The average salary in the US is $37,000. Hundreds of millions of us would strongly disagree with your assertion that "$50K really isn't that much".) In your case, maybe your stock options are worth more than $50K, but judging from your description of how stock options work I doubt it.

  17. Re:Easier than you think by Watts Martin · · Score: 4, Insightful

    Nice theory, but here's a few more points for you:

    1. Finder doesn't display previews of Postscript files.
    2. Finder doesn't display previews of EPS files, either. (It might if they have attached bitmap previews, but I'm not sure.)
    3. Finder does display PDFs natively (and Quartz uses very PDF-like display lists natively), but PDF is not Turing-complete.
    4. It doesn't matter if the language is Turing-complete if it executes in a contained environment. Malicious code can only harm what it has access to, by definition.

    Postscript has been around two decades now, and AFAIK the only "virus" ever reported written in it couldn't do anything but reset your Apple Laserwriter password. If you think you can write a Postscript program which reformats my hard drive, talks to my mail client, or even just brings up a dialogue box on my screen that says "Hi, I'm PostScript!", you're welcome to start hackin' now.