Slashdot Mirror


User: ryanr

ryanr's activity in the archive.

Stories: 0
Comments: 755

Comments · 755

  1. Re:Debunked? on Call for Apple Security 'Czar' · · Score: 1

    Um, I'd hesitate to call anything that requires you to be in my building (30') "remote"

    "Remote" in exploit terms has to do with the access method, not physical distance. And you think Bluetooth only works at 30 feet, hm? ;)

    Also, this vulnerability had already been patched by Apple (patches for 10.3 and 10.4) long before the "remote bluetooth exploit" was announced...

    Before it was announced to the public via patch. How do you think Apple was notified? And none of that changes the fact that it was a remote exploit.

    Have any others?

    None that I can share. Though, see that eEye has pre-announced a couple of iTunes remotes today.

  2. Re:Debunked? on Call for Apple Security 'Czar' · · Score: 1

    Yes, but that was academic, not in the wild and it was intentionally limited to prevent it from spreading. It was made to be a non-functional exploit, just a proof of concept.

    And does any of that somehow make it not a remote exploit?

    Show me an exploit or evidence of a box exploited. If you have an exploit that you have reported, tell me about the existence so I can confirm it in the next security update. I know maybe none of these is possible, but you'll forgive me for being skeptical especially given some of the other comments you have made here that don't speak to your credentials (like the shell comment).

    I haven't done any OS X vulnerability research myself yet. And by agreement, I'm not allowed to share the exploits I have from others, or else I would have reported them to Apple.

    I have done some other work that might make me credible, if you have other examples. Some people think that the books I've worked on, speaking engagements, running vuln-dev, work at SecurityFocus, vulnerabilities found, etc.. demonstrate some degree of credibility.

    BTW, here are a couple of other examples that I just happened to see today:

    http://www.eeye.com/html/research/upcoming/20060307a.html
    http://www.eeye.com/html/research/upcoming/20060307b.html

  3. Re:Debunked? on Call for Apple Security 'Czar' · · Score: 1

    The second challenge showed that the articles about the first challenge were a bunch of crap. Each proved something.

    So you think that disagreeing with an article constitutes some sort of useful infosec proof. I see.

    I've seen published remote vulnerabilities, but not any published remote exploits, except maybe the Safari one. Can you point me to some?

    The recent worm, I believe it was dubbed Inqtana? Contains a remote bluetooth exploit.

    Not to question your credibility or anything, but I sort of have questions... about your... umm, credibility here.

    So, tell me something that would theoretically demonstrate credibility, then.

  4. Re:Debunked? on Call for Apple Security 'Czar' · · Score: 1

    You can't logically prove a negative. What amount of time is sufficient to show something won't ever happen?

    Exactly. So which one proved something?

    Remote "shell" exploit? Why would it be a shell exploit, necessarily?

    It's a very common infosec term, it means an exploit that provides a remote shell or equivalent. As opposed to a flaw in RSH, if that's what you were thinking.

    I certainly think it is likely there are remote exploits for OS X out there.

    Of course there are. Several have been published, and I know of several more private ones.

    The point you are missing is that while the original test was somewhat useful, the very poor articles about the original test spread misinformation and FUD that did more damage than the original test did good. It is those articles that this challenge was designed to rebuke and it has done that much at least.

    On the contrary, I think it was very clear that the article linked intends to imply that this new test somehow demonstrates that the original test was flawed. The latest test does nothing of the sort. It was very clear to me in the original article in its original form that shell access to a nonpriv account was provided.

  5. Re:U of Wisconsin? on Call for Apple Security 'Czar' · · Score: 2, Informative

    Turns out he didn't get permission from the university to run a hacking challenge, and had to pull it. Whoops.

  6. Debunked? on Call for Apple Security 'Czar' · · Score: 1

    The second challenge debunks nothing. One challenge gave shell access, the other didn't. Only one of those actually ended up demonstrating a result.

    Not to mention that the second challenge was pulled early, and not that I expect someone to give away a remote shell exploit for free to prove a point.

  7. Woo! Free Audit! on Third Party Code Review? · · Score: 1

    You get paid no matter how you do on the audit, right?

    If I were your competitor, and I wanted your code that badly, I would have already disassembled it by now. If it's Java, I would have had a really easy time of it.

  8. Re:Publisher purposely avoided fact checking on th on Publishers Say 'Fact-Checking Too Costly' · · Score: 1

    More evidence to support my claim that the publisher considers their butt to be pretty well covered.

  9. No incentive on Publishers Say 'Fact-Checking Too Costly' · · Score: 4, Informative

    Standard author contract says that the author warrants that their writing is original, factual, etc... and that the author will pay for as many lawyers that the publisher feels they need should there be legal trouble. So there's not a lot of risk for the publisher, and not a huge amount of incentive to spend a lot of effort fact checking. There's still the risk that the author goes bankrupt, and the publisher is back to paying for their own lawyers still, I suppose.

    My publisher does some checking for plagiarism, since that has come up a couple of times.

  10. Re:Sigh... on 20 Years of Computer Viruses · · Score: 2, Informative

    I'm aware of what the linked article says. My comment is in relation to the Slashdot headline, which is incorrect about it being the first virus, and hence this is not the 20th anniversary of viruses.

    I did mail daddypants before the article went live, too. Didn't seem to help.

  11. Sigh... on 20 Years of Computer Viruses · · Score: 4, Informative

    Not the first virus. It's the first PC virus, meaning IBM PC running DOS.

  12. Re:Keep the govt out. Decentralize security. on Is the Cyberterror Threat Credible? · · Score: 1

    The Bush administration has been warning of a digital Pearl Harbor for years.

    You mean Richard Clarke, appointed by Clinton, as mentioned in the article you link to?

    The best solution is to go back to the policies of Clinton's presidency. Let us, the people, take care of our own security without government intrusion, as is our natural right and privilege.

    Hm.

  13. Re:Most disturbing..... on Darwin Evolving Into A Tricky Exhibit · · Score: 1

    We believe that there's one God (the father), so anyone else's concept of God would necessarily be a variation on that. We believe people will be judged according to what they knew and what they intended. I.e. if you live in a culture such that you have no chance to be exposed to the true gospel before you died, that will be taken into account.

  14. Re:Most disturbing..... on Darwin Evolving Into A Tricky Exhibit · · Score: 1

    Do you not agree that stealing would still be amoral even if it were legal?

    I do. That's because my beliefs include a moral system where that is also forbidden.

    I also believe that drinking, smoking, and drugs are immoral. For a lot of the rest of the world, that fluctuates with the laws at the time.

    To say that legality and morality are the same is incorrect.

    Yes and no... you're missing one of my points. Laws are simply another morality system. They are an interesting one, since they are supposed to be designed by man, and separate from church. Yes, I agree with you that laws are distinct from... let's call it a "higher" moral system. So there are lots of things that are legal that many religions would consider immoral. Premarital sex, for example (assume you're old enough to be legal.)

    But don't you agree that laws are their own moral system? I.e. a set of standards that people are expected to abide by, lest there be punishment?

  15. Re:Most disturbing..... on Darwin Evolving Into A Tricky Exhibit · · Score: 1

    If it's not clear from the thread, I see the difference between religion and philosophy to be the origin. Laws of God vs. the laws of man.

    "If you're stupid enough not to believe in God's laws, then perhaps you ought to burn in Hell for all eternity".

    But that is little threat to an unbeliever, isn't it? ;)

    but why oh why do some faiths insist that the un-chosen, or the un-saved have to burn in their hell?

    I don't know. We believe that everyone gets their shot eventually, and it's just a matter of which heaven you go to. Hell, as traditionally thought of, is there, but you have to pull some very specific major sins to get there. Murderers don't go there, for example. I'm LDS, if you're curious.

  16. Re:Most disturbing..... on Darwin Evolving Into A Tricky Exhibit · · Score: 1

    Interesting. Yes, if you had a sufficiently large group of people, I could see coming up with a useful moral code. Maybe lost continent/another inhabited planet kind of thing. I probably don't have any other useful opinion to add to this branch of the discussion at this point, without reading up on the philosophical history mentioned.

    Do they have anything useful to say as to how humans have arrived at the set(s) of moral codes we use now?

  17. Re:Most disturbing..... on Darwin Evolving Into A Tricky Exhibit · · Score: 1

    The question was whether religion was necessary for morality. The answer is that, regardless of how things happened to have developed here, there isn't any reason that religion is required. A person raised in a box shielded from all religious principles is just as capable of developing a moral code from his experiences as anyone else. I don't see how your argument makes religion necessary for morality.

    You're right. My earlier question had to do with addressing whether religion is the basis for our current moral codes (or more specifically, I had laws in mind.) But I did ask about necessity. As you point out, you could in fact have a moral code that consists of nothing more than "it's immoral to wear clothes". Such an independent code would not be useful nor accepted in the world once he got out of the box, but it could be done.

  18. Re:Most disturbing..... on Darwin Evolving Into A Tricky Exhibit · · Score: 1

    Perhaps I'm being too broad, but I'm talking about things like "assuming all people are equal."

    Also, in many countries, most current legal protection was introduced by the Romans and strongly influenced by Napoleon. Should people who disagree with the ethics of the Romans and Napoleon not have a claim to legal protection?

    I think they should still be afforded legal protection. Perhaps if one is the kind of person who thinks that anti-evolutionists don't deserve modern medicine, they might disagree.

  19. Re:Most disturbing..... on Darwin Evolving Into A Tricky Exhibit · · Score: 1

    I personally think the consequences of this argument are stupid (of course one should avail him/herself of modern medicine)

    Indeed.

    but there's still a valid criticism of people who don't believe in evolutionary theory: it's a very successful theory that's at the basis of most of modern biology, as is evidenced by the availability of very potent drugs against all kinds of diseases.

    Look at the undertone of the original message I replied to; I'll paraphrase: "If you're stupid enough to not believe in evolution, then perhaps you ought not to benefit from it, i.e. die". It seemed to me a rather intolerant and cruel message.

    I wondered what perhaps someone from the opposite extreme might think, with an equally intolerant and cruel intention. "If you're stupid enough to not believe in God's laws, then perhaps you ought to try anarchy, i.e. get carjacked and killed."

    I find both extremes distasteful.

    FWIW, I tend to assume that evolution would be the method that the creator used to create life on the Earth, so I don't really see the debate.

  20. Re:Most disturbing..... on Darwin Evolving Into A Tricky Exhibit · · Score: 1

    But your whole life has been influenced in some way by the religious beliefs from the last however many thousand years. How would you create a moral system that doesn't somehow incorporate that when trying to get to a natural moral code by inference, extrapolation, voting, or any human-controlled mechanism?

  21. Re:Most disturbing..... on Darwin Evolving Into A Tricky Exhibit · · Score: 1

    Yes. Take your examples down a couple of pegs from killing and stealing. Which, BTW, some small percentage of people will do regardless of how immoral, illegal, or punishment worthy it is. Now, imagine it's something illegal, but light punishment and you rarely get caught. You have speeding, jaywalking, etc...

    How many more people will do the thing if they know they won't get caught? How many more would do it if it's immoral, but not illegal? (I'm mixing multiple morality systems here, but that's the state we live in.)

    Look at the examples of underage drinking and sex. Pretty universally considered illegal and immoral (by definition, due to the word "underage".) Your church doesn't want you doing it, nor your state, nor your parents.

    Would it get worse, significantly, if there were no rules nor stigma against it?

    What are the reasons the rules get ignored? Lack of respect for the authority? Disbelief in the "wrongness" of it? Lack of belief in getting caught or punished? Any chance in any of the scenarios that the kids still believe they are doing "wrong", and proceed anyway?

  22. Re:Most disturbing..... on Darwin Evolving Into A Tricky Exhibit · · Score: 1

    From a theoretical viewpoint, one could make the argument that people will be moral because it ultimately benefits them, golden-rule style.

    In practice, I think just about all of recorded human history demonstrates that people never live up to such an ideal. And that workable societies are based on systems of laws with consequences (i.e. punishment.) If that's true, then what kinds of moral codes will we end up with?

    So I see that exactly as equivalent to "Because King Bob said so" or "High-Jurist panel of 20 said so".

  23. Re:Most disturbing..... on Darwin Evolving Into A Tricky Exhibit · · Score: 1

    This, I think, is mainly a matter of personal viewpoint (i.e. do you think that there is a significant difference between a morality that admits being derived by man and one that claims to have a higher source; is that higher source something that makes it significantly different to you?)

    In my case, I have a religious belief I subscribe to, part of which dictates that our doctrine is of course the most correct moral code. That doesn't preclude other moral systems from having some or none of it, or even being contrary. So I don't deny the existence of other moral codes, clearly they exist. I simply believe that they are informed by the original/correct moral code.

    There I think that you've broadened the definition of religion to include anything that is the basis for a moral code. Religion is usually defined a bit stronger than that as it tries to unify the origin and intent of the universe together with a morality. Also, I think it's a bit disingenuous to people who really believe in their religion because it's reduced to an irrational set of morals, without the faith aspect that many people seem to profess who are religious.

    I don't mean to imply that a religion is JUST a moral code. I personally believe it is much more than that, a superset. I meant to point out that whatever moral codes we have now (laws, etc..) are based on past or current religious beliefs of right and wrong. I also suspect that one could not now arrive at a workable moral code for a society that wasn't based to some degree on those same religious beliefs. Therefore, whatever system of legal protections we enjoy, we have past religious beliefs to thank.

    And that someone not availing themselves of such protections because they are areligious makes just as much sense as suggesting that someone who is religious or anti-evolution not avail themselves of modern medical technology.

  24. Re:Most disturbing..... on Darwin Evolving Into A Tricky Exhibit · · Score: 1

    If I say that I think it's OK to steal, and someone else says that it's wrong because God says it's wrong, and then I say that there's no such thing as God, what is the rebuttal?

    The same as if someone says they don't recognize the authority of whatever unit of society is trying to impose the rule, I suppose.

    I don't behave in a moral fashion because I'm afraid of God, I behave in a moral fashion because to do so benefits society and therefore myself.

    Certainly one can derive greater personal benefit by breaking the rules to one's advantage than they can by taking a share of benefit by playing along? Isn't it the fear of punishment (in both cases) that enforces the rules, to whatever degree that people follow them?

    Flexibility is strength in this constantly changing world, which is why static ideas like religious beliefs are so out of sorts with our modern perspective on reality.

    Are all religions static? Don't new ones crop up from time to time?

  25. Re:Religion had benefits... on Darwin Evolving Into A Tricky Exhibit · · Score: 1

    They simply have no space in a modern, advanced society based in mutual respect.

    So, I'm curious how you arrived at your pro-and-con list for the benefits vs. the harm that religion does in current society. Have you written them down somewhere, or is there a study or thesis I could have a look at?