Until I ask them what's to stop someone from standing in line with a large rucksack filled with explosives during say, the day before Thanksgiving? How about three people. One in the front of the line, one in the middle and one further back?
I love the look of fear and horror on peoples faces when I pose that question.
Anyone who hasn't though of that is a moron.
So do you have an idea of how many of those people we're dealing with?
Hint: it's the same number of people who feel much safer because of all the additional "security precautions."
So, should we educate them all and say, hey, you're far more likely to die falling off a ladder putting up Christmas lights than you would from a terrorist attack? Should we explain to them that we wouldn't be any fundamentally less secure if we had basically zero security at airports? (By the way, we do need to prevent things like guns and explosives from getting on the planes themselves - of course, that's another problem entirely and isn't related to ID.)
I guess my question is, how do you tell people that it would have been acceptable to DO NOTHING with regard to air security after 9/11, and actually have them believe you?
The problem is that someone falling off a ladder putting up lights is a tragedy. But no one (except friends and loved ones) cares. But when 20 or 200 or 2000 or 20000 people die at once, and when they die because someone who doesn't even know you HATES you with such fervent passion that they're still willing to kill you even after living in your own society for months or years, that bothers people. I don't think many people realistically, personally fear being killed by a "terrorist". They just want society at large to be protected from them.
But we're safe because they ask for ID and run you through a metal detector, they tell me.
But only after you've been standing in line, I reply.
Yes, the sterile area is a big thing. But there's nothing stopping someone from doing exactly what you've suggested against any number of soft targets, like, say, the Mall of America or numerous other locations. The point with airline security is still really keeping the PLANES secure, for better or worse, and that doesn't just include the cockpit only or preventing planes from being used as missiles.
It's about the perception of security, and people demanded it.
Do you really think the government - no matter who was in office - could have gotten away with making NO CHANGES to air security after 9/11?
Can you imagine how that would play in the press, or if there was ever any other event, ever? Look at me with a straight face, and tell me that they could have reasonably done nothing to improve security, either real or perceived, or a combination of the two.
I disagree that investigators must have ID to start with for an investigation. Let them start with nothing other than the facts of the crime. The core of the matter is that we're allowing our government to assume we are criminals, which is evil and the basis of a police state. By default, the government does NOT need to know who I am or what I am doing. However, we've raised two generations of SHEEP who submit to whatever the government says without question, and who do not know what freedom is.
Then, by all means, fly without ID, as you are legally allowed to do.
The problem is that it is human nature to assume someone is trying to hide something when it, well, looks like they're trying to hide something. So in the system at large, this means that they take greater precautions with someone who, for whatever reason, doesn't want to present any identification to fly.
This isn't about sheep or some higher-level conspiracy to keep people under the thumb of a fascist police state. These were reasonable regulations, which are exceedingly imperfect, to make air travel as safe as possible, and to make people feel it is as safe as possible - which is a huge component of this, by the way, since people not living in fear of air travel is, in its own right, an important social and economic factor.
Not your fault that people are afraid of something that will statistically have a far less chance of affecting them than dying of a toenail fungus or a drunk driving crash? Of course it's not. But do you actually expect the government to be the entity to somehow convince people that there's nothing to worry about while at the same time making NO CHANGES to airport/airline security? People DEMANDED change, and whether it's security theater or not, "people" wouldn't have accepted anything less than some "action" - read: changes - on the airport security front.
People can talk about reinforced cockpit doors and Israeli airlines all they want, but the fact is that the only response the government could have had - no matter who was in office - was a real, perceived, or a combination of both, "increase" in security at airports and on airlines.
So sorry. We can't show you that piece of legislation. It's a matter of national security.
That's because there is no "legislation" that says you must show ID. The legislation, in effect, is "the TSA can set guidelines for security in airports." The TSA, in turn, has security directives, some of which are secret because they pertain to security procedures and processes which they don't want people who would intend to circumvent them knowing about. Further, it's already been determined several times over the course of this that you can fly without IDif you submit to the standard "intensive" search that anyone pulled out of line gets. I fully realize some people will still think that's unacceptable, but the point is that you can fly without ID with the standard "intensive" search.
You can fly without ID. You could when Gilmore's case started, and you still can now. In fact, here's how. In fact, Gilmore's own site tells you how, in the form of the court decision specifically authorizing it.
The exact wording:
The identification policy requires airline passengers to present identification to airline personnel before boarding or be subjected to a search that is more exacting than the routine search that passengers who present identification encounter.
The very page describing the case says that he would have been allowed to travel at SFO without ID if he submitted to a search. That alone devastates the "secret ID law" claim, as allowing him to fly without ID, search or not, would have been in violation of that law.
First of all, his primary question is: Do citizens currently need to show ID in order to travel in their own country?
The answer is a resounding "no". He is free to travel by foot, bike, motorcycle, car, boat, or other device himself while not violating applicable pedestrian or traffic laws, or by bus or train, entirely anonymously.
Further, in his quest to "expose" this situation, he found at one of the largest airports in the country, San Francisco International Airport, that he WAS indeed allowed to fly without ID (if he submitted to a search).
Claims variously made by privacy advocates assert that showing ID is worthless; that the September 11 hijackers all had valid, government issued photo ID. Sure they did. But some form of identification, fake or not, gives authorities a place to start in an investigation, rather than nothing at all.
But please, even in light of that, remember: he WAS allowed to fly with no ID at SFO, and chose not to. I expect that he thought he'd find he would be denied everywhere, but then still chose not to fly at SFO simply because he didn't want to be searched and so it wouldn't stop his little "Achtung! Papers, please!" stunt before it started. That's his choice. And if you'd argue against a search, then you might as well argue against ALL security measures at airports.
There are some discrepancies here, most likely because of lack of communication or lack of proper specific words used to define things. First, TSA directives are secret. But they're not "laws". That's why they're called security "directives". These directives instruct the airlines and airports in terms of how to handle security; they're not arbitrary requirements that passengers must submit to or know about ahead of time: they are guidelines and directives for the handling of security issues, some routine and some special or time-specific, within airport and airline processes. That's the TSA's job. And didn't some call for the federalization of airport security?
I'm glad he's asking these questions, but I wish he'd be less sensationalistic and tinfoil-hat about it - especially since his primary claim is that he can't travel anonymously, which is not only tremendously wrong considering there are so many other public and private means to travel with no ID, but also because he would indeed have been able to fly with no ID.
Yes, all the 9/11 hijackers had valid IDs. So what? The ID requirement doesn't pretend to "prevent" issues; it's simply a place to start for investigators AFTER an incident, regardless of whether the IDs were real or fake...enabling investigators to get a list of names (again, real or not), issuing agencies for the IDs, and sometimes even pictures (which are many times real, even if the ID itself is fake). This information could be critical to an investigation when other lives may be at stake.
But, in any event, he already found he could travel by plane, without ID.
Don't know yet, but given that the 2007 North American International Auto Show is this week, we might be hearing more. And given that these will all be available for model year 2008, which will occur mid to late calendar year 2007, we'll have to hear something about price pretty soon. GM knows it has to be cost-competitive. And, frankly, buyers need to know that spending a little more up front will be better for everything from the environment, to fossil fuel foreign policy, to their pocketbooks. But even though compact fluorescents are provably less expensive over their lifetime than incandescents, it's still tough to convince people to change.
Company Vice Chairman Robert Lutz said in a statement that more than half of Americans live less than 20 miles from their workplace.
Is this actually true? I would like to ask Mr. Lutz for a cite or three to back this assertion.
Is this really that hard to believe? It seems reasonable that more than "half" of Americans live less than 20 miles from work.
The US Census Journey to Work: 2000 notes that "average travel time to work was about 26 minutes in 2000." This means that unless people are driving faster than an average of 46 miles an hour for their entire work commutes, which I find unlikely, Americans are, on average not going farther than 20 miles. Granted, this still would be an average, but other data in this publication, while all focused on times and not distances, would appear to support the claim that a good chunk of Americans are fairly close to work. Also, given the average radii of suburban areas around city centers, and the massive growth of office parks around the outside of cities, it's not at all surprising to me that "over half" of Americans live within 20 miles of work. Out of curiosity, why did this strike you as so surprising or unbelievable?
Also coming from GM in model year 2008 is the full hybrid GMT900 truck platform [1, 2, . This encompasses the Chevy Tahoe and Suburban, the GMC Yukon and Yukon XL, and the Cadillac Escalade and Escalade ESV, among others. The hybrid uses the GM/DaimlerChrysler Advanced Hybrid System 2.
The hybrids will feature:
- 5.3L FlexFuel Vortec V8 (able to run using E85, a blend of 85% ethanol and 15% gasoline) - Active Fuel Management (AFM)/Displacement on Demand (DOD), disabling cylinders as needed for cruising - Two 30kW electric motors inside of the same physical space as the normal automatic transmission - A continuously variable automatic transmission - Conventional 110VAC power outlets on board - Hybrid system derived from the advanced system on already in use on GM's Allison transit buses
This advanced hybrid system, while not plug-in, will be offered on all model year 2008 GM full size SUVs, as well as pickups and fleet vehicles. The expected fuel economy gain is 30% over today's figures on the gasoline/FlexFuel-only AFM variant, approaching 30mpg for city driving. That's a damned good improvement. And when used with FlexFuel, they're using less fossil fuels - even including the fully burdened fossil fuel costs of ethanol - than Prius and Civic hybrid drivers, in addition to contributing to lower overall greenhouse gas emissions. As the process efficiency increases over the next few years, these numbers will improve.
Whether or not one likes or dislikes SUVs, or thinks people should be able to be told what types of vehicles they should or shouldn't be driving, or think subjective judgments can be simplistically made about what other people "need" or don't need, it's still an excellent step forward. While the Volt is very interesting (conspiracy theorists: think of some way the Volt is really still a GM plot to "keep electric vehicles down" or to assist big oil) and using centralized power generation and leveraging the existing electric grid and production capacity is a necessary step to the future, the full hybrid SUVs will be one of the big things that people buy in the short term, not to mention being one of the major things - if not the thing - that may make or break GM in the next decade.
Actually, you are completely, categorically, and 100% wrong.
Apple did NOT give anyone any order, court, legal, threat, or otherwise, with anything having to do with the wireless issue.
In fact, your entire timeline, and nearly everything in your post, is completely wrong.
Brief summary:
- The exploit was shown at Black Hat and demoed on a MacBook with a third party wireless card first. Apple was NOT informed of the issue. - The issue affected numerous 802.11 chipsets, drivers, and multiple operating systems, including Mac OS X, Windows, and Linux. - He "went quiet" because the Washington Post unleased a firestorm of bad press against ONLY Apple. This issue affected basically every platform and was a serious, general 802.11 vulnerability, but the Washington Post story and nearly all press coverage, especially mainstream press coverage, made it appear to be only an Apple issue, and often made no reference to multiple other platforms being affected. This was extremely embarrassing for SecureWorks, which claimed to be a responsible enterprise security company, so they probably told him to STFU, since he was doing his presentations under their name. Apple DID NOT do anything to force or otherwise or prevent him from talking. If they did, it would be easily provable. And no, there aren't any "gag orders" or any other such things. - He didn't "reappear" and "tout it for an Intel chipset" (???). He showed it at Black Hat, and demoed it on a MacBook (with a third party wireless card). There were no "restraining orders", and your order of events shows you have no clue what you're talking about. - Apple was the FIRST commercial vendor to patch this issue (partly because of the huge amount of negative attention that all the stories that made it look like only an Apple issue created). Only Linux drivers were patched sooner.
The reason you can't give any citations is because you're totally wrong, and your entire premise is wrong. Not only that, you CAN give advance warning anonymously. Further, Apple doesn't threaten people who tell it about security vulnerabilities. In fact, it routinely credits people - including some who remain anonymous or operate under pseudonyms - in its technical documents about security updates. Every security update has numerous people credited for providing information about security issues. There is NO CASE where Apple has taken ANY court action, ever, against someone who has reported a security issue. None. I know you're thinking "but, but, but, some blog told me this" or "I think I read such and such somewhere." No. There has never been any case of that, at all. Apple HAS sued to keep its future products and confidential information secret, but has NEVER taken any action for people reporting or disclosing security issues, period.
So basically, your entire argument, while being wrong to begin with, is still shattered because Apple has never taken any such action, in this case, or any other. Responsible disclosure to the vendor is the way to go.
Here's what really happened, from a post I wrote up about this yesterday, actually:
At the Black Hat Briefings in Las Vegas, Jon "Johnny Cache" Ellch teamed up with former SecureWorks researcher David Maynor to warn of exploitable flaws in wireless device drivers. The presentation triggered an outburst from the Mac faithful and an ugly disclosure spat that still hasn't been fully resolved.
Um, yeah, because nearly all of the news coverage of the vulnerability didn't describe it as the general 802.11 vulnerability that it was, affecting multiple chipsets and drivers and multiple operating systems, including Windows, Mac OS X, and Linux; it described it, and indeed trumpeted it, as vulnerability that affected Apple MacBooks and Mac OS X, with most articles making at best a passing reference that it could affect other platforms, if they even said that. Stories ran under headlines like "MacBook hijacked in 30 seconds -- wirelessly", and made it appear to be exclusively an Apple problem.
One problem in this debate is that often, either side will make it seem like an all-or-nothing proposition; that it's either "full disclosure on day one" (or in this case, "day 0";-), or it's feebly report to the vendor and wait helplessly while the faceless vendor takes months to respond, if it even responds at all.
There actually is a middle ground.
Some say, "Hey, these vulnerabilities exist whether they're reported or disclosed or not," just as MOAB says in its FAQ. But the problem is that they overlook the practical side. Sure, the vulnerabilities, and maybe even working exploits, exist, but as long as they're hoarded (and not used) by very small and tight-knit groups of people, they're not getting actively exploited in the wild across massive userbases. Could high value 0day exploits perhaps be used for isolated penetration? Sure. But could they be used (for any period of time) for a mass-spread worm or other malware? Nope. It'd be hours before security firms and/or vendors identified the issue.
So when you choose to disclose previously undocumented issues before giving the vendor any chance to respond, which some claim they're doing to improve security, there is a greater chance of exploit across a much wider base of users, which can have a much wider and catastrophic impact. Some say that as a sysadmin, they'd want to know about such vulnerabilities so that they can protect and mitigate themselves. But other than for high value targets and corporate or government espionage - which can perhaps have their own channels for "earlier" disclosure when identified by entities like US-CERT or Information Assurance agencies - I don't see how people can reasonably expect to be targeted by extremely valuable and as-yet-undocumented vulnerabilities. It's a point of pride - and sometimes money - to sit on such vulnerabilities.
The bottom line is that the vendor should always be informed in advance, if there is any real concern about security on the platform, and not just ego stroking or slapping down "fanbois". How long in advance and how long a vendor should be waited on is somewhat subjective, of course. Also, no one's saying that an "independent" "security researcher" is beholden to a corporate interest. But then they shouldn't operate under the guise of responsibility or the feigned notion of wanting to "improve security", when some persons' mechanisms for disclosure are nothing more than PR attempts, or another notch in the bedpost (hmm, or probably NOT a notch in the bedpost...)
Because every time someone finds a security issue in OS X we have the same outburst from the Mac users, mostly in the form of personal attacks on the submitter. You think anybody wants to report an issue in OS X in the future? Is it worth 10000 angry emails, including death threats.
This argument is bogus.
People who don't sensationalize things don't get "10000 angry emails", and your death threat comment is laughable. No one's going to kill anyone for reporting a legitimate security vulnerability (and maybe - *gasp* - even doing it responsibly), and no, Mac "zealots" aren't "just that crazy".
Which was as I understand it true, and that was also the news.
Well, not really. It was only "true" with the third party wireless card, since that's all they were able to demo it with, yet all the news coverage made it look like any MacBook was instantly and easily remotely ownable, which is also false.
Where is the news of reporting about Windows, Solaris, Linux, OpenBSD or 802.11 security issues. The users of those technologies know they are vulnerable to attacks and take caution not to get hacked (Even home users with whatever knowledge they have).
No, that's not why there was no coverage. There was no coverage because Brian Krebs at the Washington Post is absolutely obsessed with "proving" that Mac OS X is "insecure" and his sensationalistic reporting was the beginning of the massive news coverage - initiated by his own coverage - that followed.
For years we have heard that it's next to impossible to take a Mac (It would be something like the mother of all hacks). Turns out the Mac had just the same issue as everybody else. Go figure.
I've never heard anyone worth listening to - including, and especially, Apple itself - say that Mac OS X is unhackable or invincible. And this news coverage wasn't highlighting the fact that, "Hey, this is a cross platform issue that also affects Macs," it was written with the sole purpose of conveying that Macs and Mac OS X are "insecure", that this was a huge and serious vulnerability (that, from the article and to almost all ordinary readers would appear to affect ONLY Apple), etc.
But it sounds like you're ok with lopsided and unfair news coverage like that because of what you say below:
Maybe Apple (And the users) should tone down the talk about their non-hackable system, if they do the media will find something else to write about.
Considering Apple has never said or done this or made this claim, I don't know where this sort of statement comes from. When Apple has commercials like the Mac and the PC and the PC has a cold, that's perfectly fair advertising as far as I'm concerned: it is 100% accurate to say that Windows is generally plagued with massive amounts of viruses, spyware, and other malware, while Mac users generally never have to worry about anything like that at all - and that is 100% true, and has been for the over five years since Mac OS X has been out. If it's more important to you do teach people a "lesson" who enjoy using Mac OS X because it actually gives them less real problems in real-life usage situations, then more power to you, I guess.
No, it's not true and that's what the exploit shows. There's a perception that they are invulnerable because there's just not that many exploits in the wild, but that's clearly false. They are vulnerable. Arguably not *as* vulnerable as a comparable Windows system, but vulnerable nonetheless.
No, it is true. Security isn't just whether or not exploits can or do exist. Security is a much larger issue, which includes how often people in real-life, practical, day-to-day usage situations are actually affected by issues that cause compromises, data loss, recovery and remediation time, and so on. To date, Mac OS X has required virtually none of these, and asserting that it's only because of marketshare is false. This is also not "security through obscurity"; Mac OS X has been out for over five years, and has high market penetrations in "target rich" environments, such as academic, research, and other institutional settings. They do indeed receive scrutiny - no, not as much as Windows, and not as much as open source OSes such as Linux - but plenty of scrutiny nonetheless. These claims that the only or primary reason Mac OS X hasn't been significantly affected to date are only because of marketshare are bogus, not to mention unprovable.
And this rtsp exploit doesn't "show" anything. There have been NUMEROUS other exploits that can affect Mac OS X (and Windows, and other OSes) in a similar way simply by just visiting a malicious web site. Some of these have been SPECIFICALLY targeted at Mac OS X, and have allowed arbitrary code execution simply by visiting a malicious web site. Are these vulnerabilities severe? Yes. Am I saying this is a good thing? No. I'm saying this is NOTHING NEW, and doesn't prove anything other than Mac OS X, like any other operating system or large software product, has bugs, some of which can be exploited as vulnerabilities. No sensible person claims otherwise. What matters is how Apple responds to the issue.
No, this is twisting my words and attacking a straw man. Small marketshare does not equate to lack of software. [...]
No, I'm not saying you said that, and not doing the strawman thing at all. What I'm saying is exactly what I said: that the "Macs have only been relatively trouble free because of low marketshare" is virtually identical to the "Macs have no software [presumably because so few people use them]" argument: they're both at the same time false and passively insulting, as well as untrue.
But marketshare does contribute to how fast a virus propagates. There's a critical mass associated with epidemics and virus propagation. Too few and the incidences get caught within the first few systems. It's ridiculous to claim that userbase and marketshare is not important.
Wow. I didn't. I said: "Sure, [low marketshare] doesn't hurt, and probably helps a great deal." Elsewhere, I have said the same thing. Marketshare is absolutely a great protector against the kind of critical mass it's relatively much easier to accomplish on Windows.
But that is not the only thing that protects the platform! There are other factors as well, such as Mac OS X shipping in a reasonably secure state by default, and not providing facilities and vectors for spread of malware as easily and sometimes ridiculously as they have on Windows. Does this mean it's impossible on Mac OS X? Of course not.
But I also take issue with this use of "from remote" in security nomenclature in general. There is a HUGE difference between a worm that spreads and/or owns machines completely remotely and externally, with no user interaction of any kind, and someone having to visit a malicious web site (and yes, I know there is precedent for inserting something into, say, advertising on popular sites). As we sit here and talk about this rtsp exploit, dozens (hundreds?) of affected Windows machines at my location alone are being cleaned up from the latest completely remote and automated Windows worm.
Many of the Mac faithful believe that their systems are largely invulnerable to viruses and exploits because that's what the Mac ads said.
But that's also mostly true.
Sure, MacOSX is not currently a worthwhile target because they are just not that many.
Ah, marketshare. This actually seems to be the 21st century version of the "Macs have no software" argument. After "Macs have no software" lost its steam (or people saw it as the crap that it was), the new thing is "Macs really are insecure - in fact, possibly horribly insecure - and the only reason you've been almost literally untouched for over five years is because your platform was so boring and your userbase so small."
It is not only marketshare that protects the Mac platform. Sure, it doesn't hurt, and probably helps a great deal.
As the userbase grows, however, it will be a target and it will be a BAD thing if all these users don't take appropriate precautions.
Ok, now we get to the meat of the discussion. So, what precautions, exactly?
if you're arguing that users should have, e.g., antivirus software instead of thinking that it's ok to run without because there are "no Mac viruses", or that pressure from an informed userbase will change a vendor's attitude and response to security, I guess I would agree (save for the fact that, to date, AV software on Mac OS X has literally done more harm than any malware has, with the 3 separate instances of false-positive problems doing anything from alarming users and having them do things like reinstall their OS when nothing is actually wrong, to actually quarantining critical pieces of the OS (like the swap file), thus crashing the computer and making people further believe that something is wrong or that they're "infected" when in fact they're not). Also, chances are, most things covered by MOAB wouldn't be covered by AV or anti-malware software anyway, so, from that perspective, how would changing a typical user's "attitude" help this situation?
People thinking that the Mac platform is "more secure" (overall, correctly) is mostly a PR and marketing win for Apple. The only thing I see changing a user's "attitude" doing is getting people to reconsider their decision to perhaps switch to Mac OS X because they're fed up with all the spyware and malware they deal with on a daily basis on Windows. And, for whatever it's worth, I think that's unfair.
Isn't the real issue how many people are *actually affected* by issues in the day to day, real-life use of their computer?
At the Black Hat Briefings in Las Vegas, Jon "Johnny Cache" Ellch teamed up with former SecureWorks researcher David Maynor to warn of exploitable flaws in wireless device drivers. The presentation triggered an outburst from the Mac faithful and an ugly disclosure spat that still hasn't been fully resolved.
Um, yeah, because nearly all of the news coverage of the vulnerability didn't describe it as the general 802.11 vulnerability that it was, affecting multiple chipsets and drivers and multiple operating systems, including Windows, Mac OS X, and Linux; it described it, and indeed trumpeted it, as vulnerability that affected Apple MacBooks and Mac OS X, with most articles making at best a passing reference that it could affect other platforms, if they even said that. Stories ran under headlines like "MacBook hijacked in 30 seconds -- wirelessly", and made it appear to be exclusively an Apple problem.
While this was made clear in their demo, they chose to demo on a MacBook with a third party wireless card whose identity was hidden - because of "responsible disclosure" - but then in the next breath tell Brian Krebs at the Washington Post that the MacBook's own integrated wireless is exploitable in the exact same way. How is that "responsible disclosure"? And to top it off, we have a SecureWorks "Senior Researcher" saying that he wants to fix Mac users' "smug" attitude about security (and this helps Mac OS X security in a meaningful way how?) and that many of these people apparently need lit cigarettes jammed into their eyes (to paraphrase). Even if said in jest or in fun, how is that professional? How does that do anything to better Mac OS X security?
How would a change in "user attitude" change the actual security situation on Mac OS X? I don't see a change in user attitude changing anything. Many Windows users know, at least marginally, that they are the target of innumerable attacks and thousands of pieces of malware. How does that change in any meaningful way the security situation on Windows?
More to the point: how does the press making a general and serious 802.11 vulnerability affecting numerous chipsets, drivers, and operating systems appear as only a MacBook problem serve a meaningful, or even truthful or accurate, security purpose?
For Ellch and Maynor, the controversy offered a double-edged sword. In many ways, they were hung out to dry by Apple and SecureWorks, two companies that could not manage the disclosure process in a professional manner. In some corners of the blogosphere, they were unfairly maligned for mentioning that the Mac was vulnerable.
No. They were maligned for saying they espoused "responsible disclosure", even carefully hiding the third party wireless card, but then saying that the MacBook's integrated wireless was vulnerable in the same way. NO OTHER AFFECTED VENDOR OR OS was treated that way. Only Apple.
They were maligned for being party to a Washington Post article that made outrageous accusations, like alleging that Apple "leaned on" them to not show this exploit, when there is no proof of that whatsoever.
They were maligned because after working with Apple engineers for almost a week at Black Hat, they could not provide any information directly to Apple on how, precisely, Apple's integrated drivers were vulnerable. Should they "do Apple's work for them"? No. But these weren't hobbyists. These were people presenting under the guise of an enterprise security company with responsible disclosure, and when you unleash a firestorm of bad PR on one and only one company's new flagship consumer portable, you'd better be prepared to have a little higher degree of interaction with that one vendor.
However, security researchers who understood the technical nature--and severity--of their findings, Ellch and Maynor were widely celebrated for their work, which was the trigger for the MoKB (Month of Kernel Bugs) project that launched with exploits for Wi-Fi driver vulnerabilities.
I'm sure many people on slashdot agree with this kind of reasoning, but I don't see why, considering it's logically inconsistent.
Why should technology benefit only "the people" and not "the government"?
Technology is a "force multiplier" for ordinary people and for our own convenience. Why should law enforcement/government be artificially hindered or prohibited from using technology in certain ways? What is the threshold? How many cameras is too many? When is it not acceptable for law enforcement/government to use a particular technology? When is it ok to use a camera? Say, a police dash camera? A telephone? The internet? A database? A computer? Google? Public records searches?
To say nothing of demands from people of all levels of government to become more modern, save taxpayer money, use resources more efficiently, and so on. But I suppose this is an argument that can't be won on slashdot, unless you take the "We're {becoming/already are/etc.} a police state" position.
Technological advancement cuts both ways. It makes things easier, and not just the things you want to do.
Re:rushed fixes, and untested at that
on
Month of Apple Fixes
·
· Score: 3, Informative
Ugh.:-(
APE isn't going to be necessary for ANY fixes from Apple. Apple will release their fixes in due course, and they'll be like all their previous fixes have been: normal updates to the OS that come down via Software Update, etc.
But since we can't directly fix Apple's code, this is a little technical exercise that fixes them with runtime patches. One very easy way to do runtime patches and code injection such as this is to use APE.
Also, APE is *very* easy to uninstall. It has its own uninstaller right in the installer, which will, categorically and definitely, uninstall every single last thing that has anything to do with APE.
All this project is is just that: a project. The community is welcome to inspect all of the source code, and anyone is free to use these runtime patches. Yes, QuickTime, and VLC, and everything else that will be covered in MOAB will be fixed by Apple and the various applicable vendors/developers. That is not at all the point of providing on-demand runtime fixes each day, and you have apparently totally missed the point of this projects, and the post you responded to where I pretty concisely explain it.
Second bug fix already in progress...
on
Month of Apple Fixes
·
· Score: 4, Informative
Nothing is hidden, and Landon isn't trying to hide anything that's being done.
Also, these fixes are runtime fixes via APE modules. They only place they're "installed" is into APE, so they can all be easily removed/disabled at will (as can APE itself). There is nothing wrong with the principle of runtime patching, and this is really a technical exercise more than anything. But again, the code is all right there, and you can see exactly what is being done.
Re:rushed fixes, and untested at that
on
Month of Apple Fixes
·
· Score: 5, Informative
All this is a little fun exercise and a public service, if you will. Also, anyone can examine the code.
How do you uninstall these quick fixes? Simple. They'll almost all invariably be runtime fixes with Application Enhancer (APE). APE modules are just self-contained directories; nothing more. They can be unloaded on demand, and APE itself can be easily installed, uninstalled, disabled, and modules can be loaded and unloaded at will.
Also, Landon Fuller is anything but an "Apple fanboy", or in any way remotely interested in "saving Apple's rep". The idea is to look at the bugs, and see if a quick technical solution or remediation can be provided. No one has to install them. Since the code is available, anyone can see what's being done, including the rest of the community. If one wishes to wait for Apple's official patches, fine.
Aside from all of this, of course Mac OS X, like any other operating system or large software project, has bugs. Some of these bugs will enable vulnerabilities that can be exploited. I fail to see how any of this is surprising. If you're actually interested, I've summed up my thoughts on this here.
Response from Kevin Finisterre, second bug
on
Month of Apple Fixes
·
· Score: 4, Interesting
Also, the second bug was just posted a few minutes ago: a udp:// URI handling vulnerability in VLC Media Player that affects both the Mac OS X and Windows versions of VLC Media Player. While not exactly what I'd call an "Apple bug" (yes, yes, I know the FAQ says they're also looking at "popular applications" that run on Mac OS X as well), it is interesting to note that vulnerabilities in cross platform applications may transfer more easily to the Intel-based Macs running Mac OS X...
In any event, Apple's immediate technical response and longer-term strategic response to MOAB should be interesting.
In all seriousness, no reasonable person thinks that "only" Windows can get viruses.
One comment I have had (which I doubt will be approved as a comment on the blog, since - other than technical posts - lmh only seems to accept congratulatory comments), and which I am curious to have feedback on is this, below, which was in response to lmh saying:
It's a matter of time to see this getting abused in the wild. Hopefully, due to exploits being released for every critical issue, the usual 'not a problem' claims will vanish (unless the guy is a total retard).
lmh,
Of course there will be exploitable issues. It's only a matter of time to see *any* issue being "abused" in the wild. What's curious to me is you're speaking of, for instance, this rtsp issue like it's something manifestly new or unique (I know it's a "new" issue itself; that's not what I'm saying). We've seen issues to date that have allowed arbitrary code execution by a user just, for example, visiting a malicious web page. And then, Apple fixes the issue. What more do we want or expect?
I know you and others are on this kick of wanting to "prove" that Mac OS X is "insecure". But I don't know what it proves, exactly. That all large software projects and operating systems have bugs? No reasonable person says that Mac OS X is invulnerable or has no bugs. That would be absolutely ludicrous. And ordinary users don't understand anyway, even when you show them something like this.
What people do understand is machines getting hit with malware on a routine basis, or getting owned completely from remote in an automated fashion, with no user interaction whatsoever, which, as I'm sure you're aware, has happened numerous times, often with far-reaching consequences of downtime, data loss, cleanup and remediation, and recovery, on the "other" desktop platform.
The real bottom line today and ever since Mac OS X was released is this: has the Mac OS X userbase to date, or will it realistically in the future based on past performance, be affected either:
1.) in absolute numbers, or 2.) as a percentage of the total userbase
on a greater scale (or anywhere NEAR) anything we've seen affect the Windows platform?
I guess I'm curious with what your exact beef is: is it ordinary users (correctly) thinking that Mac OS X is [insert some amount here] more secure, from a practical perspective, than Windows?
Is it Apple's type/speed/thoroughness of response to security issues, once reported or revealed?
Is it Apple (again, correctly, from a practical perspective) insinuating the level of security on comparison to Windows in its commercials?
Is it Apple's legacy code, which is rife with various opportunities for exploits?
What would possibly be more productive here, and what you also didn't answer in the FAQ, is what precise actions you think Apple should be taking to remedy, for example, bugs that it is not aware of.
Should it create new teams specifically to do code audits and find vulnerabilities proactively?
Should it make public comment on security issues before it has provided a patch or fix?
Should it provide more granular separate fixes and workarounds more quickly for individual issues, instead of waiting to roll them into the next security or OS update?
Also helpful would be some kind of outline of what you believe Apple is doing *wrong*, right now, on the security front.
And yes, I could make my own list. But I'm more curious about what you think. I'm also curious whether you recognize that, while there is still a long way to go, Apple has indeed greatly improved its response to security issues in direct response to complaints and feedback it has received from the enterprise/institutional community (e.g., via Apple University Executive Forum and MacEnterprise.org)? As a direct result, Apple started making detailed reports (at last far more detailed than they were before) of each issue addressed or fixed, links to (or creates) advisories where
Nothing is going to be "inspected" by US authorities, and if anything is "inspected", it's not at-will and not arbitrary.
This is an agreement for mutual legal assistance, and is a framework for submitting legal requests and subpoenas for information about an individual via established legal channels, as well as guidelines information to which US authorities are entitled from EU air carriers.
No one automatically has access to bank records or email accounts; a legal request must still be made to a bank or internet provider. This is a framework for making such requests to EU entities by the US.
Things like email address and forms of payment are part of the almost-two-decade-old Automated Targeting System (ATS), which uses metrics to attempt to determine in an automated fashion when an individual warrants further scrutiny. This is part of larger ongoing efforts to secure the information assessed by ATS.
If an email address is available, it is part of that set of information, among numerous other pieces of information. If something triggers an additional investigation, a legal request could, for example, be made to an internet service provider for the contents of an email account. Note that this is a court-ordered action, and not unlike a similar request that could be made by US authorities to a US company or entity; the difference, again, is that there is now a mechanism for the US uniformly making and EU entities responding to such requests.
Slashdot Mirror
Until I ask them what's to stop someone from standing in line with a large rucksack filled with explosives during say, the day before Thanksgiving? How about three people. One in the front of the line, one in the middle and one further back?
I love the look of fear and horror on peoples faces when I pose that question.
Anyone who hasn't though of that is a moron.
So do you have an idea of how many of those people we're dealing with?
Hint: it's the same number of people who feel much safer because of all the additional "security precautions."
So, should we educate them all and say, hey, you're far more likely to die falling off a ladder putting up Christmas lights than you would from a terrorist attack? Should we explain to them that we wouldn't be any fundamentally less secure if we had basically zero security at airports? (By the way, we do need to prevent things like guns and explosives from getting on the planes themselves - of course, that's another problem entirely and isn't related to ID.)
I guess my question is, how do you tell people that it would have been acceptable to DO NOTHING with regard to air security after 9/11, and actually have them believe you?
The problem is that someone falling off a ladder putting up lights is a tragedy. But no one (except friends and loved ones) cares. But when 20 or 200 or 2000 or 20000 people die at once, and when they die because someone who doesn't even know you HATES you with such fervent passion that they're still willing to kill you even after living in your own society for months or years, that bothers people. I don't think many people realistically, personally fear being killed by a "terrorist". They just want society at large to be protected from them.
But we're safe because they ask for ID and run you through a metal detector, they tell me.
But only after you've been standing in line, I reply.
Yes, the sterile area is a big thing. But there's nothing stopping someone from doing exactly what you've suggested against any number of soft targets, like, say, the Mall of America or numerous other locations. The point with airline security is still really keeping the PLANES secure, for better or worse, and that doesn't just include the cockpit only or preventing planes from being used as missiles.
It's about the perception of security, and people demanded it.
Do you really think the government - no matter who was in office - could have gotten away with making NO CHANGES to air security after 9/11?
Can you imagine how that would play in the press, or if there was ever any other event, ever? Look at me with a straight face, and tell me that they could have reasonably done nothing to improve security, either real or perceived, or a combination of the two.
I disagree that investigators must have ID to start with for an investigation. Let them start with nothing other than the facts of the crime. The core of the matter is that we're allowing our government to assume we are criminals, which is evil and the basis of a police state. By default, the government does NOT need to know who I am or what I am doing. However, we've raised two generations of SHEEP who submit to whatever the government says without question, and who do not know what freedom is.
Then, by all means, fly without ID, as you are legally allowed to do.
The problem is that it is human nature to assume someone is trying to hide something when it, well, looks like they're trying to hide something. So in the system at large, this means that they take greater precautions with someone who, for whatever reason, doesn't want to present any identification to fly.
This isn't about sheep or some higher-level conspiracy to keep people under the thumb of a fascist police state. These were reasonable regulations, which are exceedingly imperfect, to make air travel as safe as possible, and to make people feel it is as safe as possible - which is a huge component of this, by the way, since people not living in fear of air travel is, in its own right, an important social and economic factor.
Not your fault that people are afraid of something that will statistically have a far less chance of affecting them than dying of a toenail fungus or a drunk driving crash? Of course it's not. But do you actually expect the government to be the entity to somehow convince people that there's nothing to worry about while at the same time making NO CHANGES to airport/airline security? People DEMANDED change, and whether it's security theater or not, "people" wouldn't have accepted anything less than some "action" - read: changes - on the airport security front.
People can talk about reinforced cockpit doors and Israeli airlines all they want, but the fact is that the only response the government could have had - no matter who was in office - was a real, perceived, or a combination of both, "increase" in security at airports and on airlines.
So sorry. We can't show you that piece of legislation. It's a matter of national security.
That's because there is no "legislation" that says you must show ID. The legislation, in effect, is "the TSA can set guidelines for security in airports." The TSA, in turn, has security directives, some of which are secret because they pertain to security procedures and processes which they don't want people who would intend to circumvent them knowing about. Further, it's already been determined several times over the course of this that you can fly without ID if you submit to the standard "intensive" search that anyone pulled out of line gets. I fully realize some people will still think that's unacceptable, but the point is that you can fly without ID with the standard "intensive" search.
You can fly without ID. You could when Gilmore's case started, and you still can now. In fact, here's how. In fact, Gilmore's own site tells you how, in the form of the court decision specifically authorizing it.
The exact wording:
The identification policy requires airline passengers to present identification to airline personnel before boarding or be subjected to a search that is more exacting than the routine search that passengers who present identification encounter.
The very page describing the case says that he would have been allowed to travel at SFO without ID if he submitted to a search. That alone devastates the "secret ID law" claim, as allowing him to fly without ID, search or not, would have been in violation of that law.
First of all, his primary question is: Do citizens currently need to show ID in order to travel in their own country?
The answer is a resounding "no". He is free to travel by foot, bike, motorcycle, car, boat, or other device himself while not violating applicable pedestrian or traffic laws, or by bus or train, entirely anonymously.
Further, in his quest to "expose" this situation, he found at one of the largest airports in the country, San Francisco International Airport, that he WAS indeed allowed to fly without ID (if he submitted to a search).
Claims variously made by privacy advocates assert that showing ID is worthless; that the September 11 hijackers all had valid, government issued photo ID. Sure they did. But some form of identification, fake or not, gives authorities a place to start in an investigation, rather than nothing at all.
But please, even in light of that, remember: he WAS allowed to fly with no ID at SFO, and chose not to. I expect that he thought he'd find he would be denied everywhere, but then still chose not to fly at SFO simply because he didn't want to be searched and so it wouldn't stop his little "Achtung! Papers, please!" stunt before it started. That's his choice. And if you'd argue against a search, then you might as well argue against ALL security measures at airports.
There are some discrepancies here, most likely because of lack of communication or lack of proper specific words used to define things. First, TSA directives are secret. But they're not "laws". That's why they're called security "directives". These directives instruct the airlines and airports in terms of how to handle security; they're not arbitrary requirements that passengers must submit to or know about ahead of time: they are guidelines and directives for the handling of security issues, some routine and some special or time-specific, within airport and airline processes. That's the TSA's job. And didn't some call for the federalization of airport security?
I'm glad he's asking these questions, but I wish he'd be less sensationalistic and tinfoil-hat about it - especially since his primary claim is that he can't travel anonymously, which is not only tremendously wrong considering there are so many other public and private means to travel with no ID, but also because he would indeed have been able to fly with no ID.
Yes, all the 9/11 hijackers had valid IDs. So what? The ID requirement doesn't pretend to "prevent" issues; it's simply a place to start for investigators AFTER an incident, regardless of whether the IDs were real or fake...enabling investigators to get a list of names (again, real or not), issuing agencies for the IDs, and sometimes even pictures (which are many times real, even if the ID itself is fake). This information could be critical to an investigation when other lives may be at stake.
But, in any event, he already found he could travel by plane, without ID.
Don't know yet, but given that the 2007 North American International Auto Show is this week, we might be hearing more. And given that these will all be available for model year 2008, which will occur mid to late calendar year 2007, we'll have to hear something about price pretty soon. GM knows it has to be cost-competitive. And, frankly, buyers need to know that spending a little more up front will be better for everything from the environment, to fossil fuel foreign policy, to their pocketbooks. But even though compact fluorescents are provably less expensive over their lifetime than incandescents, it's still tough to convince people to change.
Company Vice Chairman Robert Lutz said in a statement that more than half of Americans live less than 20 miles from their workplace.
Is this actually true? I would like to ask Mr. Lutz for a cite or three to back this assertion.
Is this really that hard to believe? It seems reasonable that more than "half" of Americans live less than 20 miles from work.
The US Census Journey to Work: 2000 notes that "average travel time to work was about 26 minutes in 2000." This means that unless people are driving faster than an average of 46 miles an hour for their entire work commutes, which I find unlikely, Americans are, on average not going farther than 20 miles. Granted, this still would be an average, but other data in this publication, while all focused on times and not distances, would appear to support the claim that a good chunk of Americans are fairly close to work. Also, given the average radii of suburban areas around city centers, and the massive growth of office parks around the outside of cities, it's not at all surprising to me that "over half" of Americans live within 20 miles of work. Out of curiosity, why did this strike you as so surprising or unbelievable?
Who Ignored the Facts About the Electric Car?
GM's EV1 -- Who Killed Common Sense?
Also coming from GM in model year 2008 is the full hybrid GMT900 truck platform [1, 2, . This encompasses the Chevy Tahoe and Suburban, the GMC Yukon and Yukon XL, and the Cadillac Escalade and Escalade ESV, among others. The hybrid uses the GM/DaimlerChrysler Advanced Hybrid System 2.
The hybrids will feature:
- 5.3L FlexFuel Vortec V8 (able to run using E85, a blend of 85% ethanol and 15% gasoline)
- Active Fuel Management (AFM)/Displacement on Demand (DOD), disabling cylinders as needed for cruising
- Two 30kW electric motors inside of the same physical space as the normal automatic transmission
- A continuously variable automatic transmission
- Conventional 110VAC power outlets on board
- Hybrid system derived from the advanced system on already in use on GM's Allison transit buses
This advanced hybrid system, while not plug-in, will be offered on all model year 2008 GM full size SUVs, as well as pickups and fleet vehicles. The expected fuel economy gain is 30% over today's figures on the gasoline/FlexFuel-only AFM variant, approaching 30mpg for city driving. That's a damned good improvement. And when used with FlexFuel, they're using less fossil fuels - even including the fully burdened fossil fuel costs of ethanol - than Prius and Civic hybrid drivers, in addition to contributing to lower overall greenhouse gas emissions. As the process efficiency increases over the next few years, these numbers will improve.
Whether or not one likes or dislikes SUVs, or thinks people should be able to be told what types of vehicles they should or shouldn't be driving, or think subjective judgments can be simplistically made about what other people "need" or don't need, it's still an excellent step forward. While the Volt is very interesting (conspiracy theorists: think of some way the Volt is really still a GM plot to "keep electric vehicles down" or to assist big oil) and using centralized power generation and leveraging the existing electric grid and production capacity is a necessary step to the future, the full hybrid SUVs will be one of the big things that people buy in the short term, not to mention being one of the major things - if not the thing - that may make or break GM in the next decade.
Actually, you are completely, categorically, and 100% wrong.
Apple did NOT give anyone any order, court, legal, threat, or otherwise, with anything having to do with the wireless issue.
In fact, your entire timeline, and nearly everything in your post, is completely wrong.
Brief summary:
- The exploit was shown at Black Hat and demoed on a MacBook with a third party wireless card first. Apple was NOT informed of the issue.
- The issue affected numerous 802.11 chipsets, drivers, and multiple operating systems, including Mac OS X, Windows, and Linux.
- He "went quiet" because the Washington Post unleased a firestorm of bad press against ONLY Apple. This issue affected basically every platform and was a serious, general 802.11 vulnerability, but the Washington Post story and nearly all press coverage, especially mainstream press coverage, made it appear to be only an Apple issue, and often made no reference to multiple other platforms being affected. This was extremely embarrassing for SecureWorks, which claimed to be a responsible enterprise security company, so they probably told him to STFU, since he was doing his presentations under their name. Apple DID NOT do anything to force or otherwise or prevent him from talking. If they did, it would be easily provable. And no, there aren't any "gag orders" or any other such things.
- He didn't "reappear" and "tout it for an Intel chipset" (???). He showed it at Black Hat, and demoed it on a MacBook (with a third party wireless card). There were no "restraining orders", and your order of events shows you have no clue what you're talking about.
- Apple was the FIRST commercial vendor to patch this issue (partly because of the huge amount of negative attention that all the stories that made it look like only an Apple issue created). Only Linux drivers were patched sooner.
The reason you can't give any citations is because you're totally wrong, and your entire premise is wrong. Not only that, you CAN give advance warning anonymously. Further, Apple doesn't threaten people who tell it about security vulnerabilities. In fact, it routinely credits people - including some who remain anonymous or operate under pseudonyms - in its technical documents about security updates. Every security update has numerous people credited for providing information about security issues. There is NO CASE where Apple has taken ANY court action, ever, against someone who has reported a security issue. None. I know you're thinking "but, but, but, some blog told me this" or "I think I read such and such somewhere." No. There has never been any case of that, at all. Apple HAS sued to keep its future products and confidential information secret, but has NEVER taken any action for people reporting or disclosing security issues, period.
So basically, your entire argument, while being wrong to begin with, is still shattered because Apple has never taken any such action, in this case, or any other. Responsible disclosure to the vendor is the way to go.
Here's what really happened, from a post I wrote up about this yesterday, actually:
At the Black Hat Briefings in Las Vegas, Jon "Johnny Cache" Ellch teamed up with former SecureWorks researcher David Maynor to warn of exploitable flaws in wireless device drivers. The presentation triggered an outburst from the Mac faithful and an ugly disclosure spat that still hasn't been fully resolved.
Um, yeah, because nearly all of the news coverage of the vulnerability didn't describe it as the general 802.11 vulnerability that it was, affecting multiple chipsets and drivers and multiple operating systems, including Windows, Mac OS X, and Linux; it described it, and indeed trumpeted it, as vulnerability that affected Apple MacBooks and Mac OS X, with most articles making at best a passing reference that it could affect other platforms, if they even said that. Stories ran under headlines like "MacBook hijacked in 30 seconds -- wirelessly", and made it appear to be exclusively an Apple problem.
http://abcnews.go.com/WNT/story?id=2771492&page=1
One problem in this debate is that often, either side will make it seem like an all-or-nothing proposition; that it's either "full disclosure on day one" (or in this case, "day 0" ;-), or it's feebly report to the vendor and wait helplessly while the faceless vendor takes months to respond, if it even responds at all.
There actually is a middle ground.
Some say, "Hey, these vulnerabilities exist whether they're reported or disclosed or not," just as MOAB says in its FAQ. But the problem is that they overlook the practical side. Sure, the vulnerabilities, and maybe even working exploits, exist, but as long as they're hoarded (and not used) by very small and tight-knit groups of people, they're not getting actively exploited in the wild across massive userbases. Could high value 0day exploits perhaps be used for isolated penetration? Sure. But could they be used (for any period of time) for a mass-spread worm or other malware? Nope. It'd be hours before security firms and/or vendors identified the issue.
So when you choose to disclose previously undocumented issues before giving the vendor any chance to respond, which some claim they're doing to improve security, there is a greater chance of exploit across a much wider base of users, which can have a much wider and catastrophic impact. Some say that as a sysadmin, they'd want to know about such vulnerabilities so that they can protect and mitigate themselves. But other than for high value targets and corporate or government espionage - which can perhaps have their own channels for "earlier" disclosure when identified by entities like US-CERT or Information Assurance agencies - I don't see how people can reasonably expect to be targeted by extremely valuable and as-yet-undocumented vulnerabilities. It's a point of pride - and sometimes money - to sit on such vulnerabilities.
The bottom line is that the vendor should always be informed in advance, if there is any real concern about security on the platform, and not just ego stroking or slapping down "fanbois". How long in advance and how long a vendor should be waited on is somewhat subjective, of course. Also, no one's saying that an "independent" "security researcher" is beholden to a corporate interest. But then they shouldn't operate under the guise of responsibility or the feigned notion of wanting to "improve security", when some persons' mechanisms for disclosure are nothing more than PR attempts, or another notch in the bedpost (hmm, or probably NOT a notch in the bedpost...)
Because every time someone finds a security issue in OS X we have the same outburst from the Mac users, mostly in the form of personal attacks on the submitter. You think anybody wants to report an issue in OS X in the future? Is it worth 10000 angry emails, including death threats.
This argument is bogus.
People who don't sensationalize things don't get "10000 angry emails", and your death threat comment is laughable. No one's going to kill anyone for reporting a legitimate security vulnerability (and maybe - *gasp* - even doing it responsibly), and no, Mac "zealots" aren't "just that crazy".
Which was as I understand it true, and that was also the news.
Well, not really. It was only "true" with the third party wireless card, since that's all they were able to demo it with, yet all the news coverage made it look like any MacBook was instantly and easily remotely ownable, which is also false.
Where is the news of reporting about Windows, Solaris, Linux, OpenBSD or 802.11 security issues. The users of those technologies know they are vulnerable to attacks and take caution not to get hacked (Even home users with whatever knowledge they have).
No, that's not why there was no coverage. There was no coverage because Brian Krebs at the Washington Post is absolutely obsessed with "proving" that Mac OS X is "insecure" and his sensationalistic reporting was the beginning of the massive news coverage - initiated by his own coverage - that followed.
For years we have heard that it's next to impossible to take a Mac (It would be something like the mother of all hacks). Turns out the Mac had just the same issue as everybody else. Go figure.
I've never heard anyone worth listening to - including, and especially, Apple itself - say that Mac OS X is unhackable or invincible. And this news coverage wasn't highlighting the fact that, "Hey, this is a cross platform issue that also affects Macs," it was written with the sole purpose of conveying that Macs and Mac OS X are "insecure", that this was a huge and serious vulnerability (that, from the article and to almost all ordinary readers would appear to affect ONLY Apple), etc.
But it sounds like you're ok with lopsided and unfair news coverage like that because of what you say below:
Maybe Apple (And the users) should tone down the talk about their non-hackable system, if they do the media will find something else to write about.
Considering Apple has never said or done this or made this claim, I don't know where this sort of statement comes from. When Apple has commercials like the Mac and the PC and the PC has a cold, that's perfectly fair advertising as far as I'm concerned: it is 100% accurate to say that Windows is generally plagued with massive amounts of viruses, spyware, and other malware, while Mac users generally never have to worry about anything like that at all - and that is 100% true, and has been for the over five years since Mac OS X has been out. If it's more important to you do teach people a "lesson" who enjoy using Mac OS X because it actually gives them less real problems in real-life usage situations, then more power to you, I guess.
No, it's not true and that's what the exploit shows. There's a perception that they are invulnerable because there's just not that many exploits in the wild, but that's clearly false. They are vulnerable. Arguably not *as* vulnerable as a comparable Windows system, but vulnerable nonetheless.
No, it is true. Security isn't just whether or not exploits can or do exist. Security is a much larger issue, which includes how often people in real-life, practical, day-to-day usage situations are actually affected by issues that cause compromises, data loss, recovery and remediation time, and so on. To date, Mac OS X has required virtually none of these, and asserting that it's only because of marketshare is false. This is also not "security through obscurity"; Mac OS X has been out for over five years, and has high market penetrations in "target rich" environments, such as academic, research, and other institutional settings. They do indeed receive scrutiny - no, not as much as Windows, and not as much as open source OSes such as Linux - but plenty of scrutiny nonetheless. These claims that the only or primary reason Mac OS X hasn't been significantly affected to date are only because of marketshare are bogus, not to mention unprovable.
And this rtsp exploit doesn't "show" anything. There have been NUMEROUS other exploits that can affect Mac OS X (and Windows, and other OSes) in a similar way simply by just visiting a malicious web site. Some of these have been SPECIFICALLY targeted at Mac OS X, and have allowed arbitrary code execution simply by visiting a malicious web site. Are these vulnerabilities severe? Yes. Am I saying this is a good thing? No. I'm saying this is NOTHING NEW, and doesn't prove anything other than Mac OS X, like any other operating system or large software product, has bugs, some of which can be exploited as vulnerabilities. No sensible person claims otherwise. What matters is how Apple responds to the issue.
No, this is twisting my words and attacking a straw man. Small marketshare does not equate to lack of software. [...]
No, I'm not saying you said that, and not doing the strawman thing at all. What I'm saying is exactly what I said: that the "Macs have only been relatively trouble free because of low marketshare" is virtually identical to the "Macs have no software [presumably because so few people use them]" argument: they're both at the same time false and passively insulting, as well as untrue.
But marketshare does contribute to how fast a virus propagates. There's a critical mass associated with epidemics and virus propagation. Too few and the incidences get caught within the first few systems. It's ridiculous to claim that userbase and marketshare is not important.
Wow. I didn't. I said: "Sure, [low marketshare] doesn't hurt, and probably helps a great deal." Elsewhere, I have said the same thing. Marketshare is absolutely a great protector against the kind of critical mass it's relatively much easier to accomplish on Windows.
But that is not the only thing that protects the platform! There are other factors as well, such as Mac OS X shipping in a reasonably secure state by default, and not providing facilities and vectors for spread of malware as easily and sometimes ridiculously as they have on Windows. Does this mean it's impossible on Mac OS X? Of course not.
But I also take issue with this use of "from remote" in security nomenclature in general. There is a HUGE difference between a worm that spreads and/or owns machines completely remotely and externally, with no user interaction of any kind, and someone having to visit a malicious web site (and yes, I know there is precedent for inserting something into, say, advertising on popular sites). As we sit here and talk about this rtsp exploit, dozens (hundreds?) of affected Windows machines at my location alone are being cleaned up from the latest completely remote and automated Windows worm.
Which is a preposterous statement giving your
Many of the Mac faithful believe that their systems are largely invulnerable to viruses and exploits because that's what the Mac ads said.
But that's also mostly true.
Sure, MacOSX is not currently a worthwhile target because they are just not that many.
Ah, marketshare. This actually seems to be the 21st century version of the "Macs have no software" argument. After "Macs have no software" lost its steam (or people saw it as the crap that it was), the new thing is "Macs really are insecure - in fact, possibly horribly insecure - and the only reason you've been almost literally untouched for over five years is because your platform was so boring and your userbase so small."
It is not only marketshare that protects the Mac platform. Sure, it doesn't hurt, and probably helps a great deal.
As the userbase grows, however, it will be a target and it will be a BAD thing if all these users don't take appropriate precautions.
Ok, now we get to the meat of the discussion. So, what precautions, exactly?
if you're arguing that users should have, e.g., antivirus software instead of thinking that it's ok to run without because there are "no Mac viruses", or that pressure from an informed userbase will change a vendor's attitude and response to security, I guess I would agree (save for the fact that, to date, AV software on Mac OS X has literally done more harm than any malware has, with the 3 separate instances of false-positive problems doing anything from alarming users and having them do things like reinstall their OS when nothing is actually wrong, to actually quarantining critical pieces of the OS (like the swap file), thus crashing the computer and making people further believe that something is wrong or that they're "infected" when in fact they're not). Also, chances are, most things covered by MOAB wouldn't be covered by AV or anti-malware software anyway, so, from that perspective, how would changing a typical user's "attitude" help this situation?
People thinking that the Mac platform is "more secure" (overall, correctly) is mostly a PR and marketing win for Apple. The only thing I see changing a user's "attitude" doing is getting people to reconsider their decision to perhaps switch to Mac OS X because they're fed up with all the spyware and malware they deal with on a daily basis on Windows. And, for whatever it's worth, I think that's unfair.
Isn't the real issue how many people are *actually affected* by issues in the day to day, real-life use of their computer?
At the Black Hat Briefings in Las Vegas, Jon "Johnny Cache" Ellch teamed up with former SecureWorks researcher David Maynor to warn of exploitable flaws in wireless device drivers. The presentation triggered an outburst from the Mac faithful and an ugly disclosure spat that still hasn't been fully resolved.
Um, yeah, because nearly all of the news coverage of the vulnerability didn't describe it as the general 802.11 vulnerability that it was, affecting multiple chipsets and drivers and multiple operating systems, including Windows, Mac OS X, and Linux; it described it, and indeed trumpeted it, as vulnerability that affected Apple MacBooks and Mac OS X, with most articles making at best a passing reference that it could affect other platforms, if they even said that. Stories ran under headlines like "MacBook hijacked in 30 seconds -- wirelessly", and made it appear to be exclusively an Apple problem.
While this was made clear in their demo, they chose to demo on a MacBook with a third party wireless card whose identity was hidden - because of "responsible disclosure" - but then in the next breath tell Brian Krebs at the Washington Post that the MacBook's own integrated wireless is exploitable in the exact same way. How is that "responsible disclosure"? And to top it off, we have a SecureWorks "Senior Researcher" saying that he wants to fix Mac users' "smug" attitude about security (and this helps Mac OS X security in a meaningful way how?) and that many of these people apparently need lit cigarettes jammed into their eyes (to paraphrase). Even if said in jest or in fun, how is that professional? How does that do anything to better Mac OS X security?
How would a change in "user attitude" change the actual security situation on Mac OS X? I don't see a change in user attitude changing anything. Many Windows users know, at least marginally, that they are the target of innumerable attacks and thousands of pieces of malware. How does that change in any meaningful way the security situation on Windows?
More to the point: how does the press making a general and serious 802.11 vulnerability affecting numerous chipsets, drivers, and operating systems appear as only a MacBook problem serve a meaningful, or even truthful or accurate, security purpose?
For Ellch and Maynor, the controversy offered a double-edged sword. In many ways, they were hung out to dry by Apple and SecureWorks, two companies that could not manage the disclosure process in a professional manner. In some corners of the blogosphere, they were unfairly maligned for mentioning that the Mac was vulnerable.
No. They were maligned for saying they espoused "responsible disclosure", even carefully hiding the third party wireless card, but then saying that the MacBook's integrated wireless was vulnerable in the same way. NO OTHER AFFECTED VENDOR OR OS was treated that way. Only Apple.
They were maligned for being party to a Washington Post article that made outrageous accusations, like alleging that Apple "leaned on" them to not show this exploit, when there is no proof of that whatsoever.
They were maligned because after working with Apple engineers for almost a week at Black Hat, they could not provide any information directly to Apple on how, precisely, Apple's integrated drivers were vulnerable. Should they "do Apple's work for them"? No. But these weren't hobbyists. These were people presenting under the guise of an enterprise security company with responsible disclosure, and when you unleash a firestorm of bad PR on one and only one company's new flagship consumer portable, you'd better be prepared to have a little higher degree of interaction with that one vendor.
However, security researchers who understood the technical nature--and severity--of their findings, Ellch and Maynor were widely celebrated for their work, which was the trigger for the MoKB (Month of Kernel Bugs) project that launched with exploits for Wi-Fi driver vulnerabilities.
Yes. It was great that the
I'm sure many people on slashdot agree with this kind of reasoning, but I don't see why, considering it's logically inconsistent.
Why should technology benefit only "the people" and not "the government"?
Technology is a "force multiplier" for ordinary people and for our own convenience. Why should law enforcement/government be artificially hindered or prohibited from using technology in certain ways? What is the threshold? How many cameras is too many? When is it not acceptable for law enforcement/government to use a particular technology? When is it ok to use a camera? Say, a police dash camera? A telephone? The internet? A database? A computer? Google? Public records searches?
To say nothing of demands from people of all levels of government to become more modern, save taxpayer money, use resources more efficiently, and so on. But I suppose this is an argument that can't be won on slashdot, unless you take the "We're {becoming/already are/etc.} a police state" position.
Technological advancement cuts both ways. It makes things easier, and not just the things you want to do.
Ugh. :-(
APE isn't going to be necessary for ANY fixes from Apple. Apple will release their fixes in due course, and they'll be like all their previous fixes have been: normal updates to the OS that come down via Software Update, etc.
But since we can't directly fix Apple's code, this is a little technical exercise that fixes them with runtime patches. One very easy way to do runtime patches and code injection such as this is to use APE.
Also, APE is *very* easy to uninstall. It has its own uninstaller right in the installer, which will, categorically and definitely, uninstall every single last thing that has anything to do with APE.
Also, there is nothing wrong with APE, and here is a very detailed explanation of exactly what APE is and what it does.
All this project is is just that: a project. The community is welcome to inspect all of the source code, and anyone is free to use these runtime patches. Yes, QuickTime, and VLC, and everything else that will be covered in MOAB will be fixed by Apple and the various applicable vendors/developers. That is not at all the point of providing on-demand runtime fixes each day, and you have apparently totally missed the point of this projects, and the post you responded to where I pretty concisely explain it.
See here for details.
Uh...then look at the source code yourself.
Nothing is hidden, and Landon isn't trying to hide anything that's being done.
Also, these fixes are runtime fixes via APE modules. They only place they're "installed" is into APE, so they can all be easily removed/disabled at will (as can APE itself). There is nothing wrong with the principle of runtime patching, and this is really a technical exercise more than anything. But again, the code is all right there, and you can see exactly what is being done.
All this is a little fun exercise and a public service, if you will. Also, anyone can examine the code.
How do you uninstall these quick fixes? Simple. They'll almost all invariably be runtime fixes with Application Enhancer (APE). APE modules are just self-contained directories; nothing more. They can be unloaded on demand, and APE itself can be easily installed, uninstalled, disabled, and modules can be loaded and unloaded at will.
Also, Landon Fuller is anything but an "Apple fanboy", or in any way remotely interested in "saving Apple's rep". The idea is to look at the bugs, and see if a quick technical solution or remediation can be provided. No one has to install them. Since the code is available, anyone can see what's being done, including the rest of the community. If one wishes to wait for Apple's official patches, fine.
Aside from all of this, of course Mac OS X, like any other operating system or large software project, has bugs. Some of these bugs will enable vulnerabilities that can be exploited. I fail to see how any of this is surprising. If you're actually interested, I've summed up my thoughts on this here.
Kevin Finisterre, security researcher, founder of Digital Munition, and co-presenter of the Month of Apple Bugs, has also responded on the SecurityFocus focus-apple list to some of my concerns, expanding on some of the motivations and reasoning behing MOAB (followup).
Also, the second bug was just posted a few minutes ago: a udp:// URI handling vulnerability in VLC Media Player that affects both the Mac OS X and Windows versions of VLC Media Player. While not exactly what I'd call an "Apple bug" (yes, yes, I know the FAQ says they're also looking at "popular applications" that run on Mac OS X as well), it is interesting to note that vulnerabilities in cross platform applications may transfer more easily to the Intel-based Macs running Mac OS X...
In any event, Apple's immediate technical response and longer-term strategic response to MOAB should be interesting.
(Disclaimer: I am the story submitter.)
In all seriousness, no reasonable person thinks that "only" Windows can get viruses.
One comment I have had (which I doubt will be approved as a comment on the blog, since - other than technical posts - lmh only seems to accept congratulatory comments), and which I am curious to have feedback on is this, below, which was in response to lmh saying:
It's a matter of time to see this getting abused in the wild. Hopefully, due to exploits being released for every critical issue, the usual 'not a problem' claims will vanish (unless the guy is a total retard).
lmh,
Of course there will be exploitable issues. It's only a matter of time to see *any* issue being "abused" in the wild. What's curious to me is you're speaking of, for instance, this rtsp issue like it's something manifestly new or unique (I know it's a "new" issue itself; that's not what I'm saying). We've seen issues to date that have allowed arbitrary code execution by a user just, for example, visiting a malicious web page. And then, Apple fixes the issue. What more do we want or expect?
I know you and others are on this kick of wanting to "prove" that Mac OS X is "insecure". But I don't know what it proves, exactly. That all large software projects and operating systems have bugs? No reasonable person says that Mac OS X is invulnerable or has no bugs. That would be absolutely ludicrous. And ordinary users don't understand anyway, even when you show them something like this.
What people do understand is machines getting hit with malware on a routine basis, or getting owned completely from remote in an automated fashion, with no user interaction whatsoever, which, as I'm sure you're aware, has happened numerous times, often with far-reaching consequences of downtime, data loss, cleanup and remediation, and recovery, on the "other" desktop platform.
The real bottom line today and ever since Mac OS X was released is this: has the Mac OS X userbase to date, or will it realistically in the future based on past performance, be affected either:
1.) in absolute numbers, or
2.) as a percentage of the total userbase
on a greater scale (or anywhere NEAR) anything we've seen affect the Windows platform?
I guess I'm curious with what your exact beef is: is it ordinary users (correctly) thinking that Mac OS X is [insert some amount here] more secure, from a practical perspective, than Windows?
Is it Apple's type/speed/thoroughness of response to security issues, once reported or revealed?
Is it Apple (again, correctly, from a practical perspective) insinuating the level of security on comparison to Windows in its commercials?
Is it Apple's legacy code, which is rife with various opportunities for exploits?
What would possibly be more productive here, and what you also didn't answer in the FAQ, is what precise actions you think Apple should be taking to remedy, for example, bugs that it is not aware of.
Should it create new teams specifically to do code audits and find vulnerabilities proactively?
Should it make public comment on security issues before it has provided a patch or fix?
Should it provide more granular separate fixes and workarounds more quickly for individual issues, instead of waiting to roll them into the next security or OS update?
Also helpful would be some kind of outline of what you believe Apple is doing *wrong*, right now, on the security front.
And yes, I could make my own list. But I'm more curious about what you think. I'm also curious whether you recognize that, while there is still a long way to go, Apple has indeed greatly improved its response to security issues in direct response to complaints and feedback it has received from the enterprise/institutional community (e.g., via Apple University Executive Forum and MacEnterprise.org)? As a direct result, Apple started making detailed reports (at last far more detailed than they were before) of each issue addressed or fixed, links to (or creates) advisories where
"Mutual legal assistance" is a generic term for this type of arrangement, and doesn't speak to the balance of such agreements.
Guess I'll be the lone dissenting view, here...
Nothing is going to be "inspected" by US authorities, and if anything is "inspected", it's not at-will and not arbitrary.
This is an agreement for mutual legal assistance, and is a framework for submitting legal requests and subpoenas for information about an individual via established legal channels, as well as guidelines information to which US authorities are entitled from EU air carriers.
No one automatically has access to bank records or email accounts; a legal request must still be made to a bank or internet provider. This is a framework for making such requests to EU entities by the US.
Things like email address and forms of payment are part of the almost-two-decade-old Automated Targeting System (ATS), which uses metrics to attempt to determine in an automated fashion when an individual warrants further scrutiny. This is part of larger ongoing efforts to secure the information assessed by ATS.
If an email address is available, it is part of that set of information, among numerous other pieces of information. If something triggers an additional investigation, a legal request could, for example, be made to an internet service provider for the contents of an email account. Note that this is a court-ordered action, and not unlike a similar request that could be made by US authorities to a US company or entity; the difference, again, is that there is now a mechanism for the US uniformly making and EU entities responding to such requests.