First of all, it should be no surprise that virus protection companies are the ones who are the most vocal about these potential Mac OS X vulnerabilities. Without Mac viruses, they have no product to sell to the increasing numbers of Mac users.
Leap-A (the iChat worm) is essentially an executable disguised as a JPEG image file and requires the potential target user to manually accept the file download and then manually open the executable. Even Symantec classes the malware as a low threat because it doesn't automatically infect other's machines. The company says it has seen less than 50 infected machines.
The second piece of Mac OS X malware, Inqtana.A, is a Java-based "proof of concept" that exploits a vulnerability in the Bluetooth implementation in versions of Mac OS X that haven't been updated with security patches (specifically, Mac OS X 10.4.0). Inqtana.A exploits a vulnerability whereby it causes the affected machine to automatically send an Object Exchange (OBEX) Push request to any other system listening over Bluetooth. To spread, the targetted user must manually accept the data transfer. Again, this threat does not automatically infect other's machines.
Additionally, this potential Bluetooth exploit was actually documented way back in May 2005 and Apple issued a security update in June 2005 that closed the hole (Apple Security Update 2005-006). Apple also integrated that security change into all versions of Mac OS X starting with v10.4.1.
The worms that have made headline news, and now seem almost commonplace for Windows users, are the ones that spread without any user interaction due to the poor default configuration and automatic code execution of Windows -- they can infect millions of machines on the internet in hours.
The only relevant part of the article comes at the very end:
"Many viruses and worms, for instance, don't exploit security holes in operating systems. Instead, they use what are called ''social engineering'' techniques to trick users into doing things that they shouldn't do, like unwittingly installing programs."
"Rather than weaknesses in operating systems, such approaches exploit ''a bug in peoples' brains, which is much harder to patch,'' Mr. Cluley says."
Leander Kahney of Wired echos exactly my sentiments on these events:
By the way, the Safari vulnerability talked about in the above Wired article can be attributed to poor program defaults (along with poorly tested code for backwards-compatibility to Mac OS 9) and can be completely avoided by disabling the "Open safe files after downloading" preference in Safari. Keep in mind that Safari is just an application program which runs on Mac OS X and is not integrated into it in the way that Internet Explorer is integrated into Windows. Even if this vulnerability could not mitigated by a simple preference toggle, you could just uninstall Safari (a matter of simply dragging its icon into the trash) and install a different web browser in its stead (such as Mozilla Firefox). That's something you just can't do with Internet Explorer or other parts of Windows.
And in response to all the smug Windows apologists who think these recent developments prove that no operating system is truly safer than another and the number of exploits for an operating system are directly proportional to market share, I have this to say:
There were approximately 16,000 new viruses that targetted Windows XP in 2005. There have been 2, count them, 2 pieces of malware that targetted Mac OS X since 2001 (when Mac OS X was originally released). Taking market share into account (Windows XP at roughly 80% and Mac OS X at roughly 4%), we can extrapolate that there should have been 20,000 new viruses across all operating systems in the last 12 months (16,000 / 80%). At this rate, Mac OS X should have had 800 new viruses in the last 12 mo
I would also like to propose a separate extension for gay porn (.gay)
That way I could block it in my browser, and never have to see accidental gay porn sites again.
That's a great idea!
While we are at it, let's create a.goatse TLD, that way I don't ever again accidentally see another goatse picture.
Come think of it, we should just create TLDs for anything that anyone might consider offensive, it would make the Internet a wonderful place where you can only get inoffensive things. Just think of it, all you would have to do is block:.spam,.drugs,.abortion,.warez,.botnet,.republican,.msie-exploits,.music...
What's to stop people from ignoring these new TLDs and just continue with their paid for domain names, you say? We would create laws that make it illegal to post goatse pictures at any site that is not.goatse, of course. These types of laws have worked wonderfully in the past, especially in locations where U.S. law does not apply.
(This post not intended for the sarcastically-impaired).
Macintosh computers using Intel microprocessors do not use Open Firmware. Although many parts of the IO registry are present and work as expected, information that is provided by Open Firmware on a Macintosh using a PowerPC microprocessor (such as a complete device tree) is not available in the IO registry on a Macintosh using an Intel microprocessor.
After the switch to "Unix-based" Mac OS X, the Mac platform seemed to be just now stabilizing. I was planning to become a "switcher" myself with the purchase of a Mac Mini this month. At work, I had been planning to pitch the replacement of several ancient Win98 PCs with Macs. Kiss those sales goodbye, Apple.
With this announcement, I definitely won't be buying a Mac for at least 2 years now because I have to wait for the Mac-tel systems to come out and then wait for the inevitable kinks to be ironed out.
This is the ultimate Whiskey Tango Foxtrot moment in computer history.
By looking at the timing results for their fastest algorithm (algebraic manipulation), it appears that adding a single PIN digit increases the calculation time 10-fold.
Just by making the pin 8 digits, this crack would take over 12 minutes.
And then there's this little tid-bit:
"Note that the attack, as described, is only fully successful against PIN values of under 64 bits. If the PIN is longer, then with high probability there will be multiple PIN candidates, since the two SRES values only provide 64 bits of data to test against. A 64 bit PIN is equivalent to a 19 decimal digits PIN."
As Dvorak can no longer "credibly" write about how Apple and the Macintosh are dying, he has found a new target: the gaming industry. If he really wanted to pick something that really is dying, he should have went with BSD. Because as we all know, even Netcraft has confirmed it.
Tim's Law of Social Interaction: Nothing good will come of a conversation that starts with: "Here, smell this."
Seeing as that's my only social law, it's easy to see why I'm 35, single, and dateless for almost 12 years.:^)
I was going to mod you funny, but I thought I'd respond by pointing out a programmer "working on simulating nationalism and religious strife and their effects on planetary economies" for his own personal enjoyment doesn't help.;)
At 1024X768 this "High Definition" television can not fully render neither of the two High-Def resolutions of 720p (1280x720) nor 1080i (1920x1080 interlaced).
Maybe that is true for later versions of the toy, but my cousin's Teddy Rukspin would happily play and "sing along" to cassettes of Michael Jackson and Madonna.
"Conceding" is not a legal act. If it is shown that Kerry actually won (before Bush's second term officially starts), then he is our President Elect. Unless, of course, he refuses the position. Would Edwards then become President? What if he refuses also?
I believe it all to be academic at this point, however.
I suggest you start your own gas company and sell for $1.25
Don't forget the state and federal taxes you'll have to pass on to your customers... over $0.40 a gallon (at least in Colorado).
[sarcasm]It's not like "they're screwing you" with crazy, unjustifiable taxes. If you really think that "Big Government greediness" is to blame, start a revolution.[/sarcasm]
Perhaps that last interrogative should read, "Were there cave men at the other end of history that couldn't wait to get their hands on the latest in pretty, useless, time-sucking objects?".
Slashdot Mirror
First of all, it should be no surprise that virus protection companies are the ones who are the most vocal about these potential Mac OS X vulnerabilities. Without Mac viruses, they have no product to sell to the increasing numbers of Mac users.
Leap-A (the iChat worm) is essentially an executable disguised as a JPEG image file and requires the potential target user to manually accept the file download and then manually open the executable. Even Symantec classes the malware as a low threat because it doesn't automatically infect other's machines. The company says it has seen less than 50 infected machines.
The second piece of Mac OS X malware, Inqtana.A, is a Java-based "proof of concept" that exploits a vulnerability in the Bluetooth implementation in versions of Mac OS X that haven't been updated with security patches (specifically, Mac OS X 10.4.0). Inqtana.A exploits a vulnerability whereby it causes the affected machine to automatically send an Object Exchange (OBEX) Push request to any other system listening over Bluetooth. To spread, the targetted user must manually accept the data transfer. Again, this threat does not automatically infect other's machines.
Additionally, this potential Bluetooth exploit was actually documented way back in May 2005 and Apple issued a security update in June 2005 that closed the hole (Apple Security Update 2005-006). Apple also integrated that security change into all versions of Mac OS X starting with v10.4.1.
The worms that have made headline news, and now seem almost commonplace for Windows users, are the ones that spread without any user interaction due to the poor default configuration and automatic code execution of Windows -- they can infect millions of machines on the internet in hours.
The only relevant part of the article comes at the very end:
"Many viruses and worms, for instance, don't exploit security holes in operating systems. Instead, they use what are called ''social engineering'' techniques to trick users into doing things that they shouldn't do, like unwittingly installing programs."
"Rather than weaknesses in operating systems, such approaches exploit ''a bug in peoples' brains, which is much harder to patch,'' Mr. Cluley says."
Leander Kahney of Wired echos exactly my sentiments on these events:
http://www.wired.com/news/columns/0,70257-0.html?t w=wn_index_25
By the way, the Safari vulnerability talked about in the above Wired article can be attributed to poor program defaults (along with poorly tested code for backwards-compatibility to Mac OS 9) and can be completely avoided by disabling the "Open safe files after downloading" preference in Safari. Keep in mind that Safari is just an application program which runs on Mac OS X and is not integrated into it in the way that Internet Explorer is integrated into Windows. Even if this vulnerability could not mitigated by a simple preference toggle, you could just uninstall Safari (a matter of simply dragging its icon into the trash) and install a different web browser in its
stead (such as Mozilla Firefox). That's something you just can't do with Internet Explorer or other parts of Windows.
And in response to all the smug Windows apologists who think these recent developments prove that no operating system is truly safer than another and the number of exploits for an operating system are directly proportional to market share, I have this to say:
There were approximately 16,000 new viruses that targetted Windows XP in 2005. There have been 2, count them, 2 pieces of malware that targetted Mac OS X since 2001 (when Mac OS X was originally released). Taking market share into account (Windows XP at roughly 80% and Mac OS X at roughly 4%), we can extrapolate that there should have been 20,000 new viruses across all operating systems in the last 12 months (16,000 / 80%). At this rate, Mac OS X should have had 800 new viruses in the last 12 mo
Both. Adam worked for Jamie so technically it was Jamie's 'bot--but both worked on it.
Well, it appears that Konqueror now passes as well (not too surprising considering that Safari is based on Konqueror's KHTML rendering engine).
That's a great idea!
While we are at it, let's create a .goatse TLD, that way I don't ever again accidentally see another goatse picture.
Come think of it, we should just create TLDs for anything that anyone might consider offensive, it would make the Internet a wonderful place where you can only get inoffensive things. Just think of it, all you would have to do is block: .spam, .drugs, .abortion, .warez, .botnet, .republican, .msie-exploits, .music...
What's to stop people from ignoring these new TLDs and just continue with their paid for domain names, you say? We would create laws that make it illegal to post goatse pictures at any site that is not .goatse, of course. These types of laws have worked wonderfully in the past, especially in locations where U.S. law does not apply.
(This post not intended for the sarcastically-impaired).
-Mike
So the logical conclusion is to destroy it before the US even has a chance?
You forgot the part which will make your patent easily sail through the USPO:
"on the Internet"
-Mike
Fricken Laser; shark mounted.
-Mike
Macintosh computers using Intel microprocessors do not use Open Firmware. Although many parts of the IO registry are present and work as expected, information that is provided by Open Firmware on a Macintosh using a PowerPC microprocessor (such as a complete device tree) is not available in the IO registry on a Macintosh using an Intel microprocessor.
-Mike
With this announcement, I definitely won't be buying a Mac for at least 2 years now because I have to wait for the Mac-tel systems to come out and then wait for the inevitable kinks to be ironed out.
This is the ultimate Whiskey Tango Foxtrot moment in computer history.
-Mike
By looking at the timing results for their fastest algorithm (algebraic manipulation), it appears that adding a single PIN digit increases the calculation time 10-fold.
Just by making the pin 8 digits, this crack would take over 12 minutes.
And then there's this little tid-bit:
"Note that the attack, as described, is only fully successful against PIN values of under 64 bits. If the PIN is longer, then with high probability there will be multiple PIN candidates, since the two SRES values only provide 64 bits of data to test against. A 64 bit PIN is equivalent to a 19 decimal digits PIN."
-Mike
As Dvorak can no longer "credibly" write about how Apple and the Macintosh are dying, he has found a new target: the gaming industry. If he really wanted to pick something that really is dying, he should have went with BSD. Because as we all know, even Netcraft has confirmed it.
-Mike
-Mike
-Mike
-Mike
At 1024X768 this "High Definition" television can not fully render neither of the two High-Def resolutions of 720p (1280x720) nor 1080i (1920x1080 interlaced).
-Mike
CALL ENDED.
Maybe that is true for later versions of the toy, but my cousin's Teddy Rukspin would happily play and "sing along" to cassettes of Michael Jackson and Madonna.
-Mike
I believe it all to be academic at this point, however.
What, no execution?
I'm moving to international waters... who'll join me!? We can even raise the old jolly roger. ARRR!!!
Don't forget the state and federal taxes you'll have to pass on to your customers... over $0.40 a gallon (at least in Colorado).
[sarcasm]It's not like "they're screwing you" with crazy, unjustifiable taxes. If you really think that "Big Government greediness" is to blame, start a revolution.[/sarcasm]
-Mike
Fred posted his hardware specs on April 20th in this thread on the Information Week forums.
-Mike
Perhaps that last interrogative should read, "Were there cave men at the other end of history that couldn't wait to get their hands on the latest in pretty, useless, time-sucking objects?".
Oh, wait... they had cave women.