Zombie Macs Launch DoS Attack
Cludge writes "ZDNet has a story (and several related articles) about how Symantec has discovered evidence of an all-Mac based botnet that is actively involved in a DoS attack. Apparently, security on the exploited Macs (call them iBots?) was compromised when unwary users bit-torrented pirated copies of iWork 09 and Photoshop CS4 that contained malware. From the article: 'They describe this as the "first real attempt to create a Mac botnet" and note that the zombie Macs are already being used for nefarious purposes.'"
Re:Sigh (Score:2, Insightful)
I can almost hear the words of denial from the Mac Fanboys already. I can't hear the exact words, but I can sense the general whine.
Like any other UNIX OS, OSX is less vulnerable to such attacks than Windows, but it's far from immune. The truth is that a Mac is less likely to be targeted because it's a minority operating system.
If your intention is to create a large botnet, you are of course going to target the most popular operating system. Rightly, or wrongly, by most metrics, Windows is the most popular OS. That's why people rarely bother trying to create a botnet from Macs.
I suspect that this botnet has been created by a geek that is sick to death of uneducated Mac fanboyism, and in a small way, I have respect for that.
A small part of me wants OSX to become a majority OS, just so I can see Mac fanboys eat their own words!
OSX is a reasonable operating system whose reputation is ruined by technologically uneducated users :(
Re:Sigh (Score:5, Insightful)
What the hell are you talking about?
Malware, i.e. trojans, has been around for ages. This has nothing to do with the overall security of the OS and everything to do with the security threat the user is to themselves.
Hey, what a surprise (Score:5, Insightful)
If a user is tricked into installing malware on a machine, the machine is infected with malware.
It's a shame people think Macs are somehow magically protected against viruses and other nasty computer stuff, merely by virtue of the manufacturer and operating system. It's probably more of a shame that Apple has, in the past at least, marketed Macs as being (more?) immune to viruses than PCs - something which is somewhat true, but only for statistical reasons.
It's like STDs - if you're careless and go sticking your junk everywhere without taking precautions, you'll probably catch something cruel, eventually.
Re:FUD (Score:5, Insightful)
Sounds like someone has their panties in a twist. You might forget that strict permission levels don't imply security when the person behind the keyboard is an idiot.
Re:Sigh (Score:2, Insightful)
Technologically uneducated users? Can you explain to me how, at the last developer's conference I attended for an open source CMS, Apple users outnumbered IBM clone users by probably 3 or 4 to 1?
People who speak in generalities and think only in generalities. Problem is, that's not how the world works.
I've got your denial right here. (Score:5, Insightful)
Purposefully installing malicious software does not indicate a vulnerability. The user intentionally installed a piece of software that is doing exactly what it is designed to do.
There isn't an operating system on the planet that can protect you (or itself) from fraudulent user activity.
Re:May I be the first to laugh (Score:3, Insightful)
I'm a user who doesn't run applications downloaded from completely untrustworthy sources like pirate p2p networks and you're correct -- I don't need a virus or malware checker.
Fixed that for you.
Re:FUD (Score:2, Insightful)
Essentially, this makes it impervious to viruses. Even trojans are thwarted because smart users (Mac users) don't execute programs they don't know the origin of.
No computer system can withstand prolonged exposure to idiot owners. Macs are no exception. Your statement only confirms that :D
Re:Sigh (Score:2, Insightful)
This is simply unproven for all the reasons outlined in your post. Until you see *UNIX widely deployed as a "desktop" OS, all claims that UNIX is inherently more secure than Windows are nothing but untested theories.
Wake me up when *UNIX has 50% of the desktops and then we can debate which operating system is more secure.
Re:May I be the first to laugh (Score:4, Insightful)
Sorry, how does conficker spread again?
Re:May I be the first to laugh (Score:3, Insightful)
How would they even know what to learn in the first place?
And rightfully so. If the damn thing needs that much care and feeding, it is defective and should be returned!
in other news bullet placed in gun actually fires (Score:2, Insightful)
That must mean that Apple's Remote Desktop is a huge vulnerability. Giving the attacker complete control of the victim's system, and the ability to execute remote code! Oh the horror! Oh the humanity!
Re:I've got your denial right here. (Score:4, Insightful)
They didn't purposefully install the malicious software.
That would be like saying IE is safe, and it's the user's fault for purposefully clicking the "Install ActiveX" button that happened to install malware.
If the operating system was as safe as the crazy fanboys claim, it wouldn't have been able to install malware in the first place.
Not that I'm claiming that *any* OS is safer than any other, I'm just saying OSX did NOT protect the user.
Re:I've got your denial right here. (Score:2, Insightful)
Which is exactly how most Windows users get infected with malware, as well.
Re:B-b-b-but... (Score:2, Insightful)
No exploits necessary when the user downloads and willingly installs the application.
Instant Karma... (Score:5, Insightful)
No, the funny part is that the users who torrented and installed pirated copies of iWork 09 and Photoshop CS4 got exactly what they deserved. Instant karma.
Quality of posts (Score:5, Insightful)
It's a shame that the level of intelligence and knowledge of the posters to Slashdot seems to still be in decline.
I would think that anyone who wants to use this "revelation" as some kind of troll against OSX would at least be able to differentiate between a virus and a trojan.
There's a decent chance there will be some kind of unpatched OSX vuln that will be exploited à la what you see on a Windows machine, but until then you should just stew in silence and wait for your opportunity to post your "See OSX is no better than Windows" messages and then you won't look like such ignorant fools.
If you can install software on a computer, you can install software that is malware as well. I doubt anyone can fault Apple for allowing end users to install software that they choose to install.
Re:Hey, what a surprise (Score:5, Insightful)
Correct me if I'm wrong, but a trojan doesn't qualify as a "security issue" on the part of the OS. If a trojan succeeds in compromising the system, it's the fault of the user, not the OS.
Re:I've got your denial right here. (Score:2, Insightful)
Does your operating system phone home to the maker of every installer (independently of where the untrusted installer says to phone home) to check that it is indeed what it purports to be?
If so, then that's not a computer, that's a videogame console whose manufacturer has a stranglehold over what software you're permitted to run on it.
Are they any different? (Score:2, Insightful)
"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." Albert Einstein. "You make your choices and you take your chances," P.T. Barnum.
Re:Linux. (Score:5, Insightful)
Except this isn't a Virus. It is a Trojan.
Any OS can be infected with a Trojan even Linux.
I find it annoying that under Linux most software really expects to be installed as root.
Maybe there needs to be a new level called app for applications but then you have the problem of libraries.
Re:I've got your denial right here. (Score:5, Insightful)
They totally intentionally installed the software. You can't make a machine Malware proof without also making it software proof.
The whole notion of "Malicious Software" is a marketing creation for the sole purpose of making money off people who would rather spend money on software to watch their back than learn (bother) to help themselves.
Anyone who tells you different is confusing the issue. OS X has plenty of problems, this isn't one of them.
Re:Hey, what a surprise (Score:5, Insightful)
Also, like all linux distros, in order to do any real damage on a mac, you need to enter an admin password
Please stop repeating this fallacy! First, on a single-user system (e.g. the vast majority of home computers), the end user has rights to all the interesting data files (songs, pictures, documents, etc.), so anything running as the user can do significant local damage. Sure, the OS and apps may be protected, but that isn't really what the end user cares about (since that's all easily replaced). However, since the goal of most viruses/worms/trojans is to control the computer for distributed and untraceable nefarious purposes (and not have the owner notice), they don't do that anymore. They cause the computer to join botnets, connect to master control servers, and wait for instructions. Sending spam, scanning other systems for vulnerabilities, hosting fast-flux phishing sites, etc. don't require elevated privilege.
...uneducated Mac fanboyism... (Score:5, Insightful)
I suspect that this botnet has been created by a geek that is sick to death of uneducated Mac fanboyism, and in a small way, I have respect for that.
No, it wasn't. This botnet was created by a computer criminal who saw an opportunity to capitalize on people who install pirated software either because they are too clueless to know the risks or because they have deluded themselves into thinking it is a riskless act. The lesson we can all learn from this is the following:
"If you download pirated software off the internet and install it on your computer you run the risk of installing along with it carefully crafted malware that your security software or whatever other precautions you are taking may not be able to protect you against."
Note that this basic lesson is true on all incarnations of Mac OS X, Windows, Linux or any other network enabled operating system you can download pirated software for.
Now please crawl back under your rock and learn to write better trolls...
Re:Instant Karma... (Score:5, Insightful)
"They" got what they deserved? More like we, the internet public at large that has to suffer through botnet DoS attacks, got what we didn't deserve.
Re:Sigh (Score:5, Insightful)
I'm just guessing, but I think when he said "Technologically Uneducated Users" he was talking about Mac users, not developers. You might have missed the last 25 years where Macs claim to be more user friendly and cater to a less technologically inclined user-base, lending significant support to his suggestion. In short, not all Mac users fit that profile, but the ones that do are contributing to the negative image that OSX and Macs in general enjoy among a significant portion of the populace. Think "AOL", except replace the service itself with something worthwhile, and decrease the percentage of "Technologically Uninclined/Uneducated" users in the user-base from >99% down to about 80% or less.
More importantly, however, I think that he was implying that the users that claim that Macs are completely impervious to malware and that therefore Mac users need not take any precautions against infection are making the Mac community, and by extension the Mac OS, a laughing stock of the computer technology community. In short, the OS is technologically impressive in many ways, but a vocal portion of the users frequently make claims about it that are factually impossible and socially irresponsible. Not that this is exclusive to Mac, just better advertised and frequently sanctioned by the manufacturer.
Re:A matter of time (Score:3, Insightful)
In my experience, it's less common for them to pass a virus in an actual software installer; instead, they slip it into the corresponding keygen. By the time someone has spent an hour installing Photoshop, they usually don't think twice about double-clicking a little keygen.
Wait, did I say that out loud?
Which is why most smart TPB users run the keygens in a virtual Windows instance they keep around just for the occasion. I know viruses, trojans and other malware have been a feature of the Warez scene almost since the beginning but I find it strange if it is true that actually integrating malware into installation packages is something botnet constructors rarely do. By the time you have been so clever as to take all that trouble to set up a VM to run your keygen do you think twice about the malware being integrated into the Photoshop installer? I'm sure some security expert can explain why this is a dumb way to spread your malware but at first glance it seems like a pretty obvious way of spreading malware to me.
Re:Sigh (Score:1, Insightful)
Unfortunately Macs are now IBM clones
Re:I've got your denial right here. (Score:3, Insightful)
Regardless of what operating system you're on, there's this little feature called code signing.
If Apple actually signed everything they make, including the Setup/Installer packages, and drummed just that one little piece of security into their users then this type of malware-embedded-in-Apple-software attack just wouldn't be possible.
Re:Instant Karma... (Score:1, Insightful)
But I thought Macs were supposed to be virus-proof? That's what many slashdotters have been telling me over the last several months, in efforts to get me to dump my buggy PC. Could they have been... (shocking)... wrong? ;-)
Re:Sigh (Score:1, Insightful)
As for numbers at a conference, Apple users have already proved (in general, by their purchase) that they're willing to spend large amounts of cash to make themselves feel like they're different or special. I'd say that puts them high up the list of people who'd pay to go to a conference (rather than just staying at home, you know, actually coding).
Re:Sigh (Score:2, Insightful)
I don't know whether it is a double standard or what, but I believe that the difference is that once you have a Windows machine compromised at this point you may just as well reformat the entire thing.
Here users installed software that does something illicit, users were tricked into installing the software, but the trick was social, not technical.
This is not an Active X that became part of the OS because a user visited a cracked web-page. This is a user downloading and installing an application that does a bunch of unadvertised stuff.
Of course IF the user is running with Admin privileges, then he also might as well reinstall the OS, at this point all bets are off. To me the difference is that user installed something himself, he was not under the impression that there was no installation - there was an installation with full user participation.
Re:It should be noted (Score:4, Insightful)
That is very true, Free and Open Source from signed repositories is the safest way of getting software.
Besides, you must behave differently if you are going to install some weird binary from the Internet (which is not the case with Windows or Mac). That will scare off the newbies and more advanced users will know of dangers anyway. So the impact from similar malware in Linux will be limited, not to mention various distributions, DE's and suchlike.
Re:Instant Karma... (Score:1, Insightful)
No you idiot, they didn't, they will be losing a pittance of their bandwidth most likely, and maybe nothing else besides, the people suffering are companies the botnet will attack.
This is why, for example MS blocking security patches for pirated copies of windows is frigging retarded.
Re:Instant Karma... (Score:4, Insightful)
Anyone who says Macs are virus-proof doesn't have a clue as to what they're talking about.
Macs ARE harder to inject viruses into because the limited privilege escalation system used by Macs (and Linux) reduces the opportunities to run processes as root.
On pre-Vista Windows boxes, most people ran their default account with godlike administrator privileges. It's either that or:
Run a restricted account
Any time you want to install software
DO:
log out of your restricted account
log into the admin account
install the software
then go back to your restricted account.
REPEAT
After doing this about 5 or six times, you get frustrated and switch the "Administrator" flag on your restricted account and thus leave yourself open to attack any time you download something (or navigate to a malware page if you're running IE).
The vector for infection for this botnet was escalating privileges to install CS 3. It only happens once, and only happens briefly, but once is all you need!
Re:Instant Karma... (Score:5, Insightful)
This ain't a virus. This is a program, just like any other that you download and run.
Not to say that Macs are "virus-proof" - they aren't. But short of downloading pirated software and running it, there haven't been any attacks so your friends here on Slashdot are still giving you good advice.
Re:Sigh (Score:3, Insightful)
Until you see *UNIX widely deployed as a "desktop" OS, all claims that UNIX is inherently more secure than Windows are nothing but untested theories.
Dammit, I was going to utterly avoid these threads, but here goes anyhow.
Your statement is totally incorrect. Any OS may in fact be much safer than the others without being as widely distributed. It's not fair to claim that only xx,xxx PC's with xyxyxyxyx OS were infected this year as compared to xx,xxx,xxx,xxx with Windows. It is CERTAINLY valid to say that y% of PC's with xyxyxyxyx OS were infected compared to xx% with Windows.
Windows does make itself a bigger target by having a larger user base, and it's also likely a bigger target as many of the users of Windows are much less likely to know what to do to secure their OS compared to someone who chose to install a Unix based OS for example.
So either start using your head as was intended, to think and to use logic, or happily pop it back in the sand like a good ostrich.
Re:I've got your denial right here. (Score:3, Insightful)
What about one that warns you when "photoshop" starts accessing the internet or schedules itself to start regularly? The tech is already there in UAC, AppArmor, SELinux, etc. Sure, when many programs insist on updating themselves it gets more complicated, but surely pirates aren't going to want their photoshop phoning home anyway.
Re:Hey, what a surprise (Score:3, Insightful)
Yes that's correct - by definition a trojan is malicious software disguised as legitimate software. But what's your point? Who said there was a "security issue" with Mac?
90% of the problems on Windows are attributed to users installing malicious software. This is what Mac users go about claiming they are immune to, which is ridiculous.
Claiming to be immune to trojans is like claiming your OS is incapable of running software that can send an e-mail; after all, that is all some trojans do (i.e. spam bots).
Re:I've got your denial right here. (Score:4, Insightful)
So wait, let me get this straight ... You think that if a user installs an ActiveX, and clicks through the three or four warnings and clicks it takes to get it installed, that the OS is the problem? Please tell me that's not the case, cause if it is, you are an idiot.
There are only two choices here:
1) Let people install software from wherever they want, just like most OSes do it.
2) Only let users install apps approved by the OS vendor, like the iPhone.
So in case 1, the OS is the problem because the user did something stupid even after several warnings.
And in 2, the vendor is a complete and total prick who you hate because you can't install any random shitty app that creates the situation in #1.
You know, either way, you're still an idiot.
What OS do you know of that the user can't install malware in? Linux? Nope, can install malware there too.
Get a clue.
Re:I've got your denial right here. (Score:3, Insightful)
They didn't purposefully install the malicious software. That would be like saying IE is safe, and it's the user's fault for purposefully clicking the "Install ActiveX" button that happened to install malware. If the operating system was as safe as the crazy fanboys claim, it wouldn't have been able to install malware in the first place.
No, because in most cases that means the ActiveX applet exceeded the security permissions it was given through some exploit. Whether it's an ActiveX sandbox, Java applet, a privilege escalation exploit, circumventing file system/SELinux permissions and so on isn't really relevant, that's not the user's fault. If they run without permission by playing a video/music file, opening a document with macros, looking at the mail in Outlook and so on, that's not the user's fault. But imagine the two following situations:
a) I receive a malware script/executable that'll trash my documents
b) I write a script/executable to manipulate my documents
c) I send the script/executable in b) to myself on a different machine
By what logic would you like the operating system to work? "I can't let you do that, Dave. It might destroy your documents"? They're both the same as far as the computer knows. They run with the permission I give them and manipulate only files they're allowed to. Where I got them doesn't really matter, as long as I command them to run. Take a gun analogy - if the gun backfired and hurt you or if it started shooting without pulling the trigger, you could blame the gun. But if you point the gun at your own foot and pull the trigger, don't blame the gun for hitting you.
Re:Sigh (Score:2, Insightful)
Apple users have already proved (in general, by their purchase) that they're willing to spend large amounts of cash to make themselves feel like they're different or special.
The same could be applied to Windows users. In general, by their purchase, they've proven that they're willing to spend small amounts of cash to make themselves feel like they're different or better than Linux users.
Or Photoshop users. They've proven that they're willing to spend large amounts of cash to prove they're different or better than Gimp users.
Look, Gimp isn't Photoshop. I like Linux, and I like open source, and I use Gimp myself -- but I'm not a graphic designer, and Gimp is definitely missing large amounts of functionality that Photoshop has.
The same can be said about OS X vs Windows. Whether that functionality matters to you is a different matter -- like I said, I use Gimp -- but to pretend that Windows (or even Linux) is always just as good as OS X is just as ignorant as claiming that Gimp is always just as good as Photoshop.
I'd say that puts them high up the list of people who'd pay to go to a conference (rather than just staying at home, you know, actually coding).
I suspect that's why you're at home coding, rather than at work coding.
Communication is at least as important, even as necessary, as "actually coding", for anything beyond a one-man project.
Face-to-face meetings, and whiteboards, and projectors, can help to get a lot done in a short amount of time. While email and IM may be more efficient in some ways -- certainly it's cheaper than actually going to a conference -- I have definitely had the experience where I tried to communicate an idea back and forth with a developer via a board system (may as well have been email), and we just did not understand each other for several months. He flew out, and within one or two days, we were on the same page.
Before I had a real programming job, with a team of more than one, I had the same illusion you did, that this was all about code, and that a Mac is just a waste of money. I had some other assumptions, too -- that Windows was absolutely unworkable, that Javascript is a crappy language (and that HTML/CSS was a mess)...
Then I got into the real world.
HTML/CSS has a few messy implementations, but it's a fine technology in its own right. Javascript is an excellent language. And communication is as important as code -- indeed, I would cite communication skills above coding skills on my resume.
Now, frankly, you are just a troll, and probably not worth all that effort. But I see a bit of myself in you. Maybe you'll learn something today. Maybe someone else will.
If so, notice how that happened without any actual coding. Not counting <quote> tags, there isn't a line of code in this post.
Re:Instant Karma... (Score:5, Insightful)
That's the same story for most Windows malware.
Re:Instant Karma... (Score:5, Insightful)
Mod this up. The strongest attack vector is the social engineering vector.
Re:Instant Karma... (Score:4, Insightful)
Except they probably don't even realize it.
And everyone else gets to suffer for it.
That won't help in this case (Score:3, Insightful)
Regardless of what operating system you're on, there's this little feature called code signing.
If Apple actually signed everything they make, including the Setup/Installer packages, and drummed just that one little piece of security into their users then this type of malware-embedded-in-Apple-software attack just wouldn't be possible.
But these people were downloading a cracked version of the software (just not entirely in the way they expected). So they would expect that this would fail a validity test.
Obviously code signing would help if the user expected that whatever they were installing was totally genuine.
Re:Instant Karma... (Score:5, Insightful)
You make a good point except for the fact that if I just hide malware in the installation file, neither of your tactics are secure. The user is the weakest link in most attacks.
The user is a weak link in many security chains, but a hard one to exploit on a large scale. OS X and Linux do better on security partly because of market share, but largely because most malware is spread by automated worms and the fewer and more hardened services running by default on OS X and Linux machines provide a much harder target.
For trojans such as we're discussing, no OS has a good solution in place, excepting maybe SELinux or the like which is fairly limited and hard to use because it really isn't in high demand so developers don't target it.
Re:Sigh (Score:4, Insightful)
I think that "IBM clone" is pretty much a meaningless term, these days, don't you? Especially since Macs have switched from PowerPC (actually made by IBM, as I'm sure you know) to Intel (whose chips no longer bear much resemblance to the IBM chips of the past). Hell, Macs don't even use BIOSes anymore. Hell, IBM doesn't even make desktop PCs anymore. Anyway, sorry, this is way too persnickety, but these mac/pc/secure/insecure flamewars get my hackles up.
Re:Instant Karma... (Score:5, Insightful)
You have a point, but most malware doesn't need to run as root to do its job, so really getting access at all is "game over". Protecting root doesn't mean much when root isn't the target . . .
Re:Instant Karma... (Score:2, Insightful)
"No, the funny part is that the users who torrented and installed pirated copies of iWork 09 and Photoshop CS4 got exactly what they deserved. Instant karma."
So if I steal (OK, "bit-for-bit copy") a car and it steers into a pedestrian through a deliberate alteration in the vehicle that I copied, that's Instant Karma.
No, if you bit-for-bit-copy a car, and that car had some kind of mechanical defect that caused you to run into a building, THAT would be instant karma.
Re:Hey, what a surprise (Score:3, Insightful)
It doesn't imply that Macs are immune, it flat-out says that there aren't any viruses out for Macs and this is completely true. The ad truthfully states there are a ton of viruses for Windows and none for the Mac.
Is there malware out for the Mac? Sure there is, there's always been malware for the Mac in some form or another, but so far there is nothing that can be installed without the user's cooperation. User-installed malware is called a trojan horse, remote-installed malware is called a virus. If the ad claimed there is no malware for the Mac then I'd definitely agree that Apple is making false claims.
There are idiots on all platforms that will blindly install malware and you really can't point a finger at any operating system manufacturer. People have to be able to install software that does useful things like connect to the internet and that means that they will also be able to install malware. What's important is that the operating system provide as much protection from remote attacks and make it easy to recover from a malware infection.
Re:Instant Karma... (Score:4, Insightful)
Certainly for a lot of it, but I wouldn't say most. Just from my own experience cleaning up people's PCs, a lot of it is IE-targeting drive-by malware. Obviously the number of Mac trojans like this one in the wild is much smaller than the number of similar Windows ones. That's a practical difference, not any kind of baked-in protection. You can call it security by obscurity if you want. But that situation isn't going to change for a long time, if ever.
As to whether MacOS is *theoretically* safer than Vista with UAC turned on and Firefox as default browser, I don't know. Probably not. I do enjoy not having to put up with two or three dialogs and a screen dimming every time I delete a shortcut from the start menu. If you can handle running an XP box and keeping it clean, there's your Windows solution. For people who can't be trusted to do so, as well as people who can't stand constantly being interrupted when doing mundane things like enabling Wi-Fi, there's OS X.
Re:Instant Karma... (Score:3, Insightful)
... and no-one said Macs were trojan-proof, nor even virus-proof - just that there's a lot less attack vectors than Windows, and a lot less attackers.
Any system is going to be vulnerable to maliciously crafted & targeted code that is willingly (if unwittingly) run by the user.
Re:Instant Karma... (Score:1, Insightful)
Dude, seriously - take a break from 4chan.
Re:Instant Karma... (Score:2, Insightful)
The solution? Log in as admin and fix it.
Nope.
runas /user:administrator cmd
cacls <filename> /E /G Everyone:W
Now you see why the average windows user just runs as administrator.
Under OS X, you just type username and password of an administrator upon installation (and that only of SOME applications - you can install most of them just locally) and there is no file permission problem as you are running the application as a non-admin user.
Roberto
Re:Instant Karma... (Score:4, Insightful)
Do you know what OS the creator of that attack uses himself? He runs OSX on a MacBook Pro. It puts a rather interesting spin on the conclusion you want to draw.
Re:Instant Karma... (Score:3, Insightful)
http://developer.apple.com/opensource/index.html [apple.com]
When you post your sources, you practice security through peer review. The ones who do security through obscurity are the guys up in Redmond.
Also, don't kid yourself, IE8 fell on its first attempt too. It just so happens that Miller got the first try in the contest and who could blame him for wanting the Mac hardware over the PC hardware.