MacBook Hacked In Contest Via Zero-Day Hole in Safari

EMB Numbers writes "Shane Macaulay just won a MacBook as a prize for successfully hacking OS X at CanSecWest conference in Vancouver, BC. The hack was based on a Safari vulnerability found by Dai Zovi and written in about 9 hours. CanSecWest organizers actually had to relax the contest rules to make the hack possible, because initially nobody at the event could breach the computers under the original restrictions. 'Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. "Shane can have the laptop, I want the money," Dai Zovi said in a telephone interview from New York. TippingPoint runs the Zero Day Initiative bug bounty program.'"

switcher

[BorgCopyeditor]

that's it! I'm switching back to Windows!

Re:

[anonymous_but_brave]

Lets see how quickly Apple responds to this hack. I recall an Ubuntu vulnerability [securityfocus.com] being patched within the week that it was reported - I don't think Apple (or MS for that matter) could respond so quickly.

Re:

[Anonymous Coward]

It's pretty difficult to fix a bug for which no details are available. As of yet zero information has been released other than that a "JavaScript" flaw in Safari was used in the exploit. The Ubuntu flaw you reference was reported directly to Ubuntu with all the information necessary to fix it. We'll start our timing from when Apple is informed of the details, shall we?

Re:

[gerrysteele]

Don't they read teh internets like us too?

Re:

[Mister Whirly]

"Apple-users and -developers exclusively use the proprietary Elitistnet"

Shhhh, you aren't supposed to tell non-Mac users of it existence!!

Re:

[Paradise Pete]

Lets see how quickly Apple responds to this hack.

Well in the nightly Webkit builds the javascript engine has been overhauled, so chances are it's "already" fixed, in a sense. Up until now it's looked like Apple's been prepping that for a Leopard release, but maybe this will prompt them to move it up.

By the way, those Webkit nightlies are really looking strong. [ajaxian.com]

Re:

[alittlespice]

it's not a story if it's not hacked, so they made it easier to hack? wtf?

Explanatin of rules relaxation

[Overly Critical Guy]

CanSecWest organizers actually had to relax the contest rules to make the hack possible, because initially nobody at the event could breach the computers under the original restrictions.

In other words, nobody was able to remotely hack the machine, so they allowed for local exploits, which someone used in a Safari URL.

Expect Apple-haters and other FUDmeisters to completely ignore the difference, like InfoWorld did yesterday in their breathless headline about "remotely breaking in."

Re:Explanatin of rules relaxation

[DECS]

InfoWorld Publishes False Report on Mac Security [roughlydrafted.com]

"Nancy Gohring, writing for InfoWorld, delivered a misleading report yesterday on a Mac security exploit contest held at the CanSecWest conference in Vancouver, BC.

"In her defense, it appears likely that Gohring did not write the headline for her InfoWorld article, which described the contest winner as being "able to remotely break into a Mac as part of a contest designed to illustrate security flaws in OS X." That part was simply wrong.

"Whoever did write the headline must have been smoking weed in celebration of 4/20, because Gohring's article clearly described a local exploit. There's a big difference between the remote exploits that made Windows infamous for its insecurity and a local exploit of an application."

More info under a series of subheadings:

Gohring's Mac Security Myths
Microsoft's Security Embarrassment
Mac OS X and Security
The Mac Minority Malware Myth
Why Macs Aren't Sending You Spam

So, if I reaf TFA correctly:

[noewun]

The machine couldn't be hacked, so they relaxed the rules so it could be? I wish they'd been more explicit as to what 'relaxing the rules' meant. But maybe that would've spoiled the story.

Re:So, if I reaf TFA correctly:

[richdun]

If I recall correctly, originally the requirement was remote access, but when that went nowhere, they allowed entrants to submit URLs that would be navigated to via Safari. Check out Engadget for more details...

Re:So, if I reaf TFA correctly:

[RalphBNumbers]

As I understand it:

The rules originally required getting a user shell on a macbook connected to a wireless router without any other access, or getting a root shell under the same conditions on a second macbook without using the same bug.
The prize was the macbook(s) you hacked.

But they decided not enough people were interested, so 3Com added a $10,000 bounty for a winning bug.

But no one could crack it, so they set the machine up to visit malicious web pages submitted by email.

Then someone found a bug in Safari, and successfully crafted a webpage to exploit it to get user shell access.

Admin user or regular user?

[goombah99]

I wish they would say if the user that safari was running under was admin or regular. If it was admin then this is even less of a hack than it already is. Also I wonder if they disabled the safari feature to automatically "open safe files after downloading". That option puts a lot of trust in other programs not to have holes. indeed it's not really safe at all. Only stupid people or people that don't do stupid things leave it on.

Bottom line no remote hacks.

Re:

[realthing02]

Bottom line no remote hacks under their rules

corrected.

The prepositions are killin' people around here.

Regular User

[Anonymous Coward]

It appears on the Cansec website that the contest was for shell access on a regular users account.

2007-04-20-14:54:00.First_Mac_Hacked_Cancel_Or_All ow
Just to review the rules, the first box required a flaw that allows the attacker to get a shell with user level privilages. The second box, still up for grabs, requires the same, plus the attacker needs to get root.

http://cansecwest.com/ [cansecwest.com]

Re:Admin user or regular user?

[Tickletaint]

From one Mac user to (presumably) another, please get your head out of the sand. These "stupid people" to whom you refer you might otherwise know as "The Rest of Us." It doesn't matter how technically competent you are, we are all "stupid" every now and then—or do you only ever visit the same two or three well-known sites every day? Even if you do, how can you be sure they haven't been compromised by, say, some sort of injection attack? Or even by an unscrupulous advertiser in an iframe?

And why on earth does it make a difference whether the user account was admin or regular? If an intruder has access to your personal documents, you're just as fucked either way.

Re:Admin user or regular user?

[geekoid]

because you can encrypt your personal documents, and if many users are on it only one of them gets hit.

However, if someone has access to root, they can do a lot more malicous things. bots, keloggers, etc...

Re:

[Tickletaint]

(1) FileVault won't help you here, since an intruder gaining Safari's privileges (e.g.) has access to everything Safari has access to, namely, your entire home directory. Besides, do you encrypt your entire home directory?

(2) You don't need root to launch an application (like a bot) or even install a keylogger (suid isn't set for KeyboardViewerServer, for example).

Re:

[Greyfox]

Third thing I did on both my macs (After dragging terminal to the dock and the MS demo apps to the trash can) was download and install Firefox for OSX. Not that I'd let my guard down because of that.

Hmm... the way Apple packages apps it'd be pretty easy, I think, to run the web browser in a chroot jail. You can probably still get out of a chroot jail but it'd make compromising anything important on the system that much harder.

Re:

[dr.badass]

Third thing I did on both my macs (After dragging terminal to the dock and the MS demo apps to the trash can) was download and install Firefox for OSX.

The little birdie network is saying that the hole is actually in the Java plug-in, so Firefox with Java enabled has the same problem.

Re:

[bynary]

Soooooo...is it a problem with OS X or a problem with Javascript? I read that the same vulnerability exists for FireFox on Windows [com.com]. Seems to me like this has little, if anything, to do with Mac OS X specifically.

Re:

[Tickletaint]

Interesting that your sig:

You are coming to a sad realization. Cancel or allow?

skewers that very behavior of Safari you describe [third-design.net]. Of course, if you have "open safe files after downloading" turned off, it's even more obnoxious—you have to find the file on your desktop and open it manually. Exactly the sort of repetitive task I thought my computer should be doing on my behalf.

Re:

[NickFitz]

...you have to find the file on your desktop and open it manually. Exactly the sort of repetitive task I thought my computer should be doing on my behalf.

Or you could double-click on the file's icon in the Safari downloads window. If you really want to examine it in the Finder, then you can click on the magnifying glass icon to view it.

Exactly the sort of task your computer does on your behalf :-)

Re:

[Tickletaint]

Sweet, thanks for the tip. I don't know why I didn't think to try double-clicking.

Will it still pop up that annoying confirmation dialog on disk images and zips? Because I think we can all agree that's just another way, when the inevitable happens, to shift blame to the user.

Re:

[NickFitz]

IIRC the icon didn't do anything on the early versions of Safari - the double-click behaviour was introduced either with Tiger, or perhaps on one of the Panther versions. (I could never work out why it didn't do anything on the early versions - it seemed such an obvious thing.)

It doesn't display the confirmation dialog on my machine, although it's possible I disabled that myself.

The "never opened before" dialog is good.

[Kadin2048]

I'm not exactly sure what the default settings are like, because honestly it's been years since I've used a Mac that was in its out-of-the-box, default state, but the way I have it right now, the only warning I get is when I'm about to open an application that's never been run before.

This, IMO, is a Good Thing. It's only a half a second delay when I really do want it to launch a new application, and it's a nice heads-up that the computer is doing something that I've never done with it before. More than once

Re:

[kybred]

Turning off the 'open safe files' prevents drive-by downloads from being automatically executed.

Re:

[Locklin]

Can you easily run safari as admin on osx? Why would this be possible? If it is, thats a security vulnerability in it's self.

It should never be easy for the user to do something completely stupid, otherwise they will!

You are about to send your credit card information over an unencrypted channel Cancel or allow?

Re:So, if I reaf TFA correctly:

[Phil246]

The Register is a little more informative in that regard, from http://www.theregister.co.uk/2007/04/20/pwn-2-own_ winner/ [theregister.co.uk]

The pwn-2-own contest got off to a slow start on Thursday. The rules originally mandated an exploit that required no action on the part of the user. The reward for a successful hack was the machine that had been compromised. Conference attendees were underwhelmed, reasoning a Mac exploit that required no end-user interaction could be sold for upwards of $20,000. Things changed significantly on Day 2. That's when Tipping Point upped the ante with its promise of a $10,000 bounty. Contest organizers also relaxed the rules so exploits could include malicious websites that attacked Safari.

no such thing as a white hat...

[Animaether]

...is there?

I mean - I can only assume this was a 'white hat' hackers conference, given there was actual publicity given and a public bounty and such. But then things like these pop up?

"'Shane can have the laptop, I want the money,' Dai Zovi said in a telephone interview from New York"
"Conference attendees were underwhelmed, reasoning a Mac exploit that required no end-user interaction could be sold for upwards of $20,000."

Makes me think.. black hat, white hat.. what's the difference these days? I thought a white hat hacker was the 'good guy' (albeit still a hacker).. the kind of person who hacks for fun / curiosity.. the kind of person who notifies the developer of the bug or, at least, just makes the bug known to the world at no charge. Not the kind of person who hacks, then scours the 'security conferences' for a bounty, and when that bounty is lower than what they could get off of actual 'bad guys', complain that the bounty is too low. To me, that just sounds like the person is a black hat, but dons a white hat on top in an attempt to fool us into thinking they're white hat.

Re:no such thing as a white hat...

[ancientt]

Okay, maybe a black hat tendency, but there might be alternatives.

There are plenty of security companies out there legitimately trying to sell their software, plenty of people who would love to be the only ones who have a defense against some secret hack. If you want me to spend time finding a vulnerability and then into writing an exploit, my time would not come cheap. I'm not even talented in that direction. Imagine that you're a security researcher who gets paid for your time investigating and resolving potential security breaches, what kind of payoff makes it worth investing your time in that gamble? It has to be a pretty penny or else you're better served doing what you do for a living.

"Give me the money" is a legit response when you've invested your time and effort into something with that as your goal. If he'd said "I don't hack for fun or evil, I only did this for the contest and expect to be given what I was promised" then I don't think you'd have the same take. There is a good chance that is exactly what he meant too. You might be shocked to learn that a lot of us who are considered computer geeks are not the world's foremost verbal communicators.

I love my job, but I won't work here long after they stop paying me.

Re:

[doggo]

"You might be shocked to learn that a lot of us who are considered computer geeks are not the world's foremost verbal communicators."

Well, only if you disregard grammar, spelling, and vocabulary.

Re:

[tqbf]

These are some of the top security researchers in the country. Do you know what security research bills for? Why does he have to work for you (or "the developers" --- those altruists!) for free?

Re:

[tqbf]

What an asinine comment. The people who write viruses create viruses. The people who find vulnerabilities don't create vulnerabilities.

Warez-R-who???

[Crash Culligan]

The Register: reasoning a Mac exploit that required no end-user interaction could be sold for upwards of $20,000

Wait, wait, wait, wait. Where does one go to sell operating system exploits? And how hard would they be to shut down?

We may be onto something here: there may be a social solution to a technological problem.

Re:

[Divebus]

Relaxed rules = they gave out the root password and let them sit at the keyboard for a while.

The Register is more informative.

[twitter]

I wish they'd been more explicit as to what 'relaxing the rules' meant. But maybe that would've spoiled the story.

They allowed user activity, aka he browsed to a site he created for the purpose. It seems this is not a full auto worm type exploit of the kind common in the Windoze world. See here [theregister.co.uk]. It's hard to say if the problem was javascript of something like Flash called by it.

All the M$ tools are going to be underlining their popularity arguments and slinging mud at all the more secure OS. Even

Karma be dammned

[The Bungi]

It says a lot about you and about Slashdot that you can hop on an article about someone hacking OS X, do your "M$ Windoze" routine and then get modded up for it. Seriously though, I'm sure that once Taco figures out his MySQL problems he'll have a tasty Microsoft FUD story for you to comment on. I suggest you wait for that?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[LordSnooty]

If you're talking about Vista, maybe it makes more sense from their perspective to sit on the exploits until Vista is more widespread, if they can keep a secret that long.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[jdbartlett]

Is greater market share the only reason penetration of a system is attempted? No, of course it's not; but a vulnerable system with greater market is more appealing when planning a malicious attack.

Notoriety is pretty low down on a penetration expert's priorities, especially if he's targeting Windows (imagine the headline: "Shock! Horror! Windows MAY be vulnerable!") Even in the case of this competition, I'd be surprised if any of the entrants believed they would gain fame/infamy outside a niche maligned

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[NickFitz]

To the asshole that follows me around modding all my posts down: Keep wasting your mod point shithead. I've got more Karma than you'll ever have mod-points.

It's actually a swarm of mod-bots doing it.

Zero Day misnomer

[Gary W. Longsine]

Smarter botnet herders may protect their zero-day exploits and use them sparingly, as you suggest. Within the past year, more than once, zero day exploits were discovered in the wild by security researchers. In one case the exploit discovered was apparently directed at a single user in a U.S. Federal government agency, suggesting that at least some of them do just that.

In my expeience, managers of large organizations do not take Zero Day risks seriously, and often don't really understand them. The ris

Re:

[biftek]

The intent was always that the rules would be progressively relaxed - see http://www.securityfocus.com/archive/142/464216/30 /0/threaded [securityfocus.com] from last month.

Konqueror

[Anonymous Coward]

Safari's rendering engine is based on KHTML. So is Konqueror affected by this flaw as well?

Re:

[Fooker]

Thats a good question. There's a good chance it could be. Then again with the speed that updates/patch's/fix's come out for Linux, if it does it'll be fixed in a relatively short time.

Re:

[Tickletaint]

Why say "Linux" rather than open source? KHTML has nothing to do with Linux. Anyway, from what I've been reading, it seems more likely related to a bug in JavaScriptCore [webkit.org], derived from KJS and which is also open source.

By the way—

updates/patch's/fix's

Should be "update's," for consistency.

Re:

[Mike Buddha]

Yeah, that's why I always refer to the platform as Linux-Perl-BASH-Apache-Xwindows-KDE-GNOME-GNU-Pyth on-Emacs-XEmacs. See if you just say 'Linux' then nobody knows what the hell you're talking about, and the purpose is to communicate, right?

Re:

[makomk]

Safari's rendering engine is based on KHTML. So is Konqueror affected by this flaw as well?

It could be, though IIRC most of the past security holes have only affected one and not the other, for some reason.

Re:

[TheRaven64]

WebKit was forked from KHTML and developed internally at Apple for about a year before Safari was released. Then the patches were all sent back in one big lump. During this time, the KHTML team cleaned up the code a lot, and had to go to a lot of effort to re-import all of the WebKit patches (some weren't needed, since the same functionality had been re-imported). This continued in the run-up to OS X 10.4, where large blobs of patches were released in one go, making it very hard for the KHTML team to kee

Re:

[failedlogic]

Wonder then if the flaw is fixed in latest Konquerer, that Webkit is also safe. I'm using Webkit and its a whole lot faster than Safari so I'm using it almost exclusively.

Re:

[99BottlesOfBeerInMyF]

Safari's rendering engine is based on KHTML. So is Konqueror affected by this flaw as well?

That is a possibility, but it is a lot less likely than most people would assume. The reason for this is that what most people think of as a Web browser (like Firefox) can be broken up into multiple parts, only one of which is shared between Konquerer and Safari. Both browsers separate the HTML rendering from the application, file handling, and GUI, so that the former can be used by other applications as well. Writing a Web browser that runs on OS X, using the included development tools can be done withou

OT: Discussion2 down?

[pintpusher]

I'm using discussion2 and my floating bar and the expand comment links aren't working. anyone else see this?

Also getting 503's for my personal page. huh.

OT: Same here.

[Kadin2048]

Yes, I got the 503 "Service Not Available" error on the personal page (~/Username) also. Maybe they're doing work on the database or something, and don't want the extra load...? When I saw that, I was actually a little surprised that comments were working at all.

Re:

[pintpusher]

right. time for bed then. 'night all

Re:

[ystar]

me too, on osx (firefox). hope its something easy to fix on /.'s side

disconnected computer in a box attempt

[timmarhy]

was the macbook actually running any services that were listening on the network? if so what where they. it easy to claim security when all your ports are closed up. but it also means your useless, like a computer in a box.

Re:

[Anonymous Coward]

You know, a Macbook isn't supposed to be a network server, but a client computer. It's a frigging LAPTOP. Which port DO need to be listening on the network for a client computer to be 100% useful to the average user? Not that many...

Read a better article than the one linked.

[Anonymous Coward]

The MacBook was actually only hacked because they lessened the rules and actually had someone open Safari and use a malicious website. No ports were closed nor was the firewall running.

This seems a little sensationalized...

[Rod76]

I'm a Mac user and as such I'm not claiming invincibility although the "Unix" like foundation makes me more secure its still the end user's responsibility to not run as admin or God forbid root. Not to mention using a good firewall or correctly configuring the one that's already built in is vital and just practicing caution on the web. That aside I just don't think this is entirely honest, I wish they would disclose all the variables involved to include all settings used. But as others here have said considering Apples foresight using open source means the between Apple and the Konqueror devs this will be quickly addressed. But my gut feeling here is that something stinks in Denmark!

Re:

[Tickletaint]

You don't need root to rm -rf ~.

Or to osascript -e 'tell application "Mail" to send contents of folder "~" to everyone in Address Book'.

Re:

[blibbler]

From the article it appears they used the default settings that came with the machine. They later allowed people to send them URLs that they would load into Safari. It sounds like the reason they did not release the settings used was to keep this exploit contained, and that they will provide the settings to Apple.
I have been a dedicated mac user for more than 10 years, but I find it ludicrous that people believe that macos is invulnerable or any discovered exploits must be fake.

So not the OS then!

[Goth Biker Babe]

So they couldn't get in directly and had to use a hole in an Application. Just remind me how many holes have IE and Firefox had in the past?

OS-X is essentially BSD with a second layer on the top being the frameworks from Next and Apple and the applications. If they find vunerabilities in the lowest layer of code then Linux is in trouble too because there's an awful lot of shared code there. Anyone remember the ssh hole which allowed you to root a box? So the issue would be in the Apple provided layers.

A

Re:

[feranick]

What does Firefox have to do with it? I hope you are not saying that IE AND Firefox are equally responsible for the security problems under Windows...

BSD

[Coolhand2120]

Pretty sure BSD is Unix, not Linux. Funny it's called OSX, it ought to be called OSomeone else made this shit.

'X' marks the spot.

[Kadin2048]

Funny it's called OSX, it ought to be called OSomeone else made this shit.

Well, I always assumed that part of the reason for calling it "OS X" (instead of MacOS 10) was because the 'X' references the 'X' in NeXT, who did a lot of the work on what we now call Darwin. So they were the "someone."

Why are you annoyed?

[MarkByers]

> I get anoyed at people saying how secure OS-X is or Linux or what ever.

Why do you get annoyed? Does it make you feel inferior or something?

Here's a quick lesson: learn to ignore it and get on with your life. If you don't have the time figure out Linux, or you don't have the money to spend on a Mac, no-one will begrudge you that. Just be proud with what you have and don't let anyone get you down. Seriously, it's not worth getting annoyed over.

Re:

[MarkByers]

> Maybe you didn't notice, but she's a Mac user.

I don't see how that changes my advice. I wasn't specifically my advice at her. My point was that you should not get annoyed by what other people say... about your operating system, your car, or anything. Who cares. Getting annoyed about things like that is pointless and achieves nothing.

Re:

[Anonymous Coward]

OS-X is essentially BSD

No, it's not. OS X has some modified BSD user land tools and that's the only thing they truly have in common.

Um, no.

[eli pabst]

If they find vunerabilities in the lowest layer of code then Linux is in trouble too because there's an awful lot of shared code there.

What are you talking about? There really shouldn't be any code overlap between Linux and OSX in terms of the operating system itself. Linux is complete rewrite of Minix and isn't derived from any of the Pre-OSX Mach kernels. In fact I don't think OSX could legally incorporate any of Linux code as it would violate the GPL license.

The only time you see exploits common to both OSes is in userland applications that are common to both OSes (like openSSH).

Re:

[TheRaven64]

Both Linux and OS X have imported BSD code from the 4BSD era, although I am not sure how much remains in either. Both have taken code from FreeBSD and NetBSD more recently. While Linux as a whole is GPL'd, some contributions are BSD or MIT licensed, or even public domain, and so could make their way into OS X. While code can't flow from OS X directly to Linux, or vice versa, code can flow from a common source into both.

Interestingly, there are a few files I've read in the Linux sources licensed as 3-cla

Re:

[Greyfox]

I don't let my choice of operating system lull me into a false sense of security. I just enjoy being able to use my system without living in a constant state of fear.

My room mate's windows box stopped talking to the network again last night. She's got at least three or four different security or anti-spyware applications running on that thing. She just upgraded one of them and it apparently conflicted with another one and so her network stopped working. First thing out of my mouth when she tells me this i

Re:

[gordo3000]

if she needs 4 av/anti-spyware programs then your room mate is just computer illiterate, it's not a question of accepting something for a safe browsing experience.

tell her to get rid of all her anti spyware and anti virus programs and just get AVG which will work more than well enough. I've had it on computers for the last couple years and never had a problem with either spy ware or a single virus.

Its a common warning with any AV program that installing it with another AV program installed can cause system

Re:

[Alcoholic Synonymous]

The general problem is that Mac users literally think they are invulnerable. Not usually because they are, but because noone really targets them.

They also make an artificial distinction between the OS and the application, when a compromise is a compromise. They make the same distinction between root and users accounts. True, a direct root may be of much more consequence overall, but a user level compromise can reveal important data as well, specifically the compromised user's. User level access can also pro

editors ftl

[Jay Carlson]

Normally we make fun of Slashdot editors for not being able to spell simple English terms familiar to a mass audience correctly. They loose there audience when they do that. Usually they can get their terms of art correct. Not this time.

Guys, it's spelled "0day", and it has been since before you l33ch3d Karateka on a catfur. Do have some sense of perspective.

Re:

[Anonymous Coward]

Normally we make fun of Slashdot editors for not being able to spell simple English terms familiar to a mass audience correctly. They loose there audience when they do that. Usually they can get their terms of art correct. Not this time. (Not a sentence)

Guys, it's spelled "0day", and it has been since before you l33ch3d Karateka on a catfur. Do have some sense of perspective. (Question mark?)

See me.

Re:

[Jay Carlson]

They loose there audience when they do that.

[...]See me.

I can't believe my TAs for Intermediate Slashdot Trolling For The Playstation Generation are actually deducting points for such an accurate depiction of them.

Re:

[Jay Carlson]

you missed "spelled" , which should be "spelt"

Orthographic reform, do you speak it?

I'll show you a Royale.

Re:

[WhatAmIDoingHere]

Don't forget to remind the editors to tighten up there spellud.

You've got an excuse for "Spelled/Spelt" but what about everything else? When you're slamming the editors for misspelling common simple words, and in your post you do the exact same thing.

I think you should step away from the keyboard and reevaluate your life.

Re:

[Psychotria]

"Spelled" is perfectly acceptable. Go read the Oxford Dictionary... If you're going to correct somebody, at least make sure you're correct yourself.

Re:

[1u3hr]

Normally we make fun of Slashdot editors for not being able to spell simple English terms familiar to a mass audience correctly. They loose there audience...

Re:

[Aladrin]

Oddly enough, the distinction isn't so fine as you make it sound.

http://dict.die.net/hacker/ [die.net]

2. One who programs enthusiastically (even obsessively) or who
enjoys programming rather than just theorizing about
programming.

8. (Deprecated) A malicious meddler who tries to discover
sensitive information by poking around. Hence "password
hacker", "network hacker". The correct term is cracker.

http://dict.die.net/cracker/ [die.net]

jargon An individual who attempts to gain unauthorised
access to a computer system. These individuals are often
malicious and have many means at their disposal for breaking
into a system.

While it is expected that any real hacker will have done some
playful cracking and knows many of the basic techniques,
anyone past larval stage is expected to have outgrown the
desire to do so except for immediate practical reasons (for
example, if it's necessary to get around some security in
order to get some work done).

So while most hackers are crackers, most crackers are not hackers. (Sort of like 'all panthers are cats, but not all cats are panthers.')

Hey, good!

[Tickletaint]

As a longtime Mac user and a fan of Apple products in general, I'd like to congratulate the winner of this contest. Too many Mac users now seem lost in willful ignorance of the fact that tasteful, thoughtful design alone doesn't render a system bulletproof. Thus, I applaud any honest efforts to increase the public awareness that yes, shit-happening potential exists, even on a Mac.

(I said honest efforts. That guy who claimed the AirPort hack is still a raging tool.)

Another point to emphasize—and which,

Re:

[kms_md]

This basically explains what happened. Anyone who reads it and continues to claim anything from "the Airport hack didn't exist" to "Maynor and Ellch faked the demo" is, frankly,to use your language, a raging tool.

referring to someone as a "tool" and then linking to george ou's blog is rich indeed.

heh

[Danzigism]

I think another very simple factor to take in to consideration is that there aren't hundreds of thousands of Romanians who are out there trying to hack OS X.. they're targeting Windows.. if people actually gave a shit about hacking a Mac, then there'd probably be a lot more vulnerabilites.. just because there's hardly any hacks, doesn't mean OS X is unhackable.. it just means people don't care..

You know that is a fallacy, right?

[geekoid]

It is a fallacy, because it would mean that OSX was developed with the same people whodeveloped Windows. USed the same management team, and made all the same decesions. None of which is true.

They're different, so you can't compare them like that.

Also, it is very obvious that if someone did find an exploit, they would be on the front page of every geek site on the web. So anyone doing it for ego would spend all their time trying to break OSX in some meaningfull way, which this wasn't.

Re:

[TheRaven64]

It's not just ego. Even for a 'white hat,' there are a lot of companies wanting to sell antivirus and similar products to Mac users, but failing because there is no perceived need. They would pay quite well for someone who can demonstrate that OS X is insecure enough for their software to be a good investment.

Privilege separation

[BlueParrot]

This is why your browser ideally shouldn't be able to read your entire home directory. People talk about running as admin or not, but your most sensitive data is your personal files that you have read access to as your limited user. Running as admin or root is bad mainly because it can open security holes which can cause further mischief, but if your most personal information, and your most important files, are right there for your browser to read, it won't matter if the exploit hits the kernel or simply yo

Re:

[dioscaido]

This is what IE7 does on Vista. Even though with UAC enabled it's always running as a limited user, it goes one step further and strips itself of access to the system -- it can only read from and write to the temporary cache folder. It's a interesting approach that makes fly-by installs through vulnerabilities much less likely.

there are some weird things in Safari...

[lixlpixel]

Safari lets you include local files, for example...

i told apple (and got a lame reply that it would be fixed eventually) month ago, yet it still works.

see http://destabili.zation.eu/ [zation.eu] for a quick harmless example that can check what applications you got installed.

and then there is a way to crash Safari which exists for more than a year - again i had an email conversation where they wanted more info and crashreports - yet nothing was ever done about it.

http://lixlpixel.org/safaricrash/ [lixlpixel.org] and follow the instructions - but make sure you don't have any important tabs open...

Re:

[Jeffrey Baker]

Wow, those are very serious bugs. A website could include items out of your cache, then post the contents back to itself. Or it could run a local DoS by including /dev/tty. This class of bugs was reported in Mozilla way back in 2001 and fixed in various stages most recently in 2004. That WebKit doesn't recognize the severity of this problem says a lot about that project.

What I want to know

[HairyCanary]

How was the machine configured relative to an off-the-shelf OSX installation?

While I understand that for the purposes of the contest it might have been necessary to reduce those protections, I think that before something becomes "news" we should know what the real risk is.

Does this hack require the user to manually disable protections the OS ships with, or manually enable services that default to off? The article seems light on detail.

Safari ships with VERY bad defaults

[argent]

There's no reason to reduce the default permissions to open up all kinds of potential for security holes in Safari, thanks to Apple's poor choice of defaults.

To increase the security of Safari significantly:

* Turn off 'Open "safe" files after downloading'.

This option shouldn't even be there. If Apple wants to make it easier for the user, Safari should provide a download manager that makes it convenient for the user to request that files be opened with safe applications.

* Change the FTP: URI handler in Launc

Re:

[argent]

But implementing these would hose the user experience for any system.

Not at all, it would improve it considerably.

What exactly is the difference between what Safari does with "Open Safe files after downloading" and what IE or FireFox does with their download managers?

Internet Explorer is the poster child for "bad defaults".

Firefox isn't perfect, but it's better than Safari. When I download a file in Firefox or Camino (which is a better example) it saves it to disk, and keeps a reference to it visible in the

Not the OS's fault

[jaavaaguru]

s/Windows/Internet Explorer/ - let's see more people switching to Firefox

Re:

[i kan reed]

Yes, it's several hundred dollars worth of hardware. I can still find uses for old Pentium one machines for running a network raid drive.

Re:

[Tickletaint]

What? Who gives a shit about Windows? Any vulnerability is bad news; don't trivialize it with your "oh but M$Windoze!1!!" because, in all honesty, whatever flaws exist in Windows have zero relevance to me as a Mac user.