BusinessWeek: Apple should hire security czar to combat uninformed media FUD

“To maintain public confidence in its operating system, Jobs & Co. should consider hiring a security czar,” Arik Hesseldahl writes for Forbes. “The second potentially major Mac security incident in as many weeks has thankfully been debunked. Earlier this week I wrote a blog entry about a Mac Mini owner in Sweden who configured his machine as a server and challenged hackers to gain access to it. The Mini was — as hackers like to say — ‘owned’ only 30 minutes after the challenge started. By ‘owned,’ I mean rooted… If your Mac is connected to the Internet all day, as mine is, you can see the fright such news might generate… That is, if it were true. It turns out the original reports weren’t forthcoming with all the facts. The person who ‘rooted’ the Mac already had a user name and password, as if he were a regular day-to-day user. In fact, having an account on this Mac was a prerequisite to taking part in the challenge. From there, the person used some method — most likely having to do with weaknesses in the Unix underpinnings of the Mac operating system — to gain escalated access.”

“These kinds of ‘privilege escalation’ vulnerabilities have cropped up on the Mac over the years and date back decades to FreeBSD, the variant of Unix on which Mac OS X is based. But remember, you can’t take advantage of this type of vulnerability unless you already have access to the machine — which implies having been given permission for that access in the first place,” Hesseldahl writes. “The pseudo break-in and misleading reports didn’t sit well with Dave Schroeder, a network systems engineer and Mac enthusiast at the University of Wisconsin in Madison. He’s been outspoken on the issue of Mac security, portraying recent reports as overblown. So he set up his own challenge, inviting the world to hack a Web page — the very page he used to tell the world about the challenge — running on a Mac Mini he set up as a Web server… For 38 hours, nothing worked. The Mac Mini held its ground against the worst that the multitudes could throw against it. The contest ended earlier than originally planned and even appears to have gotten Schroeder in trouble with his employer, since it wasn’t sanctioned by the university. I’m hearing he may face some kind of disciplinary action. The University of Wisconsin apparently isn’t interested in such a real-world ad-hoc test, no matter how successful and harmless it proved to be. Schroeder wasn’t available for comment.”

“Uninformed media sources will do what they do best — sow fear, uncertainty, and doubt [FUD]. And the first time a really big Mac security incident occurs it will cause some people who are considering a Mac over a cheaper Windows-based system to change their minds,” Hesseldahl writes. “Vulnerabilities in Windows are so common they don’t really make the news anymore. But a large-scale, widespread incident on the Mac could badly wound Apple’s reputation. It’s for this reason that I think the time has come for Apple to consider doing what many other companies like IBM and Oracle have: create a position of chief security officer.”

Full article here.


26 Comments

  1. So that little Mac Mini is the hero of the day. This basically goes to prove that thousands of hackers just couldn’t hack the Mac – one that was more open than most users’ will ever be. Those idiots in Sweden need to have their balls toasted and fed to the swine.

  2. I agree with the sentiments, but the problem is that newspapers and on-line reports always prefer the sensational news. If you then factor in the issue that some publishers have links with Apple’s rivals and some are generally anti-Apple, how do you stop them writing untrue articles ?

    ‘Fifteenth new Windows vulnerability this week’ isn’t much of a headline, but ‘First Mac virus strikes’ is such a sexy headline that some news organisations have already run on three occasions. One day it might actually be true.

  3. AlanAudio,

    If that happened, what kind of news story would it be or look like if they didn’t get a quote from the “Apple Security Chief”? Right now it seems like all that they get is a “No Comment” from some no-name Apple press person. It just doesn’t sound authoritative. To add to that, the reporter doesn’t feel like they even have to include that in their article other than to print that Apple said no comment. A quote from the Security Chief would be different, and they would look irresponsible if they didn’t include it, as long as the Security Chief doesn’t say no comment.

  4. I agree with the author. I also feel embarrassed about all of MDN’s taunting and shameless whistling past the cemetery about Mac’s bulletproof security at every turn, that they post this up without any ‘take’. The silence is very telling.
    Of course OSX is great, and very secure, right up to the moment that someone finds a way in, and with history as a guide, this usually is the way it goes, pride before the fall.

  5. AlanAudio: when FUD gets published, at least they can have an “official” response and crisis control.

    Otherwise it’s mainstream media vs. Mac users, blogs and rumor sites, making Mac users look like Jobs-worshipping reactionary fanboys.

    You are right about media being biased, but Apple still needs a point person for this.

  6. Pat – why do you have no confidence in:-

    1) the ability of Apple to rapidly fix any exploit that may happen to arrive

    and..

    2) the Mac community’s greater resilience, awareness and intolerance of malware?

    Good luck to all these hackers who have already wasted their time. In fact it’s doing the WinBox world a favour as they’re not sending out their venomous code while they waste their hours on OSX.

    For goodness sake let’s praise something decent and not behave -through FUD- as though OSX is already at the level of Windows…IT ISN’T AND IT NEVER WILL BE.

  7. So far, the media has jumped on just about anything even remotely related to security issues in OS X – it hasn’t had to be “widespread” or “large-scale” for multiple outlets to go screaming into the night waking people up with their sky-is-falling mentality before learning that it was just their own ceiling paint starting to peel. And, of course, that’s not newsworthy, so they don’t bother to correct themselves, or even acknowledge that they were possibly just overstating things.

  8. WABOS [What a bunch of sh…]

    Look, the Mac is a machine, it’s inevitable that it’s gonna crash sometimes, get a virus sooner or later, etc. The point is, by the time it does get a virus – a serious virus that actually erases somebody’s hard drive, or takes down an entire local network – Windoze will already be 100 critical fatalities ahead. I’ll sure be glad when FISTA finally gets released so we can all release our sphincter muscles.

    Ok ok… If Apple needs a spin doctor then put one in there, but holy crap, this whole OS X security mumbo jumbo is really out of hand. Like any responsible OS maker Apple is always releasing security updates.

    I guess Apple will be damned either way – if they bury their security updates into OS updates it’ll look like they’re not on the ball, and when they do release security updates it’s admitting there are flaws.

    I’m thinking back on the release of Win95 – when was that – 1997? – Anyway, I’ll never forget the news flash that when Win95 went online in the Microsoft cafeteria it took their entire in-house store down. Reports were that it cost something close to $1,000,000.00 to dig their way out. And here’s the truly amazing thing: millions of innocent computer users never heard about that, nor were they aware that they didn’t have to use Windoze in the first place, and subsequently went out and bought it and installed it. Now in my book, that’s really scary.

  9. They should hire the Maytag Repairman.

    He knows how to sit around with nothing to do.

    On second thought, any civil servant will do. Government workers have sitting down and doing nothing honed to a fine art. They probably get paid more though.

  10. According to Schroeder, it was sanctioned by the university, but it was cut off early due to excessive bandwidth utilization, and the fact that there were DDOS attacks which affected more than just the target machine. As for “Schroeder wasn’t available for comment.”, they should have tried emailing him…

  11. They should hire all of us here at MDN to do it. That way at least we’d get paid to sit here and talk about Apple all day instead of what we’re actually supposed to be doing ;)

    That’s too bad that Dave Schroeder at U of Wisconsin might get in trouble for his test (I guess we now know the REAL reason it ended early). Maybe Apple should hire him to be the Security Czar?

  12. “The contest ended earlier than originally planned and even appears to have gotten Schroeder in trouble with his employer, since it wasn’t sanctioned by the university. I’m hearing he may face some kind of disciplinary action. The University of Wisconsin apparently isn’t interested in such a real-world ad-hoc test,”

    It’s a shame the University is on Schroeder’s case over this. When I first heard about this challenge, my opinion about the university actually went UP. Now, I’d like to condemn them to the “wrath of the Apple cult”.

    Too bad they didn’t provide the email address of the university’s president. It would be good to let him know how Schroeder actually helped their image worldwide, not hurt it.

  13. “To maintain public confidence in its operating system, Jobs & Co. should consider hiring a security czar,” Arik Hesseldahl writes for Forbes.

    Arik Hesseldahl writes for BusinessWeek. Would appreciate if you could make that change. Thanks.
