


  • Newsletter Issue #435

    March 30th, 2008

    THIS WEEK’S TECH NIGHT OWL LIVE RADIO UPDATE

    Have the browser wars returned? Well, at one time, Apple had Safari and Microsoft had Internet Explorer, and that wasn’t so long ago. The arrival of Firefox changed the odds considerably, and it now commands close to 18% of the world market. Today’s Internet Explorer does no better than just shy of 75%, and Safari stands above 5% — and that’s before Safari’s Windows version was finalized.

    In light of these developments, it’s clear that the browser wars are back in earnest. To observe that occasion, on this week’s episode of The Tech Night Owl LIVE, The Night Owl explored the subject with Adam Engst, Editor/Publisher of TidBITS. You also heard his views about Apple’s latest version of Safari.

    On a similar front, Steven Sande, author of “Take Control of iWeb: iLife ’08 Edition,” described the unexpected power of this simple Web design application. He also acquainted you with a surprising use for the under-appreciated Mac mini. So do you really think the mini is suited for nothing more than low-end use, such as Internet access, email and word processing? Well, think again. During this fascinating session, Steve explained how he’d been using a bank of Mac minis as Web servers, with surprisingly compelling performance.

    In another segment, Alan Oppenheimer of Open Door Networks gave us a Mac security update. Is it time to get virus software for your Mac, or not? I’ll cover this subject in more detail in the next article.

    And Ross Rubin, director of analysis at market research firm NPD Group, discussed the continuing spike in Mac sales and how Apple’s products compare in the marketplace with the competition.

    On The Paracast this week, we present UFO trace researcher Ted Phillips, Director of The Center for Physical Research, who speaks about his ongoing investigations of physical trace evidence in the wake of reported UFO landings.

    Coming April 6: Steve Bassett returns to The Paracast to discuss UFO disclosure and the forthcoming X-Conference 2008.

    THE NIGHT OWL EXAMINES THE GREAT MAC SECURITY FRAUD

    If you take those published reports at face value, the vaunted security of the Mac OS is just an illusion. During the annual Pwn2Own hacking contest this past week, someone easily exploited a supposedly unknown vulnerability in Apple’s Safari on a MacBook Air within a mere two minutes, earning a ten thousand dollar paycheck for his efforts.

    Now, because of a nondisclosure agreement, we don’t know just what vulnerability was present in Safari that was handled so easily, but it sounds to me like a put-up job. If you believe the claim, the security flaw was so blatant that it was easily discovered, and that’s extremely unlikely.

    Consider that, on the first day of the contest, nobody could attack any of the test computers, running the Mac OS, Windows Vista, and Ubuntu Linux, remotely. Thus the original $20,000 prize went unclaimed. On day number two, the terms were relaxed, so the participants could actually work directly on the computers to locate and exploit possible vulnerabilities.

    Now that severely lessens the seriousness of the flaws, because it means that you are granted direct access to the computer you’re going to infect. That severely lessens the danger. No direct access, no exploit, at least under the terms of this contest.

    Although he’s not talking, I really doubt that security researcher Charlie Miller had a sudden flash of inspiration from on high to access a hostile site in Safari and win his ten grand. No way could that possibly happen in a mere two minutes except by a divine or paranormal event. Instead, it’s clear to me that he had previously investigated possible flaws in Mac OS X and had discovered a security leak he could exploit on the spot when the time arrived.

    So call it a good sense of timing.

    This Academy Award winning performance certainly got the world’s attention. Apple can no longer tell us in their Mac versus PC spots that they can offer superior security to Windows boxes. Not when someone can attack a Mac in just 120 seconds.

    Or can they?

    Certainly, you can bet the companies that want to sell you Mac security software are going to extol the virtues of the protection they’re offering you. So is it time to install malware protection? Are we ready for the scourge of computer viruses that used to be largely concentrated on the Windows platform?

    I don’t think so.

    You see, this contest and the winning exploit were nothing more than stunts! Sure, Charlie Miller is to be congratulated for his winning performance. More to the point, the information on that Safari security flaw has already been transmitted to Apple, and you can bet that they’ll fix it before long.

    What this means is that it’s highly unlikely any one of you is in danger of being infected. Consider what you have to do. First, you have to receive a link to a malicious Web site that contains the offending code. How is that to come? In an email alerting you to a problem with your bank account, a letter from the IRS, the promise of enriching yourself with a new work-at-home scheme — Internet porn? What?

    Once you learn of this link, you have to be foolish enough to click on it to visit the offending site. One unlikely event is compounded by a second to transport you to this online den of iniquity. So much for Macs being easy to exploit.

    In Miller’s case, he knew where he was going, because he planned the whole thing in advance.

    But what about computer viruses? Now that Apple is selling more Macs than ever — more than two million each quarter and growing — won’t Internet criminals decide it’s high time to move from the Windows platform and take control of your Mac?

    It sounds like a convincing theory, particularly when a security software company tells you about a new “proof of concept” virus discovered in a laboratory. They release a patch to their virus definition strings, but it makes no difference. Nobody is ever infected by the virus; it never spreads into the wild.

    This is not to say that Mac OS X is immune. Clearly it isn’t, witness the regular security updates that Apple releases. But those security shortcomings are at best theoretical. They exist, and the next Charlie Miller will no doubt exploit one at a subsequent contest. But that means little in the real world.

    How many of you have encountered a genuine, 100% pure Mac OS X virus since the operating system debuted as a public beta in 2000 and as an actual release in 2001? Precious few, and then only for a certain low-threat virus that impacted iChat a while back.

    However, that doesn’t make for a compelling headline laced with fear, uncertainty and doubt. You won’t read a story telling you that Macs really are quite safe, and that if you practice safe computing, such as not clicking on links that take you to the unknown, you should do fine.

    Some day there may be a genuine, extremely threatening Mac virus for which you’ll need powerful protection. Certainly those who publish the software that provides such protection hope it’ll come sooner rather than later.

    But I wouldn’t lose any sleep over it.

    EXPLORING APPLE’S TIME CAPSULE

    I am a preacher in one respect, and not in the same fashion as a certain controversial minister you’ve read about lately. You see, I am absolutely a devoted follower of the backup religion, and I practice it with great dedication.

    Let me explain what I mean: Every single evening, Shirt Pocket’s SuperDuper! performs a clone backup on a second drive on my Mac Pro. Both the Mac Pro and MacBook Pro get regular Time Machine backups, and I’ll get to the latest mechanism to accomplish that purpose momentarily.

    As for my Web sites, some time after midnight, the files are backed up to a secondary drive on the Web server. In addition, there is yet another backup later in the morning to another server in another state. So if the datacenter were to vanish in a sudden blaze of lightning and thunder one night, I’d still be able to lease another server and restore the files within an hour or so in order to get back online.

    As to Time Machine, back when Apple first promoted Leopard’s feature set, they promised you wireless backups to the latest and greatest AirPort Extreme. Well, that promise fell by the wayside, and then it returned in the form of Time Capsule, which went on sale in February of this year. Time Capsule is, in the flesh, a somewhat thicker version of the 802.11n AirPort Extreme. Inside are the same basic components, plus what Apple calls a “server grade” hard drive with either 500GB or 1TB capacity.

    My test unit, the $499 terabyte edition, arrived Thursday afternoon and was promptly deployed into service as the replacement for an AirPort Extreme. Typical of Apple’s wireless products, setup is far easier than the pathetic equivalents from most every other company I know about. In fact, once it was attached to my cable modem and wired network and powered on, the Setup Assistant appeared on my Mac Pro.

    Within a couple of minutes, I named the router, then the network and established secure WPA2 encryption passwords. I configured the Time Capsule to back up files from my desktop and notebook Macs, and let it do its thing.

    One cautionary note: The initial backup, which meant nearly 330GB of data from my computers, is going to be slow, and it should be done over a wired connection for maximum performance. The published reviews of Time Capsule tell you to let it run overnight without interruption, and you can take that to the bank.

    Indeed, it took just shy of 12 hours for the initial backups to complete. After that, Time Capsule performs in the same fashion as any other Time Machine backup. Your latest files are copied over every hour for the first day, every 24 hours thereafter until a week has passed, and then weekly until the drive is full.

    In my case, it’ll take a long time for the drive’s full capacity to be reached.

    To be sure, Time Capsule’s drive may not be the fastest on the planet. Certainly Wi-Fi backups, even at the speedier 802.11n standard, can be poky. But you’ll never have to worry about when and how to back up your stuff ever again. What’s more, Time Machine’s science fiction-style interface will make it easy to recover the files you’ve deleted by mistake, or that have become damaged.

    I do wish Apple would make it possible for Time Machine to provide a standard clone backup, and perhaps an easy method to restore your files. Right now, it requires rebooting with your original Leopard installation DVD.

    But power users aside, it’s a sad fact that only a fraction of Mac users back up their files. The reliable and seamless combination of Time Machine and Time Capsule is definitely going to improve those percentages, and the higher the better.

    THE FINAL WORD

    The Tech Night Owl Newsletter is a weekly information service of Making The Impossible, Inc.

    Publisher/Editor: Gene Steinberg
    Managing Editor: Grayson Steinberg
    Marketing and Public Relations: Barbara Kaplan
    Worldwide Licensing and Marketing: Sharon Jarvis




    7 Responses to “Newsletter Issue #435”

    1. shane blyth says:

      It was obvious that the guy had set up a website first and knew exactly what he was doing.
      As you say no luck for first 24 hours till direct access was allowed. No details and nothing else to go on as to what happened. As always any system’s weakest link is the guy sitting at the actual computer. Direct access like that means pretty well anything is on the cards.
      I certainly don’t see it as anything to even waste my breath on. Reality is reality. OS X in the real world is vastly superior security-wise. Pull antivirus or spyware apps off any of these systems and see what happens. If they wanted to do a fair contest they should take Vista XP Linux and OSX with NO antivirus or antispyware on them. Set up as they come from the factory so to speak without any addons and see what happens then.

    2. Michael says:

      “Although he’s not talking, I really doubt that security researcher Charlie Miller had a sudden flash of inspiration from upon high to access a hostile site in Safari and win his ten grand.”

      I don’t think that really has anything to do with any concern that end-users might feel over this incident. And really they’d only have to wait until Miller was interviewed to learn how he’d broken it, wouldn’t they?

      From Computerworld:

      ” ‘We sat down about three weeks ago and decided we wanted to throw our hats into the ring,’ said Miller, referring to himself and ISE colleagues. ‘It took us a couple of days to find something, then the rest of the week to work up an exploit and test it.

      ” ‘It took us maybe a week altogether,’ Miller said.”

      They might also notice that in that interview he says they chose to break the Mac because that was easiest:

      ” ‘It was the easiest one of the three … We wanted to spend as little time as possible coming up with an exploit, so we picked Mac OS X’.”

      That really ought to give apologists for Apple pause for thought. But, human nature being what it is, one suspects some will expend a great deal of effort finding ways not to recognize what they ought to. The wilder fringe — Dan, for example — is already doing so.

      And the whole affair is nothing to be complacent about. If it were, then there would be no problem with full-disclosure here. But, of course, TippingPoint is not disclosing details of this (or the Flash problem that broke the Vista machine) for obvious reasons.

      Finally, alert end-users will have noticed this comment from Miller in that interview:

      “We were equally capable of finding [a vulnerability] in Windows if we had to.”

      One hopes that reminds them that the Net is, in and of itself, a dangerous place. Evidently, there’s nothing for Vista users to feel complacent about either. Doubtless, they can enjoy a chuckle at the thought that the Mac is currently easier to break. We, for our part, can feel grateful that we use an OS that is not a large enough and profitable enough target to attract much attention as yet. Let’s hope Apple are putting a lot of thought into making their software safer.

      Perhaps we’re all going to need to be browsing with something like this in a few years:

      http://www.cs.uiuc.edu/homes/kingst/Research_files/grier08.pdf

    3. What you write confirms what I wrote, that he planned it in advance. More to the point is the contradiction, where it is admitted that it would have been as easy under Vista. Evidently his right hand and left hand aren’t communicating.

      The fact that this little stunt doesn’t work without a hands-on also severely lessens any potential danger.

      In the end, the Mac marketshare is sufficient to justify criminal activity, but it’s still easier to take over PCs en masse, which is why billions of dollars have been lost because of malware on the Windows platform. And nowhere else.

      Apple will patch this in the normal fashion. Nobody will be hurt. End of story.

      Peace,
      Gene from his 24/7 iPhone

    4. Michael says:

      “More to the point is the contradiction”

      I don’t see a contradiction there. He says they were equally capable of doing it. (And I wouldn’t doubt that they were: I don’t think these guys deal in bravado.) But he says they went for what he thought would be the easier option — for which read would take less time and effort working on beforehand. (As it was it took them a week.) He says: “We wanted to spend as little time as possible”. I’m sure they did — doubtless, they have other things to do at ISE.

      “The fact that this little stunt doesn’t work without a hands-on also severely lessens any potential danger.”

      I think what lessens the potential danger is the lack of full disclosure. It took skilled professionals working for a week to come up with the exploit, but people of much lower calibre can make use of the exploit once it’s been found, if they know what it is. The exploit requires one to visit a website … but visiting websites is not exactly a rare occurrence on the Net. A user could, for example, run a Google search and from that go wandering just about anywhere. It’s not been unknown for malfeasants to buy the sponsored Google links, which are the ones that come up at the top of the page.

      “In the end, the Mac marketshare is sufficient to justify criminal activity, but it’s still easier to take over PCs en masse”

      I think your first assertion is debatable. In any case, it’s not merely the size of the target but the size of the “targeters” that is of relevance. There’s a new OS for malfeasants to learn; they have, moreover, actually to purchase new hardware (or go through the effort to run OS X on non-Apple hardware) before running OS X. All this is, of course, good for us as Mac users. I think your second clause is also debatable, because it puts Vista machines and XP machines in the same set as “PCs”. Now XP machines, particularly ones that are not running SP2 and are unpatched are, evidently, easy to take over “en masse”. I’d say it’s not clear yet whether the same is true of Vista machines.

      “Apple will patch this in the normal fashion. … End of story.”

      Until the next one. Vulnerabilities in software will continue to be a problem for the foreseeable future. I see no reason to believe that will change any time soon.

      By the way, I think one gets a far more balanced view of the matter from Rich Mogull (linked to by Daring Fireball yesterday) than one is seeing elsewhere in the Mac blogosphere. (This perhaps because Rich Mogull knows more about these matters than some of those others.) I also agree with Rich’s conclusion — that there’s no immediate cause for panic, but that, nevertheless:

      “we, as a community, still can’t afford to be complacent. If security is a priority for us, it will be a priority for Apple.”

    5. No I think it’s clear he targeted the Mac because it has far greater headline value. Exploiting Windows is old news, you don’t get wealthy from ten grand, but a lot of headlines is a great achievement. Might even deliver some choice work to enrich the bottom line.

      As to exploiting the Mac, I’m sure you know that many of the open source underpinnings of Mac OS X have been available for years and there has been plenty of opportunity to exploit them. But it’s still evidently easier to build botnets on the Windows platform.

      But I do agree with Rich and I’ve said as much often: Don’t be complacent and practice safe computing.

      Peace,
      Gene from his 24/7 iPhone

    6. John Fallon says:

      There seem to be a lot of these issues coming up lately with Safari and QuickTime lately, though. Apple and Adobe (with the Flash exploit) maybe should spend a thought less time on glitz and ACID 3 compliance and a bit more on security.

      The heavy coverage of this is not likely to encourage the use of Safari in the Windows world.

    7. There seem to be a lot of these issues coming up lately with Safari and QuickTime lately, though. Apple and Adobe (with the Flash exploit) maybe should spend a thought less time on glitz and ACID 3 compliance and a bit more on security.

      The heavy coverage of this is not likely to encourage the use of Safari in the Windows world.

      Actually, Daniel Eran Dilger’s latest commentary on the subject suggests that the flaw may have already been fixed for the next security update. Besides, nobody is being exploited in Safari. How much money have people lost from Mac OS X malware, or the use of Apple software on other platforms?

      Just asking. 😀

      Peace,
      Gene
