I call it first!

Flame war on! w00t!!!

Macworld 2009

MacOS X is a security joke: http://www.baboo.com.br/absolutenm/articlefiles/31739-hacking_x_2min.jpg

Go Web...sta, Go Web...sta

If Master Phreaky doesn't LAY down the LAW on this one I'll eat my Apple.

Misleading.

It's misleading to report that it took him 2 minutes when all the reports are that he worked on this exploit for weeks beforehand. Sure it took him a couple of minutes to execute it - so what?

If we really want to legitimately test the security of these 3 different OS'es - put them on the internet and increase the prize money to compete with what certain government agencies are prepared to pay for this sort of stuff.

They would ALL be knocked over within seconds.

All this comp tells me is someone who spends his time looking for and reporting vuln's found one and waited until this conference to report it.

If you agree with me, add a pointless comment below bitching about how great your choice of OS is over someone elses.

.......mine is the one with woolen mittens hanging out of the sleeves by a piece of wool.

Dan Goodin:

This is about the only report I've seen today which bothers to mention the fact that this was day two of the contest. And it's not often I remark on high-quality Register reporting these days. Kudos.

As for the contest, I'm gonna come right out and say that this is a popularity contest, not a security contest. Not to belittle the vulnerability - which obviously is pretty serious - but I guarantee that all shipping browsers have vulnerabilities this serious in them, both discovered and undiscovered. It makes sense that the most desirable machine will be most attacked, and therefore likely fall first. A pretty sweet prize.

I too await the Phreakmaster's arrival with bated breath.

TOLD YOU SO!!! TOLD YOU SO!!! ..... Eat Crow MacTards

I predicted this two weeks ago and I said then I would be saying .... TOLD YOU SO!!! TOLD YOU SO!!! ..... Eat Crow MacTards

Your OS X is a Buggy, Security Risky, Piece of Shit. Swallow that with your Crow.

My OS is great

@Eric Pinkerton

Too bad it's not 100%-proof, so I will remain carefull with what I do with it.

All programmers cut from the same (holey) cloth

If anything, this contest confirms that no OS is any safer than the others. It's the same basic education system that goes into making up the coders, whether it's Apple, Windows, Linux. Unless universities change fundamentally how coders learn about what good security coding is, and static analysis tools are used to find security flaws, etc. software such as browsers with enough complexity is always going to have lots of holes.

@ Misleading

"All this comp tells me is someone who spends his time looking for and reporting vuln's found one and waited until this conference to report it."

I was just about to post the exact same comment, but you've hit the nail on the head. Apple hacker turns up to the event with an exploit he has worked for months to discover and craft, as does Windows hacker, as does Ubuntu hacker. But Apple hacker is first in the queue, he gets his machine set up 5 minutes earlier and his exploit takes 2 minutes instead of 3.

You don't think comparable exploits can be discovered for the other OSs? You're living in la-la land.

I'll be sticking with my Mac because using OS X doesn't cause me to suffer internal haemorrhaging, unlike using XP.

Don't hate me because I'm beautiful

"Perhaps the effort was put into busting the Mac first because it was the more desireable machine?"

That's right.....

The 10k had nothing to do with it. They just wanted the Mac.

Every smart and stylish person knows this, it's obvious

End of day 2- Linux and Vista still stands!

So day 2 is over and no one was able to hack the Vista and Linux installed apps, vs 2 minutes for the Macbook.

I guess apple is the only one who is insecure by default !

Brilliant

Now that a Mac has been so publicly pwned I find it brilliant how the Mac fans have changed their tune from: "it's impossible to hack a Mac" to: "the Mac only got hacked first because it's more desirable".

With idiots like you prepared to blindly perpetuate the Apple myth it's easy to see why Steve Jobs is laughing all the way to the bank. You are an Apple marketing executive's wet dream.

OSX Is as I've always said CACKOS

Anonymous Coward:

Windows XP, you cant compare that to OSX, its been replced buddy boy. And thus far its proved far more secure than OSX. So secure the latest SP even secures it against its desktop user lol.

But come on, those people that use OSX which think its safe, or safer than Linux or fully patched Vista are the kind of people that drive a french car becuase it cam with alloy wheels, or drive an Audi becuase they pals at the graphic design shop think their chic lol

I'm 33/33/33

I'm primarily a Windows user because most people I know use Windows and i like to play many games online which the other o/s' can't offer me. But that doesnt mean I do not like OSX or Ubuntu, I regularly switch o/s' on my laptop and we have several macbooks at work that I dabble on.

As previously said, all operating systems have security flaws, Windows tends to have more out there because it's used the most by the masses, but as Linux and OSX become more popular they are getting more attention by the hacking scene to devote their efforts on it.

I think this competition was a bit flawed in that rightly as others have said people could have been sat on an exploit for weeks and put it to work on the day to claim the prize, but on the other hand we need more of these types of encouragement for security devs to find out these bugs to help make the o/s' more secure (prize money is an incentive to nearly all people!)

Paris icon? Because she could do with some lessons in keeping her personal data more secure.

@ Misleading

"All this comp tells me is someone who spends his time looking for and reporting vuln's found one and waited until this conference to report it."

Sorry, are we meant to bow our heads to the superior intellect of Mac hackers over their slow-witted PC/Linux brothers?

Yes, this probably is something he found and sat on but then the PC/Linux boys were almost sure to be doing the same thing...they just didn't have as much ease/luck finding a hole as the Mac guy.

Not misleading at all

If you would care to read TFA, you would have read that the Mac was hacked 2 minutes into dat 2, while the Windows and Linux machines were tried and tried again for the rest of the day without result.

Are you really serious they did a bad job at trying to hack the other machines, and weren't interested in the $10,000? Come on.... All machines got even attention, the Mac failed miserably (the user just had to click on a link on a webpage).

Get out of your false sense of security NOW!

Booohooo

Eat this, fanbois;

The *Microsoft* and Ubuntu boxes were still standing over *five* hours after the Mac was hacked at 12:38 local time. Fact.

Mmm, let's just say that again, The *MICROSOFT* box was unhacked *FIVE* hours after the Mac was busted WIIIIIIIIIIDE open.

You can't seriously be suggesting that none of the other contestants didn't work on finding vulnerabilities for weeks before the contest either can you?

Paris, because she knows what it's like to be busted wide open and exploited.

@ Chris

Why would anyone want to bother hacking the others when the prize has already been won?

@ all the Anonymous Cowards (surprise!)

I'm a Mac user, and I'm not pretending this is even remotely OK. It's not.

Are there mitigating circumstances? Perhaps.

Is Mac OS X a more tempting target because of how Apple promotes its security record? Maybe.

Was the MacBook Air targeted because it was a more desirable machine? ehhhhhh unlikely...

What *has* been conveniently glossed over is that this exploit is not a straightforward remote attack, but relies on a bit of social engineering to get someone to click on a link, which then opens the machine to attack.

Once again, just to calm down all the idiots on here who are already at the vinegar strokes over the fact that a Mac got hacked, I'm not saying this is OK.

And Apple need to improve their attitude to security response and patch times.

But this doesn't somehow absolve Microsoft from their shocking record of insecure software. Trying to pretend otherwise is like making someone stand in front of you on a train track and thinking that, because the train will hit them first, it somehow means you'll be safe...

That's all well and good

Anyone know of any Mac's that are part of a botnet? What about one with a virus? A keylogger or a trojan anyone?

Its good news that Microsoft have improved their security, shame that this has made little difference in the real world. The fact remains that I would be happy to put my Mac outside a firewall with no virus protection, can the users of Windows say the same?

Of course these kind of incidents are useful, and teach us not to be complacent, hopefully Apple will take note and improve things.

I never understand why people get so cross at a computer platforms.

Typical

As usual the rabid zealot mac bashing fanbois come out en-mass to spurt their jism over the web over any even minor flaw which comes up in OS X, conveniently forgetting their own platforms history, and missing the obvious in that Mac OS X is software, and that there is not a piece of software on the market, anywhere in the world, which does not contain some kind of flaw, even after bug fixes and security patches.

I so wish

I was working in PC World right now because then I could say to those muppets trying to buy a £2000 word processor that you shouldn't buy a mac because it's less secure than a HP or Compaq, or whatever.

FLAME: because I think I'm going to take a blowtorch to a granny smith

To be fair

To all those saying how the Vista and Ubuntu are still running, just remember they still likely have exploits, just that by the rules of the competition you can't use known ones (and in the interests of balance, OS-X has known exploits too...). I think what we should be taking away from this, rather than a "My penis is longer than yours" debate, is that things like firewalls are a good thing. That as IT professionals, we should not rely on the security of any single piece of kit (this includes firewalls), but take a holistic approach.

Don't fall into the Mac fanboi trap of claiming your unhackable, just limit your exposure.

For the record, I'm an OS/X, Windows (XP), Linux (Fedora/Lineo), Solaris (2.8/10), irix (6.2 iirc) and NeXTStep (And in the past VMS, RT11 and NetBSD) user at home... And I don't trust any of them to be secure... I don't trust my firewalls either (hardware and software), but I believe I've done what I can, which is what we all should do. Anyone who believes the inbuilt security on their OS is enough is an idiot (IMHO).

busting Paris wide open :) thanks 4 that

Now, this Vista machine, it did actually complete it's boot up sequence didn't it?

Safari Bug

Interesting that the hole was in Safari, which in another register report can (or cannot) be loaded onto Windows. Perhaps someone read the EULA before loading it onto the Windows machine, when updating QuickTime, iTunes etc.

Hulk?

"Trying to pretend otherwise is like making someone stand in front of you on a train track and thinking that, because the train will hit them first, it somehow means you'll be safe"

If they're The Hulk, you probably are...

Joy :D

After spending the last hour fighting a G5 over a f&$@ing Quark install this has made me soooooooo happy. Great start to the weekend.

@ Ian Davies

"Trying to pretend otherwise is like making someone stand in front of you on a train track and thinking that, because the train will hit them first, it somehow means you'll be safe..."

no but it does mean you'll be "safer" because the train would hit the guy infront at a greater speed than it will it you (assuming of course that the driver has applied his breaks before he hit the guy in front and the breaks remain on whilst the train is coming for you). Also the fact that the guy infront is probably still plastered infront of the train, it should provide adequate cusioning should you get hit as well :)

Flame: Let the apple BURN!!!!

Get a PC !

always wanted to say that

@Anonymous Coward

"...Windows tends to have more out there because it's used the most by the masses..."

Oh p-l-e-a-s-e... not that argument again. If you think the unwashed masses somehow dirty the Windows code you're beyond hope.

The number of bugs per line of code has no correlation whatsoever to how many times the compiled code is copied/sold. This is in contrast to the direct correlation between bugs/LoC and eyes/LoC.

Still not critical

The attacker actually does not open a session. It's Safari that opens a telnet on a remote host. Eventually the remote host can execute code but is on the remote host not on the Mac. Somebody calls this a flaw because via the terminal window you could run a script that asks for password but this has more to do with the moronity of the user than the platform itself.

I can see why Apple is not considering this a critical patch.

Next year I think I will take the effort to participate to the contest: it seems they have money to give away.

Paris because all I can hope is to "execute" with her remotely.

Mabuse68

So

So how the mighty god's children have fallen so quickly on the hackers field !

windows sucks, OS X sucks, linux sucks

Why can't we all just agree that computers suck.

I like my Mac but...

... I'm not so stupid as to think that it is 100% secure and completely invulnerable. For example, I can't examine the precise firewall rules currently enforced without dropping to the shell. The Mac is perceived as more secure because there are fewer viruses, worms, vulnerabilities reported. This is simply because the Mac is a relative minority in the big scheme of things.

Think of it like a Ferrari if you will. Lots of effort on presentation, performance, slickness but boy they still break down.

OK, 'nuff said, time to go Back To My Mac

(Paris, because she'd choose a Mac based on style)

Mmmm, crow. Tasty.

I'm not sure where Webster Phreaky actually lives, but I always have a mental picture of him chained to a stake in someone's back yard, like those rabid zombies in "28 Days Later".

Firefox Anyone :-)

No one even entered the contest on Day1 where the OS, Drivers or Networks Stack were up for being hacked, so why the flame war over OS X ?

The hack was targeted at the safari browser, a browser that I haven't used on my mac for a good few years due to the superior Firefox browser. In fact I don't use IE on XP or Vista for exactly the same reason.

IE = better than Safari.

Firefox = better than IE.

Firefox = best browser (cue second flame war!!!!)

@Damien Jorgensen

Huh, I thought this was about OSX Vs Linux Vs WinXP? Don't go bringing Audi's into this! ;)

Mines the one haning up in the back of an A4!

@get a PC

Yep, I did get a PC.

It runs Ubuntu Linux. Splendidly.

Ta-ta...