BTW in #4 what I was trying to hint at is that Unix's scalability and ease of automation usually beats windows or mac. In the second one I thought it was a scale of ease of use on one end with extensibility on the other end. I just thought it was something to point out Macs BSD based OS bears mentioning and kinda dosn't follow that paradigm. Again sorry

Haha! I am going to love to tell my friend who thinks it is impossible for a mac to get spyware, viruses, or hacked. He literally, thinks it is 100% impossible for those things to happen to any Mac computer.
Foolish.

Hehehehe, Roger that!

You're friend is slightly mis-informed. But only slightly.

The Mac isn't 100% bulletproof. No OS is 100% (outside of highly specialized cases which have no bearing on our discussion), though the *nixs in general are easier to lockdown than your garden variety windows box. However, while OS X isn't 100%, for the consumer, it's still far better than a windows box in most cases.

Are there viruses? VERY few, and most can do little within the system. Is it hackable? Yes, though it's still hard (like most of the others) over the network without direct intervention on the machine itself. Spyware? Not that I've heard of, though I'd imagine keyloggers do exist out there (you'd have to explicitly install them on the machine though.....which again requires physical access). Is it 100%? Hardly, but there are FAR, FAR fewer "gotchas" to avoid than on a Windows platform for the typical user.

I think we're in agreement that Linux is the most powerful....I doubt you'd find many dissenters outside of kool-aid drinking fanboys. But that power comes at the cost of usability, and usability is still paramount when you are comparing platforms in the consumer market. Which I dare say is exactly the people this little contest is trying to influence.

And no dissent here either that there are stupid computer users out there. They make up the bulk of the computing population, hence why so many machines out there are infected with spyware, viruses and other malware applications.

Yeah I totally agree with...I'm just glad your not mad at me

What makes Macs easier to keep clean? Is it a decently simple answer or is it going to be some page long crazy quantum mumbo jumbo that will melt my brain?
And I wouldnt want Carbon mad at me either, even though I dont play and games right now. Freaking ground pounding king right there.

Not from what I'm seeing. He directed the contest advisors to visit a website which contained his exploit code. He never physically had access to the machine until he remotely exploited it.

More: http://www.computerworld.com/action/...c=it_blogwatch

RAWR!

What makes Macs easier to clean? Mainly they make it harder to run "nefarious" code than Windows. Windows is built upon a legacy of non-protected architectures that give way to much access to the core of the operating system. Basically, a lot of the functionality in Windows was designed before the internet was the chief security concern, so MS left a LOT of exploitable holes (which people even now are still discovering ). And since every iteration of Windows has carried with it some of this old functionality, even newer operating systems (even Vista 32) are not immune. Vista 64 should be a little easier to "keep clean", because much of the underlying tech has been rewritten with security in mind. Not that it is impossible for a Vista 64 machine to get infected, it's just heartier than Vista 32 or XP. Microsoft has worked hard to patch these holes to protect users, but their best effort was basically to build walls around the users, rather than plug the holes and possibly break functionality.

Also by virtue of the Mac platform being a small percentage of the market, most viruses/spyware/malware out there are directed at the Windows market, which OS X is more or less immune to. If Mac were more popular, viruses/malware would start to become an issue. Hasn't really happened yet AFAIK.

I learned to build websites with notepad and I would really love to see the coding he used to exploit. It had to have some really neat sleight.

Mike your splitting hairs. So he didn't touch the keyboard.... he told them what to type .... As for the exploit stuff could be in java or activex type stuff. You know all that stuff that makes websites so pretty.....

Well, correct me if I'm wrong here, but the idea of the contest was to EXPLOIT any of the operating systems without having physical access to the machine. HOW you go about exploiting the machine and taking complete control of it remotely is completely irrelevant. The objective was/is to exploit the system and be able to read the contents of a pre-named file located on the computer's hard disk, and then presenting the contents of this file document to the contest panel.... All without consent of any given user. What difference does it make if it was html, java, php, activex, silverfish, or Walt Disney? None.

See here: The Facts!

It was just that simple and no access was required to anyone's physical machine. No splitting hairs there!!! No installers, no downloads, no exe files, no warning idiot boxes, you didn't even have to agree.

Pretty damned impressive if you ask me.

~~mike~~

What I'm saying is there is fair amount of difference between remotely hacking the box or having a user click on a link.

Sure there is. At the current level of protection, however, from any good updated operating system, it is ALMOST impossible to hack into a system without some sort of security backdoor. Especially is the case if the machine is just plugged in with nothing open i.e. Outlook, OE, IE, Opera, ..etc. where the machine is sitting there with the ports open. (Download IE 5, remove your current browsers and install it and open a page and let it sit for a few days online if you wanna see exploitability --you'll have popups everywhere) Other than running a DDOS attack with some good skills, there's not much chance of cracking into an idle system.

What I'm saying is that the system was compromised REMOTELY without having physical access to the machine. Apples or Oranges? Who's splitting hairs here?

Any hacker is going to portscan FIRST before trying to attempt anything. The reason for the portscan is to see if the user has already made the machine vulnerable in just this way... by opening something or downloading a software that already has opened a port or installed a script that overrides a firewall rule and such. Then brute forcing .... well you aren't stupid and you know the routine I'm sure.


To be contradicting, I do agree with what you are stating to be true. I know exactly what you are getting at. He did not sit down to his own machine across a network connection and force feed code to the EU machine causing it to become vulnerable enough to take control of it. I don't know anyone who can do that these days with new security implementations which do things such as block I.P. addresses after X number of failed authentications, but with ip spoofing, mac cloning and proxy servers, a password brute force can be endless. I've had to block whole continents until proper action was taken to track down a script kiddie...irrelevant.

I think, as you do, that a similar contest should be set up except the machine is turned on, plugged in, open every program that accesses anything past 127.0.0.1 and then see if it can be compromised. That would really impress the hell out of me. Then run the same contest with NOTHING open on the machine. I doubt you'd find anyone who could claim the prize.

Social Engineering is the easiest form of hacking but takes a lot longer than 2 minutes.

Well ok you understand what I'm talking about it took user input in order to compromise the machine. As opposed to hacking a listener or service across the network. which still happens.... I betif you os fingerprint a large block of IP's you can find a tonof machines still vulnerable to remote exploits....I'm not talking 0day stuff I'm old stuff and unpatched machines....

Hey! I resemble that remark.