
scross

join:2002-09-13
Cordova, TN
reply to Badonkadonk

Re: [rant] Don't they get it - it's not just the hardware

said by Badonkadonk:

What? The old semi-joke is that a parent needs to ask their kid for answers if a computer question comes up. At some point the younger and next generation (especially in fast moving technology) know more than the older generation. Especially if the older generation has constantly been training to keep up with technology.

Actually, I think your response is rude and obnoxious. I have over 30 years of experience with computers and got my EE back in '87, so I know exactly what I'm talking about when I say that times may have passed him by. It happens all the time.

Just so you know, my very computer literate teenager asks me computer questions all the time - although she will on occasion surprise and delight me by having done considerable research and footwork on her own first. Lately she's been asking me a big one, too - "Daddy, when can I get a Mac like mom has?" But most of her questions center around "What the heck is wrong with this Windows computer anyway?", and this just gets exhausting after a while. A quick perusal of the event logs suggests problems with the registry (another fine Microsoft "innovation", that was), specifically the extended locking of same, but she won't let me have access to the machine long enough to really dig into it. Instead she just curses under her breath and reboots (or tries to), which is something of a way of life for Windows users, including myself.

Just so you know, she was initially delighted with Win7, which came installed on a new laptop that we bought for her. "Great", I thought, "maybe they've actually made some real improvements there!" Her happiness lasted about two weeks - or up to about the time I started having to put patches on it.


JohnInSJ
Premium
join:2003-09-22
Aptos, CA
reply to scross
said by scross:

said by JohnInSJ:

Please name one of these platforms.

The IBM midrange and mainframe platforms are still around and still going strong, in spite of what Microsoft might have you believe; I have a long history with what used to be called the iSeries myself, and it is probably the finest platform that I have ever worked on and will ever work on, despite it being a bit long-in-the-tooth now, at least according to some people. Their AIX platforms are still around, too, although they have consolidated a lot of this stuff on POWER hardware these days, so sometimes it's hard to tell what's what. Before I worked on AIX I worked with AT&T's UNIX System V, running on their 3B2 platform at the time, but that's been ages ago now. Somewhere around here I still have a book with a bootleg copy of the early UNIX source code in it, and I have a former colleague who used to work at Bell Labs itself, for the guys who invented the C language.

Oh, ok, I have ancient systems experiences too. AIX would just be Unix. Heck, HP's MPE on the HP 3000 minicomputer was awesome back when disk drives were the size of washing machines. Without a doubt, any platform that only had to defend against local attack would indeed be far more stable. I grew up on mainframes & mini computers in the late 70s/early 80s too, and those things are a far cry from anything intended to be a general purpose computer on the Internet run by a home user. Ditto with embedded - most of which are going linux these days, but of course there are many other embedded OSes, of which I developed on three. The last being VxWorks, which was used on a line of HP cameras that I did some firmware work on.

You really can't compare these types of systems (either that predate the modern connected world, or are firmware based and not fungible) to a modern always connected OS running untrusted applications by untrained users who have root/admin privileges. You can harden a system, but the weak link is always at the keyboard.
--
My place : »www.schettino.us

scross

join:2002-09-13
Cordova, TN
said by JohnInSJ:

Oh, ok, I have ancient systems experiences too. AIX would just be Unix. Heck, HP's MPE on the HP 3000 minicomputer was awesome back when disk drives were the size of washing machines. Without a doubt, any platform that only had to defend against local attack would indeed be far more stable. I grew up on mainframes & mini computers in the late 70s/early 80s too, and those things are a far cry from anything intended to be a general purpose computer on the Internet run by a home user. Ditto with embedded - most of which are going linux these days, but of course there are many other embedded OSes, of which I developed on three. The last being VxWorks, which was used on a line of HP cameras that I did some firmware work on.

You really can't compare these types of systems (either that predate the modern connected world, or are firmware based and not fungible) to a modern always connected OS running untrusted applications by untrained users who have root/admin privileges. You can harden a system, but the weak link is always at the keyboard.

But indeed, no matter how old the pedigree of these systems (and they're not standing still by a long shot, but are constantly being updated in order to stay modern), all of them (including the embedded ones) are now routinely being connected to the internet - and you might recall that the internet was actually invented on some of these machines, so these predate any other internet connectivity. Yet these systems appear to have far smaller attack surfaces than anything that Microsoft produces, even if they didn't start off as hardened as they needed to be.

And before you go any further down the "you just can't compare them" road, remember that it is Microsoft that comes in and lies and says that their systems are just as good if not better than other enterprise-class systems, which is clearly not the case. And when push comes to shove, very often the only way they can get the business is by massively undercutting the initial cost of their presumed "competitors". This has become something of a running joke in the industry - Microsoft can't compete on quality so they have to compete on price - and indeed one of the easiest ways to squeeze a ton of bucks out of them is to let them know that you just aren't really that interested in their products.

The whole "end user problem" is one reason why things are today trending back to a more centralized model (browser-based, quite often), where those people who are better trained in security matters and who are more responsible than the typical end user can keep better control over things. Theoretically, that is - I'm not sure that I trust many of the folks these days who claim to be well-versed in these areas.

Badonkadonk
Premium
join:2000-12-17
Naperville, IL
kudos:5
Reviews:
·Dish Network
reply to scross
said by scross:

said by Badonkadonk:

What? The old semi-joke is that a parent needs to ask their kid for answers if a computer question comes up. At some point the younger and next generation (especially in fast moving technology) know more than the older generation. Especially if the older generation has constantly been training to keep up with technology.

Actually, I think your response is rude and obnoxious. I have over 30 years of experience with computers and got my EE back in '87, so I know exactly what I'm talking about when I say that times may have passed him by. It happens all the time.

Just so you know, my very computer literate teenager asks me computer questions all the time - although she will on occasion surprise and delight me by having done considerable research and footwork on her own first. Lately she's been asking me a big one, too - "Daddy, when can I get a Mac like mom has?" But most of her questions center around "What the heck is wrong with this Windows computer anyway?", and this just gets exhausting after a while. A quick perusal of the event logs suggests problems with the registry (another fine Microsoft "innovation", that was), specifically the extended locking of same, but she won't let me have access to the machine long enough to really dig into it. Instead she just curses under her breath and reboots (or tries to), which is something of a way of life for Windows users, including myself.

Just so you know, she was initially delighted with Win7, which came installed on a new laptop that we bought for her. "Great", I thought, "maybe they've actually made some real improvements there!" Her happiness lasted about two weeks - or up to about the time I started having to put patches on it.

Interesting. I have three kids ranging from 16 to 10 and all three of them have no problems with Windows 7. I draw my own conclusions from this . . .
--
"That wasn't a debate so much as Mitt Romney just took Obama for a cross country drive strapped to the roof of his car." - Mark Hemingway, The Weekly Standard.

Badonkadonk
Premium
join:2000-12-17
Naperville, IL
kudos:5
Reviews:
·Dish Network
reply to scross
said by scross:

it is Microsoft that comes in and lies

This says it all. You're one of "those", so there really isn't any reasonable conversation that can be held with you.
--
"That wasn't a debate so much as Mitt Romney just took Obama for a cross country drive strapped to the roof of his car." - Mark Hemingway, The Weekly Standard.

scross

join:2002-09-13
Cordova, TN
reply to Badonkadonk
said by Badonkadonk:

Interesting. I have three kids ranging from 16 to 10 and all three of them have no problems with Windows 7. I draw my own conclusions from this . . .

She (like me) really pushes the envelope sometimes, doing multiple things at once and sometimes switching rapidly between them, and she expects her computer to keep up with her - only it doesn't, much of the time. If your kids don't do this, well ... they are your kids, after all, so I don't know what I'd expect from them. You can draw your own conclusions from that, too.

Remember the good old days, working with those "ancient" systems, which had limited processing power and limited memory and so on, but they were still so stable and reliable and almost never rolled over on you? And today we have super-fast quad-core processors and such, with gigabytes of memory, yet I generally don't see anywhere near the stability and reliability that I saw back then. It is Windows which robs you of most of those advantages.

scross

join:2002-09-13
Cordova, TN
reply to Badonkadonk
said by Badonkadonk:

said by scross:

it is Microsoft that comes in and lies

This says it all. You're one of "those", so there really isn't any reasonable conversation that can be held with you.

I base this on first-hand experience, my friend. One of the companies I used to work for sued Microsoft over this and won. Then the CIO left for another job and his replacement eventually tried to buddy up to Microsoft again after they made him some new empty promises, despite being warned against it. He eventually got fired for this, but not before wasting a ton of the company's money.

And so it goes ...

Badonkadonk
Premium
join:2000-12-17
Naperville, IL
kudos:5
Reviews:
·Dish Network
reply to scross
said by scross:

said by Badonkadonk:

Interesting. I have three kids ranging from 16 to 10 and all three of them have no problems with Windows 7. I draw my own conclusions from this . . .

She (like me) really pushes the envelope sometimes, doing multiple things at once and sometimes switching rapidly between them, and she expects her computer to keep up with her - only it doesn't, much of the time. If your kids don't do this, well ... they are your kids, after all, so I don't know what I'd expect from them. You can draw your own conclusions from that, too.

Remember the good old days, working with those "ancient" systems, which had limited processing power and limited memory and so on, but they were still so stable and reliable and almost never rolled over on you? And today we have super-fast quad-core processors and such, with gigabytes of memory, yet I generally don't see anywhere near the stability and reliability that I saw back then. It is Windows which robs you of most of those advantages.

Maybe you need to work with her some more or get some additional training yourself. After all . . . she is your child.

Your anti-MS bias is so strong that you don't probably really understand the underlying issues. See, I did x86 chip design at the gate level, PC design at the motherboard level and software/firmware design. I understand how these things work. I don't blindly hate MS.
said by scross:

said by Badonkadonk:

said by scross:

it is Microsoft that comes in and lies

This says it all. You're one of "those", so there really isn't any reasonable conversation that can be held with you.

I base this on first-hand experience, my friend. One of the companies I used to work for sued Microsoft over this and won. Then the CIO left for another job and his replacement eventually tried to buddy up to Microsoft again after they made him some new empty promises, despite being warned against it. He eventually got fired for this, but not before wasting a ton of the company's money.

And so it goes ...

Case number and/or name?
--
"That wasn't a debate so much as Mitt Romney just took Obama for a cross country drive strapped to the roof of his car." - Mark Hemingway, The Weekly Standard.


Count Zero
Obama-Biden 2012
Premium
join:2007-01-18
Winston Salem, NC
reply to RiseAbove
What would you change so drastically in iOS? The ONLY thing I could see myself adding that Android has is widgets on the desktop. Other than that I can't say I find any missing features. I like the notification center in iOS just fine. I might add some quick gestures to turn on/off wifi, bluetooth, Do Not Disturb - but again that's about all I can think of off the top of my head.

scross

join:2002-09-13
Cordova, TN

4 edits
reply to Badonkadonk
said by Badonkadonk:

Case number and/or name?

Dunno, that's probably been 10 or 15 years ago now, at least, and they may have settled out of court. I wasn't directly involved with it so I don't know all of the details, and what details I learned about it I heard second-hand, well after the fact. I do recall that part of it revolved around Microsoft trying to claim ownership of company code that they themselves didn't write, where the company had to step in and write code because the Microsoft products weren't up to snuff. Microsoft taking some company employees away with them may have played a role, too, but I don't really remember. I do know that Microsoft and those ex-employees were not highly thought of when I first got there, and it wasn't until we got a new CIO later (a PC guy who knew nothing else about computers - certainly nothing about the core systems we ran at the time) and several years went by before all of a sudden he wanted us to put Microsoft products everywhere (not that we didn't have enough already). He had made several expensive fumbles in the interim, and this was one of the last straws that broke the camel's back.


JohnInSJ
Premium
join:2003-09-22
Aptos, CA
reply to scross
said by scross:

But indeed, no matter how old the pedigree of these systems (and they're not standing still by a long shot, but are constantly being updated in order to stay modern), all of them (including the embedded ones) are now routinely being connected to the internet

An embedded system connected to the Internet is not the same as a general purpose computer connected to the internet. But I suspect we are going to argue this until the end of time without reaching consensus.
--
My place : »www.schettino.us


Metatron2008
Premium
join:2008-09-02
united state
An embedded system is not one where people can modify, which letting people modify can bring even linux systems down.

But coming from somebody who would rather have OSX, a system where they update security patches far less often than their linux counterparts (And get owned in competitions like own to pwn), not to mention a system that has been bogged down to where it doesn't use resources well since lion and mountain lion came out (I have specifically gone thru resources used for all 3, snow leopard was far better at resource management), I am not surprised at your obtuse remarks scross.

If you really wanted a good resource managed OS you'd say linux.

But hell, your hate of Microsoft also seems to come from what you heard at work that you can't even give details on, that you didn't experience yourself

Which you then call 'first hand knowledge', because obviously, hearing something is the same as first hand


skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2
Reviews:
·Clear Wireless
·Cox HSI
·Verizon FiOS

1 edit
reply to JohnInSJ
No, it's worse because companies don't bother trying to secure them. They don't take PLC/embedded security seriously. And given they run just about everything in civil infrastructure makes it an infinitely larger problem than what goes on in the desktop market. The desktop market is simply a matter of inconvenience. Imagine the consequences of shutting the recirculating pumps of a nuclear reactor off. Actually, we don't have to imagine

Just ask the Iranians about how their strategy of keeping PLCs off the web worked out.


Metatron2008
Premium
join:2008-09-02
united state
reply to Metatron2008
(this reply is to scross)

With all this said, you certainly have the same irrational hatred of Microsoft that my linux friends have.

I don't get people like you. You don't seem to understand that your embedded system, or linux systems, are only secure because you program them a certain way and then users don't get to install software.

The reason why hackers attack the Microsoft OS is simply due to market share. There's only about 4 versions of windows where they did redesigns:

windows 1-3.11
Windows 95-me
windows 2000/xp/nt/server to 2003
windows vista/7/8/server from 2008 onward

Pretty much the same kind of OS is on hundreds of millions of pcs, each with users capable of installing programs.

This is not the same as embedded systems. You can't fucking install apps on cars or microwaves using the same exact os on hundreds of millions of cars and microwaves.

The same with linux to a degree. Linux is safe because you yourself can modify it. You get some serious marketshare and hackers would attack it.

There are actually trojans and rootkits for linux, don't believe me, look online.

You can have your little irrational hatred of microsoft, but you try making an embedded system with the ability to install apps on hundreds of millions of microwaves and you'll have a virus issue as well.


Metatron2008
Premium
join:2008-09-02
united state
And one final thing:

The resource management of xp was decent. When they redesigned Windows for security and whatnot, the resource management of vista was horrible (After a couple service packs, not super bad)

7 was decent, but 8 actually has pretty good resource management. I hate 8, but there's that at least.


skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2
Reviews:
·Clear Wireless
·Cox HSI
·Verizon FiOS

1 edit
The problem with XP is it didn't ship with AV and if it did, Symantec and everyone else would cry for JD intervention.

If Windows shipped with Giant's software on it, security essentials or whatever it's called, Windows security wouldn't be nearly as problematic as it appears.

There is no such thing as a secure system, whether connected to the Internet or not, so long as you have users on it, it's vulnerable. People can claim all day that one is better than the other but they all drop like flies during 0-day contests.

No OS can defend itself from a stupid user.

scross

join:2002-09-13
Cordova, TN
reply to Metatron2008
said by Metatron2008:

An embedded system is not one where people can modify, which letting people modify can bring even linux systems down.

But coming from somebody who would rather have OSX, a system where they update security patches far less often than their linux counterparts (And get owned in competitions like own to pwn), not to mention a system that has been bogged down to where it doesn't use resources well since lion and mountain lion came out (I have specifically gone thru resources used for all 3, snow leopard was far better at resource management), I am not surprised at your obtuse remarks scross.

If you really wanted a good resource managed OS you'd say linux.

But hell, your hate of Microsoft also seems to come from what you heard at work that you can't even give details on, that you didn't experience yourself

Which you then call 'first hand knowledge', because obviously, hearing something is the same as first hand

Gee, dude, you really need to go back and reread some of what I wrote! I've never claimed to be a particular fan of Apple products, I said my wife is, and now my daughter wants to be, too. The only thing I really know about OSX is that it is derived from Unix, which has a far better historical record than anything Microsoft has ever produced. And my "hate of Microsoft" comes from having been a Microsoft customer since before you were even born; today I probably wouldn't use their products at all if it weren't for the fact that I sometimes have to for business reasons, so I keep a couple of computers around that run Windows, such as the one I'm on right now.

As far as what I "heard at work", a remarkable amount of what I heard was people saying that they wished they had Macs or Linux boxes at work like they did at home, so that they could just get things done without having to deal with a bunch of BS. The hardcore Windows folks would blow a gasket at this, of course.

I should add that my past experiences with Linux haven't exactly bowled me over, either; in fact, some of them have been downright painful. But I haven't played around with any of the most current releases yet, either. I may or may not do that in the near future.

scross

join:2002-09-13
Cordova, TN
reply to Metatron2008
said by Metatron2008:

The reason why hackers attack the Microsoft OS is simply due to market share.

This is a BS argument. The reason why hackers attack Microsoft is because it's such an easy target, with a huge attack surface - historically, at least (things MAY be a bit better these days). Maybe a lucrative one, too, today, but I remember the days when hackers did this just to show each other up, not for any particular gain. This crap started well before Microsoft had anything like the market share that it has today, and well before things were interconnected like they are today.

This goes back to the DOS days, in fact, and I remember running around doing emergency virus scans on various DOS PCs because of some presumed drop-dead date for a virus attack. I've never had to do anything like this on any other platform that I've ever worked on.

scross

join:2002-09-13
Cordova, TN
reply to skeechan
said by skeechan:

There is no such thing as a secure system, whether connected to the Internet or not, so long as you have users on it, it's vulnerable. People can claim all day that one is better than the other but they all drop like flies during 0-day contests.

No OS can defend itself from a stupid user.

There is no such thing as a perfectly secure system, that's true - just like there's no such thing as a perfectly trustworthy employee, even if it's the CEO (especially if it's the CEO, IMO). But some systems are fundamentally better at security than others, just as some locks are fundamentally better than others. If you're the type that just goes around leaving things unlocked, though, then eventually you'll get what's coming to you!


Thaler
Premium
join:2004-02-02
Los Angeles, CA
kudos:3
reply to scross
said by scross:

said by Metatron2008:

The reason why hackers attack the Microsoft OS is simply due to market share.

This is a BS argument. The reason why hackers attack Microsoft is because it's such an easy target, with a huge attack surface - historically, at least (things MAY be a bit better these days). Maybe a lucrative one, too, today, but I remember the days when hackers did this just to show each other up, not for any particular gain. This crap started well before Microsoft had anything like the market share that it has today, and well before things were interconnected like they are today.

Your age is kinda showing here. Malware's pretty big business these days and they're all about the most bang-for-their-buck in terms of coding time. True, hackers used to (and at security conventions, still do) show one another up for what they can do. However, the majority of your malware comes from folks wanting high-return, low effort jobs.


Metatron2008
Premium
join:2008-09-02
united state
reply to scross
said by scross:

said by Metatron2008:

The reason why hackers attack the Microsoft OS is simply due to market share.

This is a BS argument. The reason why hackers attack Microsoft is because it's such an easy target, with a huge attack surface - historically, at least (things MAY be a bit better these days). Maybe a lucrative one, too, today, but I remember the days when hackers did this just to show each other up, not for any particular gain. This crap started well before Microsoft had anything like the market share that it has today, and well before things were interconnected like they are today.

This goes back to the DOS days, in fact, and I remember running around doing emergency virus scans on various DOS PCs because of some presumed drop-dead date for a virus attack. I've never had to do anything like this on any other platform that I've ever worked on.

Not only is your age showing as Thaler said, but at conventions where hackers show each other up, like pwn to own, Microsoft OS's usually get hacked after the other OS's are, or at the least after safari does.

Don't believe me?

»www.zdnet.com/blog/security/macb···-own/984

Macbook air falls in 2 minutes

»www.zdnet.com/blog/security/pwn2···ll/10588

pwn 2 own 2012: google chrome browser first to fall

»en.wikipedia.org/wiki/Pwn2Own

quote:
After the successful 2007 contest, the scope of the Pwn2Own contest was expanded to include a wider array of operating systems and browsers in 2008.

Outcome
The laptop running OS X was exploited on the second day of the contest with an exploit for the Safari browser co-written by Charlie Miller, Jake Honoroff and Mark Daniel of Independent Security Evaluators. Their exploit targeted an open-source subcomponent of the Safari browser.
The laptop running Windows Vista SP1 was exploited on the third day of the contest with an exploit for Adobe Flash co-written by Shane Macaulay, Alexander Sotirov, and Derek Callaway.
The laptop running Ubuntu was not exploited.
own 2 pwn 2009 outcome:

quote:
On the first day of the contest, the first contestant to be selected was Charlie Miller. He exploited Safari on OS X without the aid of any browser plugins[21]. In interviews after winning the contest, Miller stressed that while it only took him minutes to run his exploit against Safari it took him many days to research and develop the exploit he used[22]. Miller won the MacBook Air as well as $5,000 for reporting his vulnerability to ZDI[23].
Continuing the random drawing on the first day of the contest, a researcher identified only by Nils was selected to go after Miller. Nils successfully ran an exploit against Internet Explorer 8 on Windows 7 Beta without the aid of any browser plugins, winning the Sony Vaio laptop and promising his vulnerability to ZDI for $5,000. In writing this exploit, Nils had to bypass an array of new anti-exploitation mitigations that Microsoft had implemented in Internet Explorer 8 and Windows 7, including Data Execution Protection (DEP) and Address Space Layout Randomization (ASLR) [23][24].
After exploiting Internet Explorer, Nils elected to continue trying his luck with the other browsers before giving up his time slot. Although Miller had already exploited Safari on OS X, Nils exploited this platform again and claimed an additional $5,000 prize from ZDI[23][25].
After exploiting Safari, Nils moved on to Firefox and again exploited this platform without the aid of any browser plugins.

Chrome, as well as all of the mobile devices, went unexploited in Pwn2Own 2009
»downloadsquad.switched.com/2010/···tanding/

quote:
Pwn2Own 2010 is under way, and after day one of the annual security showdown the results are darn near an exact replica of last year's. Safari was the first to fall, followed by Internet Explorer 8 on Windows 7. Firefox on Windows 7 x64 was also taken down, as was the iPhone's mobile Safari. Google Chrome, however, has yet to succumb.

Once again, it's Chrome's sandbox which is making things difficult. At last year's Pwn2Own, Charlie Miller had this to say:
"There are bugs in Chrome but they're very hard to exploit. I have a Chrome vulnerability right now but I don't know how to exploit it. It's really hard. They've got that sandbox model that's hard to get out of. With Chrome, it's a combination of things - you can't execute on the heap, the OS protections in Windows and the Sandbox."
»www.washingtonpost.com/blogs/fas···log.html

quote:
The first browser to get hacked was Apple's Safari. As Ars Technica's Peter Bright wrote on Thursday, the almost-current 5.0.3. version of Safari, running on an up-to-date copy of Mac OS X 10.6.6, succumbed to a malicious page written by researchers with VUPEN, a French security firm, in a few seconds.

They proved the attack by remotely launching the Mac's Calculator program and writing a file to the MacBook Air's flash drive — earning them the right to keep the laptop, as per the contest's rules.

Microsoft's Internet Explorer 8, running on Windows 7 updated with Service Pack 1, fell later that day. Bright's report notes that the IE 8 hack involved more exploits and took five to six weeks to construct, against two for the Safari exploit.

On the second day of Pwn2Own (organized by HP's Austin-based TippingPoint DVLabs subsidiary and held at the CanSecWest conference in Vancouver every year), the iPhone 4 and a BlackBerry Torch smartphone also suffered successful hacks. Although the iPhone 4 was not running Apple's just-released iOS 4.3 — the contest rules only required that the target device be running software current as of the week before — the vulnerability exploited in the attack exists in 4.3, too.

There's not much interpretation needed for these results, right? Apple's Mac OS X is a dangerously insecure platform — it's been successfully hacked at Pwn2Own every year since its debut in 2007 — that should be avoided if you don't want your computer to get taken over by a drive-by download.
»www.cnn.com/2011/TECH/mobile/03/···dex.html

Hacking competition leaves Android, Windows Phone 7 undefeated

pwn 2 own 2012:

quote:
At Pwn2Own, Chrome was successfully exploited for the first time. VUPEN declined to reveal how they escaped the sandbox, saying they would sell the information.[41] Internet Explorer 9 on Windows 7 was successfully exploited next.[42] Firefox was the third browser to be hacked using a zero day exploit.[43]
Safari on Mac OS X Lion was the only browser left standing at the conclusion of the zero day portion of pwn2own. Versions of Safari that were not fully patched and running on Mac OS X Snow Leopard were compromised during the CVE portion of pwn2own. It should be noted that significant improvements in the security mitigations within Mac OS X were introduced in Lion.
Except for the zero day exploit in IE9 for 2012, most hacking attempts on IE took weeks to do, and usually were based on flash exploits, while safari was always hacked first, except for the 2012 contest.

So, did you have anything on topic to say, or are you just here to bash Microsoft, no matter how wrong you actually are?


Metatron2008
Premium
join:2008-09-02
united state

1 recommendation

It should also be mentioned that Chrome for many years didn't get touched. Linux also never gets hacked, although Linux also has a really low customer base and is made by people who are usually hackers....

OSX gets creamed pretty much always, which coming from a guy talking about getting OSX while complaining about how insecure Windows is, is about the most hilariously dumb thing I've read all day.


skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2

1 recommendation

reply to Metatron2008
So after all that quoting we come to the most recent contest where Chrome, IE and FF all fell on zero day but Safari was left standing thanks to recent improvements? I don't really care much what things were like in 2007 and more about how they are now.


JohnInSJ
Premium
join:2003-09-22
Aptos, CA
said by skeechan:

So after all that quoting we come to the most recent contest where Chrome, IE and FF all fell on zero day but Safari was left standing thanks to recent improvements? I don't really care much what things were like in 2007 and more about how they are now.

You do recall this recent one, right? »www.theverge.com/2012/9/26/34107···-exploit - it was only a month ago.
--
My place : »www.schettino.us


skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2
Uh, that would be Oracle and Java runtime doesn't ship with OS X and hasn't for over a year (since 10.7.0). As far as I know, Windows doesn't ship with JRE either. In both cases, Oracle Java has to be downloaded and installed by the user just like any 3rd party application.

That's like blaming OS X and Windows for Flash vulnerabilities when Flash doesn't come installed in either OS.


JohnInSJ
Premium
join:2003-09-22
Aptos, CA
said by skeechan:

Uh, that would be Oracle and Java runtime doesn't ship with OS X and hasn't for over a year (since 10.7.0). As far as I know, Windows doesn't ship with JRE either. In both cases, Oracle Java has to be downloaded and installed by the user just like any 3rd party application.

That's like blaming OS X and Windows for Flash vulnerabilities when Flash doesn't come installed in either OS.

Browser-based zero day exploits use the browser to gain local access, and then use a local elevation to gain access. This is a real zero-day exploit. I don't "blame" anyone, the zero-day stuff is out there, and it matters little if the conduit is Java or social engineering. The OSes are as vulnerable as the user behind the keyboard is willing to make them. All of them. As soon as the user is convinced to click "allow" game over.
--
My place : »www.schettino.us


skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2

3 edits
Oracle Java does not ship on these systems. Java runtime is not JavaScript. They are completely unrelated. Meanwhile yeah, if a user chooses to install malware, the OS will permit it. But that isn't an exploit. What you describe (user clicking install) is the system behaving as it should, installing software at the user's request. Even then, what you propose won't work with OS X because unsigned stuff won't install without additional user intervention (Gatekeeper), even more so than UAC because there is no "Allow" in Gatekeeper like there is in UAC. You actually have to turn it off and then reattempt the install (or start over with the install and use a contextual selection to bypass Gatekeeper when installing).


skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2
reply to scross
An imperfectly secure system is not secure. Someone adept at picking locks can open any lock meanwhile even the worst lock is good enough to keep those who aren't adept at picking locks from getting it open.


JohnInSJ
Premium
join:2003-09-22
Aptos, CA
reply to dellsweig
And to keep this relevant to iOS... every iOS version so far has eventually been jailbroken, which means, yes, exploited to gain root. So, iOS isn't immune either.
--
My place : »www.schettino.us


skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2
JBing requires physical access to the device.