Why Things Don't Happen
And why they should.
Basically, if Apple can't port the Mac OS X TCP/IP stack from Intel to ARM without adding the old old old decrepitly old TCP spoofing vulnerability back in, there's no hope that they will ever take security seriously.
This is such a BAD idea that it is crazy. Apple really needs to get a clue about what you should use Apple Software Update for; i.e. NOT installing new software. First it was Safari, and now a service that allows someone - anyone - to determine the services that a computer has running?!?!?!?!
At some point Apple's software will become a HUGE problem, à la Nachi, Sasser, Blaster, etc. getting a hold of it. I'm really starting to dislike their business practices with ASU....
- Don Rhodes
Right now I'd even settle for a basic EOL schedule for OSes.
I do have some serious questions on this topic of Mac OS X security. Fanboy issues and incorrect beliefs held by many about Mac OS X security aside, I think there is a problem with the way Apple security issues are dealt with, including your wireless vulnerability.
It's time people, including Apple, wake up to a lot of these issues, or there *will* be a rude awakening coming, reminiscent of the Microsoft of five years ago. It took Microsoft *years* to pull itself out of that, and it's still a work in progress.
- Dave Schroeder
As a side note I have to mention the statement that Secureworks issued clarifying the video. She forgot to mention to reporters that statement was created in cooperation between Apple PR and Secureworks PR. Although Apple PR really wanted the statement to be extended to cover any demos given in person (Krebs, anonymous Blackhat employee) Secureworks couldn't do that. Minutes after this was posted Lynn Fox started pitching reporters a story that Secureworks had changed its story based on the update. If you actually read the Secureworks statement it just covers the video and says nothing I didn't say in the video twice. I suppose her omission of this information was designed to make it appear Jon and I were frauds and thus make a big story. I suppose the headline 'Apple asked Secureworks to clarify their video, Secureworks obliges' would not have been as sensational or given the Mac zealots ammunition to drag Jon and me through the mud for months. I also find it funny the only real news outlet that ran the 'Secureworks changes position' story was Macworld. Here is a funny note: the guy who wrote the story, Jim Dalrymple, never contacted Jon, myself, or Secureworks for any reason during the entire fiasco. It doesn't matter much to me anymore as I have yet to meet a client of Errata Security (the company I formed after leaving Secureworks) that thinks I faked it all. Also I am in the process of writing a book about horror stories of when responsible disclosure goes wrong, with Apple being the flagship issue. Everything that happened will be detailed. As far as security research into Apple I haven't done much else in the last few months and I flat out refuse to report any issues to Apple security anymore because of two things. One is that I don't trust their PR department not to try and smear me again. I feel their handling of the Secureworks statement pretty much proved this. The second reason is simple: Apple apparently has more leaks than a sinking ship.
How do I know this? Several of the bloggers who were calling for my head on a platter had information I had given to just one person at Apple and that no one else knew. It's almost like pro-Mac bloggers have a hotline to the 2 or 4 person security group at Apple. If a company wants me to keep details of a vulnerability private, they can at least do the same.
- David Maynor
No one (outside of us and other OS X users with a clue) seriously gives a fuck; sad but true. If this seems familiar it's because this is the same story over and over again with Bloopertino. There isn't a problem or an acknowledgement of said problem until something bad happens, be it malware or a class-action lawsuit. Only then do the press care - long enough for a one-paragraph blip and no one is ever the wiser.
Apple is the media darling. Anything that happens on Windows is business as usual. This year is the year of Linux on the desktop. War is peace. Ignorance is strength. Freedom is slavery.
Apple is a lost cause in my book - which is a damn shame considering the potential of what OS X could have been. They're a bunch of boobs who can't find the sky from deep within their anal sphincters. /Library is still wide open for pickings. iPhones still run with root privileges by default and the best they could come up with is a total walled garden with VIP access. Their apps melt down with a simple hand-edited ipfw configuration. The market is awash in APE and kiddie-grade Applescript-wrapped garbage. And so forth.
If big shots from the ISV cohort are having a hard time getting the Bloopertino boobs to listen and fix shit promptly, what does that say about the priorities at One Infinite Bloop?
Not that I'm trying to advocate black hattery, but it seems that it's the only way for anyone to sit up and pay attention in Jonestown.