
Miller-Naraine

Can you see what's wrong with this picture?



Miller-Naraine: Miller is of course Charlie Miller, the ISE (former NSA) hacker who first broke into the iPhone, then last year hacked a Mac at CanSecWest, then did it again this year at the same event. Naraine is Ryan Naraine, a security evangelist employed by Kaspersky Lab who finds no conflict of interest writing for ZD, perhaps the most snowed-in ignorant mainstream pro-Windows luser website in the world.

Ryan recently conducted an interview with Charlie Miller.

http://blogs.zdnet.com/security/?p=2941

Here are three more related articles by Kaspersky Lab employee Ryan Naraine.

http://blogs.zdnet.com/security/?p=2748
http://blogs.zdnet.com/security/?p=2917
http://blogs.zdnet.com/security/?p=2934

Here are some excerpts from the interview.

RN: Did you consider reporting the vulnerability to Apple?
CM: I never give up free bugs. I have a new campaign. It's called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit, and then give it away. Apple pay people to do the same job so we know there's value to this work. No more free bugs.

RN: Why Safari?
CM: It's really simple. Safari on the Mac is easier to exploit. The things that Windows does to make it harder (for an exploit to work) Macs don't do. Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigations you'd find in Windows.

It's more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn't have anti-exploit stuff built into it.

With my Safari exploit I put the code into a process and I know exactly where it's going to be. There's no randomisation. I know when I jump there the code is there and I can execute it there. On Windows the code might show up but I don't know where it is. Even if I get to the code it's not executable. Those are two hurdles that Macs don't have.

It's clear that all three browsers (Safari, IE, Firefox) have bugs. Code execution holes everywhere. But that's only half the equation. The other half is exploiting it. There's almost no hurdle to jump through on Mac OS X.

RN: On a scale of 1-10 how impressive was Nils' sweep of exploiting all three main browsers?
CM: I was surprised. For IE 8 I'd give him a 9 out of 10. For Safari maybe a 2. It's just too easy to pop Safari. For Firefox on Windows I give him a 10. That was the most impressive of the three. It's really hard to exploit Firefox on Windows.

RN: Really? What's the difference between what you can do on IE but can't do on Firefox?
CM: The technique he used works against IE but not Firefox. It allows you to place code in a specific spot in memory. Mark Dowd and Alex Sotirov talked about this at last year's Black Hat. You can use a technique to make .NET not opt into the mitigations and jump over hurdles easily. With Firefox you can't do that.

For all the browsers on operating systems the hardest target is Firefox on Windows. With Firefox on Mac OS X you can do whatever you want. There's nothing in the Mac operating system that will stop you.

In an earlier interview that took place before this year's CanSecWest Miller predicted how easy it would be to 'hack the Mac' - but of course he already knew at this point he'd most likely win as he was going to attend CanSecWest with a hack he already knew should work.

But there's something wrong here. Something that flies in the face of everything people have been saying and more alert people have learned. Something that flies in the face of what Bruce Schneier has been saying, what the US GAO have been saying, what Gartner have been saying, and what the EFF are now urging: please people get the F off Windows and save the Internet.

Address randomisation: this and making sure heaps aren't executable are important things in the World of Windows. They're like a 'final defence plus one' - they're good when things are so screwed up and security is so weak all the other defences (if there were any) have already been blown. The fact that such a desperate line of defence should ever be needed is unswerving testimony to the fact the rest of the system - the basic security model - is for shit. The fact Charlie Miller or that mysterious 'Nils' work on this level doesn't mean much in the bigger picture.
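Whether a program can benefit from address randomisation or a non-executable stack and heap at all is recorded in its executable header, so the check a defender actually wants is "does this binary opt in?" The Python script below is an added example, not code from the Rixstep article or from Apple or Microsoft: it parses minimal ELF64 and 64-bit Mach-O headers and reports the PIE, non-executable-stack and non-executable-heap opt-in bits. The constants are taken from the ELF specification and Apple's mach-o/loader.h; the sample headers are constructed inline and are not real binaries; the function names (inspect_binary, missing_mitigations, make_elf64, make_macho64) are my own.

```python
import struct

# Binary-format constants from the ELF specification and Apple's mach-o/loader.h.
ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3                 # fixed-address executable vs. position-independent
PT_GNU_STACK = 0x6474E551              # program header carrying the stack's permission bits
PF_X = 0x1

MH_MAGIC_64 = 0xFEEDFACF
MH_EXECUTE = 0x2
MH_PIE = 0x200000                      # loader may slide the image to a random base
MH_ALLOW_STACK_EXECUTION = 0x20000     # opts back in to an executable stack
MH_NO_HEAP_EXECUTION = 0x1000000       # asks for a non-executable heap


def inspect_elf64(data):
    """Report PIE and stack-NX opt-in for a little-endian ELF64 image."""
    hdr = struct.unpack_from("<16sHHIQQQIHHHHHH", data, 0)
    ident, e_type = hdr[0], hdr[1]
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    if ident[4] != 2 or ident[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled here")
    nx_stack = None                    # no PT_GNU_STACK: permissions left to the loader's default
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
    return {"format": "elf64", "pie": e_type == ET_DYN, "nx_stack": nx_stack, "nx_heap": None}


def inspect_macho64(data):
    """Report PIE and NX opt-in recorded in a 64-bit Mach-O header's flags word."""
    fields = struct.unpack_from("<IiiIIIII", data, 0)
    flags = fields[6]
    return {
        "format": "macho64",
        "pie": bool(flags & MH_PIE),
        "nx_stack": not (flags & MH_ALLOW_STACK_EXECUTION),
        "nx_heap": bool(flags & MH_NO_HEAP_EXECUTION),
    }


def inspect_binary(data):
    """Dispatch on the magic number; raise on anything else rather than guess."""
    if data[:4] == ELF_MAGIC:
        return inspect_elf64(data)
    if struct.unpack_from("<I", data, 0)[0] == MH_MAGIC_64:
        return inspect_macho64(data)
    raise ValueError("unrecognised binary format")


# --- constructed sample headers (not real binaries): just enough bytes to exercise the checks ---

def make_elf64(e_type, stack_flags):
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9            # ELF64, little-endian, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, e_type, 62, 1, 0x1000,
                       64, 0, 0, 64, 56, 1, 0, 0, 0)         # one program header right after ehdr
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


def make_macho64(flags):
    # cputype 0x01000007 is x86_64; filetype MH_EXECUTE; no load commands are needed for the flags check
    return struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, MH_EXECUTE, 0, 0, flags, 0)


SAMPLES = {
    "elf-hardened":   make_elf64(ET_DYN, 0x6),                      # PIE, stack RW only
    "elf-legacy":     make_elf64(ET_EXEC, 0x7),                     # fixed base, stack RWX
    "macho-hardened": make_macho64(MH_PIE | MH_NO_HEAP_EXECUTION),
    "macho-legacy":   make_macho64(0),                              # neither flag set
}


def missing_mitigations(data):
    """Names of the mitigations this image does not opt into; empty means it opts into all it can."""
    r = inspect_binary(data)
    return [name for name in ("pie", "nx_stack", "nx_heap") if r[name] is False]


if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:15s} {inspect_binary(blob)}  missing={missing_mitigations(blob)}")
```

The header bits only record what the image asks for; whether the loader honours them is decided by the operating system, which is exactly Miller's point above that the OS matters more than the target program. A `None` result means the image says nothing either way and the platform default applies.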

You're not more or less secure because of an interview. Did you think you needed all the stupid anti-malware tools Windows needs yesterday? Then you don't need them tomorrow either.

Putting an OOTB Mac online is nothing; put an OOTB Windows PC online and it's toast inside of twenty minutes. Standing there doing nothing at all it's toasted in twenty minutes. All the Ryan Naraines and Charlie Millers in the world can't ever change that. And the Ryan Naraines will still remind you of this fact anyway: they've got snake oil they want you to buy.

There's nothing wrong with randomisation. It does make hacking harder. And yet people see Windows is already getting clobbered all over the place even with such technologies in use. The bottom line for the end user hasn't changed - despite the ambitions of the Windows security cottage industries such as Ryan Naraine's Kaspersky Lab.

If you didn't need AV and anti-spyware on your Mac yesterday you don't need it tomorrow. There's nothing better the Windows security cottage industry rainmakers would love than to see all the refugees return - so they could go back to selling useless subscriptions to defence tools that demonstrably don't work and can't stop a damned thing.

Even combining all the AV tools on the market, the odds Joe Luser can completely clean a Windows box are less than nil. Even with all the AV tools on the market combined, Joe Luser will still miss as many as half the infections. So much for the Kasperskys of this world.

There's nothing better they'd love than to screw you out of an extra few $100 per year again, have you miserable in front of your lacklustre third grade quality PC, with its lacklustre third grade quality so-called operating system, and feeling just-totally-miserable all over again, ready again to pull out your hair, scream out your grief, and bemoan your gullibility in letting the Gateses and Naraines of this world bamboozle you one more time.

The one thing they all fear - the one thing they will fight as long as they can - is people getting smart and leaving Windows. They're out of business if enough people do that. The day Microsoft collapses (hooray) they're through. Washed up. Back on the chow line. Brother can you spare a dime. They're literally out of jobs the lot of them. Think of them as a computer age military industrial complex. They need an enemy to keep the money coming in.

Is Charlie Miller's exploit real? Of course it is. He won $5000; they don't give money like that away frivolously. Did Charlie Miller adequately explain how easy it's been to hack into these Apple devices? Yes he did. He checked changelogs for open source modules and looked for security patches Apple hadn't got around to implementing. It's almost too easy.

So are Apple lax (and smug) here? Of course they are. This site has many times pointed out where even bigger security holes can be found - yes in fully patched completely up to date systems. Do Apple do anything about these 'craters' as the author of Opener described them? No. Is there any reasonable explanation why they don't do this? Of course not. And there's no excuse for it either.

But Apple's OS is still a Unix - albeit with a lot of unwelcome beige box stuff tossed on top. Apple are essentially running 'a second system' with separate paths into their OS kernel, both through the vetted and more sturdy Unix APIs and through their questionable legacy - and often extremely insecure and wobbly - Carbon 'toolbox' APIs. This is of course not good. And to a certain extent Mac users have been lucky given these inexcusable architectural compromises.

And how about Safari letting bad code slip through and enter the kernel without authentication? For somehow in some fashion it happened. Is this good? Like heck it is. Anyone can take a good system like Unix and corrupt it, ruin it. And maybe the Safari team have in fact done something incredibly stupid here.

But are you going to go running back to Windows because of what Charlie Miller tells you and what Ryan Naraine selectively tells you? You. Gotta. Be. Kidding. Did you feel you were on the wrong platform when ZD's George Ou told you Windows had better fonts? Did you believe him? Are you really going to read ZD for all your - gasp - security news?

When you look at the mess that's the Internet out there (and all because of Windows) are you going to feel encouraged to return to the very platform that's made a full travesty of it, a platform so bad Bill Gates was forced to apologise to the world?

No you are not. Not if you have any sense about you.

Windows lusers love this kind of shit. They get in the comments threads and really live it up. They sit at home in their kevlar knickers with AK-47s strapped over their shoulders, deeply hidden in their bunkers, on vigilant watch against new and greater and more evil exploits, ready as ever to visit any one of hundreds of web resources to find out what's happened to them online today. Or completely wipe and reinstall if it gets too bad.

They run a system so totally lacking in security that the system cannot stop intrusions as they occur but only alert them after the fact their system's been trashed again - and admonish them to get out their install CDs and begin anew.

Such fun. And this is what these lusers go through on a daily basis. And any PC warrior who's ever been enticed into helping a friend of a Windows luser knows just how bad it gets. It can't get worse than that.

But the panache Unix users feel in the face of all the woes Windows lusers complain of - this really pisses the Windows lusers off. They don't get it; they haven't had the spiritual wherewithal to try any other platform; they're often too clueless and lacking in cerebral wherewithal to do it; they really don't understand how people on Unix platforms such as Ubuntu and Mac OS X can get away year after year without all the stupid antivirus and anti-spyware junk they have, they don't understand why there isn't news of major outbreaks on these other platforms; they don't understand it, it confuses them, it makes them feel inadequate and panicky, and it pisses them off - and even more when they see how chilled out and happy Unix users are.

They think this is a game. They think it's about one team winning over another. They're as close to 'congenitally stupid' as they can get without falling all the way in.

It's not about anyone winning. It's not about rooting for a platform. It's about the security of everyone on the Internet and the ability of ordinary people to embrace the Internet and its promise without the typical criminal threats hanging over their heads all the time and ruining everything for them. It's about seeing what potential the Internet has once people no longer fear it.

And in that context any Unix is essentially as good as another - for none of them are Windows.

As for that age-old monotone argument that it's only about market share and that Unix and Mac OS X will get hit just as hard (or harder) the day they defeat Windows - who the F cares? Today these Unix/Mac OS X users are a lot more secure and we all know it. The day a safe platform becomes insecure is the day to look again for an alternative. But that day isn't here and in the meantime people smart enough to be on Unix are safe (and smart) whilst Joe Lusers on Windows are the same as ever: lusers.

It might not be a game but it's a propaganda war - a war the Gateses and the Enderles and the Ous and the Naraines and others have been waging for years. ZD themselves - as many sites - are increasingly in real trouble because of the shift away from Windows because that's all they know. They're doomed because Windows - just like Microsoft - is going away, superseded by the strong Unix systems and the force that is Google (who also run Unix - everybody except Joe Luser is running Unix today thank you very much). They were too stupid - too arrogant and contemptuous - to see this coming.

ZD are doing their part - with some of the loudest but most poorly educated 'technical journalists' in the world. And we all know how loud empty vessels can become. The typical 'Mac' site won't excel at technical depth or excellence either but if you can agree you're all on the same platform at least the Kool-Aid™ won't be as toxic.

Brian Krebs doesn't believe in AV or anti-spyware for his Mac; Charlie Miller doesn't either. But of course Kaspersky's trusty employee Ryan Naraine won't remind you of that. So why should you do any differently?

There is a principle which is a bar against all information which is proof against all arguments and which cannot fail to keep us in everlasting ignorance. That principle is 'contempt prior to investigation'.
 - Herbert Spencer

See Also
Learning Curve: Windows: Give It Up, Dude!
Industry Watch: EFF: 'Avoid Microsoft Products Where Possible'
ComputerWorld: Apple's Antivirus Advice Much Ado About Nothing Says Researcher

Copyright © Rixstep. All rights reserved.