Calendar Awards Forum Leaders List Members List FAQ
Advertisement

Reply
$ LinkBack Thread Tools
 
  #1 (permalink)   [ ]
Old 04-11-2012, 08:19 PM
8bit 8bit is a male United Nations 8bit is offline
Our sunshine is not for franchise!
Join Date: Aug 2004
Location: Carbondale, Illinois
View Posts: 8,349
  #2 (permalink)   [ ]
Old 04-11-2012, 08:57 PM
Viajero de la Galaxia Viajero de la Galaxia is a male United States Viajero de la Galaxia is offline
Joe

Join Date: May 2010
Location: United States
View Posts: 2,624
Re: Security through Obscurity.

So, while Google pays outside programmers to find security flaws in their software, Apple attacks and revokes the licenses of those who locate and report flaws?

What the hell, Apple?
Reply With Quote
  #3 (permalink)   [ ]
Old 04-11-2012, 08:59 PM
Aniday Aniday is a male United States Aniday is offline
Poignant party pooper
Join Date: Nov 2003
View Posts: 4,758
Re: Security through Obscurity.

I've been having a few conversations about this for a while.

It's fear mongering. They bring their attention to Apple and how much danger Mac users are when that isn't most of the problem.

Most of the problem is how awful Java is and how it is constantly riddled with security holes. Instead of attacking Apple, a third party in the issue, they should be asking all kinds of questions to the developers of Java. Hold them accountable for the mess they made with their crappy, insecure, cross-platform mess.

Now, it is Apple's fault for constantly taking forever with Java updates and stupidly allowing Safari to be defaulted to run any Java applet on a webpage when they know better. Updating to the patched version the same day the bloated 600,000 infection numbers come out is a little too late.

Continuing my point that this is a Java problem, we've known about these exact vulnerabilities for a while now and they weren't exclusive to OS X. Java is on every OS. Windows... Linux. Everyone uses it. It's just like flash. A third party software that has a monopoly on a market that everyone feels they need to use is going to cause problems, especially when the developers don't seem to have a good concept on security. Apple actually gave up pre-installing Flash on their OS and they almost did the same thing to Java until they reached an agreement with Sun.

Apple didn't really 'snub' anyone. The server they were routing everyone through is just further manipulation of the botnet. Sure, no harm was done, but if I was infected I would rather you just leave me alone instead of use me as an integer in your shady data gathering. Apple wanted it shut down asap. Extrapolating disrespect and putting words in Apple's mouth isn't really good journalism. Apple doesn't say much to give room for assumptions, but bloggers do it anyway. Makes for a better headline. Headline=clicks=money.

And now we have AV vendors like Kapersky furthering the scare mongering by releasing uni-task scanners and bogus sites like backtrackcheck.com that have you paste in your UUID number to see if you're infected. lol. It's bull.

You can easily check if you have it and remove it with Terminal. Which is an obvious testament to the severity and complexity of this particular piece of malware.

The habit of blog columnists to sensationalize something like this is written all over. This isn't a sign of a coming apocalypse of security on OS X. It's a sign that we shouldn't tolerate third party companies throwing the security of your computer out the window. It's unfortunate that many exploit the ignorance of computer users to get them to use/buy AV software, because that is what this has turned into.

Quote:
So, while Google pays outside programmers to find security flaws in their software, Apple attacks and revokes the licenses of those who locate and report flaws?

What the hell, Apple?
That's a separate situation. What happened is that the researcher found the bug in iOS, but instead of telling Apple about it and leaving it alone, he actually crafted his own 'malicious' app and uploaded it to the App store to see if it actually worked. Of course it did, and of course Apple found out, and of course they revoked his developer license. He broke the license agreement with the publishing of an unneeded app that exploited that bug. He knew it would happen and he didn't really care.
__________________
Last Edited by Aniday; 04-11-2012 at 09:14 PM. Reason: Reply With Quote
  #4 (permalink)   [ ]
Old 04-11-2012, 11:27 PM
8bit 8bit is a male United Nations 8bit is offline
Our sunshine is not for franchise!
Join Date: Aug 2004
Location: Carbondale, Illinois
View Posts: 8,349
Re: Security through Obscurity.

Quote:
Originally Posted by Aniday View Post
Most of the problem is how awful Java is and how it is constantly riddled with security holes.
It could also have something to do with allowing arbitrary installation and code execution without root access, which is how flashback actually does its thing.

Quote:
Instead of attacking Apple, a third party in the issue, they should be asking all kinds of questions to the developers of Java. Hold them accountable for the mess they made with their crappy, insecure, cross-platform mess.
This family of malware has been around longer than that particular vulnerability, and it will likely continue to exist beyond this patch for the above stated reason.

Quote:
Continuing my point that this is a Java problem, we've known about these exact vulnerabilities for a while now and they weren't exclusive to OS X. Java is on every OS. Windows... Linux.
Even if this was only an issue with Java, even if the OS level vulnerability applied to GNU/Linux systems, at least with a GNU/Linux system you'd have the Java patch once it's released, rather than having to wait months.

Quote:
Apple didn't really 'snub' anyone. The server they were routing everyone through is just further manipulation of the botnet. Sure, no harm was done, but if I was infected I would rather you just leave me alone instead of use me as an integer in your shady data gathering. Apple wanted it shut down asap.
Sinkholes are a common tactic in network security. Not only does it allow for this type of analysis, it routes bots away from actual botnet control centers. It isn't a situation wherein either the person with this software is monitored by Dr. Web or they are left alone. It is a situation wherein they are either monitored by Dr. Web or they contribute to the construction of a malicious botnet. By attempting to shut down Dr. Web's sinkhole, Apple has, perhaps inadvertently, strengthened this botnet.

Quote:
And now we have AV vendors like Kapersky furthering the scare mongering by releasing uni-task scanners and bogus sites like backtrackcheck.com that have you paste in your UUID number to see if you're infected. lol. It's bull.
This is... false... Not only does backtrackcheck.com not exist, it has never existed.
__________________
Don't trust the police.
No justice; no peace.
Reply With Quote
1 person liked this post: Captain Cornflake
  #5 (permalink)   [ ]
Old 04-12-2012, 03:35 PM
Aniday Aniday is a male United States Aniday is offline
Poignant party pooper
Join Date: Nov 2003
View Posts: 4,758
Re: Security through Obscurity.

Whoops. It was http://flashbackcheck.com/ instead. I was working from memory. Don't get too excited to disagree =p

Java is consistently number one in malware exploits, Flash is close behind. Am I wrong in saying that? Am I wrong when saying Java is a POS that's constantly an easy target to exploit? That's all I'm really trying to say.

I don't think it's very unreasonable to blame the source of the vulnerability instead of doing what the media does and point at Apple for anything and everything that has to do with electronics.

Drama surrounding an overseas electronics supplier! Blame Apple!!
Java trojan infecting computers! Blame Apple!

It's just to grab headlines because Apple is popular. The fault mostly rests with Java. Tertiary blame can go to Apple for not picking up the slack and patching that sooner, I never disputed that.

---------- Post added at 01:35 PM ---------- Previous post was at 01:30 PM ----------

From another Java update today. I've gotten like, three in the past week. Christ, Apple.

Quote:
Originally Posted by Apple
This Java security update removes the most common variants of the Flashback malware.

This update also configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application. If the Java web plug-in detects that no applets have been run for an extended period of time it will again disable Java applets.
Hurr durr, took you long enough.
__________________
Reply With Quote
  #6 (permalink)   [ ]
Old 04-12-2012, 03:55 PM
8bit 8bit is a male United Nations 8bit is offline
Our sunshine is not for franchise!
Join Date: Aug 2004
Location: Carbondale, Illinois
View Posts: 8,349
Re: Security through Obscurity.

Quote:
Originally Posted by Aniday View Post
Java is consistently number one in malware exploits, Flash is close behind. Am I wrong in saying that? Am I wrong when saying Java is a POS that's constantly an easy target to exploit? That's all I'm really trying to say.
No, you are not incorrect in saying that. Java and Flash are prime targets for malware in both Mac OS X and Windows NT. Where you are incorrect is in shifting the blame solely to Java/Flash, when the malware in question simply uses Java or Flash as a mode of entry, and then exploits the insecure nature of Mac OS X itself in order to actually run malicious code. Without both vulnerabilities, this malware would be harmless. What is pertinent to recognize is that Flash and Java and Mono and Silverlight, etc... will continue t0 exist. Even if those technologies don't continue to exist, some similar technologies (any technology which allows for remote execution of code) will continue to exist.
__________________
Don't trust the police.
No justice; no peace.
Reply With Quote
  #7 (permalink)   [ ]
Old 04-16-2012, 06:24 PM
John John is a male Canada John is online now
May those who accept their fate be granted happiness...
Send a message via Skype™ to John
Join Date: Jun 2003
Location: Canada
View Posts: 22,050
Re: Security through Obscurity.

Long and short of it: Macs can get malware. Assuming you don't need to use smart internet habits* or use anti-virus software** because you're using a Mac is foolish.

*Not that that'd help here, given that this is a drive-by download. But in general.
**...Not that any good A/V exists for Macs, really. And that's the problem: When these things crop up on Macs you don't have anything to turn to. Given Apple's poor history of response to security threats, that's potentially a big issue.

OSX probably is about as innately secure as Windows 7, if not a bit moreso, but as it gains users you're going to see buggy software written for it that lets attackers in (same as Windows, the vast, vast, vast, vast majority of Windows malware targets 3rd-party software) and unless Apple gets their game on about responding to it, and until A/V vendors write software for Macs that does more good than harm that's going to be a real problem.
__________________
...Those who defy it, glory!

Public Key ID: 057420A1
Reply With Quote
  #8 (permalink)   [ ]
Old 04-16-2012, 06:34 PM
Aniday Aniday is a male United States Aniday is offline
Poignant party pooper
Join Date: Nov 2003
View Posts: 4,758
Re: Security through Obscurity.

Drive-by downloads via Java or Flash are pretty easy to avoid; you don't even need good AV software.

If people can be smart enough to think of running anti-malware on their OS X install they can be smart enough to run Noscript.

Not to mention a lot of Mac AV's actually make you more vulnerable with the privileges it gives itself. I'd rather not give total admin access to my OS and file system to those who use people's fear and ignorance to get them to buy their crapware.

All you need is good security extensions on your browser and maybe ClamXav.

It's far more easy to stay safe on a Mac than Windows. But that's my personal experience, I guess.
__________________
Reply With Quote
  #9 (permalink)   [ ]
Old 04-16-2012, 07:44 PM
John John is a male Canada John is online now
May those who accept their fate be granted happiness...
Send a message via Skype™ to John
Join Date: Jun 2003
Location: Canada
View Posts: 22,050
Re: Security through Obscurity.

Drive-bys are notoriously hard to avoid. All it takes is a single malicious ad served on an otherwise trustworthy website to let one by. No-script is nice, but it also breaks about 80% of the internet and denies websites revenue.
__________________
...Those who defy it, glory!

Public Key ID: 057420A1
Reply With Quote
1 person liked this post: Viajero de la Galaxia
  #10 (permalink)   [ ]
Old 04-16-2012, 07:57 PM
Aniday Aniday is a male United States Aniday is offline
Poignant party pooper
Join Date: Nov 2003
View Posts: 4,758
Re: Security through Obscurity.

Quote:
Originally Posted by John View Post
Drive-bys are notoriously hard to avoid. All it takes is a single malicious ad served on an otherwise trustworthy website to let one by. No-script is nice, but it also breaks about 80% of the internet and denies websites revenue.
Well, Noscipt is intended to use as a gate keeper. You can choose which sites you want to trust with scripts. In tandem with Ghostery and Adblock everything is taken care of without breaking too much. I personally don't have a problem with that setup, but I understand the perspective of not wanting to dick with Noscript all the time.
And yeah, sites don't get that revenue from me and that sucks, but I'd rather stay secure. I can't do both with how the internet works now. But I wouldn't click their ads anyway...so what does it matter?

If Safari acted more like Firefox and didn't auto-run Java applets there would be a lot fewer infections. Firefox asks you about running Java regardless.
__________________
Reply With Quote
  #11 (permalink)   [ ]
Old 04-23-2012, 03:19 PM
8bit 8bit is a male United Nations 8bit is offline
Our sunshine is not for franchise!
Join Date: Aug 2004
Location: Carbondale, Illinois
View Posts: 8,349
Re: Security through Obscurity.

Quote:
Originally Posted by Aniday View Post
Drive-by downloads via Java or Flash are pretty easy to avoid; you don't even need good AV software.

If people can be smart enough to think of running anti-malware on their OS X install they can be smart enough to run Noscript.
If people ran Noscript [intelligently] and didn't execute untrusted code then virtually every operating system would be secure. Having to take such extreme precautions to stay secure, however, points to glaring security issues in the operating system itself.

Quote:
It's far more easy to stay safe on a Mac than Windows. But that's my personal experience, I guess.
Windows is another insecure operating system.

Quote:
If Safari acted more like Firefox and didn't auto-run Java applets there would be a lot fewer infections. Firefox asks you about running Java regardless.
That's great. Perhaps if that was Mac OS X' default browser, Mac OS X would be slightly more secure. Even if it were, though, it'd still be susceptible to those attacks once the applet in question is run, and it would still be susceptible to attacks through Flash, Silverlight, JavaScript, etc...
__________________
Don't trust the police.
No justice; no peace.
Reply With Quote
Reply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


Advertisement

All times are GMT -5. The time now is 09:06 PM.

Copyright © 2014 Zelda Universe - Privacy Statement -