You’d have to ask “Spyder,” the twat that’s responsible for the ILOVEYOU worm, which was one of the most pervasive worms in history. That’s what he did.
Why? Maybe it was a shamefully lazy way of keeping his process from crashing as a result of trying to reference a non-existent address. The point is that if the author had identified parallel vulnerabilities in OS X and had attempted to target them, rather than being one of the most devastating attacks in history, it would have gotten absolutely nowhere. This is a simple exercise in game theory.
Even if the script contains no counter element, the net result is the same. Melissa’s spread was virulent although it only affected people running both Outlook 97 and Word 97. A worm that relied on exploiting Apple Mail V1 and Appleworks 5 together would similarly fizzle, even if it had a larger pool of potential addresses. (Though I see Melissa was actually limited to 40.) The density of affected systems is not sufficient for a rapid spread - and the resulting window of vulnerability is necessarily too small to be worthwhile.
The contest doesn’t state how the sandbox should be broken-- visiting a website is merely one of many possible methods-- they just judge if it was broken.
The reason the website is used every year is simply that it’s the easiest way. You can prepare it in advance, and it’s a lot more “showy” to hack the machine in 10 seconds than it is to fumble around for an hour. If Apple’s security was tighter, of course, this would no longer be an option for OS X and they’d have to move on to more difficult-to-execute attacks.
Technically, my personal belief is that Windows 7 is actually less vulnerable to attack for several reasons. Microsoft has definitely (in the last 5 years) been extremely aggressive in adopting security technologies, they respond very, very quickly to reported attacks, they ensure all of their developers are going through the latest and best security training and auditing all code that ends up in their shipping products.
Again, that’s not to say Apple is pathetic or hopeless at security, just to say that Microsoft does more, and does it more consistently.
Of course, it’s hard to actually prove this in a world where Windows is attacked 100 times more than any of the competing OSes, and unfortunately we don’t have an alternate universe with equal OS marketshare available to use for an A/B test.
Let me propose an idea to you then, in order to mitigate the effects of malware, we just need to modify the marketshare of computer operating systems. We will have the US Justice Department utterly dismantle Microsoft’s virtual monopoly by requiring a significant surcharge attached to every MS Windows computer, then taking those funds to subsidize other operating system companies. We will have a group of let’s say 10 subsidized companies: Red Hat, Canonical, Attachmate, Debian Inc, Amiga Inc., Computer System Research Group Inc., Oracle, HP, IBM and Apple. The respective subsidized benefits will be inversely proportional to the marketshare of each company, until roughly speaking they all have roughly the same desktop operating system marketshare of ~9% (including Microsoft). Additionally, the bulk of the surcharge funds (70%) will go to various independent software companies to subsidize the adaptation of cross-platform code, such that their products will run on any computer. Finally, the surcharge on MS products and the subsequent subsidy will be eliminated upon the balance of the above 11 companies marketshare, plus/minus a wiggle factor of 50%. This way, no one company will be significantly bigger than any other, thus all operating systems in use across the world will be “obscure” and we will all benefit from that secure through obscurity theory. All computer viruses, worms, trojans, rootkits, adware, and miscellaneous malware will cease to utterly exist when no one operating system has enough “density” to make any spread vector viable.
Finally, the point of my whole diatribe is that, if in fact Windows OS is targeted exclusively because it is the only vector with enough “density”, then every time you choose to purchase a Windows PC, you are complicit in the worldwide cybercrime epidemic. You choose to buy Windows, therefore making the system density higher, thus enabling the criminals. Guilty. Direct cause and effect. If you simply choose to not buy Windows until its density is low enough to make malware epidemics possible then you have a real chance to end the wave of crime that we all ultimately pay for through taxes and insurance fees to fight against. The current situation is utterly distorted, shifting the true economic cost of running a Windows PC over to the general taxpayers. Also, if you oppose any aggressive governmental action to swiftly ending Microsoft’s monopoly, then you are also directly complicit in enabling cyber criminals.
So. Check and a-fucking mate, my friend.
[QUOTE=beowulff]
I’ve never heard of a jailbroken Mac.
[/QUOTE]
Whoa…seriously?? :eek: Granted, I use jailbreak.com usually for iPad/iPhone/iPod Touch systems, but I know a few folks who have their regular Mac laptops jailbroken (mostly for pirated apps). I don’t know of anyone who has a desktop system jailbroken, but I assume it’s the same thing.
As for the OP, I’ve never heard of a Mac IOS getting infected just by opening a website, but Mac viruses in general are sparse compared to Windows OS. As some folks have noted, that’s mostly because, relatively speaking, there just aren’t as many Macs out there, so hackers, especially the for profit kind, aren’t going to spend as much effort developing them.
ETA: And I have no dog in the Mac vs PC fight…most of my systems are Linux, with most of my carry around stuff being Apple (I have an iPad 2, an iPhone 4S and an iPod Touch, though I’m weaning myself off of it, as the phone does everything the Touch does, including playing my Audible.com audio books, music and everything else…and that way I only have to carry the phone and iPad and I’m good to go)
And this has nothing to do with anything discussed in this thread.
If somehow you did then I beg you to reread my hypothetical fix to malware.
You see, the Microsoft apologists insist that Windows is so super duper redonkulous that it’s a victim of itself and its popularity.
So then let’s fix that.
If you carefully parse my argument it’s not an anti Microsoft or pro Apple anything. It’s anti monopoly. It’s a fundamental rule of economics that free markets should not be dominated by any one player.
Instead if we have active government prevention of any one company gaining more than 5 - 9% marketshare, then the density of any one OS will remain below the critical malware vector threshold, and cybercrime will cease to exist altogether.
But until government takes any kind of action resembling my hypothetical proposed scenario (notice how I also included some really small players, and some nonprofits, and some nonexistent companies…), the fact of the matter stands that if you buy Windows, and explain away the systemic malware problem as a simple issue of popularity, then you are complicit in making the problem worse by actively spending your dollars on destabilizing the system.
So one really old operating system, Unix (born 1970), benefits from having decades of engineering behind it, but another more recent OS, Windows NT and its descendants (born ca. 1990), is outmoded?
Truth is, they’re both old-school designs. As for Linux, it is not the same thing as Unix, but still, it comes from the early 90s and was not exactly cutting edge then.
Malware didn’t even exist in 1970, and sure enough Unix was insecure, by today’s standards. All of these OSes have had security bolted on retrospectively. If any of them had security “engineered in” from the start, it is more likely the ones that came later.
I’m going to respond as though this suggestion was made in earnest, although intuitively my guess would be that it’s a strict piss-take. (I hope it is, anyway.)
First, far from being apologia for Microsoft, the observation that dominant systems will necessarily be targeted by malware to the near-exclusion of minority systems is commonsensical, and understood by anyone who spends any amount of time concerned with network security. It is very easy to mistake rational comments on this topic as “playing favourites,” but it is naive and emotional to automatically do that.
If Apple (or Redhat, or whatever) provided a platform that was significantly and objectively more secure in a way that would scale up, IT professionals would move over en masse.
As for your suggestion of mandated fragmentation of the market as a security measure, you must be aware that an approach like this is a non-starter due to the benefit of the use of common systems outweighing the detriment by such a large degree. People need to work together, and that frequently means that their computers need to, as well. To provide a real benefit, you’d have to go beyond just providing different operating environments, you would have to develop separate applications from the ground up for each platform, or else you’re going to end up with the same vulnerabilities in apps compiled to run on multiple systems. This is quite apart from the benefit passed on to the consumer through economies of scale - obviously if we developed 10 comparable systems in parallel with an expected user base of 10%, the cost to the end user would be unsupportable.
You are suggesting that people ought to incur enormous expense and absurd inconvenience in order to mitigate the problem of malware, but do you really think that the trade-off would be worthwhile? I administrate and provide support to a fifty-user Windows network. Since the beginning of 2007, I recall two instances of malware finding its way onto our network. (One of which occurred when a pushed upgrade of our AV client failed for one workstation which was running the 64-bit version of Vista, leaving the user with their pants down for months before anyone noticed.) Both penetrations were easily cleaned up. This frequency of infection is in spite of a wide-open internet policy, with no web reputation filters in place.
During the same time I have helped maybe half-a-dozen employees clean annoying spyware off their from-home laptops. It’s not the sort of problem that needs extraordinary solutions. Users need to be minimally vigilant and sensible in their habits. Of course, this is asking a lot of some home users, and caring friends ought to do their best to move those users over to less-targeted systems in order to minimize their risk. (Supporting my elderly mother got a lot easier after I set her up with a nice locked-down linux laptop that did what she needed and not a bit more.)
Ignoring the rest of your post, this is a patently ridiculous statement.
Although security is a concern to IT departments, there are many other considerations that put it pretty far down on the list. For example - does my proposed new OS support the enormous investment in software already purchased?
Our IT department moved to Macs years ago for exactly that reason. As a high tech company, there is a lot of concern about company secrets and IP. Our difficulty is that all of our instruments still run on Windows, and that’s not going to change because instrument companies assume their customers are all Windows. The fact is, few companies will switch because nobody else is switching.
Obviously, but when I say IT professionals en masse, I mean from the developer on up. If Linux was objectively significantly more secure than Windows (and not merely infrequently targeted,) developers would exploit that for industries where security is paramount.
This is clearly wrong. Back in the days of Windows XP, I remember reading many times that OpenBSD Unix was the most secure operating system. That didn’t mean that people switched to it for desktop applications.
OpenBSD’s touted security is in large part owing to the philosophy of “nothing not necessary”. It is a great OS if you want to build a box that’s going to quietly do its single purpose.
But that philosophy can’t scale up to general purpose. The more services you add, the more risk you have. Linus famously slagged OpenBSD for concentrating on security so single-mindedly that everything else suffered - and having lived with an OpenBSD web server I am not mystified that the entire industry has not arrayed itself around OpenBSD.
Is this serious? It’s beyond academic at this point that Linux is more secure. You can make the argument that windows is catching up, but Windows is new at being good. Linux has had practice. I’m not saying Linux is immune to anything, but there’s a difference between windows and linux, and it isn’t just market share. More servers run unix/linux than Windows, and the important internet infrastructure runs unix/linux, so where is all the malware for that?
The DoD uses Linux for their command and control system that runs wars, and they created a high security Linux distribution for use by telecommuters too. There’s an example of exploiting Linux for use where security is paramount. But think about that for a second. If you’re the DoD and want to create a secure system for telecommuters, you simply can’t do it with windows. You can buy windows off the shelf and try to make it more secure but you don’t have access to the underlying system. With Linux, you can build from scratch to be more secure and to fit your specific needs.
Really? But why do you think the cost is unsupportable? Mac’s marketshare is estimated at anywhere from 5 to 10% depending on the location [incidentally that marketshare gradient rises sharply as you approach any coffeeshop], and the marginal cost is quite minimal. For instance, I priced two decent workstations, one Dell, one Apple. The price range was $5k, the price differential was ~7%. Not exactly the same hardware specs but ran pretty close. This is not anywhere near an unsupportable price difference, with all due respect.
I understand what you are saying, however you just have anecdotal evidence in play here nothing more.
From a statistical point it’s undisputed that Windows is penetrated more often than anything else out there, for whatever reason that may be.
And as for the supposed IT exodus away from Windows to anything else more secure… Unfortunately in my neck of the woods I can’t expect much from my IT guys. Any problem more complicated than double click Setup.exe>Next>Next>Next>Finish is a nonstarter for me. True story: the local building network switch has (had) a backup power supply whose battery took a dump. The little smart battery enclosure was beeping for weeks warning of impending doom, and the IT dept did nothing. Finally starting this year the power supply momentarily cutoff, cutting off all computers in the southeast wing of the building from any network connection, causing all engineers running their simulation jobs to lose contact with the license server, thus ending all batched jobs. Every single day. For three weeks. I wouldn’t trust these fuckers to even wash my car right. And suffice it to say that these are “Certified” Microsoft professionals. This is just one of a million stories that I could relate around the bonfire…
No my friend, the problem with Windows insecurity is much more insidious, much more pervasive and much more fundamental.
Lousy engineering, terrible managerial decisions, government inaction to protecting the consumer, poor training, lacking education, anticompetitive business decisions are the explanation to the current worldwide cybercrime epidemic.
But I’ll play ball. Windows is simply more violated with a ten meter pole than everything else out there simply because it’s the most popular.
Then, whenever you support that popularity (actively with your dollars, or passively with your opinions) you are complicit in the wave of cybercrime by enabling an easy environment for criminals to spread their malware.
How do you justify your actions? How do you rationalize your responsibility? How do you see your actions not also have moral requirement to contribute to the end of cybercrime?
I see the destruction of the current Microsoft status quo as the solution to cybercrime. You should join me.
Not in any objective sense, though. (And I say this as a Linux nerd.) Windows compares favorably when you look at it.
Again, this is one of those things that everybody knows which isn’t actually true. Somewhere around two thirds of servers are running some flavour of Windows these days. I like running Apache under some flavour of Linux for webservers, but it’s not because Apache is more secure than IIS, it’s because I don’t think it begins to make any kind of sense to blow a chunk of your budget on licensing if you don’t need to. Neither Apache nor IIS currently has any clear security advantage - although when I set up a new web server for my company in 2007 that would be processing credit card orders and dealing with sensitive information, I opted to go with IIS, because it had only three vulnerabilities identified in the five years before that, compared with more than thirty for Apache. (Which I nevertheless love and still prefer.)
Yes, and you derive real security from this approach - but that doesn’t really get you anywhere when you’re talking about rolling out a general-purpose OS.