It's almost enough to make me a Luddite. Apple, having apparently learned nothing from last year's embarrassment, gets hacked in seconds at Pwn2Own. There's a new drive-by Firefox exploit that won't be fixed until next week. We can't even trust our routers anymore because people are hacking them.
That last one is something we should have seen coming. It's apparently from brute force attacks on routers with "weak username and password combinations or exploitable firmware". I've bitched before about customers bitching at me because the passwords I put on their routers and servers are "too hard!" - how many million routers do you suppose can be logged into with "admin/admin" or something equally stupid?
The only folks who apparently learned anything were at Microsoft. The hackers said:
Second year in a row, guys. And remember: Firefox isn't helping, but the real problem is what happens once they get the shell. Is Apple really this clueless? I guess so..
I'm not going to worry about my router because I can't even remember the user name and password I used. I have it written down somewhere (I hope). I used to not worry too much about the Mac attacks because they were Safari based - but now they use Firefox, so I'm vulnerable. Remember, this is drive-by stuff: no user cooperation needed.
Maybe it is time to switch to Linux for my desktop? Arragh.. I hate change! But unless Apple starts taking this stuff seriously, I'm going to have to.
Of course we really don't know how Linux would have done: Linux wasn't in the running this time.. Last year, only the Ubuntu machine survived, but of course that doesn't necessarily mean it would have again. Still.. I'm going to have to see serious moves by Apple if I'm going to keep using this.
More Articles by Anthony Lawrence © 2009-11-07 Anthony Lawrence
Security is mostly a superstition. It does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure, or nothing. (Helen Keller)
Thu Mar 26 17:16:22 2009: 5880 BrettLegree
I seem to remember reading somewhere that Apple was going to do something* to address this in 10.6 - which of course, does not help us now. I wonder if they were hoping nothing big like this would happen between now and the release of 10.6.
(*some kind of enhanced sandboxing, and a few other things)
Still, I know what you mean. Maybe that's why I was once again last night reading that guide on how to install Ubuntu on a Macbook Pro...
Thu Mar 26 17:26:21 2009: 5881 BruceGarlock
You are probably referring to ASLR (Address Space Layout Randomization) See:
(link)
Thu Mar 26 17:35:55 2009: 5882 TonyLawrence
Yeah, I've looked at the Ubuntu/Macbook pages - seems like a lot of trouble and potential for problems.. I think I'd just buy a Dell :-)
Thu Mar 26 17:46:35 2009: 5883 BrettLegree
Thanks Bruce - I couldn't remember it but that's what it was.
You're right Tony - a lot of work and time. I figure at my current hourly rate (plus overhead) I'd be better off to buy a new machine myself.
Plus, then I'd still have the Mac as a Mac.
Fri Mar 27 04:53:20 2009: 5884 drag
I donno. I would not expect miracles from Linux. I mean it's going to have the same Firefox that you get from using Windows. Of course with Linux you have had ASLR since 2.6.12, Smash Stack Protections were in GCC by default since 4.1, and that sort of thing.
As for Linux on a notebook then ya Dells are not a bad approach. I have 2 Dells and both were shipped with Ubuntu preinstalled. My Dell 1420n and my Dell Mini-9. I was a bit disappointed with the Linux compatibility of the Mini-9... It shipped with a Broadcom wifi card of all things, which in my opinion is a bit of a disaster.. That was quickly replaced with an Atheros 802.11g card and that worked quite well without any intervention... plugged it in and I had an internet connection within 5 seconds of logging into my main account.
Besides the Dell other systems that are going to be very interesting are things like System76 and Zareason. But I really like System76 as a company.. at least when they were interviewed by different folks they seemed to know what they were doing.
Fri Mar 27 19:32:14 2009: 5885 NickBarron
This is excellent. Punish abuse and assault OS X.
Apple will have to respond, though nothing will stop Apple from responding in its own time when it is ready. But they will respond.
Firefox's problems will be fixed quickly, whether part of the problem is OS X I don't know? An update to Safari may follow or be part of Safari 4. But needless to say the more people attack the platform the better keep Apple firing on all cylinders.
Fri Mar 27 19:37:42 2009: 5886 TonyLawrence
Definitely - I suggested a while back that Apple et al. should fund an independent lab that does this kind of stuff all year long: (link)
Do it just like Pwn2Own - offer prizes, cash, recognition...
Fri Mar 27 19:40:48 2009: 5887 NickBarron
Yes I completely agree, it is a very good idea.
How it would go down with the pundits though once they put spin on it. "Apple so concerned about security weaknesses in their products" "x number of flaws found in xyz" If you see what I mean.
But personally I think it is an excellent idea.
Fri Mar 27 19:42:28 2009: 5888 TonyLawrence
My bet is that they'd be applauded right and left.
Fri Mar 27 20:55:41 2009: 5889 NickBarron
Oh certainly by us yes. Hopefully the greater part of the knowledgeable community.
However the mindless tech journalists striving to justify their existence. I have less faith in.
Sat Mar 28 11:21:43 2009: 5890 BrettLegree
Interestingly enough, the fellow who hacked the Mac uses a Mac.
(link)
Sun Mar 29 11:47:12 2009: 5894 TonyLawrence
I see Mozilla 3.0.8 is out this morning.. that's good.
Sun Mar 29 21:07:55 2009: 5898 TonyLawrence
That Firefox 3.0.8 upgrade went smoothly on my Mac, but on my wife's XP it failed, insisting Firefox was running. I rebooted, it failed again, same excuse. Third time did it.. minor moments of panic before that.. must be a lock file somewhere but what cleared it?
Sun Mar 29 21:14:08 2009: 5899 NickBarron
Odd one off perhaps or maybe a general installation issue?
Sun Mar 29 21:15:54 2009: 5900 BrettLegree
No issues here on my Mac either, or on my Ubuntu machines.
I'll ask my wife about her Vista laptop. My work laptop is XP, but I run Firefox as a PortableApp, so I did a manual upgrade there (no problems with it) - but PortableApps seems to be pretty good in my experience.
Wed Apr 1 10:08:06 2009: 5943 TonyLawrence
My wife watched the "60 Minutes" thing on Conficker et al. and said "Maybe I should get a Mac.."
Wow.. I think we'll tough it out till Snow Leopard just so we don't buy and then have to upgrade the OS a month later.
Wed Apr 1 10:11:35 2009: 5944 NickBarron
Well there you go... it happens when you least expect it!
Thu Apr 2 14:25:24 2009: 5962 TonyLawrence
Firefox 3.0.8 was completely unusable on my Mac OS X. It was slow, slow, slow, spinning beachball on everything. I figured it had to be an add-on so started out to disable them one by one.
Luck was with me: Gears was at the top, I disabled it and Firefox is much better after a restart.
I googled around; don't see anyone else reporting that. I don't need Gears so that's the end of that..
Rotten Apples? Copyright © March 2009 Tony Lawrence