GAM (The Kilted One) wrote:Nick, do me a favor and post your article source.

Cable wrote:Click on any of the examples.. you will find nearly all of them are for 10.4.x, and older OSes, and not only that most exploits are software exploits that effect multiple linux/unix distros.. that comes down to if you are running a server PATCH YOUR SOFTWARE OR RUN GOOD SH*T!

Sounds JUST like Wind... oh.. Nm.

BTW, There's a reason older versions were included in there, it's because Apple hasn't upped their version #, Where 2000/XP/Vista and their server versions are basically separate versions from each other.

Quote:

"Most Unix/Linux systems include multiple standard services in their default installation. Mac OS X often suffers from the same vulnerabilities as Unix systems, since it is based on Unix. Unnecessary services should be disabled, and all servers facing open networks should be protected by a firewall.

Server Hardening 101: Apple needs to do the same thing as Windows-based servers.

Quote:

For services which provide remote login and/or remote service, traffic cannot be simply blocked by firewalls. Buffer overflow vulnerabilities and flaws in authentication functions can often allow a vector for arbitrary code execution, sometimes with administrative privileges, so gathering vulnerability information and patching rapidly are very important. Every year, buffer overflow vulnerabilities in Unix/Linux services are found. "

Same thing as Windows, however, windows overflows usually trip a GPF and lock the server.

Quote:

To look at the real world history stats, and stats from the PRESENT you will see that OSX is thousands of times safer as a server OR workstation.

Seems to me that OSX Leopard is still version 10 of the macOS... Even new patches (and major version revisions that you have to pay for, unlike Windows where you're paying for major code-rewrites for better or worse) bring along new vulnerabilities.

Quote:

"One problem with this, say observers, is that Secunia itself includes a warning on its website, advising people not to use its statistics to compare products against each other."

"Another claimed issue is that even flaws which are listed as critical are not necessarily more likely to occur. Mac OS X, for example, was at one point cited as having a tcpdump vulnerability, but many users may have never had to approach the application. Conversely, a DirectX opening in Windows Vista could have been exposed with a WAV or AVI file, something much more likely for the average user."

First point: that's a disclaimer to protect itself from one of the historically most litigious companies in history.

Second point, just because it isn't very commonly used doesn't mean it doesn't exist. If it's there, and the server/workstation is not hardened, it's vulnerable. How many people do you know that open up their macbook box and start turning off widgets?

BTW, you posted the same paragraph twice, I don't know what you were trying to show there, but I snipped it out.

Quote:


"Moreover, categories for the operating systems analyzed are said to have been biased. Only XP Pro and Vista were counted on the Windows side, whereas all versions of Mac OS X were factored in, including server editions. There are also said to be a number of warnings mislabeled by Ou, ones which either affected all operating systems, third-party software, or Apple programs running on Windows or the iPhone. It is suggested that if all factors were properly weighed, a user of Mac OS X Tiger or Leopard would likely encounter far fewer risks than someone using Windows XP, and possibly Vista."

Actually, if you look, Server/personal/professional editions of XP/Vista have the same kernel release and version #'s with minor kernel patches making up the rest of the number. It's the same OS. Apple uses the same types of plugins just written and compiled for their OS outside of the public domain.

Again, I'd like to see the article source please.

source: http://www.sans.org/top20/

so yah, I hacked a mac... btw I was allowed to touch the keyboard... FAIL!
and the 2 minutes thing... that was after 9 hours of FAIL on the first day.

"Before you go on saying how sucky Apple is, or how Microsoft sucks too, think about this.

Hacking with physical contact is only data mining. This can happen with any computer, not just Microsoft or Apple, or Linux even for that matter. It is when there are back doors in the software that allow for others of outside influence to get access to your data that is worrying.
Computers do what they are told, implicitly."
^ Engadget

So 2000, NT, XP, and vista are not all based on the same kernal? (you said Vista HAAHAHAHAH)
I would say the transgression from 2000 to vista, is equal in time and equivalent advancements when compared to 10.0 to 10.5

I would only run a windows server IF you paid me.
and I would only run Mac OS server if you PAID for it.
Its Linux for my servers all day long.
Windows servers are secure as long as you DON'T USE THEM... I mean that seriously.. like after its set up.. DON'T TOUCH IT, don't surf the web with it.. don't try to do ten other things.

Just because MS forces their drones to rewrite the shell every few years doesn't mean its counts as a MAJOR rewrite

you end up making my point for me.. but thts nto the point anyway.. flaws do exist, we are human right? it doesnt change the fact that you are 1000 times safer on Mac OS.. I look at it like this... Windows was not designed to be ran on the internet... its BLATANTLY OBVIOUS. I HOPE WINDOWS 7 FIXES THIS PROBLEM - I really hope it does... people dont deserve this crap.

12-17 minutes to be detected and infiltrated on a fresh install of windows, and Mac OS requires physical access... I choose B.

not to mention 64 bit support... OSX is 64 bit from the ground up.. Windows 64 bit support is a joke... and drivers... there are jsut a handful.. MS needs help.. Windwos 7 is longhorn.. wich they have been working on since BEFORE vista.. complete kernal redesign... but a mistake I think they are making, and ONE of the reasons its taking so long, is the legacy spaghetti is still there.. still mucking things up, still holding back hardware AND software advancement... but whatever, as long as your old @!#$ works... oh thats right.. it DOESNT WORK ANYWAY. wtf.. whast the point? Longhorn (windows 7) will be another bandaid attempt.. if they would get their act together and make a FRESH os I wold go easier on them.. but if they keep sticking in the past, eventually thats where they will end up completely..

They actually do have a project they are runnign at some university for a complete redesign.. but they dont even want to have any direct influence as of yet.. that tells you how serious they are.. http://research.microsoft.com/os/Singularity/

"rethinking the software stack" we'll see................... (waiting for MS to make a decent fsking os here)

funny... we were on the same topic:



nd so it begins: Microsoft’s Windows 7 slips to 2010
Tuesday, April 08, 2008 - 10:00 AM EDT

"Microsoft Chairman Bill Gates’ words are being parsed for hidden meanings. According to my News.com colleague Ina Fried, Gates said this week during a speech before the Inter-American Development Bank: 'Sometime in the next year or so we will have a new (Windows) version,' Mary Jo Foley blogs for ZDNet.

"Microsoft officials are insisting nothing has changed: Windows 7 is due out roughly three years after Windows Vista’s consumer launch (which was January 2007), meaning in early 2010," Foley reports.

MacDailyNews Take: So, Gates said "2009" last week, but now it's already slipped to "2010." Please see related article: Microsoft figurehead Bill Gates sees next version of Windows ‘sometime in the next year or so’ - April 04, 2008

In an earlier report from last July, Foley explained, "Microsoft officials told MGX attendees that the company is currently internally planning Windows Seven. So far, the company has determined Windows Seven will come in both 32- and 64-bit flavors."

MacDailyNews Take: It's amazing (and sad) that Microsoft still won't be able to figure out how to do 64-bit right by 2011. Please see related articles:
• Apple does 64-bit right, Microsoft… not so much - August 03, 2007
• Apple’s Mac OS X Leopard is 64-bit done right, unlike Microsoft’s Windows Vista kludge - August 14, 2006

Also, from that earler report, Foley continues, "Microsoft officials confirmed the veracity of this Windows Seven information... Short answer: Yes, it is going to take us at least three years to release Windows Seven. Longer if it’s buggy and doesn’t hit the 'quality bar.'"

It's a good thing for Microsoft that Windows has slipped, according to Foley, "If Windows 7 were to hit in mid-2009, a number of users (especially corporate ones) would likely just wait for the next Windows release, hoping that the driver and application incompatibilities that plagued Vista might get ironed out and that changes that might introduce new problems would be kept to a minimum."

Full article here.



http://macdailynews.com/index.php/weblog/comments/16911/

Yes, I said NT/2K/XP/Vista are not all based on the same Kernel... They're based off the same programming ideals, the NT (New Technology) Kernel is evolving however, and every 5 years they manage to push out a new (and usually working) OS.

BTW, while you're on the subject: When precisely is MacOSXI Due out? And will you have to pay for minor upgrades? Windows isn't perfect, but the SP's (ie major updates) are free, OSX updates aren't so free, and the last major update behind MacOS was in 2001. You want to talk about shell re-writes? In the last 10 years, the Windows32/NT Kernel went through 5 major rewrites (ie: Win98SE/ME *and dropped*, WinNT4 SP4/2000 (Major re-code)/XP/Server 2003/Vista (XP Shell/minor kernel rewrite)/Server 2008.

As far as longhorn, no, Windows Server is Long Horn, If you were getting paid to administer a windows based network, the company would be wasting their money on you, especially if you're surfing on a server that's supposed to be locked.. because THAT'S WHAT REMOTE CONNECTIONS ARE FOR.

And BTW: Linux ain't perfect either. The only major difference between all three (and even other *nix distros) is the monkey setting it up... Hence why I said you have to harden the system against intrusions no matter which you work with.




Transeat In Exemplum: Let this stand as the example.

imho every version of OSX was a major update.

some enhancements were minor.. but I think every version was well worth the upgrade

Expose, spotlight, dashboard, finder enhancements, stacks, etc etc..

everything adds up to the awsomeness that is 10.5.. and they the next major revision will be coming out before the end of the year, it will integrate multitouch accross the platform, starting with the iMac.. they havnt needed to make a change in that reguard because the interface is near perfect as it is.

Anyone checkout gOS Space yet? it looks awesome, its an Ubuntu Linux derifitive, loaded with google and myspace apps. freaking awesome. one of the few linuxes that in a live or a fresh install ienvironment everything actually works on, flash etc..

http://dev.thinkgos.com/

Zombie Computers Decried As Imminent National Threat

http://blog.wired.com/27bstroke6/2008/04/zombie-computer.html


SAN FRANCISCO -- Gangs of thousands of zombie home computers grinding out spam, committing fraud and overpowering websites are the most vexing net threat today, according to law enforcement and security professionals.

Today's botnet herders have hundreds of thousands of computers at their command and use technically sophisticated ways to hide their headquarters, making it easy for them to make millions from spam and credit card theft. They can also be used to direct floods of fake traffic at a targeted website in order to bring down a rival, extract protection money or less frequently, used to make a political point in the case of attacks on Estonia and the Church of Scientology.

Security pros and government officials are now describing the latter attacks, known as Distributed Denial of Service attacks, as serious threats to national security -- turning packet floods against public websites into the latest face of "cyberwar" hysteria.

Hence, the appearance Tuesday of a panel discussion at the RSA 2008 security conference entitled "Protecting the Homeland: Winning the Botnet Battle," which was marked by a mix of resignation, indignation and post-9/11 rhetoric.

Ronald Teixeira, the executive director of the non-profit National Cyber Security Alliance and the panel's moderator, began the discussion by describing botnets as "one of the largest threats we face on the internet today, and they can be used to attack critical infrastructure."

The Department of Homeland Security's representative Jordana Siegel, who works on public awareness at the National Cyber Security Division, echoed the line that botnets were a imminent threat to the nation's security.

Citing the attacks on Estonia last year by Russian nationalist hackers, Siegel said botnets can "disrupt an internet-reliant society," saying that the temporary takedown of Estonian newspaper and government websites "nearly crippled the country's cyber infrastructure." Earlier in the day, Homeland Security chief Michael Chertoff leaned on Estonia as evidence of the need for a federal government "Manhattan Project" for computer security.

Siegel said the DHS is working at fighting the problem, citing the annual October National Cyber Security Awareness month, which she said helped Americans learn that "all users need to practice safe online behavior."

McAfee's Joe Telafici, a vice president in their security lab, lamented the ease with which botnet herders can abuse domain registration services and the low cost of e-mail, which make the economics of online crime very attractive.

"We are seeing a model that is so economically viable that trying to tell the kids it is a bad thing to do is bound to fail," Telafici said, suggesting that botnet herders outnumber the 15,000 or so attendees at RSA. "Even if you don't have a computer, you are paying money to someone for the cost of dealing with the security ramifications."

FBI agent Matthew Fine cited two recent takedowns of U.S.-based botnets, operations dubbed Bot Roast, as an example of how the FBI is dealing with botnets. Fine declined to speculate, however, on whether the arrests actually put a dent in overall online criminality.

"I get paid to put bad guys in jail," the flat-topped Fine said, but he noted that as soon as one botnet herder was prosecuted another takes his place.

"It is a boulder coming down the hill and I am trying to keep it from getting to the bottom," Fine said.

Fine hopes Congress will step in with tougher criminal penalties for botnet runners, but noted that judges were now handing out substantial sentences of four to five years in cases brought to them by the feds.

Ira Winkler, a security consultant known for his outspoken ways, countered that this was all just caterwauling and that if the country thought that botnets were a real problem, ISPs and individual users would be held responsible for zombie machines.

"The problem is no one is doing anything," Winkler said, proposing that users be fined or blocked if their computer is infected.

"Guess what? If your system has a bot on it, you don't get on the internet," Winkler said, summarizing his proposal.

"We need to hold people responsible when they present an imminent threat to other people," Winkler said to wide applause from the audience. He contrasted the lack of computer regulation to laws preventing unsafe cars from taking the road.

Sparing no target, Winkler went on to ridicule DHS's awareness efforts as useless, and argued that the highest levels of government don't care about computer crime, citing the ability of a Russian cyber-criminal group known as the Russian Business Network to remain free.

"When they start putting the RBN in jail, then I will be impressed," Winkler said, noting that would require the feds to put pressure on the Russian government to stop protecting the gang -- not an easy task.

Still, Winkler argues, that's doable with political will.

"When the U.S. government wants to get things done, they know how to put people in jail."

So what really is the threat to the so-called Homeland from zombie computer armies?

When asked by Threat Level, the panel came to a split decision.

"Terrorism with botnets is overrated," McAfee's Telafici said. "But if you are looking at the economic burden of botnets, we could probably do without it."

Winkler suggests that botnets could be used in tactical small attacks, including, perhaps, inflicting minor power outages.

DHS's Siegel defended the use of overheated rhetoric, saying that temporarily unavailable government or financial websites would erode public confidence.

Missing from the panel discussion was any in depth talk about real solutions.

For instance, ISPs can easily learn or be told which of their customers has an infected computer, but due to the customer support costs of cutting off a zombified user -- angry phone calls, confusion -- they tend to do little.

Also not talked about are changes in internet governance that punish known domain sellers and ISPs that favored by online criminals for their lax policies.

-----

I'll give you a hint as to how many zombie macs there are in the world... it rhymes with beer-o.

How many of them run Linux?

The answer to this and your innuendo is a further one: A pew.




Transeat In Exemplum: Let this stand as the example.