Tuesday, March 07, 2006

On hacking contests and local vulns

Now, what makes you think that your OS does not have local vulnerabilities (defined here as those that require authenticated access either physically at the keyboard or remotely via whatever remote interactive connection)? No, really?

Modern Linux distros ship with literally thousands of apps, and so does OS X (and other BSDs). Do you really think that all those [often third-party] apps were coded following the latest secure coding guidelines and then audited by secure coding experts? Hah! :-)

Winner mocks OS X hacking contest (CNET News.com): "Participants were given local client access to the target computer and invited to try their luck. Within hours of going live, the 'rm-my-mac' competition was over."

Also: "Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders," Gwerdna added.

And, I totally agree with this post by the Matasano folks: "but this isn't about how talented they [the attackers who got in] are, or a statement on the security of OS X. This is really a testament to how blindly arrogant people can be about touting the security of an operating system."

Indeed, we live in a world where perception=reality. So, has the security of Mac OS X suffered a serious blow? No, not at all. But has the perception of Mac OS security suffered? Yes, most certainly. Then see the above equation :-)

Dr Anton Chuvakin