Dailydave mailing list archives

Re: PWN to OWN (was Re: How Apple orchestrated web attack on researchers)


From: Bob Mahoney <bob () zanshinsecurity com>
Date: Wed, 21 Mar 2007 07:10:32 -0700


On Mar 20, 2007, at 6:00 PM, Dragos Ruiu wrote:
> This promises to be much more fun than capturing "flags." :-)
> And a quantitative experiment on the real security of OSX.

I've tried a number of times to get details of actual OSX compromises  
in the wild, without success.  I'd like to know details of a real  
computer being used by a real person, compromised by a real  
attacker.  I've been told a number of times (even here) that examples  
exist.  But I've never gotten real info.

I am genuinely interested- while I use a Mac, nothing is  
invulnerable.  It seems reasonable that such an example must exist.   
But I have never seen or been pointed to one.

Given the sort of talent here, I'd be disappointed if no one here  
could beat a default install, if motivated to do so.  But I'd also be  
disappointed if a Navy SEAL couldn't kill me with a paper clip.   
Serious expertise yields solid results, and I have appropriate fear  
and respect for true ninja skills.  But ninjas aren't my threat  
model, so this isn't a very relevant test from my perspective.

There are many detailed analyses of compromised Windows and Unix  
machines.  Thousands and thousands.  Example autopsies abound.  What  
I'd like to see is an equally expert and detailed analysis of a  
real-world OSX compromise, where the attacker was not a security researcher.

I keep my eyes open, and ask occasionally, but it's entirely possible  
I've missed the example I'm looking for.  If someone can point me to  
one, I would be grateful and interested.

There is a Secret Service presentation on Mac forensics scheduled for  
an upcoming HTCIA meeting in Boston.  I'll be interested in hearing  
what sorts of numbers they have seen, and if any examples involved  
compromise instead of merely evidence gathering.

-Bob

PS:  I also would like to see more OSX security presentations at  
conferences.  But given the general orneriness of security people, is  
it really as simple as Apple lawyers scaring everyone off?  (This is  
a tough crowd.  I expect to be knifed in the parking lot.  :-)



_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

