Wednesday, March 08, 2006

Mac security contests, some perspective

The story so far

One person set up a web site on a Mac and issued a challenge for people to vandalize it. The computer survived only half an hour. Someone else thought the conditions of the test were unrealistic and ran their own break-in challenge. Their Mac survived for the duration of the trial.

So, what does it all mean?

Not much.

What?!

Contests are a bad research tool and not much of a testing tool. A lot of good security people are completely unmotivated by the prospect of racing hundreds or thousands of others to a "prize" with no cash attached. So you don't benefit from their expertise, since they don't participate.

Bad people are even less motivated. If there's someone out there with a way of breaking into Macs that nobody else knows, that person can make hundreds of thousands installing spyware and stealing credit cards. That person is not going to blow his secret weapon on an unpaid contest.

The first contest suffered from testing a scenario that isn't on most people's minds: the tester allowed attackers to log on to the machine, so it was really a test of how well the Mac could protect one authorized user against another authorized user.

Isn't there any value?

We know from these tests that bad guys are aware of bugs that could let them take over your entire computer even if you don't put in your administrator password. If you were complacent and thought you could safely run strange software just because you have a Mac, well, stop thinking that.

We know that a Mac with all security patches installed can stand up to the steady acid rain of Internet attacks for almost two days if it has good passwords.

In other words, I'm still giving you the same advice as always: pick good passwords, install a firewall, keep your OS up to date, and don't feed your computer software you find in back alleys.
