Aaaaaand now.

Remember the Macalope had asked you to hold all your snide remarks about the lameness of the Month of Apple Bugs until, you know, the end of the month?

Well, you may fire when ready.

Or, you can just read TJ’s excellent wrap-up here.

Indeed, it does seem the Macalope may have given the MOAB folks too much credit as TJ subtly alludes. Not that it was a complete failure — some of the bugs could have been serious, if you didn’t know enough to take routine precautions. Still, Apple and the third-party vendors have patched many of the bugs — particularly the most serious one — and let’s not forget Landon Fuller’s work in providing real-time solutions to each of them. That boy deserves a hearty round of applause.

What the Macalope finds most interesting is the MOAB’s apparent belief that all the mundane tasks such as updating, giving credit and providing accurate information are for the little people, not the big swinging dicks of hacking. Weeks later, they still haven’t updated their web site to reflect patches.

Being a hacker is never having to say you’re sorry.

Clearly their intent in picking January was to try to steal some thunder from Macworld. Boy, that sure worked well, didn’t it? Remember how all those reports of bugs in, uh, VLC and, uh, FTP software the Macalope’s never heard of overshadowed the iPhone announcement? The Macalope remembers being on the showroom floor and how everyone was crowding around George Ou, who was behind glass and guarded by a security detail, just to catch a glimpse of him.

Oh, wait, that was the iPhone.

Well, the hacker crusade against Apple (or is it its customers? The Macalope’s a little unclear on that) isn’t over. Next up is the iPhone which, although no one has even held one yet and the final specs aren’t even settled, is apparently some kind of security nightmare. The Macalope supposes this is because it’s based on OS X and there was a whole month dedicated to security holes in that piece of crap.

Hmm.

UPDATE: Ah. So, it’s a crusade against Apple customers (tip o’ the antlers to Rahrens in comments).

OK. Good to know! Thanks, guys!

Trackbacks
  • MOAB…

    “Being a hacker is never having to say you’re sorry.”
    The Macalope has a good look back on the non-event that was the “Month of Apple Bugs.” Also linked is the excellent MOAB dissection by “TJ.”
    ……

  • […] The Macalope weighs in on MOAB: The Macalope remembers being on the showroom floor and how everyone was crowding around George Ou, who was behind glass and guarded by a security detail, just to catch a glimpse of him. […]

Comments
  • Se7en:

    Have some pity, Macalope :p These poor guys spent probably the latter part of all last fall/winter putting together 31 “Killer Vulnerabilities” in order to, you know, make it a whole MONTH-LONG event, make a bigger splash, etc. They probably didn’t pay attention to the actual news surrounding Apple-not just the iPhone, but the stock options, lawsuits etc.. that dominated the news cycles, even in hysterical blogger land. They probably forgot VISTA was launching as well, intent as they were on finding that “Omni/Unsanity/etc.” life-threatening security breach (and not just one, they promised a MONTH, and by golly, they were gonna deliver a MONTH’s worth) Even George Ou was distracted by more pressing issues, like the whole Voice Recognition hole in OS X…uh..Vista..and that Zero Day Word hole in Tig..uh..Office for Windows..and..

  • rahrens:

    Run over to the MacDailyNews website to this url:

    http://macdailynews.com/index.php/weblog/comments/12484/

    It seems the MOAB website is trying to hijack Safari on the Day 29 web page…

    That might be worth your attention!

  • Blain:

    Me, I’m still waiting for the Month of Security Dicks to conclude.

  • If they are trying to Hijack Safari, they didn’t do a good job of it.

    There’s a shock.

  • James Bailey:

    I posted my prediction here: http://www.macalope.com/?p=123

    How’d I do? I will give the MOAB guys credit for two fairly nasty bugs that are actually potentially remotely exploitable. One of those bugs is already fixed. The rest is more or less what I thought.

    Even I didn’t predict that the month of Apple bugs would include bugs by other companies. I guess Apple doesn’t even have 31 bugs in all of their software much less 31 exploitable bugs.

    Apple should remove the Open “safe” files after downloading option and nearly all of the Apple remote exploits go away.

  • Mike WSS:

    Well, I’m so glad that it’s all over. I can stop shaking in my boots… oh wait… that was down to an over-imbibation of wine on an empty stomach that had nothing to do with MoAB.

    As well as following Landon Fuller’s site (BTW he gives thanks to the MoAB Fixes Group at http://groups-beta.google.com/group/moabfixes/ for help. It wasn’t all his doing), I tried to keep in the loop through the Secunia advisories RSS feed at http://secunia.com/rss_feeds/ though that turned out to be quite difficult to do with some of the non-OS X revelations. In particular I hadn’t heard of Colloquy before so I almost missed that one completely which brings me to a little criticism of the above article.

    I hate it when people say stuff like “no one’s (sic) ever heard of” or ” everyone’s talking about” (This is most often said the day after something of little consequence happens in a soap opera so I’m not accusing you of doing that here) when it is patently not true and insulting too (I had heard of, even used, Transmit). Please use “few have ever heard of” or “most people are talking about” when appropriate.

    Back to the topic. You were quite right to advise holding fire on laying into MoAB because that first vulnerability in QuickTime was serious enough for Apple to issue a patch within the month so it was possible that although the next few disclosures were particularly lame, they were subtly orchestrating the month and were holding back the killer ‘we can remotely install a rootkit from a simple web page without you knowing’ bug for a final flourish. As it turns out, of course, they, like Maynor/Ellch, do not have the wit or, indeed, a killer bug.
    Meanwhile, the Secunia site has reported some other ‘not critical’ advisories on OS X (e.g. http://secunia.com/advisories/23823/) from other security hackers during the month not to mention 3 moderately to extremely critical Microsoft Office vulnerabilities (http://secunia.com/product/24/?task=advisories_2007) and even 2 for the Linux Kernel (e.g. http://secunia.com/advisories/23955/). Even-handed, me.

    Personally, I think that hardly any of the MoAB’s discoveries actually affected me because of the way my system is set up. For instance, as I listen to BBC Radio 4 a lot over the ‘net, RTSP handling defaults to RealPlayer not QuickTime.

    Although I am security conscious (I follow 2 other security sites as well as Secunia. No, neither Symantec nor McAfee, the leeches), this past month has done nothing to remove my smug smile. LMH and KF. You must try harder guys.

    @James Bailey

    The Secunia site lists 104 advisories on OS X though it does go back to 2002 and each advisory does not necessarily equate to one bug.

    (This is my first post to this site and as their are no obvious instructions on using mark-up, I haven’t. Sorry.)

  • Mike WSS:

    Whoops #1! I suppose you were referring to Rumpus not Transmit but I’m sure some people have heard of it so my point still stands.
    Whoops #2. If I post again I’ll add some whitespace between paragraphs. Apologies.

  • #1 – The Macalope was talking about Rumpus (he uses Transmit) but he’ll change the reference so as to not unduly disrespect the developers.

    #2 – The Macalope will add them for you.

  • Billy K:

    “The Macalope will add them for you.”

    The Macalope is a benevolent mythical beast.

  • TjL:

    I’m not sure what the “sic” in “no one’s (sic) ever heard of” is for.

    “No one’s ever heard of” is a contraction for “no one has ever heard of”

    As such, “one’s” is appropriate, if fairly informal conversational English grammar construction.

    Regarding the comment that “no one has ever heard of it” I think it was clearly hyperbole, but I think if you polled 1000 “regular Mac users” (excluding the zealots and the MacStrawman family), many of them would have heard of Flip4Mac and VLC, but Rumpus? I would be surprised if you found 10 who had heard of it.

  • To emphasize what TJL said, I for one have never heard of Rumpus, and I’ve tried out a lot of FTP clients of vintages ranging from dodgy to acclaimed in my sorry time. I’m sure it’s dandy software, but — seriously — no matter what exploitable flaws may abound within, I can hardly imagine a better example of “security through obscurity.”

  • Hmmm. Strangely, I completely let the MOAB slip my mind. That’s how much fear was struck into my heart. For the record, if you look, I never ever held back my snide comments. But, by about the second week of the month I completely ceded my conscious thought to wanting an iPhone.

    I don’t really think the Mac is invulnerable. I think some competent hackers could have done a better job than the self-congratulatory dolts we had on the job.

  • Matt:

    The Apple bugs shown are very embarrassing. No one could pass an upper-level CS course writing code that fails in these ways. Worse, many automated tools that Mozilla and Microsoft run catch these bugs.

    Apple really does need to recommit to security. It’s not enough to say that taking “reasonable precautions” makes Mac users secure; indeed, you could say the same thing about Windows. If Apple wants to claim that it writes more secure code than Microsoft, it should actually write more secure code.

    Note that I’m a Mac user. I have to say that Mac fan blogs are starting to annoy the hell out of me. I’ve yet to see anyone look past the attitudes of the people who did the Month of Apple Bugs to see that they found some relatively embarrassing and serious problems. Instead, I see lots of defense of Apple, but no striking Apple with the clue stick. Not to mention loads of annoying fanboyism.

    Apple, take note: your fans are going to drive the more reasonable Mac users over to Vista.

  • Mike WSS:

    Thank you, The Macalope.

    @TJL
    In my dictionary ‘no-one’ is hyphenated but I concede that ‘no one’ is correct too so I rescind the ‘sic’. (damn that wine!)

    I have been using Apple computers on and off for 25 years and I bet there are thousands of apps around that I haven’t heard of. That still does not mean that no one else has. I appreciate the usage as hyperbole but those phrases I mentioned do push my buttons I’m afraid.

    I do agree that by using the Rumpus example the MoAB team did highlight the utter lameness of their project.

    @Rob F.
    Rumpus is a FTP server not a client (See http://www.maxum.com/Rumpus/ where you will also find the name of someone was has heard of it!). It is meant as an alternative to the OS X FTP server you can enable from the Sharing preferences. Therefore it is hardly surprising that you have not come across it in your search for a FTP client.

  • Right, Matt.

    Please point to the perfect, magical operating system that has none of these issues. Because that’s what it’s really about — opportunity cost.

    The Macalope will admit that Apple needs to do a better job with security. The fact that it’s gotten by because no one’s writing exploits is not going to a comfort for much longer. Some more transparency and better response time would be nice.

    But if Mac fan blogs are starting to annoy the hell out of you, why do you read them?

  • Matt:

    Macalope,

    Thanks for a reasonable response. I agree that there’s no perfect, magical operating system. I opt for OS X because I find it easier and more enjoyable to use. I’m more-or-less aware that it’s developed using a less secure process than Windows; however, I take the appropriate precautions, so I should be okay. (Also, the lower marketshare of OS X makes it a less-attractive target for today’s mafia-linked money-grubbing bot-creating hacker.)

    However, I’m annoyed by two things: 1) Apple markets OS X as if it is a ‘perfect, magical operating system.’ Recall the ad with the PC catching a cold: we can combine a Safari-provided DMG exploit with another local root exploit and easily get into a remote Mac user’s computer (who has been lured to a ‘dangerous’ website, or who has been victimized by a legitimate website being larded with an exploit–this happened to an ad network years ago). This is no different than a broken ActiveX control being launched through a similar vector. (One difference you could argue: turning off ActiveX makes the Windows browsing experience much less pleasant). The only reason we don’t see these things on OS X is because it’s not profitable for hackers to break into it.

    2) Fanboys trust Apple too much. Of course, this is true for every operating system, but Apple’s rabid fans defend Apple from absolutely everything, whether it’s reasonable or not. More community outrage would cause Apple to start doing the right things.

    Why do I read the blogs? I’m a masochist, I think. More precisely, I don’t think it’s the blogs themselves, but the comment sections. Most bloggers are reasonable, The Macalope included.

    The MOAB really gets to me because the bugs they revealed are so glaringly dumb. There’s no excuse for them to be in OS X at all, especially not 5-6 years into its life. Microsoft has eliminated the easy, obvious bugs from Windows years ago, and it’s time for Apple to do the same. I’d love for the fanboys to look past the grating attitudes of the MOAB crew and instead focus on the bugs they revealed. These are the bugs that used to exist in Windows and MS Internet Explorer. (NOTE: I’m not saying Windows and MSIE are bug-free, just that their bugs are much, much harder to find and much, much fewer in number). If they were still present, they’d be screamed at by Mac fanboys as dangerous. I’d like the fanboys to do the same when it’s Apple making the dumb bugs–this will actually benefit us, as it should get Apple to improve the security of OS X.

  • grovberg:

    1. Thank heavens for the grammar patrol. Without you guys, our participles would be dangling all over the place.

    2. Rumpus really is quite nice, but why would anyone pay that kind of money for it with PureFTPd Manager being extremely free and extremely good?

    3. In general the whole “everybody knows about x” thing is absurd in any context. You, your friends and everyone in every forum and website you visit accounts for 0.000000001% of all sites and users out there and doesn’t mean that everyone else is attaching to the same software or meme.

  • Matt,

    “Apple markets OS X as if la la la…” as opposed to people who do ads announcing all the flaws in their products? Got it.

    I’m a Fanboy. I resent the use of it as a pejorative. I trust Apple too much? I’ve used Macs for 20 years without a single malware infection. At work I use Windows behind an industrial-strength firewalll, and those computers actually do get stuff from time to time.

    As for Apple doing the right thing, well, the company has grown by a factor of ten in market cap in the last 10 years. They aren’t in business because they like to be hugged. They’re trying to make money. And they are succeeding.

    You seem to think that we Fanboys are idiots. Mac owners tend to have more education and money, statistically, than Windows users. If Vista turns out to be more secure and stable than OS X, I might consider switching. So will a lot of “fanboys” I’ll get to use Vista at work eventually. Frankly I doubt that it will be more secure than OS X. Maybe it will be more secure than XP. Big whoop.

    As for Apple improving the security of OS X (?) I read the blogs every day. If there’s malware in the wild for OS X, why haven’t I heard of it? My Mac is logged on 24/7. Where’s my spyware, worms, viruses, mal-cros? How much better than INFECTIONS=NONE does security need to get?

Leave a Reply to Matt