Showing posts with label hacker.

Wednesday, 11 August 2010

To: 'hip' Re: iMac_Sux.dmg

--
Recently a reader going by the nick 'hip' sent me the URL of an evil crapware file entitled 'iMac_Sux.dmg'. Here is his full message, excluding the URL for downloading the file:
Wanna crash an iMac?
Just mount this .dmg file, then have a look at what MassStorageCamera is doing.
It will be consuming all RAM and processors!!
I am not providing the URL in order to avoid being accused of distributing the thing.

Thank you 'hip'! I checked out the website where the file is located and enjoyed it. I particularly enjoyed the page quotations from The Hipcrime Vocab by Chad C. Mulligan. The insights are refreshing after living amidst the Neo-Con-Job / Tea Party / FuxNews / News Corp / Rupert Murdock Regime gibberish age within the USA where intelligent thoughts and verifiable facts are out of fashion.

I ran the .dmg and it did exactly as expected, without crashing my MacBook 2 GHz from 2006-11. It also auto-opened the 'CameraWindow' application that I installed for my Canon camera. I checked through the code within the .dmg and am going to 'guestimate' that the resource scripting near the end is instructing Mac OS X to treat the entire boot volume as a camera image volume. I was too bizy and lazy to dig further.

Clearly this is a very simple call being made within the .dmg that fools Mac OS X into thinking the opening .dmg volume is a camera. Fascinating. The fault of course is in MassStorageCamera for being allowed to eat your Mac alive. As I've pointed out previously, even Intego's VirusBarrier application has race condition bugs.

My POV: I've studied coding as well as code project management. Coding these days is typically for applications, etc., that are so vast that no single human being can comprehend them. The result is coding-by-committee which in and of itself is a guaranteed mess. There is also the eternal pressure of 'Do Less With Less' from clueless biznizz management and nagging clients, none of whom comprehend the escalating difficulties of coding. Then there is the basic crappiness of the archaic coding languages we still use these days. Anything based on 'C' coding is going to have plenty of problems if only from buffer overflows, the single largest coding plague of our day. We're also stuck with ECMAScript for Internet scripting (which incorporates LiveScript/JavaScript, the JScript abomination from Microsoft and the ActiveScript mess from Adobe). Java continues to FAIL to live up to the hype, causing its own security and memory problems. Then there are the eternal security holes in PHP, SMB, and so on.

I'm not at all surprised that Apple missed the bug inherent in the 'iMac_Sux.dmg' file. I can easily see them being aware of it and tossing it on the back burner if only because it does not represent a security or major crashing problem. Similar CPU and RAM devouring buggy code has been around for many years. What sucks most is when system calls can crash the entire computer. Not having an iMac around to play with, I can't verify that this file crashes the machine. But I am going to guess that with current Intel iMacs it does not.

Dr. Charlie Miller and Dino Dai Zovi have the current best Mac hacking & cracking & pwning etc. book available for Mac OS X entitled 'The Mac Hacker's Handbook'. Both of them have Twitter accounts to follow. Both are very amusing to read. Dr. Miller is brilliant at coming up with methods for testing and breaking into Mac OS X. This past spring he won yet another Pwn2Own contest. He gave a presentation at Black Hat this last week where, among other things, he revealed yet-another security hole in Adobe Acrobat and Reader.

Here is a fun interview with Dr. Miller from March:

http://www.oneitsecurity.it/01/03/2010/interview-with-charlie-miller-pwn2own/

CONCLUSION: Expect security holes. Expect coding errors. There is no such thing as a perfect coder. There is no such thing as a perfect application or operating system.

I'll also add my usual coda: The only people I've ever heard or read saying that 'Macs never have security problems' are either NEWBIES or TROLLS. One of course never takes seriously the word of either of these species of human. It is well worth keeping track of Mac security. It is also well worth sorting out Mac security FUD from FACT.

BTW: Considering all of the above, what are the chances that humans will ever create Turing Test verifiable Artificial Intelligence? Not in my lifetime! No SkyNet worries.
;-D
--

Wednesday, 13 January 2010

Security FAIL: When Apple Deserves A *WAKE UP!* Slap

--
Apple are pulling an 'Adobe'. Got a security problem? Sit on it.

Even worse, there's already a solution! So are Apple either (A) OBLIVIOUS or (B) LAZY or (C) STUPID or (D) DGAS? Any one of the above is worth a good *WAKE UP!* slapping.

Here is the story, as presented by SANS in their NewsBites newsletter, Volume 12, Number 3. (Emphasis is mine):

--Proof-of-Concept Code Posted for Mac OS X Flaw
(January 8 & 12, 2010)
Proof-of-concept exploit code for a vulnerability in Mac OS X has been posted on the Internet. The buffer overflow flaw affects versions 10.5 and 10.6 of the Apple operating system and can be exploited remotely. The flaw lies in the libc/gdtoa code in a variety of software products. Apple has known about the vulnerability for seven months, but has not fixed it yet. It has already been fixed in OpenBSD, FreeBSD, NetBSD, Google and Mozilla.
http://isc.sans.org/diary.html?storyid=7942

http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=222300150

http://www.theregister.co.uk/2010/01/12/critical_osx_security_bug/

Why is this inexcusable? Because Apple incorporates code from FreeBSD and OpenBSD into Mac OS X. IOW, repairing this security hole in Mac OS X is almost as easy as CUT & PASTE.

So what does it take to kick Apple into action? Proof-of-concept code! Let's watch how quickly Apple respond.
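To make the SANS item concrete, here is an added illustration of the bug class it describes. This is my own cut-down model, not gdtoa's source and not the BSD or Apple patch: a converter keeps a small free list with one entry per power-of-two size class k, and the trouble starts when k, which grows with the length of the number being converted (or with a printf precision), is used as an index into that table without being checked against its size. KMAX, the Bigint layout, the digits-to-words estimate and every function name here are assumptions made for this example; the model keeps only the unchecked-index part of the problem.

```c
/* Added illustration of the libc/gdtoa bug class in the SANS item above.
 * NOT gdtoa's source, NOT the BSD or Apple fix. KMAX, the Bigint layout,
 * the digit estimate and all names are assumptions for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define KMAX 15  /* highest size class the free-list table holds (assumed value) */

typedef struct bigint {
    struct bigint *next;   /* free-list link */
    int k;                 /* size class: x[] has room for (1 << k) words */
    int maxwds;            /* (1 << k) */
    uint32_t x[1];         /* sized at allocation time */
} Bigint;

static Bigint *freelist[KMAX + 1];   /* one list head per size class */

/* Size class needed for a decimal string of ndigits digits: over-estimate
 * 4 bits per digit plus slack, convert to 32-bit words, take the smallest
 * k with (1 << k) >= words. Attacker-controlled length in, unbounded k out. */
int size_class_for_digits(size_t ndigits)
{
    size_t bits = ndigits * 4 + 32;
    size_t words = (bits + 31) / 32;
    int k = 0;
    while (((size_t)1 << k) < words)
        k++;
    return k;
}

static Bigint *alloc_fresh(int k)
{
    size_t words = (size_t)1 << k;
    Bigint *b = malloc(sizeof(Bigint) + (words - 1) * sizeof(uint32_t));
    if (b == NULL)
        return NULL;
    b->next = NULL;
    b->k = k;
    b->maxwds = (int)words;
    return b;
}

/* VULNERABLE pattern: k is trusted as an index. For k > KMAX the two
 * accesses below read and write past the end of freelist[]. This model
 * never calls it with such a k; it is here to show the shape of the bug. */
Bigint *balloc_unchecked(int k)
{
    Bigint *rv = freelist[k];            /* out-of-bounds read when k > KMAX */
    if (rv != NULL) {
        freelist[k] = rv->next;          /* out-of-bounds write when k > KMAX */
        return rv;
    }
    return alloc_fresh(k);
}

/* HARDENED pattern: reject a size class the table cannot hold before it
 * is ever used as an index. Callers must handle NULL (fail the conversion). */
Bigint *balloc_checked(int k)
{
    Bigint *rv;
    if (k < 0 || k > KMAX)
        return NULL;
    rv = freelist[k];
    if (rv != NULL) {
        freelist[k] = rv->next;
        return rv;
    }
    return alloc_fresh(k);
}

/* The free path indexes the same table, so it needs the same bound. */
void bfree_checked(Bigint *b)
{
    if (b == NULL)
        return;
    if (b->k < 0 || b->k > KMAX) {
        free(b);
        return;
    }
    b->next = freelist[b->k];
    freelist[b->k] = b;
}

int main(void)
{
    size_t lengths[] = { 1, 20, 400, 1000000 };   /* constructed input lengths */
    size_t i;
    for (i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        int k = size_class_for_digits(lengths[i]);
        Bigint *b = balloc_checked(k);
        printf("%8zu digits -> k=%2d -> %s\n", lengths[i], k,
               b ? "allocated" : "rejected (k > KMAX)");
        bfree_checked(b);
    }
    return 0;
}
```

The CUT & PASTE point stands out in this shape: the fix is a two-line bound check at the top of the allocator, but it has to go on every entry point that indexes the table, the free path included, and every caller has to cope with the allocation now being refused.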

Cranial Cogitation:
A lot of people get upset at hackers who FUD Mac OS X, myself included. The thumb-in-your-eye juvenile arrogance some hackers spew is worthy of revulsion. Nonetheless, hackers remain a critical part of the computer community. I look at hackers as part of the essential diversity of the natural world. There is no such thing as a monoculture in nature. Without diversity, any natural system immediately fails. Similarly, without hackers, computer security would FAIL.


So thank you to hackers who take their free time to demonstrate skills in order to improve our computer community. Thank you for kicking Apple in the bollocks when they need it!

The volley is to Apple...
--

Friday, 20 November 2009

The SANS Institute sez: NSA Helping to Harden Operating Systems

--
I'm kind of surprised to read this blurb from the latest edition of the SANS NewsBites newsletter (Vol. 11 Num 92):
--NSA Helping to Harden Operating Systems

(November 7, 18 & 19, 2009)

In testimony before the Senate Subcommittee on Terrorism and Homeland Security, National Security Agency (NSA) information assurance director Richard Schaeffer said that his agency helped Microsoft harden Windows 7 and that it is also helping Apple, Sun Microsystems, and Red Hat with similar endeavors. The NSA's involvement in the development process has led to speculation that backdoors will be built into the software to allow communications monitoring and interception. The NSA refutes those claims and says it is helping develop security guidelines and checklists. Schaeffer also said that agencies can protect their systems against 80 percent of known cyber attacks by following three steps: implementing best security practices, configuring networks properly, and monitoring networks effectively.

http://www.theregister.co.uk/2009/11/19/nsa_enhanced_windows7_security/

http://www.computerworld.com/s/article/9141105/NSA_helped_with_Windows_7_development

http://www.h-online.com/security/news/item/NSA-helps-Apple-Sun-and-Red-Hat-harden-their-systems-863889.html

http://fcw.com/Articles/2009/11/17/NSA-3-steps--better-cybersecurity.aspx

[Editor's Note (Pescatore): Ah, conspiracy theories. NSA and other government agencies have been involved in developing "gold" configuration definitions for standard software and network hardware products for a long time, along with the IT industry. Hardening in this case means better configuration and minimization of unneeded services.]

You can subscribe to the SANS newsletters HERE.

My concern about this news:

If the NSA is so good at hardening operating system security, and good at protecting their systems from 80% of known cyber attacks, how come the US federal government computer system has been PWNed by China and other countries every year since 1998, including 2009?

Read THIS list from the Center for Strategic & International Studies and have a heart attack. Included on the list are:

February 2009 - US Federal Aviation Administration hacked.

March 2009 - US federal computer containing plans for the new presidential helicopter hacked.

April 2009 - The revelation that the US power grid had been hacked.

May 2009 - US Homeland Security Information Network hacked.

So where was the NSA during all this? And the NSA has what skills to offer Microsoft, Apple, Sun and Red Hat? Just asking.

More likely the NSA is supplying their experiences in security FAILure, such as sharing what hacking methods were successful against federal computers during their watch. Just saying.

You know I'm itching to point out that switching to a proven secure operating system is always helpful. For example, why are the feds still using Windows?! It boggles my mind. Windows is dead last on the list of secure operating systems. The top 3 are still:

- OpenBSD
- FreeBSD
- Mac OS X (which incorporates BSD Unix)

But I'm just some layman with a few science degrees and some decades of computer experience who rants about the ridiculous state of computer security in my country.
(o_0)

--
