
January: Month of Apple Bugs
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Dec 21, 2006, 02:59 AM
 
Coming in January: "Month of Apple Bugs" - Security Fix

January 2007 will be the "Month of Apple Bugs" where every day an OS X security issue will be published. In the short term this project will decrease security for the average Mac user, one of the organizers said (I guess until Apple patches all 31 bugs).

"Right now, many OS X users still think their system is bulletproof, and some people are interested on making it look that way," LMH said.
Typical smug Mac user attitude.
     
Moderator
Join Date: Oct 2001
Location: San Diego, CA, USA
Dec 21, 2006, 03:17 AM
 
I eagerly look forward to seeing what they come up with. Hopefully it's less made-up than that Airport hack that was supposed to destroy Mac users' smugness.
Chuck
___
"Former child prodigy. Now I'm old."
     
Mac Elite
Join Date: Mar 2001
Location: Madison, WI
Dec 21, 2006, 09:15 AM
 
If someone decided to do Windows bugs, it would probably take just a day, as opposed to an entire month.
I do not like those green links and spam.
I do not like them, Sam I am.
     
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Dec 21, 2006, 12:25 PM
 
I'm pretty sure Windows still has more than one bug.
     
Mac Elite
Join Date: Mar 2001
Location: Madison, WI
Dec 21, 2006, 04:44 PM
 
Originally Posted by TETENAL View Post
I'm pretty sure Windows still has more than one bug.
That was my point. You could find the same number of bugs in Windows in one day that you would take a month to find in OS X.
I do not like those green links and spam.
I do not like them, Sam I am.
     
Addicted to MacNN
Join Date: Jan 2002
Location: PDX
Dec 21, 2006, 05:27 PM
 
Oh noez! The big lie has been uncovered! Mac OS X has bugs! What ever will we do??

This dude is lame.
     
Posting Junkie
Join Date: May 2001
Location: Gold Coast, Australia
Dec 21, 2006, 06:04 PM
 
Who ever thinks Mac OS X is bulletproof?

This guy is widely discredited as one who cares less about actual security and more about grabbing attention for himself by his sensationalistic practices.

     
Addicted to MacNN
Join Date: Jan 2006
Location: In front of my iMac
Dec 21, 2006, 06:17 PM
 
What? My Mac isn't perfect???!!? I'm taking them back!
     
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Dec 24, 2006, 09:58 PM
 
That dude is such a lame ass. WTF ?

Why not just bash Macs outright. Loser.

-t
     
Senior User
Join Date: Nov 2005
Dec 24, 2006, 11:23 PM
 
Originally Posted by - - e r i k - - View Post
Who ever thinks Mac OS X is bulletproof?

This guy is widely discredited as one who cares less about actual security and more about grabbing attention for himself by his sensationalistic practices.
Agreed. What good can come from revealing bugs without notifying Apple first and giving the OS X engineers time to analyze the bug and fix it?

Answer: None. If you are interested in getting the bugs fixed, you report them as soon as you have sufficient details on what causes them and under what conditions. You don't "threaten" to make bugs public knowledge on a timetable; this helps nobody except those who would exploit those bugs. Posting one per day? That's just an attempt to get people to visit the web page repeatedly, boosting ad revenue. (I can't confirm this one, since I'm unwilling to go to the website and boost the visit count.)

It's just an attention grab, plain and simple. The ONLY way you will convince me otherwise is if the bugs posted are bugs known to Apple for longer than, say, three months. And even then, the bugs have to be critical in nature, allowing systems to be compromised with no user interaction.
13.3" MacBook 1.83 GHz Core 2 Duo, 2 GB RAM, OS X 10.5.4
Indigo iMac G3 400 MHz, 384 MB RAM, OS X 10.4.11
16 GB iPhone 3G v2.0.2
40 GB Apple TV 2.1
     
Senior User
Join Date: Mar 2004
Dec 26, 2006, 11:17 AM
 
Originally Posted by frdmfghtr View Post
What good can come from revealing bugs without notifying Apple first and giving the OS X engineers time to analyze the bug and fix it?
Where is your proof that notification has not already been given?
Have you read every bug report submitted to Apple or something?
-HI-
     
Posting Junkie
Join Date: Dec 2000
Dec 26, 2006, 01:26 PM
 
Did you read the article?

"To the chagrin of some security experts, however, LMH declined to give affected vendors advance notice before posting evidence of kernel bugs on his Web site last month. Eleven of those kernel bugs were related to Apple software and applications, including a serious security hole that prompted a software update from Apple just two weeks later. As with the kernel bugs project, Apple will be given no advance notice with the Month of Apple bugs, LMH said in an interview conducted over instant message."

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist 2.5.2. Macworld - five mice!
     
Posting Junkie
Join Date: Oct 2000
Location: Los Angeles
Dec 26, 2006, 02:34 PM
 
If this guy's finding serious OS X bugs in his spare time that highly paid Apple engineers either cannot or will not find themselves, Apple should definitely try to hire him.

PPC4Ever
     
Senior User
Join Date: Mar 2004
Dec 27, 2006, 05:23 PM
 
Originally Posted by CharlesS View Post
Did you read the article?

"To the chagrin of some security experts, however, LMH declined to give affected vendors advance notice before posting evidence of kernel bugs on his Web site last month. Eleven of those kernel bugs were related to Apple software and applications, including a serious security hole that prompted a software update from Apple just two weeks later. As with the kernel bugs project, Apple will be given no advance notice with the Month of Apple bugs, LMH said in an interview conducted over instant message."
Hm, okay then. (Isn't that "hearsay" evidence though? Or maybe he's fibbing!)

NEVERMIND

Interesting nonetheless... I looked at the http://kernelfun.blogspot.com/ page
and don't see a single advertisement. So whatever the motivation, I don't think
it's about "generating clicks" as some have said. I think many are overreacting.
I'd guess by March this will all just be a memory, and MacOSX will be secured.

Cheers.
-HI-
     
Professional Poster
Join Date: Jun 2003
Dec 28, 2006, 09:26 AM
 
Originally Posted by Big Mac View Post
If this guy's finding serious OS X bugs in his spare time that highly paid Apple engineers either cannot or will not find themselves, Apple should definitely try to hire him.
Personally, because the guy is such an ass about the whole thing, I think Apple should fix the bugs (if they truly are bugs or security problems), not give him credit and not pay him a dime.
     
Mac Elite
Join Date: Nov 2005
Location: Redmond, WA
Dec 28, 2006, 10:54 AM
 
Yeah, I'd heard about this guy. If he really gave a damn about security, he'd quietly submit the bug reports to Apple instead of making them available to the public en masse. Not to mention that the fact that he has 31 bugs to release means that he's been stockpiling them for some time now.

Jack@$$.

Caution: Contents May Be Flammable. Keep Out Of Reach Of Children.
     
Addicted to MacNN
Join Date: Jun 2006
Location: "Working"
Dec 28, 2006, 11:27 AM
 
Originally Posted by Macola View Post
If someone decided to do Windows bugs, it would probably take just a day, as opposed to an entire month.
Originally Posted by Macola View Post
That was my point. You could find the same number of bugs in Windows in one day that you would take a month to find in OS X.
No, he has 31 bugs in Mac OS X, and he's going to release one each day. He's not going to spend a month trying to find bugs.
     
Posting Junkie
Join Date: Feb 2000
Location: Washington, DC
Dec 28, 2006, 11:56 AM
 
Big deal...

1) Few people think OS X is "bulletproof"

2) Finding a security bug is only a big issue if it can be implemented remotely (no physical access to the system).
EDIT: I'm not saying it's not an issue, but I'm really not worried so much about hypothetical situations where someone could hack my system if I install a trojan.

I'm guessing that it's going to be a bunch of "See, because you can fake an icon, this could be a trojan and someone could XYZ" MAJOR SECURITY BREACH!!!
     
Senior User
Join Date: Mar 2004
Dec 28, 2006, 12:18 PM
 
Two (of many) possible viewpoints...

"Best-case" scenario
This LMH character does the responsible thing: he notifies Apple privately.
So what happened?... one guy submitted some reports to Apple.
QUESTION: when do those problems get fixed?
(Heck, I'll bet dollars to doughnuts that Apple already knows
about many of these bugs... without anyone telling them!!!)
ANSWER: whenever they get around to it.


"Worst-case" scenario
This LMH character goes ahead as planned: each day a new bug is published on the web.
So what happens?... the **world** learns about new bugs.
QUESTION: So, when does each problem get fixed?
ANSWER: I'll bet dollars to doughnuts that they'll move way **way** up on Apple's "to do" list.

--

Here is a comment someone made at the Washington Post article:
The smugness of all too many Mac users is relevant
because it gives Apple a motive not to pay as much
attention to security as it might - because many Mac
users will defend the company out of a misplaced
tribal loyalty rather than, as intelligent users would,
holding the company to account.
Maybe so, maybe not.

Everything isn't black or white... red state or blue state, etc.
There is a spectrum of colors and shades in anything complex.
I suspect this ill wind just might blow something good our way.

So, the sooner the better.
(Last edited by Hal Itosis; Dec 28, 2006 at 11:07 PM )
-HI-
     
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Jan 2, 2007, 09:51 AM