Persecution & Confusion
Roughly Drafted: Mac Shot First: 10 Reasons Why CanSecWest Targets Apple
1. Exploits discovered for the Mac have little other value outside of contests like CanSecWest. Nobody would buy the exploit Charlie Miller found, because there is no market for it.
So there is no market for an exploit against platforms that use WebKit? Because not enough people use the platform?
CanSecWest was a controlled explosion designed to demonstrate how fearsome a theoretical attack on Macs might be if there were any market to support such an event from actually happening outside of an artificial contest.
Nobody cares about exploiting Mac OS X because the marketshare is a whopping 6%. Small fry. Not even worth the time. Yet at the same time, Roughly Drafted celebrates the growth of the iPhone platform which just so happens to use WebKit too.
Roughly Drafted: iPhone Grabs 27% of US Smartphone Market
Apple’s 3% US market share among all phones means the iPhone already has three times the penetration in the US, its first market, as the public 1% goal Steve Jobs set for worldwide iPhone sales by the end of 2008, even before heading into its important first holiday quarter.
So which is it? Is there not enough of a market for exploits because the market is too small, or is the platform bigger than the big bad NPD and the evil cellphone companies want you to think?
Next issue: Roughly Drafted cries foul over CanSecWest’s usage of Windows Vista SP1, claiming that it’s not a fair fight.
The date CanSecWest is held, relative to release of security updates by each vendor, results in a variable that can have a big impact on the contest but doesn’t really say anything about the overall security of each platform. Had the contest been held prior to the release of Vista SP1 (which was released a full year after Vista arrived), it would have reflected the actual level of security Vista users enjoyed throughout 2007. Instead, it only reflects the state of Vista for users who have elected to install SP1, which has been dogged by problems of its own.
So shame on Mozilla for releasing a large update to Firefox prior to the beginning of CanSecWest in 2007.
This year, Mozilla also pushed out Firefox 2.0.013 the day before the contest, patching flaws that might otherwise have been used to attack the Ubuntu installation.
Are Mozilla and Canonical in cahoots with each other to keep Apple down? Those filthy traitors! How dare they patch their software before the event! It’s just not right! It doesn’t reflect the actual security of Firefox and Ubuntu users throughout 2008!
What about that big security update that Apple released? It was released prior to CanSecWest this year as well. I didn’t see that one mentioned in your article. You only mentioned that Apple released a patch for 2007’s CanSecWest, and that was only a sentence, compared to your condemnation of other vendors for the same practice.
This is getting to be too much. I’ll just leave you with one last quote. I’m far too confused.
10. Apple’s use of open source makes it easier for researchers like Miller to identify exploits
So which is it? Either Apple’s use of open source makes it “easier” for Charlie Miller to destroy us all or it’s part of Apple’s Open Source Assault on Microsoft.