
An Ex-NSA Hacker Who Has Organized the First-Ever Mac Security Conference (vice.com)

Motherboard's Lorenzo Franceschi-Bicchierai spoke with Patrick Wardle, the ex-NSA hacker who's organizing a security conference exclusively dedicated to Macs. Despite Apple's famous promotion in the mid-2000s that Macs don't get "PC viruses," Mac computers do in fact have bugs, vulnerabilities, and even malware targeted at them. From the report: "People are peeking behind the curtain and realizing that the facade of Mac security is not always what it's cracked to be," Wardle told Motherboard in a phone interview. "Any company that designs software is going to have issues -- but Apple has perfected the art of a flawless public facade that masks many security issues." Wardle would know. After hacking primarily Windows computers at Fort Meade, for the last few years Wardle has been finding several issues in MacOS, so many that he considers himself a "thorn" on Apple's side. But his conference is not an exercise in shaming or finger pointing; Wardle said he hopes to educate and teach people about Mac security, especially now that so many companies are using Macs as their corporate computers.

The conference is called Objective By the Sea, a wordplay on Objective-See, the name of Wardle's suite of free Mac security products (which is itself a wordplay on Apple's main programming language called Objective-C.) It will be held in Maui, Hawaii on November 3 and 4. The conference will be free for residents of Hawaii, and for patrons of Objective-See. That's why Wardle said he can't afford to pay for all speakers to attend, but he had no trouble finding people who wanted to participate. One group that doesn't want to come to Maui, at least for now, is Apple. Wardle said he reached out to the company, essentially offering it carte blanche to talk about whatever it wanted. But the company, so far, has not responded, according to him.

This discussion has been archived. No new comments can be posted.

  • ...and you can basically use the same "god mode" hack as with any other "Pc".

    Check this video out for details, but..ahem, use responsibly: https://www.youtube.com/watch?... [youtube.com]

    • by JBMcB ( 73720 ) on Friday September 28, 2018 @11:41PM (#57393600)

      ...and you can basically use the same "god mode" hack as with any other "Pc".

      Any other VIA C3 based PC, you mean. This hack was possible because the C3 has an embedded low power RISC core, probably for some kind of sleep state managed mode or something. With a "hidden," or possibly malformed instruction, you can wake it up and access protected memory by sending it instructions.

      The ostensible analog on the Mac side is the Intel MME. Only issue with that is the MME isn't really used on the Mac platform. It's included, but the Mac platform doesn't enable any of its features (vPro management, mainly.)

      • by tlhIngan ( 30335 )

        Any other VIA C3 based PC, you mean. This hack was possible because the C3 has an embedded low power RISC core, probably for some kind of sleep state managed mode or something. With a "hidden," or possibly malformed instruction, you can wake it up and access protected memory by sending it instructions.

        The ostensible analog on the Mac side is the Intel MME. Only issue with that is the MME isn't really used on the Mac platform. It's included, but the Mac platform doesn't enable any of its features (vPro mana

        • by JBMcB ( 73720 )

          Not likely. Likely it's access to the real CPU core, not some hidden management processor.

          Yep you're right. The C3 is a RISC core with a microcoded x86 frontend. The "backdoor" was an undocumented routine left in to debug the x86 front-end.

          So there could theoretically be an undocumented opcode on Intel/AMD that gets you into the underlying execution units. I'm on the fence as to whether or not AMD/Intel would leave something like that in. The C3 situation seemed to be out of laziness, they just left the instructions open on the underlying silicon. AMD and Intel seem to hold their CPU firmware fa

    • by Megol ( 3135005 )

      No!
      VIA isn't Intel. The design of VIA C3 isn't the design of Intel processors nor AMD processors.

  • Just for the record, a complete Objective-C toolchain was an installable package with Slackware 95, one of the Slackware distros of the Linux 1.x era. Objective C existed long before Steve Jobs's NeXT bought Apple.

    • Apple bought NeXT, not the other way around.

      Objective-C was NeXTStep's primary supported language, and NeXT is the one who implemented the compiler in gcc to begin with (in the late 80's) which is why it was in Slackware in 1995.

      • In terms of the software culture predominant after the transaction, NeXT bought Apple. Apple had frittered away millions on a next gen Mac OS, and gotten nowhere.

  • That hasn’t been Apple’s “main programming language” for some time now.

    • by dgatwood ( 11270 )

      I'd be shocked if any significant percentage of Apple's immense codebase has been rewritten in Swift. So at least from the perspective of what language Apple uses to write its software, it almost certainly is Apple's main programming language. Well, that and C and C++.

  • At work we're expanding our support for Mac in our vulnerability scanner, over the next month or two. (Last month I wrote a bunch of code to find more Cisco vulnerabilities.)

    We have our usual sources of vulnerability data, but does anyone happen to know any that are particularly good for Mac specifically? We aim to cover every CVE ever issued.

    • by AHuxley ( 892839 )
      Re "Mac specifically"
      The https://objective-see.com/inde... [objective-see.com] site has some in the blog, talks sections.
      • Thanks. I'll look that over and maybe use some of the stuff there to make a presentation for my team.

        The job I really want is to be *teaching* security programmers while making very good money doing it. Nobody has that job advertised, so I'm creating it by doing weekly or twice-weekly presentations for my team, with other people from the company also invited. Eventually people will figure out that whenever you need your security programmers trained in something, Ray does that well. :)

  • Someone spoke to hacker who organized...

    Could someone shoot that hanging title?
