Linked by Thom Holwerda on Mon 6th Mar 2006 15:52 UTC, submitted by netpython
Mac OS X
Gaining root access to a Mac is 'easy pickings', according to an individual who won an OS X hacking challenge last month by gaining root control of a machine using an unpublished security vulnerability. On February 22, a Sweden-based Mac enthusiast set his Mac Mini as a server and invited hackers to break through the computer's security and gain root control, which would allow the attacker to take charge of the computer and delete files and folders or install applications. Within hours of going live, the 'rm-my-mac' competition was over. The challenger posted this message on his Web site: "This sucks. Six hours later this poor little Mac was owned and this page got defaced".
eMagius Member since:
2005-07-06

OS X is hardly OpenBSD. I don't recall ever saying differently. Then again, I'm not one of those "fanatics" who is out there bashing MS Windows at every turn.

Reply Score: 4

someone Member since:
2006-01-12

Had the OS in question been OpenBSD, that hacker would not have bothered in the first place...

Despite being a Mac user, I have to say OS X may very well be the least secure out of all of the *BSDs (esp. as a server)

This being said, I don't think this attack would apply to home users, especially those who have a NAT router.

Edited 2006-03-06 17:34

Reply Score: 3

hahah
by poundsmack on Mon 6th Mar 2006 16:16 UTC
poundsmack
Member since:
2005-07-13

hahaha what did you think was going to happen?

Reply Score: 4

duh
by Matt Giacomini on Mon 6th Mar 2006 16:18 UTC
Matt Giacomini
Member since:
2005-07-06

In any operating system there are security precautions you need to take when turning a machine into an internet server and expecting it to be secure.

Our company has Windows and Solaris machines in our DMZ. Do we just install Windows and Solaris and then throw them out in the DMZ? Hell no. You lock your systems down to the point where the only things that run on them are the services that you *require*.

There are packages and services that can be hacked in any OS, there are also unknown problems with every OS. For example we have found windows to be very secure when totally locked down, not running IIS, and only running the services we need on them.

And of course another big thing to take into consideration when locking down a system is locking down the network, to kill anything unwanted before it gets to the system. Firewalls, screening routers and such can greatly increase your protection.

Reply Score: 5

RE: duh
by MightyPenguin on Mon 6th Mar 2006 20:40 UTC in reply to "duh"
MightyPenguin Member since:
2005-11-18

Good thing for you most hackers only care about owning machines, not crashing them. There are plenty of fun mangled packets for Windows that will cause it to blue screen.

A friend of mine was at a biz convention where everyone was on the same network. They were bored so they transmitted some of these malformed packets network-wide. Lots of PCs at the convention blue screened instantly, and I guess their booth got more customers when most of the other booths' demos stopped working ;)

Reply Score: 1

local access
by Jake on Mon 6th Mar 2006 16:19 UTC
Jake
Member since:
2006-01-08

With SSH access allowed, I'm not surprised. The only general-purpose OS I'd trust to run a shell server on the default install is OpenBSD.

If malicious users have local access, you should implement the other kind of MAC, mandatory access controls. I remember a Gentoo/SELinux demo that allowed root access.

Reply Score: 2

RE: local access
by Mathman on Mon 6th Mar 2006 16:36 UTC in reply to "local access"
Mathman Member since:
2005-07-08

Misunderstood the parent comment for a second, so I'm removing mine.

Edited 2006-03-06 16:45

Reply Score: 1

RE[2]: local access
by Jake on Mon 6th Mar 2006 16:53 UTC in reply to "RE: local access"
Jake Member since:
2006-01-08

I'd trust OpenSSH on one system but not the others because of the potentially insecure software the others include. OpenBSD has a fully audited userland and employs numerous hardening techniques. OSX is a fine OS to run an sshd that always blocks users, but let them in and they'll find a way to get root.

Reply Score: 1

RE: local access
by postmodern on Mon 6th Mar 2006 21:29 UTC in reply to "local access"
postmodern Member since:
2006-01-27

Assuming they didn't just ssh brute force their way in, this would mean a fully patched OSX is crawling with local vulns. It might not be an UBBER remote buffer overflow, but it's still security, the only good vuln is a patched one.

Reply Score: 1

I admit it's true
by JustAnotherMacUser on Mon 6th Mar 2006 16:21 UTC
JustAnotherMacUser
Member since:
2006-01-08

Mac OS X is insecure.

I posted my ip address here last week and I got hacked.

Thanks for the lesson guys, I'm off to wipe my hard drive now.

Reply Score: 3

It's alright
by FrankNBeans on Mon 6th Mar 2006 16:21 UTC
FrankNBeans
Member since:
2006-01-30

I'm sure there's a very good reason why this isn't a problem. Apple fans will tell us why soon.

Reply Score: 5

OMRebel
Member since:
2005-11-14

I think OSX is a good OS, but there seems to be so many Mac users out there that take up their machines and OS as a religion, and berate and belittle every other OS out there. Seeing reality like this slapping them in the face is pretty funny. Of course, I expect to see a ton of excuses popping up now about how it's not really an exploit in OSX, it was user stupidity, blah blah blah.

Reply Score: 5

at least
by Espectro on Mon 6th Mar 2006 16:26 UTC
Espectro
Member since:
2006-02-01

he didn't sit there forever w/ the network cable unplugged, spoofing and gloating.

Reply Score: 1

Classic FUD
by barcode on Mon 6th Mar 2006 16:40 UTC
barcode
Member since:
2005-08-02

This guy intentionally allows people SSH accounts so that they might 'rm -rf' it if they can. That's the contest.

Here is the non-cache version of the URL that the author used in his article.

http://rm-my-mac.wideopenbsd.org/

The owner of the box says it is set up like "It runs a default install of Mac OS X Tiger, plus fink and some decent versions of Apache, MySQL and PHP. Software Update recently updated it to Mac OS X 10.4.5 and fixed some security issues."

So, it's a mac with 10.4.5 with 'fixed some security issues' which and what are unknown, as well as additional updates to apache, mysql, and php.

He has a web form for people to create SSH accounts in the attempt that they might totally own the box and 'rm -rf' the box, a totally devastating thing. So he opened up the security on his mac to be a web server and an SSH server. Not a really wise thing to do, but if you are participating in a security challenge you have to give people a little bait to make it worthwhile.

But to date the only thing that they have been able to do is deface the site which is run in the local user space. Not so severe after all IMHO.

ZDNet's article is completely misleading.

"It probably took about 20 or 30 minutes to get root on the box."

What root? The disabled, non-running root? If he had root, then he should have rm -rf the box. But he didn't... Why? Cause he didn't have root!!!!

"According to gwerdna, the hacked Mac could have been better protected, but it would not have stopped him because he exploited a vulnerability that has not yet been made public or patched by Apple."

Ok, some unknown 'gwerdna' guy says he got the mythical root account access using some super secret and unknown exploit that is unpublished or patched. It probably exists in a land called Narnia too...

The worst offense is this:

"Within hours of going live, the "rm-my-mac" competition was over. The challenger posted this message on his Web site: "This sucks. Six hours later this poor little Mac was owned and this page got defaced"."

This is so wrong and misleading. On the original challenge web site, here is what the owner had to say:

"This sucks. Six hours later this poor little Mac was owned and this page got defaced. Good thing is it didn't get rm'd! Way to go PTP."

Exactly! It was defaced! Not rm'd. It's still up and running.

Check out his site, roam around. Read the notes and the /Idiots.

ZDNet is really being amazingly retarded lately.

Reply Score: 5

RE: Classic FUD
by Tom K on Mon 6th Mar 2006 18:55 UTC in reply to "Classic FUD"
Tom K Member since:
2005-07-06

... But it still got hacked.

That bothers you, doesn't it? It bothers you a lot.

Reply Score: 0

RE: Classic FUD
by gonsalu on Mon 6th Mar 2006 19:14 UTC in reply to "Classic FUD"
gonsalu Member since:
2006-02-21

If you had checked the after-being-hacked-posts on the rm-my-mac site, you would know that gwerdna created a file in /. I don't think you can do that with normal user permissions, but feel free to correct me.

Reply Score: 4

RE[2]: Classic FUD
by sanctus on Mon 6th Mar 2006 19:31 UTC in reply to "RE: Classic FUD"
sanctus Member since:
2005-08-31

If the owner created his and/or the other user with admin rights, yes, it is possible. But it does not give you root access.

Reply Score: 2

No kidding...
by Jack_Green on Mon 6th Mar 2006 16:42 UTC
Jack_Green
Member since:
2006-01-04

The ZDNet article is lacking many details I would be interested in hearing. Most importantly, I would like to know what services were running, how was the computer connected to the internet (through a router or direct), was the firewall turned on, and what vulnerability was used to gain access.

I think it is important for people to exercise a little more common sense when it comes to security. First of all, don't connect your desktop machine directly to the internet! Even if it is the only computer you own, buy a router with NAT and plug that into the modem, and your computer into the router... please!

Now the article does mention that it wouldn't have made a difference if the various services that were turned on (web server, remote desktop or whatever) were there or not, as they weren't used to gain access. If this is true, this is definitely a problem worth getting excited about.

Reply Score: 2

RE: No kidding...
by KenJackson on Mon 6th Mar 2006 19:41 UTC in reply to "No kidding..."
KenJackson Member since:
2005-07-18

First of all, don't connect your desktop machine directly to the internet! Even if it is the only computer you own, buy a router with NAT and plug that into the modem, and your computer into the router... please!

That's good advice. But my desktop GNU/Linux machine is directly connected via a static IP address and I think I'm pretty secure. I use 'iptables' to just drop most incoming packets.

Only OpenSSH and OpenVPN are exposed, and both of those are on non-standard ports. So even if you find me and scan me for all open ports, you won't know what services you've found.

Reply Score: 1

RE[2]: No kidding...
by bogomipz on Tue 7th Mar 2006 08:12 UTC in reply to "RE: No kidding..."
bogomipz Member since:
2005-07-11

The cracker is probably looking for a specific service that he has a strategy for gaining access through, and will try all your open ports to see if he can find that service.

Reply Score: 1

RE[2]: No kidding...
by RenatoRam on Tue 7th Mar 2006 08:31 UTC in reply to "RE: No kidding..."
RenatoRam Member since:
2005-11-14

Just to be sure, did you also remove the banners for the services? Otherwise discovering a service on a non-standard port is pretty easy.

Besides, an attacker will find 2 ports open; guess which services he will try to use? HTTP, FTP, SSH, telnet (maybe not in this order :-) )

Reply Score: 1

RE[3]: No kidding...
by KenJackson on Tue 7th Mar 2006 16:51 UTC in reply to "RE[2]: No kidding..."
KenJackson Member since:
2005-07-18

Neither OpenVPN nor OpenSSH present banners before authentication. They both use the OpenSSL library for encryption, which AFAIK is very solid. I figure, if I'm at risk, a whole lot of people and corporations that think they are secure are also at risk.

Reply Score: 1

MacOS is not BSD
by Nicram on Mon 6th Mar 2006 16:42 UTC
Nicram
Member since:
2006-01-31

I would like to inform you that the BSD operating system world is not like Linux. MacOS is not like FreeBSD, and NetBSD is not like OpenBSD (even if one came from another many years ago). MacOS is not a BSD "distro". Every BSD is a full operating system based on some BSD kernel code, but the rest, with security patches, software, drivers, etc., is different. So please stop saying that it showed something to the Unix world. Because it did not. It just shows that Apple made a not secure OS based on some BSD code. Nothing more. When you put a gun into a child's hand, it will not be a soldier because of that.

Reply Score: 2

Couple Problems
by ma_d on Mon 6th Mar 2006 16:42 UTC
ma_d
Member since:
2005-06-29

1.) The story is basically written by some punk kid. I call him such because he's not yet published the security hole he's apparently mastered.
2.) There are 3 reasons Mac isn't hit by viruses and spyjunk:
a.) Its market share is much smaller
b.) Its market share is much less gullible. (spyjunk)
c.) Its public server share is almost non-existent.

Apple needs to take security seriously these days, and people like this kid need to publish their security findings instead of caching them up for future profiteering/bragging rights.


The market share argument has always made sense to people because it's based on a grain of truth: Why hack something that has no value. But market share is one key in many to value. You're not going to hack a large number of the apache systems out there because: They aren't running anything valuable (personal sites). However, you would target them for worms.

And you aren't going to fill a Mac with spyware. Its user will be unlikely to be suckered into whatever you're trying to sell to them, and they'll likely pay someone to remove it if they don't simply remove it themselves.

Of course a Mac makes every bit as good of a DDoS bot as a PC.


The other problem with the article is that he doesn't even mention in what area the two security holes he used were (obviously he gained shell access, then he gained a privilege escalation).

Reply Score: 4

Check out this write-up from MacDailyNews
by barcode on Mon 6th Mar 2006 16:53 UTC
barcode
Member since:
2005-08-02

http://macdailynews.com/index.php/weblog/comments_opinion/8795/

Be sure to read also the related articles at the bottom.

Essentially this and the reports of viruses were a bunch of hot air.

Reply Score: 3

A few questions about this
by kadymae on Mon 6th Mar 2006 17:09 UTC
kadymae
Member since:
2005-08-02

I've poked about the FAQs, but I'm curious, was root access enabled before the contest began?

Because Sysadmin is not quite the same as Root, yet I see a lot of people using the two interchangeably.

Reply Score: 2

Hmm
by Finalzone on Mon 6th Mar 2006 17:18 UTC
Finalzone
Member since:
2005-07-06

Correct title should be:
Mac OS X Cracked Under 30 Minutes

Hackers optimize programs while crackers do the damage.

Reply Score: 2

RE: Hmm (the word "hacker" has been corrupted)
by KenJackson on Mon 6th Mar 2006 20:20 UTC in reply to "Hmm"
KenJackson Member since:
2005-07-18

I gave you a plus because I lament the media's theft and corruption of words.

The good meaning of the word hacker was thoroughly documented in Steve Levy's excellent, long-ago history book, Hackers: Heroes of the Computer Revolution. I observe that a lot of people still use the word in this way in forums to generally mean skillful coding--a very constructive thing.

But when the word is used in the general media today it always means something criminal.

There are two other words that I lament the theft of in a similar way, but I dare not mention them because they unnecessarily evoke emotion in some people.

Reply Score: 3

When I see a widespread
by Windows Sucks on Mon 6th Mar 2006 17:27 UTC
Windows Sucks
Member since:
2005-11-10

When I see a widespread worm or virus like you see almost monthly on Windows then I will worry.

Till then I will use my mac, and not worry.

Reply Score: 1

Moulinneuf Member since:
2005-07-06

Apple Mac OS is not Open Source or Free software.

Reply Score: 1

Tom K Member since:
2005-07-06

I'm screenshotting that.

All this time you've spent telling us that OS X is 100% open-source software that Apple stole, and now this? Wow. Someone's psychotic.

Reply Score: 0

Moulinneuf Member since:
2005-07-06

"I'm screenshotting that."

Why? You can ask me any time to repeat it, Mac OS X is not Open Source or Free Software; it's built from it. It does not mean that Mac OS X doesn't come from Open Source.

"All this time you've spent telling us that OS X is 100% open-source software that Apple stole"

Yes, Mac OS X is based on BSDs, which they changed license and closed to others. It's not really hard to understand. Building from Open Source doesn't necessarily make your derivative and product Open Source. Where do you think the flaws came from? They were fixed in Open Source and people had the bright idea to see if they worked on Apple Mac OS X ...

"and now this? Wow. Someone's psychotic."

Learn what psychotic means. I did not change what I said either, you just still don't get it.

Reply Score: 1

kadymae Member since:
2005-08-02

Yes, Mac OS X is based on BSDs, which they changed license and closed to others.

This statement is patently untrue. You've been corrected on this several times. Please stop your inane lying and willful FUDmongering.

1) Apple cannot legally change the BSD license. Only the UC Berkeley Regents can change the license.

2) Booting OS X into single user mode reveals the copyright notice as required by the BSD license.

3) Apple regularly releases the BSD portions of their code to the public. It isn't hard to find.

[3a) Apple has also released their changes to KHTML to the public. Also not hard to find.

3b) Apple has also released its code for XWindows to the public. Also not hard to find.]

4) Anything Apple has coded in house from scratch is theirs to keep closed or open up as they like. The fact that parts of their OS are BSD derived, or that 2 of their programs are OSS based does not change this.

(As an aside, the same goes for Xandros and their file management interface/program.)

5) Should Apple choose to close their BSD derived source, provided they keep the copyright notice, it is their absolute LEGAL right to do so under the terms of the BSD licence.

6) In terms of what Apple has done with the GPL and BSD licenses and code protected under them, they have yet to be shown to have violated the terms of either license.

Reply Score: 4

memson Member since:
2006-01-01

OS X is based on OPENSTEP/NEXTSTEP. IIRC NeXT owned the source code to OPENSTEP outright. Apple owns OPENSTEP via the NeXT buyout, so they own the source code. They can do what they like with it, so long as they credit any parts of the BSD codebase they include within their product - which they seem to do.

Reply Score: 1

Moulinneuf Member since:
2005-07-06

http://en.wikipedia.org/wiki/OpenStep

"IIRC NeXT owned the sourcecode to OPENSTEP outright."

No, it was a joint Open Source effort between SUN and NeXT.

"Apple owns OPENSTEP via the NeXT buyout"

No, Apple owns NextStep, a commercial derivative of the OpenStep library.

"so they own the sourcecode."

No , if they did GNUstep would not exist.

It's the stupid mentality of "they can close Open Source code because they made a derivative of it" and saying that it's acceptable that is wrong and bad. BSD code and its protection clause don't grant the right to close the source code. It only says: don't come suing us if anything goes wrong; you can use it as you like.

Reply Score: 1

Emil Member since:
2005-06-29

I did, Mr. Troll, sir.

sudo -s
mv /bin/rm /bin/rm.org
vi /bin/rm
# the new /bin/rm is a script that calls rm.org with -i:
#   #!/bin/sh
#   exec /bin/rm.org -i "$@"
chmod 755 /bin/rm   # u+x alone would let only root run it

Sure, you still can cat /bin/rm, rm.org -rf ~/ but you said "Joe Average". I bet he knows no difference between rm and script that calls rm in interactive mode.

Now, be gone!

Reply Score: 4

remiss Member since:
2006-01-24

echo "alias rm='rm -i'" >>/etc/profile

Reply Score: 3

Emil Member since:
2005-06-29

Some shells may not use /etc/profile. :-)

Reply Score: 1
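A wrapper in the spirit of Emil's script above, added here as an example (not code from any poster): it installs into a scratch directory instead of /bin, records the path of the real rm instead of renaming it, and also strips -f/--force from the arguments, because rm lets a later -f cancel -i, so a plain wrapper is defeated by the very rm -rf the thread is about. Unlike the /etc/profile alias, a wrapper found on PATH applies to every shell and script that calls rm.

```shell
#!/bin/sh
# Added example, not from the thread: an rm wrapper in the spirit of Emil's
# post, installed into a scratch directory so it can be tried without
# touching /bin. Assumes a POSIX sh and a standard rm(1) on PATH.

# install_rm_wrapper DIR: write DIR/rm, a script that forwards to the real
# rm with -i and drops any -f/--force, because rm lets the last option win
# and "rm -rf" would otherwise cancel the -i the wrapper adds.
install_rm_wrapper() {
    dir=$1
    mkdir -p "$dir"
    real_rm=$(command -v rm)          # real binary, recorded at install time
    {
        printf '#!/bin/sh\n'
        printf "real='%s'\n" "$real_rm"
        cat <<'EOF'
# Rebuild the argument list without -f/--force; stop filtering after "--",
# since everything after it is a file name.
n=$#
seen_dashdash=0
while [ "$n" -gt 0 ]; do
    arg=$1; shift; n=$((n - 1))
    if [ "$seen_dashdash" -eq 0 ]; then
        case $arg in
            --)       seen_dashdash=1 ;;
            --force)  continue ;;                 # drop the long form
            --*)      ;;                          # other long options pass
            -?*)      arg=$(printf '%s' "$arg" | tr -d f)   # -rf -> -r
                      [ "$arg" = - ] && continue  # was only -f: drop it
                      ;;
        esac
    fi
    set -- "$@" "$arg"
done
exec "$real" -i "$@"
EOF
    } > "$dir/rm"
    chmod 755 "$dir/rm"   # executable for everyone, unlike Emil's u+x
}

# wrapper_kept_file DIR: create a file and ask the wrapper to "rm -rf" it
# with stdin closed, as a script would; the prompt reads EOF as "no".
# Returns 0 if the file survived.
wrapper_kept_file() {
    dir=$1
    : > "$dir/victim"
    "$dir/rm" -rf "$dir/victim" </dev/null 2>/dev/null || true
    [ -e "$dir/victim" ]
}

# wrapper_removes_with_yes DIR: the same wrapper, answered "y", does delete,
# so ordinary interactive use still works. Returns 0 if the file is gone.
wrapper_removes_with_yes() {
    dir=$1
    : > "$dir/victim2"
    echo y | "$dir/rm" "$dir/victim2" 2>/dev/null
    [ ! -e "$dir/victim2" ]
}
```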

archiesteel Member since:
2005-07-02

From an average user's view, I ask just one question: over 10-20 years of the Unix world, how come this simple exploitable command slipped under the nose of thousands of devels around the world?

The command didn't slip under anyone's nose, it does exactly what it's supposed to do. There is a similar command for Windows, by the way.

This is possibly the lamest attempt at FUD I've ever witnessed here. Give it up already!

Reply Score: 2

evangs Member since:
2005-07-07

rm removes files. rm -rf ~/ is going to do exactly what it says on the tin, i.e. remove files in your user directory. It isn't a bug, and it isn't an exploit. You've been posting the same crap on every news item so far. Tell me, how do you intend to fix this 'bug'? Preventing users from using the computer? This command (or similar) is available on every computer platform, from DOS to Unix.

Reply Score: 2

modmans2ndcoming
Member since:
2005-11-09

The hackers had local ssh access.... hrmmm

Reply Score: 4

theine Member since:
2005-09-29

The hackers had local ssh access.... hrmmm

Yeah, so? Local ssh access shouldn't enable you to do any damage to the system.

Reply Score: 2

Yet more FUD
by Tyr. on Mon 6th Mar 2006 17:48 UTC
Tyr.
Member since:
2005-07-06

Just another story in the recent FUD campaign against Apple. Expect all major tech sites to cover it and to cover it as ineptly as ZDnews did, e.g. leaving out the fact that 2 attack vectors, ssh and http access, were deliberately opened up for this competition. Props to slashdot for being the only one so far to mention these important "details".

The fact these people had access is not irrelevant: "escalation of privilege" is generally easier than actually breaking in.

Edited 2006-03-06 18:02

Reply Score: 4

the should
by dcibils on Mon 6th Mar 2006 18:11 UTC
dcibils
Member since:
2005-12-28

start delivering ...

Apple Defender
Apple AntiVirus
Apple Firewall

for "regular" OS X users. We all know these kinds of issues were coming as Apple/OS X popularity grew.

Reply Score: 1

RE: the should
by Flatline on Mon 6th Mar 2006 18:40 UTC in reply to "the should"
Flatline Member since:
2006-03-06

Doesn't OS X already have a firewall built in?

Not sure whether it's enabled by default (I'm not a Mac user), but it's there nonetheless.

Reply Score: 1

RE[2]: the should
by evangs on Mon 6th Mar 2006 18:52 UTC in reply to "RE: the should"
evangs Member since:
2005-07-07

It isn't enabled by default, because no ports are open by default.

Reply Score: 1

RE[3]: the should
by Flatline on Mon 6th Mar 2006 18:54 UTC in reply to "RE[2]: the should"
Flatline Member since:
2006-03-06

Sounds like Ubuntu's philosophy.

I agree with most here that any machine should be behind a hardware firewall; having a firewall enabled on the machine itself is a good thing as well IMHO.

Reply Score: 1

RE[3]: the should
by Tom K on Mon 6th Mar 2006 18:59 UTC in reply to "RE[2]: the should"
Tom K Member since:
2005-07-06

... If only that were true.

I suggest you do a netstat -a on your Mac sometime.

Reply Score: 1

RE[4]: the should
by evangs on Mon 6th Mar 2006 22:13 UTC in reply to "RE[3]: the should"
evangs Member since:
2005-07-07

Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 *.* *.* CLOSED
tcp4 0 0 localhost.netinfo-loca localhost.1017 ESTABLISHED
tcp4 0 0 localhost.1017 localhost.netinfo-loca ESTABLISHED
tcp4 0 0 localhost.netinfo-loca localhost.1021 ESTABLISHED
tcp4 0 0 localhost.1021 localhost.netinfo-loca ESTABLISHED
tcp4 0 0 localhost.netinfo-loca *.* LISTEN
udp4 0 0 localhost.49157 localhost.1022
udp4 0 0 localhost.49156 localhost.1022
udp4 0 0 localhost.1022 *.*
udp4 0 0 localhost.49155 localhost.1023
udp4 0 0 localhost.1023 *.*
udp4 0 0 192.168.2.2.49154 *.*
udp4 0 0 *.mdns *.*
udp4 0 0 192.168.2.2.ntp *.*
udp4 0 0 localhost.ntp *.*
udp4 0 0 *.ntp *.*
udp6 0 0 *.5353 *.*
udp4 0 0 *.mdns *.*
udp4 0 0 *.* *.*
udp4 0 0 localhost.netinfo-loca *.*
icm6 0 0 *.* *.*


So.... aside from NTP which is something I enabled, what else is on by default?

Reply Score: 1

RE[5]: the should
by Tom K on Mon 6th Mar 2006 23:34 UTC in reply to "RE[4]: the should"
Tom K Member since:
2005-07-06

NetInfo, mdns, 1023, 5353, ...

... Are you blind?

Reply Score: 1

RE[2]: the should
by kadymae on Mon 6th Mar 2006 18:54 UTC in reply to "RE: the should"
kadymae Member since:
2005-08-02

It has a firewall that is *not* enabled by default, but most of the ports that a hacker would like to slip in on ship closed by default, so ...

I would certainly say, turn the firewall on and get the extra protection, but running without it turned on isn't a HUGE security risk, either.

Reply Score: 1

Missing the point
by JoeBuck on Mon 6th Mar 2006 18:55 UTC
JoeBuck
Member since:
2006-01-11

Yes, it is correct that the owner granted SSH access, and the cracker then used a local privilege escalation exploit. But the point you're missing is that because the black hats have a number of such exploits available, getting a user to run a trojan gives the bad guy root. It's one half of a two-stage attack: first get access as an ordinary user (trick the user into executing some code, by a trojan or a buffer overflow exploit). Then the bad guy is an ordinary user. The second step is to get root. So don't think that because you don't allow remote SSH access, that you are safe.

Mac users should demand that Apple be more aggressive about fixing security bugs. Apple hasn't been as aggressive as they need to be because their customer base is complacent.

Reply Score: 5

RE: Missing the point
by someone on Mon 6th Mar 2006 23:36 UTC in reply to "Missing the point"
someone Member since:
2006-01-12

I agree with the second part: Apple need to be more aggressive about fixing security bugs. They should also find better ways to address social engineering attacks (for example, making it easier to distinguish between a file and an application package).

However, you should also notice that many Macs are behind a router and/or ipfw.

Reply Score: 1

RE[2]: Missing the point
by Beryllium on Tue 7th Mar 2006 01:55 UTC in reply to "RE: Missing the point"
Beryllium Member since:
2005-07-08

Wow, way to miss the point a second time.

Reply Score: 1

fork bomb.
by MattK on Mon 6th Mar 2006 19:18 UTC
MattK
Member since:
2005-11-14

Ha! Well, I couldn't rm -rf it, but it looks like a default OSX install is vulnerable to a fork bomb from a user account. Not terribly good.

Reply Score: 1

Why?
by Omega Penguin on Mon 6th Mar 2006 20:31 UTC
Omega Penguin
Member since:
2006-02-12

Is this news? No one would care if Windows got hacked in 30 min. And about the "more market share=more viruses" thing, remember that Mac OS has about 80 viruses, Windows has about 80,000. 2% of that is 1,200, which is far more than 80.

The point? Mac OS X should have about 2.8% of all viruses, but it does not, because it is more secure. No matter how many viruses, though, Mac users should protect their systems.

Reply Score: 0

RE: Why?
by StephenBeDoper on Mon 6th Mar 2006 23:12 UTC in reply to "Why?"
StephenBeDoper Member since:
2005-07-06

And about the "more market share=more viruses" thing, remember that Mac OS has about 80 viruses, Windows has about 80,000. 2% of that is 1,200, which is far more than 80.

The point? Mac OS X should have about 2.8% of all viruses, but it does not, because it is more secure.


That's not sound reasoning. Even a high school level education in mathematics should tell you not to expect the relation between the number of viruses and marketshare to be linear.

Edited 2006-03-06 23:28

Reply Score: 1

RE[2]: Why?
by archiesteel on Mon 6th Mar 2006 23:50 UTC in reply to "RE: Why?"
archiesteel Member since:
2005-07-02

Perhaps, but a factor of 15:1? Even if the relationship isn't linear, this still seems to favor Mac OS X (or Linux, for that matter).

This overlooks a point, however: whatever the reasons, there is very little malware for *nix platforms. Maybe this will increase with marketshare, but all that this means is that until the marketshare improves significantly, *nix platforms will be safer as a general rule.

Not only that, but (always following this reasoning) it's in the interest of Windows users for their OS to have a smaller market share, as it will improve security for their OS. Therefore, Windows enthusiasts should actively advocate that people switch to OS X, BSDs, Solaris or Linux, in order to be safer themselves.

Reply Score: 1

heh...
by deathshadow on Mon 6th Mar 2006 20:50 UTC
deathshadow
Member since:
2005-07-12

>> Tell me, how do you intend to fix this 'bug'? Preventing users from using the computer?

A sad truth, and one people rarely get, is the only secure server is one that doesn't serve... so I get a real laugh out of that dig as it does illustrate the point rather well.

I also get a real kick out of statements like:

>> Doesn't OS X already have a firewall built in?

Which illustrate the ignorance of the average user, and the overblown media hype that's been given to firewalls the past few years. Firewall on a server can only block accesses on ports NOT used for serving. What are you gonna do? Block port 80 (http), port 21 (ftp) and port 22 (ssh) on a SERVER? No, because then it wouldn't serve http, allow users to update their http sites via FTP, or do simple things like backing up their SQL databases via a 'secure' shell.

Firewall is useless if the attack is occurring on a port that can't be blocked - of course the converse is also true - blocking ports that there's no software installed to respond on just wastes overhead. The only reason Firewalls help in Windows as much as they do is all the crap services running in the background the average user doesn't need (Telnet server, Messenger, etc). This applies under other OS too. If there's no software running to REPLY on a port - you don't need to block it inbound, and generally speaking if you need to worry about blocking outbound, you probably installed something you shouldn't have. (like uhm, Internet Explorer or Outlook)

Everything that has access IN at some point, be it FTP, HTTP, what have you has a point at which an attack can be mounted - Which is why the statements about things like linux or OSX being 'more secure' always get a chuckle out of me as it's not a matter of security but effort... and with most of the die hard hackers out there being rabid anti-MS zealots, where do you think most of the effort ends up going?

So it's no wonder when you give people a reason to look at OS X, it only lasted 30 minutes. I'd be willing to bet a better documented OS like linux might even last LESS time - except that I doubt any self respecting hacker would put the effort in since linux is their pride and joy.

Reply Score: 2

RE: heh...
by Flatline on Mon 6th Mar 2006 21:01 UTC in reply to "heh..."
Flatline Member since:
2006-03-06

>> Doesn't OS X already have a firewall built in?

>> Which illustrate the ignorance of the average user, and the overblown media hype that's been given to firewalls the past few years.

Actually, if you looked at the post I was *replying* to, you would see that the poster was saying (in a tongue-in-cheek way) that Apple should include Apple Defender, Apple Spyware, and Apple Firewall. I was simply pointing out that Apple already includes the firewall.

Of course you can't block the port if you're actively using it (port 80 being a good example for webservers)...duh.

Reply Score: 1

RE[2]: heh...
by deathshadow on Mon 6th Mar 2006 21:08 UTC in reply to "RE: heh..."
deathshadow Member since:
2005-07-12

Sorry, wasn't singling you out per se... just the discussion of firewalls that had cropped up in the thread in general.

Reply Score: 1

RE[3]: heh...
by Flatline on Mon 6th Mar 2006 22:40 UTC in reply to "RE[2]: heh..."
Flatline Member since:
2006-03-06

"Sorry, wasn't singling you out per se... just the discussion of firewalls that had cropped up in the thread in general."

Fair enough. I actually agree that firewalls have been severely over-hyped as a cure-all. It does make sense, though, to seal off anything that you don't need to "listen" for.

Reply Score: 1

RE: heh...
by ormandj on Mon 6th Mar 2006 23:01 UTC in reply to "heh..."
ormandj Member since:
2005-10-09

I'm sorry, but I must point out that you have the same "ignorant of the average user."

You really don't understand firewalling if you think it's just blocking some ports. Yes, that may be all your crappy linksys can do, but that's not all we do on the enterprise level.

As it's already been put best, I will cite Wikipedia.

"Network layer firewalls operate at a (relatively low) level of the TCP/IP protocol stack as IP-packet filters, not allowing packets to pass through the firewall unless they match the rules. The firewall administrator may define the rules; or default built-in rules may apply (as in some inflexible firewall systems).

A more permissive setup could allow any packet to pass the filter as long as it does not match one or more "negative-rules", or "deny rules". Today network firewalls are built into most computer operating systems and network appliances.

Modern firewalls can filter traffic based on many packet attributes like source IP address, source port, destination IP address or port, destination service like WWW or FTP. They can filter based on protocols, TTL values, netblock of originator, domain name of the source, and many other attributes."

- http://en.wikipedia.org/wiki/Firewall_%28networking%29

That article is pretty sparse, but I don't want to overload you with groundbreaking new information about what a firewall can do. I suggest you go check out pf sometime, if you've got a spare machine.

- http://www.openbsd.org/faq/pf/

It has the full functionality of most modern hardware firewalls at the better-than-consumer level. You can filter packets based on information in the header, or even in the payload itself.

I own a data center, so I work with this day in and day out. We have extremely complex rules in place that do a _lot_. Everything from alerting us to incoming DDoSs (as well as actively attempting to drop the packets before they get to our clients' computers) to filtering out spoofed mail servers prior to the packets even touching our smtp agents. This is typically known as deep packet inspection.

Needless to say, those are only two small examples; there are thousands of other things you can do with a firewall. Please don't call people ignorant if you're ignorant yourself, and haven't bothered to research the topic you're writing about at least a _little_. Wikipedia is normally a good starting point! ;)

Reply Score: 1
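To make this exchange concrete (default deny, pass only the ports that have a listener, and pf's per-source rate limiting as one of the "drop it before it reaches the client" measures ormandj describes), here is an added pf.conf example; it is not from the thread or from the pf FAQ, and the interface name em0, the exposed ports (ssh and http, as on the challenge machine) and the overload thresholds are assumptions:

```pf
# Added example, not from the thread or the OpenBSD pf documentation.
# Assumptions: external interface is em0; the host exposes only ssh (22)
# and http (80), like the challenge machine described in the thread.
ext_if = "em0"
tcp_services = "{ 22, 80 }"

# Sources that trip the rate limit below are collected here and dropped.
table <bruteforce> persist

set skip on lo0

# Default deny on inbound. A port with no listener never needs an
# explicit block, but default deny also covers a daemon started later
# by mistake. Log what is blocked so it can be reviewed with tcpdump.
block in log all
pass out quick keep state

# Anything already flagged as abusive is dropped before the pass rules.
block in quick from <bruteforce>

# Only ports with something actually listening are reachable. A source
# opening more than 20 new connections in 10 seconds is added to
# <bruteforce> and its existing states are torn down.
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services \
    flags S/SA keep state \
    (max-src-conn-rate 20/10, overload <bruteforce> flush global)

# Traffic matching the rule above reaches sshd and the web server as
# normal traffic; a flaw in those daemons is outside this ruleset's
# reach, which is the point deathshadow makes in this thread.
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; the `<bruteforce>` table can be inspected with `pfctl -t bruteforce -T show`.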

RE[2]: heh...
by deathshadow on Mon 6th Mar 2006 23:29 UTC in reply to "RE: heh..."
deathshadow Member since:
2005-07-12

>> You really don't understand firewalling if you think it's just blocking some ports. Yes, that may be all your crappy linksys can do, but that's not all we do on the enterprise level.

and what you don't seem to understand is that your entire post and linked articles mean exactly {censored} when the attacks are coming in via normal traffic routes - if the attack is via port 80 against apache, or port 21 against ftpd, or some other port that is allowed for some program that has a vulnerability so it looks like normal traffic - ALL of that fancy firewalling means Jack.

Reply Score: 1

RE[3]: heh...
by ormandj on Mon 6th Mar 2006 23:32 UTC in reply to "RE[2]: heh..."
ormandj Member since:
2005-10-09

That's not true. I filter incoming port 80 requests for various signatures that would/could be possible attacks. Normal HTTP requests don't get you local user privs. Malformed requests can, however. Same for any service. "ALL of that fancy firewalling means Jack" <-- for me, it's meant no intrusions on any protected machines for well over a year now, pushing upwards of 2gbit/s in overall bandwidth from a multitude of services.

You really should control that temper of yours, btw. It's quite telling.

Reply Score: 1

RE[4]: heh...
by deathshadow on Tue 7th Mar 2006 03:05 UTC in reply to "RE[3]: heh..."
deathshadow Member since:
2005-07-12

>> Malformed requests, can, however. Same for any service

In which case you are treating the symptom, not the cause - the cause being piss poor error handling in whatever program is receiving the requests.

>> You really should control that temper of yours, btw. It's quite telling.
That's actually pretty funny, as that was friendly for me... but then I'm blunt and call things as I see them and to hell with who it offends.

George, sometimes they can't tell when you're acting...
It's not important for them to know, it's only important for me to know...

Reply Score: 1

RE[5]: heh...
by ormandj on Tue 7th Mar 2006 04:13 UTC in reply to "RE[4]: heh..."
ormandj Member since:
2005-10-09

"In which case you are treating the symptom, not the cause - the cause being piss poor error handling in whatever program is receiving the requests."

Absolutely no argument there. However, I don't write all of the software for the thousands of servers sitting behind the firewall, nor do I have the intention of auditing them all for customers who do not pay for managed services. So, the best I can do is at least attempt to catch a large portion of the *crap* coming in before it has the *possibility* of allowing unknown people from Russia to turn my network into a multi-gigabit spamming operation. Understand? ;)

"That's actually pretty funny, as that was friendly for me... but then I'm blunt and call things as I see them and to hell with who it offends."

Either you're really young, or you have a crappy job. I can't see anybody dealing professionally with a personality that abrasive. Being blunt is one thing, being rude is another. I can appreciate bluntness, as I'm blunt myself. I cannot, however, tolerate rudeness. To hell with who it offends? Nice. ;) Oddly enough, most of the Battletech players I've met have been pretty cool guys. Oh well.

Reply Score: 1

from university of wisconsin
by pixelmutt on Mon 6th Mar 2006 22:11 UTC
pixelmutt
Member since:
2006-03-06

In response to the woefully misleading ZDnet article, Mac OS X hacked under 30 minutes, the academic Mac OS X Security Challenge has been launched.

The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are "unpublished". But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.

The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac Mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open. Email das@doit.wisc.edu if you feel you have met the requirements, along with the mechanism used. The mechanism will then be reported to Apple and/or the entities responsible for the component(s).

Mac OS X is not invulnerable. It, like any other operating system, has security deficiencies in various aspects of the software. Some are technical in nature, and others lend themselves to social engineering trickery. However, the general architecture and design philosophy of Mac OS X, in addition to usage of open source components for most network-accessible services that receive intense peer scrutiny from the community, make Mac OS X a very secure operating system.

Reply Score: 1

Not really fair...
by xtaski on Mon 6th Mar 2006 23:31 UTC
xtaski
Member since:
2006-02-09

Nobody seriously uses OS X as a server platform except ad/media/creative types... and they don't know when their servers are hacked anyway. In all fairness, most companies shield their servers with layers of firewall, IDS, and other security policies that would even protect a Mac.

I just wish Apple would sell me Aqua to run on my Linux desktop - I would pay $150 to have that GUI on Linux.

Reply Score: 1

RE: Not really fair...
by Tom K on Mon 6th Mar 2006 23:38 UTC in reply to "Not really fair..."
Tom K Member since:
2005-07-06

There's more to the OS X feel than just Aqua -- things that are sorely lacking in Linux.

The concept of DMGs and App bundles, directory layouts, window server ...

Reply Score: 2

RE[2]: Not really fair...
by ma_d on Tue 7th Mar 2006 00:31 UTC in reply to "RE: Not really fair..."
ma_d Member since:
2005-06-29

Maybe it's not the feel he's after, just the look.

And OS X's desktop feel most closely resembles NeXT, from which it gets its MDI (multiple windows per process treated as one) and object oriented feel (the trash is a good example of an object; any throw away/removal goes there). If you wanna approximate this much on X11 I recommend WindowMaker.

The filesystem is organized, ahem, in two ways at the same time. There's the Unix layer, and then packed on top is the Mac.App stuff. I just don't know why you'd want this, but Gobolinux might get you somewhere along these lines.

And what precisely is new or unique about a DMG? How do they feel different from zips and tarballs?

Reply Score: 1

RE[3]: Not really fair...
by Tom K on Tue 7th Mar 2006 01:35 UTC in reply to "RE[2]: Not really fair..."
Tom K Member since:
2005-07-06

The "look" has been emulated one hundred times before on various other platforms.

And DMGs are unique because they're mountable disk images. You can do a lot with a DMG, and you can do a lot with mountable disk images in general. OS X can mount ISO, UDF, APM, MBR, etc. disk images out of the box. It doesn't distinguish between those or physical discs.

Oh, and before someone goes "Yeah well Linux does that too": I have yet to see a distro where I can double-click on any kind of disk image and have it mounted locally without trouble.

Reply Score: 1