Linked by Thom Holwerda on Sun 30th Mar 2008 20:35 UTC
As you surely know by now, the CanSecWest conference was the stage for a contest, PWN to OWN. Three laptops were set up; laptops running Windows Vista, Ubuntu Linux, and Mac OS X. The goal was to hack the computer and read the contents of a file located on each of the machines, using a 0day code execution vulnerability. During the first day, you can only attack the machine over the network, without physical access. On the second day, user interaction comes into play (visiting a website, opening an email). On the third and final day, third-party applications are added to the mix. Each machine had the same cash prize on its head. As you all know, the Mac was hacked first, on day two. The user only had to visit a website, and the Mac was hacked. Vista got hacked on the third day using a security hole in Adobe's Flash, and the Ubuntu machine did not get hacked at all. Update: Roughly Drafted responds.
Thread beginning with comment 307267
To read all comments associated with this story, please click here.
To read all comments associated with this story, please click here.
Member since:2006-08-09
), but it's the same default as Ubuntu's.
RE[2]: OOooh Oooh Me first?
by MamiyaOtaru on Sun 30th Mar 2008 21:52
in reply to "RE: OOooh Oooh Me first?"
Member since:2005-11-11
I tend to keep sudo, but use a limited account with no sudo rights. Getting root access involves sudo adminUser (adminuser password), sudo -i (addminuser password). I get the benefits of having no root password as given by sudo, while running as what I'd actually consider a limited user.
Edited 2008-03-30 21:53 UTC
RE[2]: OOooh Oooh Me first?
by voidlogic on Mon 31st Mar 2008 01:56
in reply to "RE: OOooh Oooh Me first?"
Member since:2005-09-03
I think its worth pointing out that on Ubuntu only the first user account created is, by default, a sudoer and this privillage can easily be removed and added to another account.
System->Administration->Users and Groups, Select user and click properties, Click the user privilages tab and add/remove "Administer the system". You can of course just edit the sudoers file as well.
Member since:
2006-02-12
O.K. First things first. I was not supposed to use a computer this weekend, But I got an call that required an email. And while I was here...
The most effective and pure *simple* technique to secure OS X, is to not be logged in as an admin, or even any member of the 'admin group'. I own my Mac, I use the BSD Style 'ladmin' account and then a complex password. And then I avoid using that account for just about anything.
The Behavior is EXACTLY the same as when I need 'admin' access I type up both my admin name and password.
It is not common practice on a Mac, but I sincerely hope that we in the Mac community start to act right. It is hard to imagine a day when we are as bad off on OS X as we are 'generally' in Win XP but that doen not mean that I need to be logged in for admin purposes