As you surely know by now, the CanSecWest conference was the stage for a contest, PWN to OWN. Three laptops were set up; laptops running Windows Vista, Ubuntu Linux, and Mac OS X. The goal was to hack the computer and read the contents of a file located on each of the machines, using a 0day code execution vulnerability. During the first day, you can only attack the machine over the network, without physical access. On the second day, user interaction comes into play (visiting a website, opening an email). On the third and final day, third-party applications are added to the mix. Each machine had the same cash prize on its head. As you all know, the Mac was hacked first, on day two. The user only had to visit a website, and the Mac was hacked. Vista got hacked on the third day using a security hole in Adobe's Flash, and the Ubuntu machine did not get hacked at all. Update: Roughly Drafted responds.
To view parent comment, click here.
To read all comments associated with this story, please click here.
Member since:2005-11-11
I tend to keep sudo, but use a limited account with no sudo rights. Getting root access involves sudo adminUser (adminuser password), sudo -i (addminuser password). I get the benefits of having no root password as given by sudo, while running as what I'd actually consider a limited user.
Edited 2008-03-30 21:53 UTC
Member since:2006-02-12
Back on the Topic securing it is easy, falling for this hack would be hard
Yup that confounded me a little at first too. As the first time I tried to sudo from a non-admin account I was given a terse security warning. Then I thought it through and had to nest one sudo inside of another. Well in the end I find few reasons (outside of work -- where I am the Mac systems admin for all north American Macs for a publishing co.) Outside of banging on some naughty or inefficient code that I wrote I find very little practical reason to drop to the CLI
And also aside from reputable installers from respectable vendors I am very rarely asked to enter my admin name and password.
So If I am at a web page and it asks me to enter my local admin name AND then my password. AND then I enter it was I really hacked?
Member since:2005-09-03
I think its worth pointing out that on Ubuntu only the first user account created is, by default, a sudoer and this privillage can easily be removed and added to another account.
System->Administration->Users and Groups, Select user and click properties, Click the user privilages tab and add/remove "Administer the system". You can of course just edit the sudoers file as well.
Member since:
2006-08-09
Mac OS X uses the sudo concept just like Ubuntu does, if I'm correct. On OS X, I 'turn that off' and use a limited account (because I'm able to remember two passwords in stead of just one
), but it's the same default as Ubuntu's.