“Mac OS X is a secure operating system in that it’s multi-user and has limits on what some user accounts can do. If an account is set up as a basic user, that user can only hurt himself, not the whole system or other users. However, in the interest of being ‘friendly’ to new users, Apple leaves a lot of the secure bits off for the first user created, and this means that trojans like this week’s can cause some pretty nasty problems on your system. Yet all of this is easy to correct. Just run over the following and you should be well on your way to a protected computer.”
What is more valuable, the system files or the files in your home directory? Seems like there have to be some “rm -r ~/*” scripts masked as nude pics of your favorite pr0n star before the so-called security experts realize that there *is* a threat from this kind of attack.
I think, however, that it will take a much, much longer time until somebody realizes that there is a fundamental misconception in a system that allows downloaded scripts to execute an “rm -r ~/*”, even after entering the admin password or doing a chmod to set execution permission.
– Morin
(edited to add chmod remark)
Edited 2006-02-18 20:15
You forgot to include the -f flag. The command you supplied would ask for user confirmation before deleting things (at least it does on most *nix…doesn’t do it in Ubuntu, though, and that’s a bad thing in my opinion…)
The problem is that they can actually LOOK like images. I think the way Linux handles this prevents this problem. To start a program, I need to go to the menu. To install a program, it either needs to be a package which opens with the package manager, where it’s pretty clear what you’re doing. If I want to install software without using its package, and it’s a shell script, GNOME will ASK me what to do: “This file is a shell script. What do you want to do? [ Cancel ] [ Execute in Terminal ] [ Open with Text Editor ]”. At that point, most people aren’t going to hit Execute in Terminal if they aren’t intending this script to do something. You have to open up a Terminal or specifically tell a script to run to get it to execute, forcing a user to either click “Install” or click “Execute in Terminal”. Having scripts run without a user explicitly requesting it, or through the user opening a terminal, is not acceptable and is apparently a major problem in Apple’s and Microsoft’s security architectures.
So you want a system that prevents the user from modifying his own files whenever he wants. How should the computer know the difference between a script that was downloaded and one I created to clear out my external drive?
You want an idiot-proof computer. Well, give me your address and I will mail you an abacus, as you can’t have a computer that makes sure the user isn’t an idiot before he does anything. PEBKAC: Problem Exists Between Keyboard And Chair. If you can’t handle it then don’t use it. Just like if you can’t handle a car you shouldn’t drive.
I have never lost data, through Windows/Linux/OS X, through viruses, or through the stupidity of my own actions. If you’re not smart enough to do it as well then you shouldn’t be using a computer to begin with. It takes all of 5 minutes a week to safeguard most of your work.
> So you want a system that prevents the user from
> modifying his own files when ever he wants. How should
> the computer know the difference between a script that
> was downloaded and one I created to clear out my
> external drive?
Simply by the fact that you wrote one script yourself, and downloaded the other. The computer just has to store this information together with the script and look at it when you are trying to execute it.
Second problem would be users that copy a script from a website into a text editor and execute that. Such data could also be tagged, but sometimes it’s actually what the user wants to do (e.g. copy a script from a howto page).
A (partial) solution would be to provide undo operations for delete commands if the data has not yet been overwritten. This is something I’m waiting for anyway.
> You want an idiot proof computer. well give me your
> address and i will mail you an abacus. As you can’t
> have a computer that makes sure the user isn’t an
> idiot before he does anything. PEBKAC Problem exists
> between keyboard and chair. If you can’t handle it
> then don’t use it. Just like if you can’t handle a
> car you shouldn’t drive.
I don’t think that a really idiot proof computer exists. People always find ways to screw up, especially when they don’t know what they *want* to do. However, if they *know* what they want, then the computer should get out of their way as much as possible. I also think that you are trying to discuss the problem away.
– Morin
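The “undo for delete commands” idea above, as an added example that is not code from the thread: a delete moves the file or directory into a trash directory and records its original path, so the delete can be reverted as long as the trash has not been emptied and nothing has since been written to the original path (the poster’s “not yet overwritten” condition). The class and method names, the manifest format and the sample tree are all hypothetical.

```python
"""Undoable delete via a trash directory and a manifest (added example)."""
import json
import shutil
import tempfile
import time
import uuid
from pathlib import Path


class Trash:
    def __init__(self, root):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        self.manifest = self.root / "manifest.json"   # hypothetical manifest file

    def _entries(self):
        return json.loads(self.manifest.read_text()) if self.manifest.exists() else {}

    def _save(self, entries):
        self.manifest.write_text(json.dumps(entries, indent=1))

    def remove(self, path):
        """Move `path` (file or directory tree) into the trash; return an undo token."""
        path = Path(path).resolve()
        token = uuid.uuid4().hex
        shutil.move(str(path), str(self.root / token))
        entries = self._entries()
        entries[token] = {"original": str(path), "deleted_at": time.time()}
        self._save(entries)
        return token

    def undo(self, token):
        """Restore the entry behind `token` to its original location."""
        entries = self._entries()
        entry = entries.pop(token)
        original = Path(entry["original"])
        if original.exists():
            # Something else now lives at that path: refuse rather than clobber it.
            # The manifest is not rewritten, so the token stays valid.
            raise FileExistsError(f"{original} already exists; undo refused")
        original.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(self.root / token), str(original))
        self._save(entries)
        return original

    def empty(self):
        """Permanently discard everything; after this, undo is impossible."""
        for token in list(self._entries()):
            target = self.root / token
            shutil.rmtree(target) if target.is_dir() else target.unlink()
        self._save({})


def demo():
    """Constructed scenario: delete a fake home tree, restore it, then show undo refusing a clobber."""
    work = Path(tempfile.mkdtemp())
    home = work / "home"
    (home / "photos").mkdir(parents=True)
    (home / "photos" / "cat.jpg").write_bytes(b"\xff\xd8constructed sample")  # constructed data
    trash = Trash(work / ".trash")

    token = trash.remove(home / "photos")        # what a hostile "rm -r ~/*" would hit
    gone = not (home / "photos").exists()
    restored = trash.undo(token)
    content_back = (home / "photos" / "cat.jpg").read_bytes().endswith(b"sample")

    token = trash.remove(home / "photos")
    (home / "photos").mkdir()                    # the path gets reused before the undo
    try:
        trash.undo(token)
        clobber_refused = False
    except FileExistsError:
        clobber_refused = True
    shutil.rmtree(work)
    return {"gone": gone,
            "restored": restored.resolve() == (home / "photos").resolve(),
            "content_back": content_back,
            "clobber_refused": clobber_refused}
```

Aliasing `rm` to `Trash.remove` only helps against deletion; a script that overwrites files in place (or calls the real `/bin/rm`) bypasses it, which is why the thread’s other suggestion of backups still stands.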
> Simply by the fact that you wrote one script yourself, and downloaded the other. The computer just has to store this information together with the script and look at it when you are trying to execute it.
Interesting concept, however where would you store such extra information? While the suggestion sounds simple, I do not think that the solution is trivial.
I don’t really understand in which way you mean ‘where’, so I’ll give you several answers:
physically: where the script itself is stored (e.g. on disk)
file system: some kind of metadata section, either per file or even per part-of-file, the same way the file type or access rights are stored. (This is indeed a non-trivial part of the final solution because it might not be possible with the currently popular file systems).
in RAM: The shell or OS could simply check for metadata when trying to execute a script. A more fundamental solution would be a programming model in which the data itself is treated as ‘tagged’ data after being loaded from disk and cannot be executed directly (the latter is again non-trivial because it contradicts the programming model of the most-used programming languages. It would however allow other nice things, such as controlling from the OS where data is copied to).
– Morin
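The tagging scheme Morin describes (store “this was downloaded” with the script, check it at execution time), as an added example that is not code from the thread: the download tool records the origin, and an execution gate refuses to run a tagged script unless the user explicitly approves. The tag lives in a sidecar JSON file next to the script (standing in for the file-system metadata the post asks for), keyed by file name and bound to a SHA-256 of the contents, so it is recognised as stale once the file is edited; a file with no tag (written locally, or pasted from a web page into an editor, the second problem raised above) is treated as the user’s own. Treating an edited download as still untrusted is a design choice of this example. The sidecar name, function names and sample scripts are hypothetical.

```python
"""Provenance tag on downloaded scripts, checked before execution (added example)."""
import hashlib
import json
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Optional, Tuple

DB_NAME = ".provenance.json"   # hypothetical per-directory sidecar store


def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def _db(path: Path) -> Path:
    return path.parent / DB_NAME


def _records(path: Path) -> dict:
    db = _db(path)
    return json.loads(db.read_text()) if db.exists() else {}


def tag_downloaded(path, origin: str) -> None:
    """Called by the download tool: remember that `path`, with its current contents, came from `origin`."""
    path = Path(path).resolve()
    records = _records(path)
    records[path.name] = {"origin": origin, "sha256": _digest(path)}
    _db(path).write_text(json.dumps(records, indent=1))


def provenance(path) -> Tuple[str, Optional[str]]:
    """Classify a file: ('local', None), ('downloaded', origin) or ('modified', origin)."""
    path = Path(path).resolve()
    rec = _records(path).get(path.name)
    if rec is None:
        return "local", None                  # never tagged: user-created or pasted in
    if rec["sha256"] != _digest(path):
        return "modified", rec["origin"]      # tag no longer matches the contents
    return "downloaded", rec["origin"]


def may_execute(path, approved: bool = False) -> Tuple[bool, str]:
    """The gate a shell or launcher would consult before running a script."""
    state, origin = provenance(path)
    if state == "local":
        return True, "no download tag, treated as user-created"
    if approved:
        return True, f"{state} ({origin}), explicitly approved by the user"
    # An edited download keeps its untrusted origin: an attacker-supplied
    # script does not become trusted just because it was touched afterwards.
    return False, f"{state} from {origin}: refusing to run without explicit approval"


def run_script(path, approved: bool = False) -> subprocess.CompletedProcess:
    ok, reason = may_execute(path, approved)
    if not ok:
        raise PermissionError(reason)
    return subprocess.run(["sh", str(path)], capture_output=True, text=True, check=False)


def demo() -> dict:
    """Constructed scenario: a 'picture' that is really a script, beside a locally written script."""
    work = Path(tempfile.mkdtemp())
    fake_pic = work / "hot_pic.jpg.sh"
    fake_pic.write_text("echo 'would have run rm -rf ~/*'\n")    # constructed, harmless
    mine = work / "clear_external.sh"
    mine.write_text("echo 'clearing the external drive'\n")      # constructed, harmless

    tag_downloaded(fake_pic, "http://example.invalid/hot_pic.jpg")
    out = {
        "downloaded_allowed": may_execute(fake_pic)[0],
        "downloaded_state": provenance(fake_pic)[0],
        "local_allowed": may_execute(mine)[0],
        "approved_output": run_script(fake_pic, approved=True).stdout.strip(),
    }
    fake_pic.write_text(fake_pic.read_text() + "# edited\n")
    out["edited_state"] = provenance(fake_pic)[0]
    out["edited_allowed"] = may_execute(fake_pic)[0]
    shutil.rmtree(work)
    return out
```

The gate is only as good as the places that call it: a script launched by an unaware program (or by `sh script.sh` in a shell that does not consult the tag) bypasses it, which is the “more fundamental solution” the post alludes to.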
The fact a virus can wipe your data files under your home directory rather than the system files is less of a problem. The data in your home directory is the data you should be backing up, you’re a lot less likely to lose this through viruses than you are through accidental deletion or hardware/software failure. Modern viruses/worms are even less likely to delete your user files, they want to become part of your system.
When this user data is backed up, malware infecting your system is the most serious issue. You won’t know it’s there, you don’t know what it is sending/downloading with your machine, you don’t know what snooping it is doing on your transactions.
All the talk about the sanctity of user data is just obscuring the issue. It largely seems to be raised when discussing Linux/Unix security, as targeting the system files is that much more difficult. Making it easy to target system files is far more of a vulnerability than allowing the targeting of user files.
Of course, the increased use of capabilities could even solve the latter issue, so programs only have access to what they need access to. Capabilities won’t stop a user accidentally deleting their own files, or having them corrupted in a crash, so backing up user data is still important.
Can you imagine twice the amount of malware in your mailbox? There’s one batch coming for Windows and – oh joy! – there’s another one for a Macintosh!
So perhaps that’s another reason why we need OS diversity.
Just because you bought a shiny Apple, Red Hat or IBM box doesn’t mean you’re instantly secure. Education is still required; it is the way of *nix security.
He didn’t mention FileVault, did he?
Great, the author doesn’t even suggest that it would be a good idea to check if you have the latest security updates installed. There goes his credibility.
Seriously?
Most of this stuff is rubbish, the majority of exploits are on services that are disabled by default.
So unless the user enables these things, he’s not going to have these problems.
The other is Bluetooth, something that is enabled by default, but the amount of manual interaction you need to install the malware (I don’t consider it a Trojan, it’s malware)…
Plus you need to be within range of the Machine to start with.
That is the chance of getting infected, and getting infected by someone who isn’t your friend that is cranky.
As someone said before, this was fixed in June 2005 with the exploit.
Plus the Auto Update program of OS X is enabled by default; it checks regularly when you are on the net to see if there are updates, and for you to install them.
Anyone tried them for Windows lately? The new Windows Update is a pain to navigate, plus it’s hard to see what’s actually being fixed in the patch.
You finish an install on an OS X machine, and the update is one of the first things you see.
So the chances of any of this are marginal at best.
Not to say OS X is invincible, but it handles security seriously, and their patch times are much more regular and fix the hole quicker than Windows ever would. (What’s their average patch time? 135 days?)
There’s more and more of these articles coming up closer to the release of Vista, it’s all articles to buff up Vista I would guess.
Vista is still going to have the main account as an Administrator I’m sure, you are still going to see the same problems, no matter how their ‘focus’ is on security.
It’s still based on the same buggy code, unless it’s a complete re-write, then I can see problems.
Edited 2006-02-19 22:28
Not bad, but I wish the author had been more clear about where to go to change some of these settings. (I wanted to double-check to see if I had locked my keychain — yes I had) and spent some time noodling around before I found the correct setting.
The writer also assumes that we’re all going to SSH into our machines at some point and fails to mention that you can also disable all remote access simply by going to System Preferences -> Sharing -> Services.
Me? I keep it all turned off.
Why is SSH getting mentioned?
It’s disabled by default.
Only power users turn it on and need it, and they know how to keep a machine up to date and know what SSH actually means.
> The writer also assumes that we’re all going to SSH into our machines at some point and fails to mention that you can also disable all remote access simply by going to System Preferences -> Sharing -> Services.
You mean the step immediately previous to the SSH tip that says to leave all services (SSH included) off unless you’re using them?