Cracking OSX 216
A reader writes: "BusinessWeek is running an article about the new potential target for cracking - all those shiny new Mac OSXs, with their nice new Unix underbodies. Will crackers start to go after these machines too?" Well, to a certain extent, of course, yes. Anything that's easy - but will new tools be developed for these boxes? My only caveat is the use of the hack rather than crack - but that's a semantics thing.
what they should say.... (Score:2)
heck they are a bit "safer" now because all the old mac OS9 virii have to be rewritten for OSX.
So consider an operating system without virii... and targeted less than windoze for virii & cracking.... targeted less than linux for cracking.... an OS with a new GUI, new memory management, and probably a slew of developers waiting to write antivirus software & sell it for their system (compared to what linux antivirus programs?)
Re:As with anything.... (Score:2)
Re:Security for Mac Users (Score:2)
Actually, had IE been (re)written for Cocoa, the jump to (Open|GNU)Step would have been quite small. However, the initial jump to Cocoa would have been huge.
Think about it - if you write to Cocoa, and port to *Step, you'll be writing apps that are easily portable to anything but Windows! You gotta love that...
Re:Some Points to consider: (Score:2)
4) when I did a portscan of my own system using the built in tools, there were only 2 ports open, both of which are in the 700's somewhere - I don't know what they're for, but all the typically 'hackable' ports, like telnet, aren't open. No ports == harder to access.
I saw this as well. I believe they are being used by the built-in scanner. I installed a scanner on my Win98 box and then scanned the OS X box. No ports open except ssh.
Re:End of innocence (Score:3)
Re:Why stack smashing works on (almost) every CPU (Score:3)
What is it with idiots who know C and think that means they know C++ too?
Patches (Score:4)
shellcode! (Score:5)
http://belgo.org/propeller/
-Chris
Re:Cracker Schmacker (Score:5)
It gets damned annoying hearing people constantly whine about how people use the word hacker when they really mean cracker. Languages evolve and change. You can't put up a resistance. Make up a new freaking word for coders if this bothers you so much. Because after the media's tainted the word "hacker", there's no going back.
Some Points to consider: (Score:5)
That said, let me outline what I believe are some salient points:
1) it's possible to install OSX *without* the BSD subsystem - no subsystem == no way to hack by command line.
2) Mac OS X has a firewall compiled in the kernel. While the firewall configuration hasn't been set (and realistically, how can Apple define the rules for everybody when they don't know how the machine is to be used?), you can use ipfw to configure, or there are GUI apps like BrickHouse (http://personalpages.tds.net/~brian_hill/brickho
3) Mac OS X ships with the root account *disabled* by default. That's right. If you have to do superuser-related actions, you have to log in as a user with administrator privileges, and type in "sudo " at the terminal to do root-like things. This is only an extra step to 0wn the machine, true, but *everybody* knows the root's user name - not everybody knows which user also has admin privileges. This ain't a magic bullet, but it makes things that much harder for the cracker without making it harder for the legit user as well.
4) when I did a portscan of my own system using the built in tools, there were only 2 ports open, both of which are in the 700's somewhere - I don't know what they're for, but all the typically 'hackable' ports, like telnet, aren't open. No ports == harder to access.
So what's left? One poster mentioned that hacks would be done through either exploiting bugs in apps like IE5, or by getting people to use trojan-horse style apps that open up access to the box without the user's knowledge.
This, I think, is where the real threat to typical Mac OS X users is. As a Mac user first, and a newbie Unix user, I would like to ask this community to help Mac users gain a better understanding of security and trust.
If I messed up on any details, please correct, not flame!
Re:The first exploit. (Score:3)
HP-UX and AIX don't provide you with the same security. Neither does any of the Linux variants I've dabbled in, or even the otherwise fort-knox-like OpenBSD.
I've heard the arguments, but I don't buy them. If you can't remember your root password and don't have your data and configuration backed up, give up on this unix stuff. It's too mentally challenging for you. End of story.
SoupIsGood Food
Re:As with anything.... (Score:3)
Of course, you've mischaracterized it as "intelligence", when what it really is, is the dedication, attention to detail, and desire to fiddle with the inner workings of what is essentially supposed to be just a tool. None of these are traits of your average Mac user. Lots of Mac users are very intelligent, even if they aren't kernel hackers, so you needn't go around characterizing them as "unintelligent".
That said, read the Mac message boards lately, and you'll see a HUGE gap between people who used to be comfortable with a userless system, that gave them the rights and capabilities to delete the System folder if they wanted to - to the present state, where root is not enabled on the machine by default because "the user is not to be trusted with such a powerful tool, lest they delete something they don't understand".
The number one complaint you see is someone who gets into a situation where they have to use the terminal and sudo to get out of it. The implication is that these people messed with things that they didn't understand, but that's not the case. The vast majority of these people are just trying to install software, or move an application to a place they feel is more convenient for them to access. But without root privileges, the system won't let them, so they're being forced to learn these things they previously didn't need to know to use "the computer for the rest of us".
These are the people that will be in charge of tens of thousands of OS X Unix systems a year from now. Be afraid. Be very afraid.
They aren't necessarily less intelligent, but you're right when you say they don't have a clue about the first thing in security. They never needed to before.
How sinister, like linux -s (Score:2)
I can picture it now.... (Score:4)
Your Mac has been hacked! (OK)
Hmmm.. prefer that sound over Sosumi..
--
Re:End of innocence (Score:2)
You got your dates wrong. MerryXmas did appear before nVir [llnl.gov], whereas MeryXMas (also known as the Peace virus) was spreading early 1988 and triggered on March 2nd 1988.
See the Mac virus faq [claws-and-paws.com].
Some things not quite mentioned on the FAQ, but quite well known here in Montreal is that the author of this virus was Richard Brandow, the then president of Club Mac Montreal [lcmm.qc.ca].
Karma karma karma karma karmeleon: it comes and goes, it comes and goes.
End of innocence (Score:5)
It used to be that simple HyperCard stacks could contain trojan horses. The very first Mac virus [hyperactivesw.com] was in fact a HyperCard [slashdot.org] stack.
Things moved on, and some started appearing as AppleScript applets or scripts. Nothing very serious, though, as AppleScript does a fairly good job at blocking potentially dangerous situations (eg, the Finder won't delete items when asked to, but simply move them to the trash).
Out of the box, Mac OS X is pretty safe, according to nmap, which gives it a "worthy challenge" rating.
Where things can get interesting, though, is when the user starts services without truly understanding what they are, like ftp and telnet. Most end-users have stupid passwords to begin with (a friend of mine's bank card code used to be "12345"...you get the idea).
Still, with a Unix underpinning or not, the most vulnerable spot for user's machines (on Mac anyway) is launching an application which may be a trojan. Most other means of delivery (CD-ROM autoplay in QuickTime and desktop DB viruses) are now obsolete because the system no longer uses them.
We're still vulnerable to WDEF (Window Definition code resource) and CDEF (Control Definition code resources), but that's more or less inevitable. It's also not as bad as it used to be, since at least, the machine and the OS are protected. It's just the user's directory and files which may be at risk. It's easier to recover this way.
Karma karma karma karma karmeleon: it comes and goes, it comes and goes.
Re:Some info.... (Score:3)
Root login may be disabled, but that doesn't mean much. Getting root on a box involves subverting a process running under UID 0 into doing your bidding, often through buffer overflows, much more often than getting the root password on the box. Once you've gotten your own code to run under UID 0 you can install all kinds of backdoors without ever bothering to find out the root password.
No well administered UN*X box has had non-shadowed passwords for years anyway, and exploits don't commonly concentrate on getting the passwd file these days - that's sooo 20th century :)
--
Niklas Nordebo | niklas at nordebo.com
Good thread here... (Score:5)
Oh, come on. (Score:3)
Virus authors overwhelmingly target big targets, namely Windows. WordPerfect and Lotus Notes get hit by far fewer viruses than Word and Outlook. This isn't because they're better-written applications with good security features. It's because few people care about hitting the minority.
Until Apple's comeback a couple of years ago, there was so little interest in writing Mac trojans and viruses that months would go by without even the smallest update to Mac virus pattern files. Even now, it's an almost negligible trickle. The biggest problem lately hasn't been caused by an uptick in people targeting Macs; rather it's that MS Office 2001 for the Mac is so compatible with Windows Office that an increasing number of macro viruses now suddenly work cross-platform. This will become more pronounced in a few more months when the first new version of Mac Outlook in 4 years ships. Even so, I've seen an installation of 40 Macs go over a year without so much as detecting a Mac virus, much less getting hit by one.
Hacks/cracks/exploits/whatever are another story. Since Macs in server roles will now be running Apache, sendmail, BIND and Unix-world FTP daemons, we should expect some Mac servers to be just as vulnerable to security holes that emerge in these services as their *BSD, Linux, Solaris and AIX cousins. Apple's auto-update functionality, similar to auto-updaters for Debian or things like AutoRPM and the Ximian updater should protect most, however, as long as Apple keeps its binaries up to date.
But targeting Mac OS X specifically? Who's going to bother?
Re:The underbelly.. (Score:2)
Smiley captioned for the humor impaired
Re:The underbelly.. (Score:2)
Re:The first exploit. (Score:4)
Um, if I'm not mistaken, Linux and nearly every other unix based OS has single user mode as well. For most people, this is a GOOD option. The number of people who might lock themselves out of their machine is greater than the number of people who are likely to be hacked by someone with physical access to the machine. I'm sure those who see single user mode as a threat will find a way to turn it off.
Cracking if you enable root & ... (Score:2)
The early adopters will of course until the novelty wears off (myself included.)
No need to... That gets rid of a lot of potential damage and potential for mischief.
All Macs come with sound input and in OS 9 they have already had multiple users and voice authentication (a few kilobytes of streaming audio as a password, not just a few crackable bytes. And telling someone the phrase doesn't help 'em get into the box. It has to be the guy whose voice recorded it on the rig that was used to record it. You have to be there and be the one.)
Passwords for security is a reflection of the box's limitations not the system's capabilities. Non-Apple boxes are probably far more at risk than Apple's boxes. Not to mention, there may not be ssh, there may not be root, there may not be a compiler, there may not be sendmail, there may not be FTP. That's a very small target to hit and not much stick to hit the 'pinata' with.
And nobody writes viruses for Apple because it's a 'lame box' for grannies and hippy-loser-types that "3l33t3 h4x0r5" spit on. Sometimes it's good to be the underdog.
Instead of screaming at 'em let's educate 'em. (Score:3)
The point is that it doesn't ship that way and you don't know that unless you buy one and install it yourself. I am not sure that author had.
Without root, ssh, anonymous FTP, sendmail or the Developers toolkit (no compiler,) the box is as safe as you can get without pulling the plug.
Re:Some Points to consider: (Score:2)
Any box can easily be that secure, or even more secure. Hell, pull the ethernet cable out and ssh will be closed too.
The measure of security of a box is the security of the ports that *ARE* open. Even a flawed ssh implementation can be insecure.
So, to say no ports == harder to access is disingenuous, akin to saying "not turned on == harder to access". In other words, true, but irrelevant.
-
Re:Apple Security Contact info: (Score:2)
sunrpc, portmap, inetd - brickhouse is bad for you (Score:2)
23
53
111
113
137-139
The problem is OS X can't go to the bathroom without running some part of sunrpc. So there's port 111 for ya. Sometimes OS 9 has 113 open, so we won't call that one new. I've compiled and run samba on OS X, so there's 137-139.
Great pains should be made to make sure hosts.deny is set to ALL: ALL (my personal creed) with hosts.allow being the mechanism for letting people in. inetd should be replaced with xinetd, and all the portmap stuff should be bound to localhost if a single machine, internal NIC if in an NFS environment.
Brickhouse is a nifty GUI for IPFW....but the pitfalls of using it are that when you run it...you actually end up with more ports open than if you hadn't run it in the first place. The firewalling rules Apple put in place out of the box are pretty decent. I ran brickhouse on the public beta a while back, and ended up with EVERY port above 1024 open...whereas nmap showed just a handful of ports open before. Things may have changed in recent months...but the big problem is still there...the people using it don't know what the fsck they're doing and likely will do themselves more harm than good by tweaking with the rules.
A lot of people will attach their machine directly to the net via modem...so tripwire/MD5 yer getty's and login.
But that's a home environment. In a corporate environment, there's a pretty heinous version of the world readable shadow/passwd exploit, where netinfo can be made to give up all the logins/shadows for the entire company from one box, with user level access. This is if you're using directory services to propagate user info through your company's machines.
It remains to be seen how it could be countermeasured (it's supposed to be a local exploit, but once you get a shell...you're local). Things that come to mind are one time passwords, or using the built in voice authentication. Maybe a combination of the 2.
In any case...this IS a new OS. Even though it's been around for a while in various incarnations...it's kind of a bazzar consensus of Mach, next, bsd, mklinux and nuKernel. My advice is for inexperienced users not to attach this OS directly to the net until it's been in the wild for a while.
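The two checks recommended in the post above (a default-deny `hosts.deny`, and the listed ports kept off external interfaces) can be audited mechanically. The sketch below is an added example, not part of the original post: it reads BSD-style `netstat -an` output and `hosts.deny` text, both constructed samples here, and all function names are assumptions.

```python
import ipaddress

# Ports listed in the post, with their conventional service names.
WATCHED = {23: "telnet", 53: "domain", 111: "sunrpc/portmap", 113: "auth/ident",
           137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn"}

# Constructed sample: BSD-style `netstat -an` output.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.111                  *.*                    LISTEN
tcp4       0      0  127.0.0.1.113          *.*                    LISTEN
tcp4       0      0  *.139                  *.*                    LISTEN
tcp4       0      0  192.168.1.10.49152     192.168.1.20.23        ESTABLISHED
udp4       0      0  *.111                  *.*
udp4       0      0  *.137                  *.*
"""

# Constructed sample: a hosts.deny that is NOT the catch-all the post asks for.
SAMPLE_HOSTS_DENY = """\
# constructed sample
ALL: PARANOID
"""


def parse_wrappers(text):
    """Parse hosts.allow / hosts.deny text into (daemon_list, client_list) pairs.

    Simplified: handles backslash continuations and leading-# comments,
    ignores the optional third (shell command) field and bracketed IPv6.
    """
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules


def has_default_deny(hosts_deny_text):
    """True only for an exact 'ALL: ALL' rule (no EXCEPT clauses)."""
    return any(d == ["ALL"] and c == ["ALL"]
               for d, c in parse_wrappers(hosts_deny_text))


def listening_sockets(netstat_text):
    """Return (proto, address, port) for listening TCP and unconnected UDP sockets."""
    sockets = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue
        if f[0].startswith("tcp"):
            if len(f) < 6 or f[5] != "LISTEN":
                continue
        elif f[4] != "*.*":          # UDP has no state column
            continue
        addr, _, port = f[3].rpartition(".")   # BSD format: address.port
        if port.isdigit():
            sockets.append((f[0], addr, int(port)))
    return sockets


def is_exposed(addr):
    """Wildcard or non-loopback bind address means reachable from other hosts."""
    if addr == "*":
        return True
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True  # unparseable: report it rather than assume it is safe


def audit(netstat_text, hosts_deny_text):
    """Return a list of findings against the post's two recommendations."""
    findings = []
    if not has_default_deny(hosts_deny_text):
        findings.append("hosts.deny has no 'ALL: ALL' default-deny rule")
    for proto, addr, port in listening_sockets(netstat_text):
        if port in WATCHED and is_exposed(addr):
            findings.append(f"{proto} {addr}:{port} ({WATCHED[port]}) reachable off-host")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_NETSTAT, SAMPLE_HOSTS_DENY):
        print(finding)
```

TCP wrappers only protect daemons started through `tcpd` or linked against libwrap, so a clean `hosts.deny` result does not replace the listening-socket check.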
Wake-Up (Score:3)
Gimme some love (Score:2)
Re:this is retarded.. (Score:2)
But I Love You was a vulnerability in an application, not an OS. And MacOS users are much more likely to run MS applications, which treat untrusted data as executable code. Seems pretty likely that someone will run these poor quality apps while logged in as root (or the MacOS equivalent administrator).
We will see MacOS X users have their systems screwed up in new ways that Unix users haven't before seen.
---
FreeBSD kernel not used for OSX (Score:3)
Re:It's Business Week for chrissakes (Score:2)
Matt's rant on this (Score:2)
http://www.soup-kitchen.net/soapbox/hackers.htm
Cracker Schmacker (Score:5)
Face it Hemos, cracker is a *stupid* word and therefore not likely to be adopted. And no, I don't see any problem with a double meaning for hacker.
After all, when a newspaper runs a headline "police seize drugs" you don't see drug store owners writing angry letters to the editor explaining that this sort of thing gives them a bad name and that the journalist should have used "substances of an illicit nature".
People are perfectly capable of determining the meaning of the word "drugs" from the context, and there's no reason why they can't do the same with "hacking". So stop moaning, please!
Re:Look on the bright side (Score:2)
Is it so bad, if the worst thing that happens after being cracked is that you end up with a harddrive full of warez? :-P But seriously, Apple seems to have turned all services off by default. The average Mac user doesn't want to leave their machine on 24/7 or run services, anyhow.
Re:Redundat (Score:2)
One thing that makes it tricky nowadays is that more homes are NATing/ipmasqing through boxes like the D-Link and Linksys routers, or through *nix machines these days. You can't just scan some ISP's block of ips and assume that there's 1 box by itself for each customer. When mom & dad and the kids are NATed onto one cable or dsl line, you're going to have a hard time telling one box from another when you're outside their subnet.
Of course, kiddies just grab the hottest exploit and try it at random on everyone, so it doesn't matter.
Re:So? (Score:2)
Pfft. Heh. That's because any more than that is enough to completely saturate [liethen.com] fast ethernet.
Re:So? (Score:3)
File Sharing and other network services are all based on TCP/IP.
Re:Some info.... (Score:2)
No, you can't rely on it solely, but it is a very nice feature to have. It's great that you can do this in an easy to use GUI rather than having to do this the hard way on the command line too. It's a little security through obscurity. Of course it's not foolproof, but it's better than having every Mac OS X user on the internet sharing the same superuser account for everything.
BTW, good passwords aren't really as much of an issue anymore. Most good exploits hijack an existing root process.
Re:Some info.... (Score:3)
Without going through NetInfo services or using a root account, you can't mess with a lot of things on the system. It's a good idea. Many security tips I've read suggest replacing the root account on your system with another superuser account. You should then delete the root account or set it up as a tripwire for people breaking into your system.
Re:So? (Score:2)
The biggest threat in my simple, uninformed opinion, is snagging a bunch of Macs to use as DDoS hosts. This is far more likely, given the fact that quite a few schools and universities have labs of 10-50 Macs, each with a routable IP on the school's network. More home users with OS X also means more Macs sitting on broadband 24/7.
Anyway, I guess my point is that I'm not too worried about critical secrets being found on a compromised Mac, but that a phalanx of grandmas will have their iMacs on their cable modems end up being used as DDoS hosts. Thankfully, it's relatively difficult to get root remotely on a Mac; the only services that are on by default are NetInfo (uses RPC) and AFP sharing. Any attacker who could convince either service to execute their own code has to know:
--
Re:Cracker Schmacker (Score:5)
--Mike
Re:OSX Security (Score:5)
Some info.... (Score:5)
2. There is an article up today on StepWise that describes how to update sudo [stepwise.com] to fix a potential buffer overflow (basically, you're just replacing the Apple-installed one with the current patched code).
3. EVERY copy of Mac OS X IMHO should come with a copy of BrickHouse [tds.net], a kick-ass GUI for configuring the built-in firewalling capability in OS X. It's certainly more attractive [tds.net] to most Mac users than using ipf.
4.
5. Not trying to be combative, just pointing out some issues that slashdot readers might not be aware of if they haven't played much with OS X. Yes, we need to be more concerned over security than we were with OS 9, but to me, the benefits of the system -- like being able to fix/update it yourself instead of waiting for Apple to release patches -- far outweigh the increased need for vigilance.
--
Re:Telnet access (Score:2)
man niutil, man niload, man nidump
k.
--
"In spite of everything, I still believe that people
are really good at heart." - Anne Frank
Re:Cracker Schmacker (Score:3)
-Daniel
Good security runs counter to the Apple philosophy (Score:3)
Chris
Re:FreeBSD kernel not used for OSX (Score:2)
you and pe1rxq are idiots.
Before you claim flamebait consider:
An OS runs one kernel. Granted some mainframe OS's or VMware might run more than one, I don't know actually, but a normal OS has one.
OSX runs a modified Mach microkernel. A microkernel does not require a monolithic kernel to function properly. It is its own kernel.
OSX uses BSD userland stuff this means when you type 'ls', you're running BSD ls.
I don't know much about the technical aspects of all this, but that much is obvious to anyone who spends 2 minutes looking at apple's site.
The fact that pe1rxq didn't know this is ok. The fact that he wrote as if he did makes him an idiot or a troll. The fact that it was moderated up to insightful means some moderator is smoking more of that $3.00 crack.
---CONFLICT!!---
A Nightmare in the making... (Score:2)
As a long time Mac user who is just starting to play with OSX, I can tell you that this is going to be an absolute security blood-bath. We don't know jack about user security and we don't know anything about how this new OS works.
To make matters worse, we're out there downloading everything we can get our hands on. We want to use this new OS, so every new app is a brand new toy to play with. If the read-me file says to log in as root before installing, we'll do it. If the read-me file says to trash this or that, we'll do it because we don't know any better. We're at the mercy of anybody with a webpage containing a download section.
For all I know, I've already installed a backdoor on my system. How can I tell? The learning curve will be steep on this OS. Mac users are not stupid and they will learn, but we're going to get smacked hard a few times before we figure out what we're doing.
Re:Cracker Schmacker (Score:2)
no kidding, i'm sick of it too. especially when it's the same people who use "troll" incorrectly (or moderate it incorrectly). but whatever, "cracker" sounds stupid.
- j
s/Mac world/world/ (Score:5)
I'm not saying that consumer mentality is wrong, per se. Not everyone has the time or the inclination to learn all this stuff. However, the way the current network is built is not compatible with that mentality. There are things ISPs could do to make the network more tolerant of their users' mistakes but I don't see any ISPs taking those steps. Part of the problem on that front is that hiring people who are able to set that up would seriously affect the profit line and the margins are already razor thin in that industry.
Even if the ISPs did their part, there's still the issue of fraud on the net. People have this disturbing tendency to believe what you tell them (Do you believe that?) even if you're a complete stranger. Fraud on the net pays because it's easy to perpetrate, hard to catch and rarely punished severely enough to make it unprofitable. A healthy dose of skepticism would benefit most Americans, on and off the net.
The problems here are not limited to the Mac world.
DOS Attacks? (Score:2)
This doesn't necessarily open their own machines up to malicious-types, but it makes a lot more of them seem malicious themselves...
we'll just have to see (Score:2)
And as long as people don't run lots of services by default, this OS has the potential to be just as secure as MacOS classic...
-----
No, that's not the way it works. (Score:2)
I hear this a lot. Linux users are always telling me "there are fewer exploits for OpenBSD because fewer people use OpenBSD", which is like saying "There are fewer fatal car crashes involving Volvos because fewer people drive Volvos".
IOW, you are half right.
But not everybody who hunts exploitable holes is a black hat, there are people (such as myself) who hunt for bugs in any OS or software they use. I'll even write exploits- not to hack other systems, but to pressure the vendor to fix the problem and ensure that *MY* systems are not exploitable by others...
Re:So? (Score:2)
Bingo. The reason why relatively few people will crack OS X is the same reason why there are so few Mac system viruses compared to Windows. Most of the black hats use x86 commodity hardware, often self-built. Converting that code to PPC is a little easier now with Darwin's GCC, but it's still an extra hurdle.
Think back to the LinuxPPC contest a few years ago. They enabled a known vulnerable version of FTPD on purpose, but it still took weeks before someone wrote a PPC buffer overrun crack.
Re:Security through obscurity works. (Score:2)
PPC Assembly is publicly documented at both IBM [ibm.com] and Motorola [google.com]. APIs and a full development environment are available at Apple [apple.com]. The kernel is open source [apple.com].
This word "obscurity", I don't think it means what you think it means. Perhaps you meant to say "security through diversity"?
Re:Patches (Score:2)
If they need to use Software Update to 'root' the box, and the only way to make Software Update do what they need is by using root, then, well, we have a chicken-egg situation....
Re:Security for Mac Users (Score:2)
Re:Depends how it ships (Score:2)
Re:Entire world vs. Slashdot. (Score:3)
Re:End of incense (Score:3)
During that time, the Mac world was afflicted with about (under) 40 different viruses. A free program Disinfectant was developed by Northwestern University.
Disinfectant was wonderful. It solved all four problems: (1) Detection [after infection] (2) Repair [after infection] (3) Prevention [hook system traps, alert when virus tries to insert itself] (4) Education [its detailed documentation was absolutely first rate]
And it was freeware. You could expect an updated Disinfectant to appear online within 24-48 hours after an entirely new Mac virus was discovered. (And this is all prior to the WWW, and even Gopher. Back in the days when Mac users used dial up CompuServe/AOL, and AOL was a Mac-Only service.)
As a result of Disinfectant, after about 30-some-odd viruses were developed for Mac, no more appeared. It just wasn't any fun. Limited market share platform, and your virus can't spread very far with Disinfectant around and widely installed.
There were Word Macro viruses -- but these were cross-platform, not unique to Mac. An AppleScript virus, but wasn't this years later? Didn't AppleScript not appear until about 1992 ish -- years after the original Mac virus wars?
"Drugs" vs. "illegal drugs" (Score:3)
you don't see drug store owners writing angry letters to the editor explaining that this sort of thing gives them a bad name and that the journalist should have used "substances of an illicit nature".
If journalists call such substances "illegal drugs," why can't they call cracking "illegal hacking"?
Re:what they should say.... (Score:2)
Can't they just run 'em in classic mode?
Re:End of innocence (Score:2)
I wish that Apple attached a more stringent warning to the SSH checkbox. In the System Preferences application (Sharing pane), there is a checkbox that says "Allow remote login: Allow other users to access your computer using terminal applications." What does that mean? It's not at all clear. I know that it means turning on SSH in Mac OS 10.0.1; in 10.0, it means turning on Telnet. No indication that that's changed.
Also, I wish that Apple would include a warning whenever someone turns on remote login or FTP access something like this: "Doing this can open your computer to malicious activity if your password is not secure. Secure passwords should be at least 6 characters, should not contain any words that are in any dictionary, and should contain both letters and numbers."
(Of course, Apple should not overplay the risks and scare people away from what really is a quite secure OS, especially when compared to Win98. It's a tricky balance for them to play.)
Re:they are already there. Re:Security for Mac Use (Score:2)
Re:FreeBSD kernel not used for OSX (Score:2)
Jeroen
Re:we'll just have to see (Score:2)
I think the most important reason for lack of viruses for the mac was a limited technical functionality and more important a limited user base.
The most important was probably that MS wasn't capable of writing a completely cross-platform version of VBA for Office and IE/Outlook.
PS, the fact the article ends with
Customizable (Score:2)
my 2 cents
but... (Score:2)
wow.. (Score:2)
One thing that I wish I saw more press about is the security impacts of default configurations. I think that is one of the biggest places where Windows users get bitten in the ass. The 'I LOVE YOU' thing got spread because outlook defaults to blindly running scripts; my company was spared most of the trouble because the sysadmin had changed that default parameter. If you set up an FTP server on Windows 2000 it defaults to allow anonymous connections. We had a developer testing a piece of code he was writing that used ftp and he discovered a couple weeks later that he had a ton of pirate software under the ftp fileroot because he just turned ftp on and didn't look closely at the default options.
OS manufacturers, including *NIX ones, really need to start thinking about their default configurations. If OSX starts up not running any server daemons (as previous posters have claimed), then it is far more secure than most *NIX distributions, most of which will come up with sendmail, telnet, ftp, finger at the minimum.
Re:they are already there. Re:Security for Mac Use (Score:4)
So quick you didn't bother to read any of them? The most recent is over 6 months old and has been fixed for some time. Most of them are also LOCAL exploits and as anyone who knows anything about security will tell you, If you have physical access to the box it CAN be cracked. Also a grand total of 9 since 1998 doesn't look too bad to me.
Here's another BIG problem in your logic. The Classic environment in OSX requires 9.1 which already has patches for what has been patched (or is patchable)
Re:Security for Mac Users (Score:2)
If you use OSX at all, try OmniWeb [omnigroup.com]. It's free and it's darn good. Doesn't lock up when downloading like IE5.1 on OSX.
Macintosh Security (Score:2)
Re:Security for Mac Users (Score:2)
Even though I'm not an OSX user myself, I can categorically state that I am clueless about security.
On the other hand, I don't run Outlook, which means I stop most viruses dead in their tracks without even realising it...
Hmmm, maybe I'm a security guru after all.
Re:Hack vs Crack (Score:2)
Should we bother listening to somebody complain about semantics when they don't even use the word "caveat" correctly?
By the way, I completely accept your definitions for "hacker" and "cracker", pallex. So do most Americans (those who do not treat the Jargon File like their Bible, anyway).
Re:Cracker Schmacker (Score:2)
Damn straight! Originally, one of the meanings of "hacker" was "someone who breaks into computers". The Jargon File (which I'm too lazy to link to) claims that this sense is "deprecated", but I don't recognize ESR's -- or anyone's -- authority to do so.
One of the meanings of "hacker" is breaking into computers. Get over it.
--
security fixes are easier for os X (Score:5)
Mac users have the Software Update tool, which can be run manually, or automatically scheduled to run.
Unlike Windows Update, there's no website involved, and it hits up Apple's servers and mirrors. (Maybe this is more like the Ximian updater or Mandrake update tools.)
As long as Apple's software update server isn't cracked, the Mac user has a brainless way to automate software updates which can include security fixes.
Many Mac users are quick to jump and get the latest update, so propagating security fixes isn't a problem. The only problem is the unclear channel for reporting them.
A host is a host from coast to coast, but no one uses a host that's close
Apple Security Contact info: (Score:3)
Sounds like a business plan to me.
Check out the Vinny the Vampire [eplugz.com] comic strip
they are already there. Re:Security for Mac Users (Score:3)
Good thing is that OSX is still compatible with OS 9 so all the old exploits still work.
Best thing is that with good multithreading the user will never notice that the box is hacked. Even if it is slow that will be nothing new to the user.
Re:Security for Mac Users (Score:4)
Evidence indicates the same is true of Red Hat Linux and Windows 2000 users, as well. But why should this matter?
After all, most people aren't going to be using the server features of OSX any more than they do the server features of Windows 95. Those who do will probably have a wealth of firewall and security programs at their disposal soon enough (Symantec already has 'em for Mac OS 9).
Most crackers still won't bother with OS X, though, for the simple reason that it's such a small target. A few will attack it because they can, but most will stick to Red Hat and Windows because they're more common and more likely to provide useful data.
Re:Depends how it ships (Score:5)
Isn't that obvious? (Score:4)
Of course it will.
Why?
Why do mountain climbers insist on climbing the highest mountains? Simply because they're there.
It will be cracked at some point because it's a new target. Apple will then (hopefully) do the little dance that all OS makers do... patch it up and make it better.
If the crack exploits some flaw in Darwin, at least we can go look through the code to figure it out... a much greater luxury than what is allowed by most other OS manufacturers.
--
Re:The first exploit. (Score:5)
If all else fails, I'll just take the damn thing with me.
--
The first exploit. (Score:3)
It boots you into single user mode where root privileges are yours for the taking.
I suspect that this was implemented by Apple (tech support) as an emergency way to get into the system. But in the process it sure does make it a lot less secure.
R T F M (Score:4)
Before anyone else posts a FUD message about OS X, please go to: Apple's Web Site [apple.com]
You might learn something. Unless, of course, you're afraid to learn new things.
Now OS's easy to crack (Score:3)
I'd hope most of the things learned in those 20 years went into the development of MacOS X, but we shall soon see.
--
The underbelly.. (Score:5)
In a year or so people will find their toaster cracked and toasts defaced by crackers
--
Redundant (Score:3)
An OS that a substantial percent of the population will be using and that ISPs will want to support! Of course these machines will be a target.
As with anything.... (Score:5)
Re:The first exploit. (Score:3)
You're new here, right? Half the time, us posters can't be bothered with reading the article, much less knowing anything about what we are discussing. :)
Re:Security for Mac Users (Score:5)
That the majority of the Mac world is clueless about security can also be extended to the majority of the Windows, Linux and any other operating systems world.
Re:The underbelly.. (Score:4)
--
Re:As with anything.... (Score:3)
Basically there is no amount of security that can protect against stupidity. If an admin doesn't know to make sure his box doesn't have random things running, and doesn't regularly check for patches, well then the box is likely to get owned. There's really very little the creators of the OS can do to prevent this, other than making sure all the dangerous services are off by default.
As a side rant I'd just like to mention that BO2k is another great example of a stupidity exploit. It does not show some inherent flaw in Windows security, it shows an inherent flaw in user security. BO2k doesn't break in to a Windows box, you have to give it to a user, have them install it, and then and only then can they gain access. It's a whole lot like Telnet or VNC in that regard (except its authors decided to make it hide itself since they fancy themselves hackers).
Re:The first exploit. (Score:5)
You know, a lot of this thread really exposes a lot of the ignorance about Mac OS X. Have many of you who post comments actually bothered to install and play with this?
tempest in a teapot (Score:5)
Whether MacOS X users choose to take advantage of the vast library of server code that they now, finally, have access to is for them to decide. If they don't, their machines will remain pretty much as secure as with earlier versions of MacOS.
Of course, given the strong support for Java that MacOS X supposedly has and the widespread availability of Java-based servers (web, ftp, smb, etc.), they may also choose to go with mostly Java-based services. Those aren't necessarily perfect either, but they avoid known UNIX bugs and they are intrinsically more robust against common problems like buffer overruns.
Altogether, I would expect the MacOS X security situation to be pretty good. What the article mostly shows is that there isn't much technical understanding at BusinessWeek. Reasoning that goes like "MacOS X is UNIX-like, therefore MacOS X will be susceptible to UNIX-like security problems" is simply not very informed.
Apple's reaction? (Score:3)
Re:Wake-Up (Score:5)
I'm not sure why cracks found in MacOS 10 will serve as a wakeup call to people using or administering any other Operating System.
Look on the bright side (Score:4)
DocWatson
Depends how it ships (Score:5)
This could be a problem (Score:3)
This is because no one would bother trying to break into Macs. I mean, why? So you gain access to 1% of the web servers in the world.
Hmm "Security by rarity?"
Of course the problem with Mac OS X is anything that cracks UNIX would probably work against Mac OS X.