213 Comments
- inactive, on 10/12/2007, -32/+76 I see no mention of it being set behind a firewall or having something like "little snitch" running to monitor connections visually or anything else. What do you expect? I can have a world-class lock and alarm system on my house and unless I activate it and lock the door, it's not going to prevent a ***** thing.
- saleens281, on 10/12/2007, -23/+61 funny watching the fanboys get all irate. I hate to break it to you, but the "popup windows" don't exist when someone comes in via command line with a remote root exploit. Just because you lack the knowledge to understand the BSD/mach base that the OS is built on doesn't mean everyone in this thread does.
As for those claiming "apple would have to have more exploits look at the thousands for windows". Why? The reason that people have made the viruses/exploits they have for the past 10 years was to gain access to government installations, corporate espionage, or kiddies making botnets. Macs didn't function in any of the above positions, and if so it was such a small number it wouldn't be worth the time for anyone that was going to use it to go public. As hard as it may be to understand, the people writing these things aren't doing it *just because* no matter what they tell you. The very simplest of reasons would be respect from their peers, and nobody ever got respect for releasing a mac exploit.
- ridiculoufish, on 10/12/2007, -10/+48 Pardon my caps, but I am flabbergasted that NOBODY seems to have actually read the competition. All you people talking about ssh and firewalls and stuff - HE LET ANYBODY ADD THEIR OWN ACCOUNT TO THE MACHINE.
Would you feel comfortable allowing anyone to configure their own accounts on any OS? Can you think of any OS that hasn't had a local root exploit?
- inactive, on 10/12/2007, -19/+51 That isn't true. The entire nature of the OS is very different on OSX than Windows. OSX is basically UNIX and just like in UNIX, you can't just randomly run something and have it destroy your machine or do something evil. You have to knowingly make a choice to do it as an administrator -- OR just be a really dumb administrator.
For example, if something on OSX tried to automatically install itself, it would pop up a little dialogue box and ask for the administrator password. On Windows, it'll just install. Especially since most windows users run in admin anyway.
- lukes, on 10/12/2007, -10/+36 it's a fair test of mac security without a firewall. my friends with macs don't have firewalls installed, they have no virus scanners installed. they say they don't need them, and i believe this is a common sentiment among mac owners.
- GuineaPig, on 10/12/2007, -11/+35 Does OS X come with a software firewall or something like "little snitch" on by default? If not, then it's a huge security threat, especially given that Macs are marketed primarily to consumers who want a computer that "Just Works" without really understanding how a computer works.
- flinx, on 10/12/2007, -7/+30 OSX Advantage: *nix security model
OSX Disadvantage: *nix roots...with lots of common knowledge and thoroughly researched classes of vulnerabilities
- flinx, on 10/12/2007, -2/+25 the 'superuser' model is great. But there are many ways around it. It will be interesting to see if Vista's security model remains tight, but it has two achilles heels:
a) backwards compatibility raising its ugly head
b) developers, developers, developers writing poor code and/or overlaying the security model in insecure manners
And with regard to sub7...yes they've moved on...to rootkits and bot armies.
- giant.robot, on 10/12/2007, -4/+25 Every copy of OSX has come with BSD's IPFW installed. It is not enabled by default but a short trip to the Sharing pane of System Preferences will turn it on for you. You can manually configure IPFW like you would on a FreeBSD system or use a program like Flying Buttress (formerly Brick House).
- harmoniacal, on 10/12/2007, -24/+44 Okay, anything *nix is safer than Windows XP. Period. However, just as with any software, when it becomes popular, jerks will try to abuse it for their own petty gains. It's just the way it works.
- Wang, on 10/12/2007, -2/+22 There are many unpublished OSX flaws. I know a guy who submitted a serious vuln to them almost 8 months ago, and they are still fixing it (and asking him not to disclose until they fix). They really take their time unfortunately :( I'm not saying that OS X is insecure, I am just saying that they rely a lot on people non-disclosing the vuln info until they have a patch/update out....and not everyone stays quiet :(
- sire, on 10/12/2007, -1/+20 The simple fact is that Apple should be taking note of these occurrences and understand that with increasing popularity they will be scrutinized more. It shouldn't take real world mishaps before they get off their asses. It would be impressive if they acted proactively and made an effort to catch as many of these problems before they are publicized. Maybe that's just wishful thinking on my part =)
- superkendall, on 10/12/2007, -3/+22 For GuineaPig - No, OS X does not ship with the firewall enabled by default. But it also does not ship with ANY network services open by default either, negating that as a problem.
The guy used an exploit from a local login, and you can't log in over the network with SSH and telnet disabled by default.
- neocitron, on 10/12/2007, -5/+23 i love OS X but this issue of security needs to be addressed and not denied by mac people... if you keep denying it then it's gonna hit even harder, sooner... Apple needs to notice this too.
- drakethegreat, on 10/12/2007, -4/+21 You have to remember that a majority of Mac Users can be just as stupid as Windows users. Most aren't programmers or know ***** about security. The only reason Windows people don't think they are secure is because it's obvious to them from news, etc. Average Apple users don't acknowledge there is a threat because there isn't one for the time being and that is enough to make an ignorant average user think he's invincible.
The programmers, experts, security types, etc. on Macs understand that we are not safe. I know for a fact that Macs are full of buffer overflows just like any Windows box. Now part of it is obviously the market share while another part of it is the security model (user accounts is always better than administrator and this simple fact will hold windows down against any Unix).
So the fact remains this guy had the ability to create an account and privilege escalation is a lot easier than rooting it with no access. He also obviously knows what he is doing if he's using unpatched vulnerabilities. You can't even create a windows competition like this because anyone with an account already can pretty much root the system with almost no knowledge whatsoever. People who can find unpatched vulnerabilities will have anything.
While this reminds us that Mac OS X isn't 100% secure (which should be obvious), this doesn't point out that Mac OS X is any less or more secure than rivals.
- MikhoohkiM, on 10/12/2007, -4/+19 You really shouldn't, I don't know why most of us mac users feel we are so safe, just because we haven't been hit yet. What will we feel like when we are hit and hit HARD!!!! like around what 5% of mac users run a firewall?,
.01% run Anti-virus programs, and no one runs that spy-ware software that just came out.
ALL I know is I am going to be pissed if i have to switch to vista and it also doesn't live up, but until anything like that happens I will keep backing up every week maybe even more often nowadays
- estvir, on 10/12/2007, -2/+17 if you read the article, you will see that some services were turned on which normally aren't, especially those required for it to be a 'real' server.
- nyquist, on 10/12/2007, -6/+19 Ummm,
http://rm-my-mac.wideopenbsd.org.nyud.net:8090/ssh
So, it seems the guy set up some script for you to log into the box. So, not really a remote exploit?
- Laughingman234, on 10/12/2007, -4/+17 ok...wait a second...the point of this site is to hack it...after you get ssh access?
On his blog he said he wasn't up and running until he got the ssh signup done. Therefore the hack was...internal? Through ssh? Does that not take out the hardest part of hacking? Sure anyone with terminal access to a computer could screw stuff up...hell I probably could. I want more info on this hack before I'll accept that my iBook is more exploitable than my PC.
- panique, on 10/12/2007, -2/+15 You are not accounting for "user tunnel vision": http://www.pantsland.com/?p=83
"Microsoft has upped security so that when a program that could be potentially harmful is run, either by the user or by some other means, Windows will ask permission before actually running it. The dialogue contains two buttons - Allow and Cancel - but Microsoft have totally missed a principal design idea with this: user tunnel vision.
These boxes will very quickly become an automatic thing for less tech-savvy users; automatically clicking Allow, that is. Gadgetophile uses the example that the box will soon look like it only has one button to the user - the ‘Make it Work’ button, and I completely agree with this."
- estvir, on 10/12/2007, -3/+15 in the article the hacker mentions how the owner could have done some 'hardening' measures so he seems rather humble.
- SyDIGG, on 10/12/2007, -13/+24 Last time I checked, Vista is not due until several months from now.
- aura, on 10/12/2007, -9/+20 Every OS has flaws, and the bigger Mac gets, the more holes will be found. Smaller market share works in their favour sometimes.
- noneloud, on 10/12/2007, -10/+21 I swear to God, "fanboy" is the most overused term on this site. People use it to imply that others are obnoxious in their preference of a particular product, and yet the people who usually use the term "fanboy" usually are simply acting condescending and elitist.
People are fans of their own preferences. Get over it. Just because some people choose to take their preferences to extremes doesn't mean that the rest of the people in that category should be clumped in with them.
Comments like "uh oh -- here come all the mac fanboys to bury the comments! aghh" and "lol. mac got ownd and all of you fanboys are denying it" and also "funny watching the fanboys get all irate." add NOTHING to intelligent conversation and only help to fan the flames of people who are not "fanboys" with what they believe in.
As always, if you have nothing productive to add to a conversation, don't add anything to the conversation; and if you like to say "fanboy" to describe people, please do digg a favor and go outside to get some fresh air instead.
- locomorto, on 10/12/2007, -12/+22 I thought the whole point of *nix was that every program ran in 'protected mode'. And this for what? Decades?
- MurrayFox, on 10/12/2007, -4/+14 ***** lame; the guy allowed anyone to set up a user account on his machine and gain ssh access.
Dumb competition.
- gotamd, on 10/12/2007, -7/+16 It's pretty impressive and more than a little scary that this guy was able to root the box so quickly. I guess it just goes to show that you really can't be complacent about security no matter which OS you're using.
- saleens281, on 10/12/2007, -2/+11 they don't all run in protected mode. Some have the option... some require root mode.
- prockcore, on 10/12/2007, -2/+10 Sure.. back before the web we *all* had "shell" access on a solaris or vax box.
The nature of unix allows multiple user accounts while keeping things like your web tree safe.
Anyone can get an account on sourceforge and ssh into and poke around.
- Zorkon, on 10/12/2007, -8/+16 Nifty.
Now how was this accomplished? Did the guy leave ssh turned on? File sharing? What attack vector was used to get in?
I'm doubting it was an "out of the box" OS X install (in which services like SSH and filesharing are disabled).
- degree, on 10/12/2007, -3/+11 this has not yet been noted, but gwerdna is andrewg backwards.
- inactive, on 10/12/2007, -24/+32 You fail to understand a simple concept. If they can't get to your machine, the exploit doesn't matter. Hence the importance of a firewall between it. Regardless of the OS.
- ridiculoufish, on 10/12/2007, -6/+14 Unless you consider allowing anyone to create an account at whim to be "proper configuration of services," you should double check your "clearlies."
And if you really think there aren't unpatched local privilege escalation exploits in Windows, start by googling "shatter attack."
- sire, on 10/12/2007, -1/+8 Yes, that is very, very true. I hope it doesn't get to that point. For once I would like to see a different approach. Apple is no slouch when it comes to innovation. And remember, they have one huge thing going for them right now, they have a chance to get out ahead before the exploits start piling up.
- degree, on 10/12/2007, -4/+11 but what's going to happen is that as apple gets increased popularity, they will become part of the game in which the devs are ALWAYS trying to catch up with the hackers. The number of exploits in any OS is innumerable, they just all have to be found.
- supremo, on 10/12/2007, -3/+10 LOL! This is lame! The guy lets anyone create an SSH user account on the server from a web-based script. Local exploits and remote exploits are TWO very different things. If you want to maintain local security you have to HARDEN the machine no matter what OS you use.
- cheesetoe, on 10/12/2007, -8/+14 I agree that with time OS X will be compromised, but from an end user's point of view this article is total BS. QUOTE - "It runs a default install of Mac OS X Tiger, plus fink and some decent versions of Apache, MySQL and PHP." - and - "I set up an LDAP server and linked it to the Macs naming and authentication services, to let people add their own account to this machine. That way, they will all be able to enjoy the beauty of Mac OS X Tiger. And, of course, get a better chance of rm'ing it!" So this affects what percent of the Mac user base? Come on, how many of you reading this on your Mac have Apache, MySQL and PHP running, much less an LDAP server? Anyone with this level of tech savvy would be able to adequately protect their network using readily available OS X utilities. I call FUD!
- inactive, on 10/12/2007, -2/+8 Not that this obviously dumb comment deserves a reply, but you must not understand that open source is great because exploits can be found and patched. Yeah, anyone can check the Darwin code and find holes, then Apple can release a security update.
Then there's Microsoft. Their code is locked up. Did you know that when you run a file search, it sends a packet to Microsoft telling them what you looked for? On your own hard drive, too. You would have known if you could see the source. Or, when Windows Media Player plays any file (DVD, MP3, WMA), it sends the info of what's playing back to Redmond? You would, if you saw the source. And if you don't believe me, which I know you won't, get a real firewall on your system (Sygate) and run a search.
Open source is how progress is made. Linus said it best when he said there's no problem a million eyes can't find. Just think before you post ignorant comments. It's comments like this that ruin digg.
- sporkwitch, on 10/12/2007, -14/+20 They DON'T need anti-virus applications, though, that's the point. I've yet to hear of an infectious program of any sort for MacOS that didn't require a user dumb enough to blindly punch in his or her root password. As far as a firewall, the statistical likelihood of some random yahoo surfing the net to be singled out for an active hack is just slightly low (to say the least) and as such, a firewall is really not entirely necessary for a Mac user. Nice thing is this: the macs are really what they're marketed as, a stable, powerful computer, that just WORKS.
(NOTE: I'm not a Mac fanboy, I'm a Linux user forced to suffer with Windows so I can run my games.)
- MacHarborGuy, on 10/12/2007, -2/+8 question is, was the mac mini that was hacked running OSX Server? Most likely anyone running OSX Server or an XServe is going to have plenty of extra protection around it to prevent this type of hacking. I am assuming the hacked Mac Mini was just 10.4.4 OSX standard, with some of the file sharing/ssh access functions turned on.
The story doesn't really give enough information about the specifics of the setup. Was it behind a hardware firewall? What was turned on in the Sharing Preferences? Was the local firewall turned on? Did he tell anyone the IP of the computer (remember, in the real world, hackers actually have to FIND you in order to HACK you). If there was a hardware firewall, did he set it up for DMZ and place the mac within that?
There is a lot of information that is needed for this story to really mean anything.
- inactive, on 10/12/2007, -0/+6 Uh, let's see - this guy opened up SSH, then created logins for everyone who wanted to "try to hack" his mac, then he let them login and go for it.
My only question is, what the hell is wrong with you people? This is the lamest piece of FUD yet.
Once you let people "inside" the box, on any OS, the game is pretty much over. This was more of a PR stunt (to generate anti-Apple FUD) than a legitimate test.
Let's put it this way, if this was a legitimate break in hack, then Apple's own Web servers would have been defaced by now - and you and I both know it.
(OSX ships with ssh off, and without accounts for any old fart to log in on. I wonder what their .profile's looked like - I bet he gave them SUDO capability).
- MacHarborGuy, on 10/12/2007, -2/+7 I run Apache, MySQL and PHP, all from the "Complete Apache/MySQL/PHP" installs, which are NOT the default installs. I also have my mac behind a firewall, and have the local mac firewall running as well. The only ports I forward are for Bittorrent. The only issue I have EVER had with my system is that I stupidly ran it for about a year and a half with only 10GBs of free space on average on the boot drive, a very BAD thing to do since the built-in fragmentation protection can't work like it was intended. I fixed that problem this past week.
As long as the local firewall is turned on, you are behind a hardware firewall, and you don't use any of the sharing functions on ANY system, not just Mac or PC, you should be fine.
- OregonTrail, on 10/12/2007, -15/+20 If you don't like these operating systems then write your own, geez (^_-)
- ntrsfrml, on 10/12/2007, -8/+13 nothin is perfect in this world(except for Natalie Portman :p ).. I'm a PRO PC user, handle around 80 computers @ work.. i recently switched to Mac..got a Powerbook for home and office reports, etc use just to avoid daily patches, worms, viruses etc.. It's been a month now.. not a single complaint or rant here.. Again I still use PC's @ work and for FPS game addiction :P
- TheSolomon, on 10/12/2007, -3/+8 You're right, the pop-up windows don't occur in OS X when you're doing things via the shell. However, if you try and overstep the bounds of the account you're using, for example changing the contents of a system directory, you will be denied access just like you would via the GUI. In order to perform the operation, you'd either have to switch to the root account (using the 'su' command) before you attempt the operation, or you can execute the command using 'sudo' instead.
Access to the system will be limited based upon the active user's credentials, regardless of whether they are using the GUI or the shell.
- inkswamp, on 10/12/2007, -0/+5 No idea why you were modded down. I didn't realize that the conditions of this test were available on the site. Nice. I'm going to run a similar test... I'm going to load my car up with all kinds of valuables and leave it unlocked in downtown L.A. If it gets broken into, then it's a bad car.
- galfridus73, on 10/12/2007, -1/+6 No, sorry - the hacker had access to the machine. You automatically can't call this a legit contest because of that fact.
Am I saying that this is a bad thing to talk about? Hell, no. I'm a Mac user who firmly believes that other Mac users do not pay enough attention to security issues (and I get into arguments on a regular basis with them). But I am saying that the competition needs to be realistic: put an OS X box, fully patched to the latest version, with nothing customized in the preferences, and with all the default Apple apps installed, on the net. Let people know what the IP address is, and leave it at that.
Now, when that box gets hacked (and it will, no doubt), then that will be newsworthy. This story is nothing more than a simple "huh."
- MacHarborGuy, on 10/12/2007, -0/+5 inkswamp
you don't just leave it unlocked in the middle of town. you put it next to a billboard reading "My car is unlocked. someone open it and rob me please".
- r3zonance, on 10/12/2007, -7/+11 Only thing making this news is the fact that some idiot made their Mac SSHable to the internet :D
I mean, Macs don't come with SSH enabled, let alone to the internet, out of the box. So a pretty lame test.
- starmanjones, on 10/12/2007, -1/+5 oh man... :D so i have a couple thoughts that i don't see...
the fanboy thing should be retired. it was thought up by windows fanboys to insult mac people. windows people have always called mac people names because they didn't have much else.
this guy in sweden... he's done this test for years. he had a $15,000 reward for anyone that could break into his mac server. he was running OS 9. i think it was finally, technically, won by someone because they found a small hole in a third party application-which allowed him to change one character on the web page. i can't remember the name but its one of the first web app creators it would be easy enough to google if it mattered.
so that's the deal. Mac OS 9 really was bullet proof. i'm a long time unix guy. net/sysadmin... and i've said it before- the one thing i miss is that when i needed to put a database or other on the internet the one thing i could do in good conscience say that data is safe... was run on OS 9.
so Mac people have a very long history of knowing that their Macs were safe from hacking. It wasn't some fluke. Apple created it that way. this was at a time when microsoft was actually building holes into windows for their own purposes. so... people expect more from apple and apple has traditionally met those expectations. they expect less from Microsoft.
so as a unix guy i am actually amazed its taken this long to get around to OS X. this market share argument is just stupid. first the market share is always skewed to make it lower... and they use the term market share... to imply installed base. its a distortion. anyone who knows the business this.
so people hold apple to a very high standard because they have met a very high standard. one of my biggest beefs with OS X is the non-standard architecture- but i do understand why its been done. apple is taking a unix OS and changing it and making better every rev. with apple's long history of making safe computers i think everyone expects them to do what they did with Classic Mac OS... OS 9... and make it bullet proof. the unix guy in me says that might be impossible. but everytime they release an upgrade i am surprised by something that they have done to make it more secure. they have hit all the marks on the surface. its a very slick distro of unix. i think they will tame unix. their history says they will.
the article was really short on details. it sounds a little fishy to me. i have no doubt that any box on the net can be owned with enough time. the way this guy did it in the past was to put the thing up configured in no special way. i expect he did the same. he's running fink... which is a yikes thing... its sort a like cpan. and it is a fairly non standard hack on its own.
so... you know... you put an unannounced windows box on an Internet connection and it will be found and nailed... in under 15 minutes. it this guy -30 minutes when it was a challenge and he had a bag of exploits... and was given non-standard access to the machine. i call that not bad.
keep up the good work apple.