Slashdot Mirror


Cracking OSX

A reader writes: "BusinessWeek is running an article about the new potential target for cracking - all those shiny new Mac OSXs, with their nice new Unix underbodies. Will crackers start to go after these machines too?" Well, to a certain extent, of course, yes. Anything that's easy - but will new tools be developed for these boxes? My only caveat is the use of the hack rather than crack - but that's a semantics thing.

216 comments

  1. The first OS with builtin firewall ??? by Anonymous Coward · · Score: 1

    This line is a bit much. Linux has had it (and probably other OSes as well) for several years ...

    1. Re:The first OS with builtin firewall ??? by boaworm · · Score: 2
      > The first OS with builtin firewall ??
      >>This line is a bit much

      Yep, it's been around, and it's pretty useful. Many users can benefit from having a rather restrictive firewall on their PC.

      Now even Windows XP has it, so even Microsoft has figured it could be useful to protect their Win*-boxes :-).. Wonder why ;)

      --
      Probable impossibilities are to be preferred to improbable possibilities.
      Aristotele
  2. Entire world vs. Slashdot. by Anonymous Coward · · Score: 1
    Pick up any security rag and check out what they call it when someone breaks into a system, defaces a web site, plays a prank on someone, etc ..

    Hacking

    1. Re:Entire world vs. Slashdot. by jgerman · · Score: 3

      Just because the media has decided to pervert a term that's been around since at least the fifties to their own use does not make it right. In fact most real publications with clued in writers will make the distinction. Also it's not Slashdot vs. the World. It's real hackers and people who are aware of the subculture vs joe sixpack.

      --
      I'm the big fish in the big pond bitch.
  3. Warning MODERATOR ON CRACK by Anonymous Coward · · Score: 1

    How the hell can this POSSIBLY be Insightful

  4. Re:The first exploit. by Anonymous Coward · · Score: 1

    Solution: lock your machine down using Open Firmware. Of course if you have physical access to the machine you can still get to the harddrive, but you knew that...

  5. Re:OSX Security by Anonymous Coward · · Score: 1
    Yes I know, Mac OS X uses the NetInfo system - but the original root password is still accessible through /etc/passwd

    It's probably a good thing then that the root account is disabled by default, right?

  6. Re:The underbelly.. by Anonymous Coward · · Score: 1

    In a year or so people will find their toaster cracked and toasts defaced by crackers ..
    if ah fine sum honkey matha-faka disin' roun wit mah toas dis heah bik blyak mama gona shoot im in day ayus!

  7. Telnet access by Anonymous Coward · · Score: 1
    By default, os x runs no servers. It has, in a very accessible place, a single checkbox you can hit in order to enable FTP and Telnet services. This checkbox very clearly labels itself as a security risk.

    Had a paragraph here talking about sudo and ssh vs telnet and some other stuff, but someone else more or less covered that already in the time I was writing this.

    Mac OS X Server, once it is released, will probably take security issues a LOT more seriously.

    My opinion in the end is that there WILL turn out to be some serious security issues in mac os x.. and then apple will fix the security issues, and put them in its internet-based Software Update, and within a week all the machines will have updated themselves automatically and EVERYBODY WILL BE HAPPY!! YAY!! Let's think about what makes all those Redhat boxen insecure: it isn't so much the exploits themselves as the fact that exploits are discovered, patches are released, and users who are lazy or ignorant or just plain have better things to do than read bugtraq all day don't install them. If you have a newbie operating system, you just plain need something like apt-get upgrade or apple software update or windows automatic update so that security fixes can happen without the user knowing about them.

    P.S.: does anyone know how to go about changing NetInfo type stuff at the command line? The GUI NetInfoManager is nice and nifty and stuff, but it would be nice to be able to do some of this administrative stuff *without* having to be physically sitting at the machine. (Quartz has the technical ability to be internet streamed like X. Why hasn't apple implemented this yet?)

    1. Re:Telnet access by ktakki · · Score: 2

      > P.S.: does anyone know how to go about changing NetInfo type stuff at the command line? The GUI NetInfoManager is nice and nifty and stuff, but it would be nice to be able to do some of this administrative stuff *without* having to be physically sitting at the machine.



      man niutil, man niload, man nidump


      k.
      --
      "In spite of everything, I still believe that people
      are really good at heart." - Anne Frank
  8. Re:they are already there. Re:Security for Mac Use by Anonymous Coward · · Score: 1

    wow. Seven whole security leaks since 1998. Are you kidding? MS has more reports in a month. Mac users are only ignorant about security threats because there haven't been any. (relatively)

  9. Re:The first exploit. by Anonymous Coward · · Score: 1

    You could also just take out the hard disk and mount the partitions from another computer.

    Physical access is the bane of any security measure. (There are a couple of decent encrypted filesystems out there, it's worth mentioning.)

  10. "Crack"? I think not! by Anonymous Coward · · Score: 1

    On behalf of all poor white southerners, I would appreciate it if you did not associate us with illegal computer activities by referring to those involved with such activities as "crackers" or the activity as "cracking". "Crax0r" and "Crax0ring" are appropriate though. Thank you.

  11. what they should say.... by Anonymous Coward · · Score: 2

    they should say that OSX machines will be targeted just like any system of substantial size... BUT they will be targeted a LOT less than windows machines.....

    heck they are a bit "safer" now because all the old mac OS9 virii have to be rewritten for OSX.

    So consider an operating system without virii... and targeted less than windoze for virii & cracking.... targeted less than linux for cracking.... an OS with a new GUI, new memory management, and probably a slew of developers waiting to write antivirus software & sell it for their system (compared to what linux antivirus programs? ... ) and what do you have? A decent OS.

    1. Re:what they should say.... by sracer9 · · Score: 2

      "heck they are a bit "safer" now because all the old mac OS9 virii have to be rewritten for OSX."

      Can't they just run 'em in classic mode?

      --

      No thanks. I don't smoke anymore.
  12. Re:As with anything.... by Anonymous Coward · · Score: 2

    At least OSX installs with most if not all of the dangerous apps (such as ftp and apache) disabled. You need to have a certain amount of intelligence to get into trouble. Unlike some OTHER operating systems.

  13. Re:Security for Mac Users by Anonymous Coward · · Score: 2

    had IE been written for Cocoa, the jump would also be equally as huge.

    Actually, had IE been (re)written for Cocoa, the jump to (Open|GNU)Step would have been quite small. However, the initial jump to Cocoa would have been huge.

    Think about it - if you write to Cocoa, and port to *Step, you'll be writing apps that are easily portable to anything but Windows! You gotta love that... :-)

  14. Re:Some Points to consider: by Anonymous Coward · · Score: 2

    > 4) when I did a portscan of my own system using the built in tools, there were only 2 ports open, both of which are in the 700's somewhere - I don't know what they're for, but all the typically 'hackable' ports, like telnet, aren't open. No ports == harder to access.

    I saw this as well. I believe they are being used by the built-in scanner. I installed a scanner on my Win98 box and then scanned the OS X box. No ports open except ssh.

  15. Re:End of innocense by Anonymous Coward · · Score: 3

    pppsssssssssstttt: someone along the line forgot to tell you that the "worthy challenge" rating by nmap only means that guessing the packet sequence numbers is a worthy challenge, not that hacking the box is a worthy challenge :)

  16. Re:Why stack smashing works on (almost) every CPU by Anonymous Coward · · Score: 3

    Never used C++, eh? STL's string class makes you try very hard indeed to create a buffer overrun.

    What is it with idiots who know C and think that means they know C++ too?

  17. Patches by Anonymous Coward · · Score: 4

    There is an update checker which pops up to notify you of new patches from Apple when they are released, and you just click a button to install them. (I wonder what sort of authentication this has?) So when a major hole comes up it will be pretty easy to get a fix for it -- much easier than windows update on my NT box. I thought the article was a little harsh considering some of the major security flaws in products from Microsoft in the last few years.

    1. Re:Patches by Hack-n-slash · · Score: 1
      > You need to be an administrator to run the update on the local machine. I don't know if there's any authentication with Apple's servers, but I doubt it. (As others have mentioned, the security risk is minimal because it is the machine that initiates the contact with the server, so a hacker can't just tell the machine to run an update.)

      Assuming the cracker has administrator or root (not a big assumption...it *will* happen one day), he can do pretty much anything he wants. The cracker can pop up software update windows anytime and replace the code that says "go to apple for software updates" to "go to my script kiddie site for software updates".
    2. Re:Patches by Xenex · · Score: 2
      The 'problem' stated was that someone could use Software Update to crack the box.

      If they need to use Software Update to 'root' the box, and the only way to make Software Update do what they need is by using root, then, well, we have a chicken-egg situation....

    3. Re:Patches by schwanerhill · · Score: 1

      Actually, Software Update is a process that runs on the OS X machine, which connects to Apple's servers to check for software updates. It says that it can be set to check for updates automatically, but that doesn't seem to work for me; I have to press the Update Now button to get it to check. (That said, I've never let it go more than a few days without running the check, so I may just not have waited long enough.)

      However, you still have to know to look for the Software Update application; it doesn't run unless you turn it on. Therefore, it doesn't 'pop up,' so people who don't know what they're doing with a computer probably still won't update from the OS installed on the machine by Apple when they bought it. (An alarming number of people don't ever update their machines.)

      You need to be an administrator to run the update on the local machine. I don't know if there's any authentication with Apple's servers, but I doubt it. (As others have mentioned, the security risk is minimal because it is the machine that initiates the contact with the server, so a hacker can't just tell the machine to run an update.)

    4. Re:Patches by Tech187 · · Score: 1

      So all the cracker has to do is spoof that he's the box at Apple that generates the shiny button to click. Then the MacOS users will happily click on the shiny button (which releases the hounds).

  18. shellcode! by Anonymous Coward · · Score: 5

    A year ago I wrote what I still believe is the only widely-available documentation for buffer overflows on Mac OS X. I didn't think anyone cared, but after an Apple employee compared me to a locksmith helping thieves, I've been disseminating it widely, thus:
    http://belgo.org/propeller/

    -Chris

    1. Re:shellcode! by praedor · · Score: 1

      Whoa. I think you need to rethink your website color scheme. That blue text on a black background is hard to read. When I first got to your site I thought it was mostly blank, except for some white dates text on the left side.

      --
      In Bushworld, they struggle to keep church and state separate in Iraq as they increasingly merge the two in America.
    2. Re:shellcode! by jesuschristsuperstar · · Score: 1

      You are an immoral hacker! You have tarnished the holy gummi drop apple image and shall surely be relegated to a menial job under Jobs' hierarchy as a garbage collector.

  19. Re:Cracker Schmacker by Anonymous Coward · · Score: 5

    Thank you.

    It gets damned annoying hearing people constantly whine about how people use the word hacker when they really mean cracker. Languages evolve and change. You can't put up a resistance. Make up a new freaking word for coders if this bothers you so much. Because after the media's tainted the word "hacker", there's no going back.

  20. Some Points to consider: by Anonymous Coward · · Score: 5

    I've done a quick survey of posted messages, and I see quite a lot of FUD. I'm not a security expert by *any* stretch of the imagination, but I do read carefully what I can understand about security.

    That said, let me outline what I believe are some salient points:

    1) it's possible to install OSX *without* the BSD subsystem - no subsystem == no way to hack by command line.

    2) Mac OS X has a firewall compiled in the kernel. While the firewall configuration hasn't been set (and realistically, how can Apple define the rules for everybody when they don't know how the machine is to be used?), you can use ipfw to configure, or there are GUI apps like BrickHouse (http://personalpages.tds.net/~brian_hill/brickhouse.html) that will help.

    3) Mac OS X ships with the root account *disabled* by default. That's right. If you have to do superuser-related actions, you have to log in as a user with administrator privileges, and type in "sudo " at the terminal to do root-like things. This is only an extra step to 0wn the machine, true, but *everybody* knows the root's user name - not everybody knows which user also has admin privileges. This ain't a magic bullet, but it makes things that much harder for the cracker without making it harder for the legit user as well.

    4) when I did a portscan of my own system using the built in tools, there were only 2 ports open, both of which are in the 700's somewhere - I don't know what they're for, but all the typically 'hackable' ports, like telnet, aren't open. No ports == harder to access.

    So what's left? One poster mentioned that hacks would be done through either exploiting bugs in apps like IE5, or by getting people to use trojan-horse style apps that open up access to the box without the user's knowledge.

    This, I think, is where the real threat to typical Mac OS X users is. As a Mac user first, and a newbie Unix user, I would like to ask this community to help Mac users gain a better understanding of security and trust.

    If I messed up on any details, please correct, not flame!

    1. Re:Some Points to consider: by mandolin · · Score: 1
      Telnet is rarely hackable, it's just too simple. It's complicated things like lp, rpc, bind et al.

      ...As long as you consider the 'sending passwords in cleartext over an untrusted network' problem "rarely hackable".

    2. Re:Some Points to consider: by Syberghost · · Score: 2

      If your box is providing Internet services, it by definition has ports open.

      Any box can easily be that secure, or even more secure. Hell, pull the ethernet cable out and ssh will be closed too.

      The measure of security of a box is the security of the ports that *ARE* open. Even a flawed ssh implementation can be insecure.

      So, to say no ports == harder to access is disingenuous, akin to saying "not turned on == harder to access". In other words, true, but irrelevant.

      -

    3. Re:Some Points to consider: by ReelOddeeo · · Score: 1

      > it's possible to install OSX *without* the BSD subsystem

      Isn't this the default? That is, only truly weird people would install the BSD subsystem. :-) Other Mac users would look at you funny, etc.

      too bad it doesn't have a Linux subsystem. :-)

      --

      Those who would give up liberty in exchange for security and DRM should switch to Microsoft Palladium!
  21. Re:So? by Lurker · · Score: 1

    a large AppleTalk network, and to be honest, I don't think that I've ever seen an Appletalk network that was more than 20-25 Macs.

    Pfft. Heh. That's because any more than that is enough to completely saturate fast ethernet.

    You're completely talking out your ass. I have a network (shared 10baseT, not even fast ethernet) with 24 Macs and 5 printers. It used to have 35 Macs and 5 printers. Even with 39 AppleTalk devices on the network, I still got around 1 meg per second transferring files to & from our file server (PowerMac G3/233 running Mac OS X Server 1.02) If what you say were true, I wouldn't have had a transfer rate anywhere near that fast.

  22. Re:The first exploit. by SoupIsGood+Food · · Score: 3

    Solaris (on sparc, at least) requires the root password to boot into single user mode. You can boot from the Solaris install CD without it, and overwrite everything on the boot disk, but it won't let you mount filesystems. This is secure and reasonable, protecting your data from any yahoo who can hit the reset switch on the powerstrip.

    HP-UX and AIX don't provide you with the same security. Neither do any of the Linux variants I've dabbled in, or even the otherwise fort-knox-like OpenBSD.

    I've heard the arguments, but I don't buy them. If you can't remember your root password and don't have your data and configuration backed up, give up on this unix stuff. It's too mentally challenging for you. End of story.

    SoupIsGood Food

  23. Re:As with anything.... by jafac · · Score: 3

    the intelligence of the people running OS X is going to be a big factor.

    Of course, you've mischaracterized it as "intelligence", when what it really is, is the dedication, attention to detail, and desire to fiddle with the inner workings of what is essentially supposed to be just a tool. None of these are traits of your average Mac user. Lots of Mac users are very intelligent, even if they aren't kernel hackers, so you needn't go around characterizing them as "unintelligent".

    That said, read the Mac message boards lately, and you'll see a HUGE gap between people who used to be comfortable with a userless system, that gave them the rights and capabilities to delete the System folder if they wanted to - to the present state, where root is not enabled on the machine by default because "the user is not to be trusted with such a powerful tool, lest they delete something they don't understand".

    The number one complaint you see is someone who gets into a situation where they have to use the terminal and sudo to get out of it. The implication is that these people messed with things that they didn't understand, but that's not the case. The vast majority of these people are just trying to install software, or move an application to a place they feel is more convenient for them to access. But without root privileges, the system won't let them, so they're being forced to learn these things they previously didn't need to know to use "the computer for the rest of us".

    These are the people that will be in charge of tens of thousands of OS X Unix systems a year from now. Be afraid. Be very afraid.

    They aren't necessarily less intelligent, but you're right when you say they don't have a clue about the first thing in security. They never needed to before.

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  24. How sinister, like linux -s by Simon+Carr · · Score: 2

    There are few OSes that are secure at the console, at least without tweaking.

    --
    -- The unsig...
  25. I can picture it now.... by bjb · · Score: 4
    Imagine a dialog that pops up with the side profile of a person's face with the typical audio cue of the Mac's "Eeep!" sound...

    Your Mac has been hacked! (OK)

    Hmmm.. prefer that sound over Sosumi..
    --
    Never hit your grandmother with a shovel, for it leaves a bad impression on her mind...
    1. Re:I can picture it now.... by cpt+kangarooski · · Score: 1

      What an incredibly useless dialog though. If there's no choice, a dialog is too much to present. The little yellow note dialogs are so much better for this sort of thing, you know. ;)

      --
      -- This and all my posts are in the public domain. I am a lawyer. I am not your lawyer, and this is not legal advice.
    2. Re:I can picture it now.... by cpt+kangarooski · · Score: 1

      No, I got the joke - I just tried to insert some more humor by criticizing the UI that presented the joke.... guess it didn't work.

      (been usin' Macs since '86, hate OS X with a passion)

      --
      -- This and all my posts are in the public domain. I am a lawyer. I am not your lawyer, and this is not legal advice.
  26. Re:End of innocense by MouseR · · Score: 2

    > Sorry, but nVir and other application based viri pre-dated MerryXmas by a good 4 - 5 years. HyperCard viri didn't hit till at least about the time of System 7 and I was dealing with boxen infected by stuff like nVir back in '88.

    You got your dates wrong. MerryXmas did appear before nVir, whereas MerryXMas (also known as the Peace virus) was spreading early 1988 and triggered on March 2nd 1988.

    See the Mac virus faq.

    Some things not quite mentioned on the FAQ, but quite well known here in Montreal is that the author of this virus was Richard Brandow, the then president of Club Mac Montreal.

    Karma karma karma karma karmeleon: it comes and goes, it comes and goes.

  27. End of innocense by MouseR · · Score: 5

    In a sense, yes, but generally, not all that different.

    It used to be that simple HyperCard stacks could contain trojan horses. The very first Mac virus was in fact a HyperCard stack.

    Things moved on, and some started appearing as AppleScript applets or scripts. Nothing very serious, though, as AppleScript does a fairly good job at blocking potentially dangerous situations (eg, the Finder wont delete items when asked to, but simply move them to the trash).

    Out of the box, Mac OS X is pretty safe, according to nmap, which gives it a "worthy challenge" rating.

    Where things can get interesting, though, is when the user starts services without truly understanding what they are, like ftp and telnet. Most end-users have stupid passwords to begin with ( a friend of mine's bank card code used to be "12345"...you get the idea).

    Still, with a Unix underpinning or not, the most vulnerable spot for user's machines (on Mac anyway) is launching an application which may be a trojan. Most other means of delivery (CD-ROM autoplay in QuickTime and desktop DB viruses) are now obsolete because the system no longer uses them.

    We're still vulnerable to WDEF (Window Definition code resource) and CDEF (Control Definition code resources), but that's more or less inevitable. It's also not as bad as it used to be, since at least, the machine and the OS is protected. It's just the user's directory and files which may be at risk. It's easier to recover this way.

    Karma karma karma karma karmeleon: it comes and goes, it comes and goes.

    1. Re:End of innocense by schwanerhill · · Score: 2

      By default, every remote access mechanism is off in OS X. No SSH, no telnet, no file sharing, no web sharing, no FTP, no sendmail, no nothing. Of course, all of those things are available on the default install of OS X, but they're off by default. You can turn SSH, FTP, web sharing (Apache) and Apple's File Sharing on via the GUI; telnet cannot be turned on without going to the shell (so end users who don't understand the risks of turning telnet on are unlikely to do so by accident).

      I wish that Apple attached a more stringent warning to the SSH checkbox. In the System Preferences application (Sharing pane), there is a checkbox that says "Allow remote login: Allow other users to access your computer using terminal applications." What does that mean? It's not at all clear. I know that it means turning on SSH in Mac OS 10.0.1; in 10.0, it means turning on Telnet. No indication that that's changed.

      Also, I wish that Apple would include a warning whenever someone turns on remote login or FTP access something like this: "Doing this can open your computer to malicious activity if your password is not secure. Secure passwords should be at least 6 characters, should not contain any words that are in any dictionary, and should contain both letters and numbers."

      (Of course, Apple should not overplay the risks and scare people away from what really is a quite secure OS, especially when compared to Win98. It's a tricky balance for them to play.)

    2. Re:End of innocense by ka-klick · · Score: 1
      > The very first Mac virus was in fact a HyperCard stack

      Sorry, but nVir and other application based viri pre-dated MerryXmas by a good 4 - 5 years. HyperCard viri didn't hit till at least about the time of System 7 and I was dealing with boxen infected by stuff like nVir back in '88.

      Your main point is pretty well taken, but just because MerryXmas was on the top of your sources list does not mean that it was the first mac virus. Luckily the relative difficulty of programming on the mac kept the volume of viri relatively low and since the Java runtime was not implemented fully and M$ didn't do as much w/vba on Macs we've mostly missed out on the last several rounds of email/web based nasties, only time will tell what this new system will do to that profile, but I am really pretty excited about finally having some decent dev tools to work with out of the box on a MacOS system. Macs haven't been as much fun or as interesting to me since HyperCard died. One of the things that's kept M$ sales high is the availability of an easy dev tool (VB) that they've leveraged to the hilt. The ironic thing is I think they really stole the concept from HyperCard and simply put a pseudo-object oriented basic in place of HyperTalk. Both were originally geared toward beginning programmers, but as M$ continued to move forward w/VB and make it a widely used (and abused) tool by enterprise, Apple (as usual) failed to see what it had and make it evolve in a timely manner.

      --

      MSRP - Tax, Title & Licence Extra Your Milage May Vary

    3. Re:End of innocense by ka-klick · · Score: 1
      Well, I tried replying to MouseR, but it didn't go through. All I was saying was there was a lot of stuff BEFORE Merry Xmas and none of it was Hypertalk until that. I'm including as much of my attempted reply as /. will allow.

      > You got your dates wrong. MerryXmas did appear before nVir, whereas MerryXMas (also known as the Peace virus) was spreading early 1988 and triggered on March 2nd 1988.

      Nope, sorry, try again. I've been using macs and dealing with this stuff since '87. Either my memory is better than yours, or better than your sources. Looking through one of your sources I found links to all the following info: From Symantec's Site (SAM was one of the first commercial mac AV ut's) Note the date they list as first occurrence (1987):

      > nVIR
      > nVIR is probably the most prolific and highly infectious of all Macintosh viruses. nVIR has two basic strains, A and B, and nine known variants (clones). It first appeared in Europe in 1987. When nVIR finds its way into a Macintosh computer through an infected application, it normally infects the System file first. Once the computer is infected, nVIR becomes memory-resident every time the computer starts up, infecting any applications it comes in contact with. To announce its presence, after every eight to sixteen restarts (or after four to eight infected application launches), nVIR causes the system to beep. At least one known strain of nVIR can utilize the MacIntalk sound driver (MacInTalk is a software-based speech synthesizer) and, instead of beeping, speak the words "Don't panic."

      peace was NOT MerryXmas

      peace aka MacMag is a very old (maybe oldest) virus, but was not a Hypercard Virus per se (it was found in a HyperCard Stack, but infected system files). Merry Xmas was a Hypercard ONLY virus that infected other stacks

      I HAD more data but /. killed it as junk.
      --

      MSRP - Tax, Title & Licence Extra Your Milage May Vary

    4. Re:End of innocense by commodoresloat · · Score: 1

      According to this document, you're both wrong. The first known Mac virus was the "Peace" virus. This virus actually did spread through a HyperCard stack, but not via HyperTalk as the original poster suggested (e.g. the "Merry XMas" virus). Rather, an infected XCMD installed an infected INIT directly into the system. For people that knew HyperTalk, the Merry XMas virus was much easier to deal with, since the code is easy to get at - the virus functioned, as I recall, by trapping the "set" command.

  28. Re:built-in firewall by el_nino · · Score: 1

    Those who will use the server services in OS X on public servers will have to open those services to the net, so I don't see how the built-in firewall is going to help...
    --
    Niklas Nordebo | niklas at nordebo.com

  29. Re:Some info.... by el_nino · · Score: 3
    root access in Mac OS X is disabled by default

    Root login may be disabled, but that doesn't mean much. Getting root on a box involves subverting a process running under UID 0 into doing your bidding, often through buffer overflows, much more often than getting the root password on the box. Once you've gotten your own code to run under UID 0 you can install all kinds of backdoors without ever bothering to find out the root password.

    /etc/passwd is only accessed if the machine is booted into single-user mode

    No well administered UN*X box has had non-shadowed passwords for years anyway, and exploits don't commonly concentrate on getting the passwd file these days - that's sooo 20th century :)
    --
    Niklas Nordebo | niklas at nordebo.com

  30. Good thread here... by Psarchasm · · Score: 5

    There is a good thread on this topic at http://www.macintouch.com/websecurity.html

    --
    http://windows.scares.us
  31. Oh, come on. by hatless · · Score: 3

    Will there be a deluge of cracking and virus-writing directed at Mac OS X? I'd suspect not. MacOS on the desktop accounts for less than 5% of what's out there, and on the server, it's far less than that. OS X will probably up their internet-connected server population a bit, but I wouldn't hold my breath waiting for Apple's overall market share to reach 7% any time soon.

    Virus authors overwhelmingly target big targets, namely Windows. WordPerfect and Lotus Notes get hit by far fewer viruses than Word and Outlook. This isn't because they're better-written applications with good security features. It's because few people care about hitting the minority.

    Until Apple's comeback a couple of years ago, there was so little interest in writing Mac trojans and viruses that months would go by without even the smallest update to Mac virus pattern files. Even now, it's an almost negligible trickle. The biggest problem lately hasn't been caused by an uptick in people targeting Macs; rather it's that MS Office 2001 for the Mac is so compatible with Windows Office that an increasing number of macro viruses now suddenly work cross-platform. This will become more pronounced in a few more months when the first new version of Mac Outlook in 4 years ships. Even so, I've seen an installation of 40 Macs go over a year without so much as detecting a Mac virus, much less getting hit by one.

    Hacks/cracks/exploits/whatever are another story. Since Macs in server roles will now be running Apache, sendmail, BIND and Unix-world FTP daemons, we should expect some Mac servers to be just as vulnerable to security holes that emerge in these services as their *BSD, Linux, Solaris and AIX cousins. Apple's auto-update functionality, similar to auto-updaters for Debian or things like AutoRPM and the Ximian updater, should protect most, however, as long as Apple keeps its binaries up to date.

    But targeting Mac OS X specifically? Who's going to bother?

  32. Re:The underbelly.. by Bob+McCown · · Score: 2
    True, but I still think both of the OSX machines on the net might be a target....

    Smiley captioned for the humor impaired

  33. Re:The underbelly.. by Bob+McCown · · Score: 2

    I often put crackers in my toaster oven, with a bit of tomato sauce and cheese, for mini pizzas!

  34. Re:The first exploit. by mattkime · · Score: 4
    Not too difficult to get into X right now. If you have physical access to the machine, all you have to do is hit the re-start button on the front and hold Command+S while booting.

    Um, if i'm not mistaken, Linux and nearly every other unix based OS has single user mode as well. For most people, this is a GOOD option. The number of people who might lock themselves out of their machine is greater than the number of people who are likely to be hacked by someone with physical access to the machine. I'm sure those who see single user mode as a threat will find a way to turn it off.

    --
    Know what I like about atheists? I've yet to meet one that believes God is on their side.
  35. Cracking if you enable root & ... by crovira · · Score: 2

    A lot of Mac end-users won't enable root or ssh or anonymous FTP. Not that many will install the developer's tools. Ergo, no compiler...

    The early adopters will of course until the novelty wears off (myself included.)

    No need to... That gets rid of a lot of potential damage and potential for mischief.

    All Macs come with sound input and in OS 9 they have already had multiple users and voice authentication (a few kilobytes of streaming audio as a password, not just a few crackable bytes. And telling someone the phrase doesn't help 'em get into the box. It has to be the guy whose voice recorded it on the rig that was used to record it. You have to be there and be the one.)

    Passwords for security is a reflection of the box's limitations not the system's capabilities. Non-Apple boxes are probably far more at risk than Apple's boxes. Not to mention, there may not be ssh, there may not be root, there may not be a compiler, there may not be sendmail, there may not be FTP. That's a very small target to hit and not much stick to hit the 'pinata' with.

    And nobody writes viruses for Apple because it's a 'lame box' for grannies and hippy-loser-types that "3l33t3 h4x0r5" spit on. Sometimes it's good to be the underdog. :-)

    --
    MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
  36. Instead of screaming at 'em lets educate 'em. by crovira · · Score: 3

    The article was pretty uninformed but some of the points were valid. You CAN definitely (mis-) configure your OS X box to be as open as a two-dollar whore.

    The point is that it doesn't ship that way and you don't know that unless you buy one and install it yourself. I am not sure that author had.

    Without root, ssh, anonymous FTP, sendmail or the Developers toolkit (no compiler,) the box is as safe as you can get without pulling the plug.

    --
    MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
  37. h3LL's 9rANNI35 pwN j00!!! by ehintz · · Score: 1

    Anyway, I guess my point is that I'm not too worried about critical secrets being found on a compromised Mac, but that a phalanx of grandmas will have their iMacs on their cable modems end up being used as DDoS hosts.

    This comment brought up a lovely visual picture of Monty Python's Hell's Grannies going 1337.

    h3LL's 9rANNI35 pwN j00!!!

    Regards,

    --
    ehintz
  38. Re:Apple Security Contact info: by mr_burns · · Score: 2

    osxtalk.com is an OSX slashcode site

    --
    "Let him go, Ralph. He knows what he's doing." --Otto Mann (simpsons)
  39. sunrpc, portmap, inetd - brickhouse is bad for you by mr_burns · · Score: 2

    being a bay area .com casualty, I've spent the last few months searching for jobs and staring at /var/log/messages on my border router. These ports get scanned constantly on my DSL pool:

    23
    53
    111
    113
    137-139

    The problem is OS X can't go to the bathroom without running some part of sunrpc. So there's port 111 for ya. Sometimes OS 9 has 113 open, so we won't call that one new. I've compiled and run samba on OS X, so there's 137-139.

    Great pains should be made to make sure hosts.deny is set to ALL: ALL (my personal creed) with hosts.allow being the mechanism for letting people in. inetd should be replaced with xinetd, and all the portmap stuff should be bound to localhost if a single machine, internal NIC if in an NFS environment.

    Brickhouse is a nifty GUI for IPFW....but the pitfalls of using it are that when you run it...you actually end up with more ports open than if you hadn't run it in the first place. The firewalling rules Apple put in place out of the box are pretty decent. I ran brickhouse on the public beta a while back, and ended up with EVERY port above 1024 open...whereas nmap showed just a handful of ports open before. Things may have changed in recent months...but the big problem is still there...the people using it don't know what the fsck they're doing and likely will do themselves more harm than good by tweaking with the rules.

    A lot of people will attach their machine directly to the net via modem...so tripwire/MD5 yer getty's and login.

    But that's a home environment. In a corporate environment, there's a pretty heinous version of the world readable shadow/passwd exploit, where netinfo can be made to give up all the logins/shadows for the entire company from one box, with user level access. This is if you're using directory services to propagate user info through your company's machines.

    It remains to be seen how it could be countermeasured (it's supposed to be a local exploit, but once you get a shell...you're local). Things that come to mind are one time passwords, or using the built in voice authentication. Maybe a combination of the 2.

    In any case...this IS a new OS. Even though it's been around for a while in various incarnations...it's kind of a bazaar consensus of Mach, next, bsd, mklinux and nuKernel. My advice is for inexperienced users not to attach this OS directly to the net until it's been in the wild for a while.

    --
    "Let him go, Ralph. He knows what he's doing." --Otto Mann (simpsons)
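
The default-deny tcp_wrappers policy described in the comment above (hosts.deny set to ALL: ALL, with hosts.allow as the only way in), as an added example that is not part of the original comment: a simplified Python evaluator for the hosts_access rule order, run over constructed files. The daemon names, addresses, hostnames and the subset of pattern syntax handled (ALL, LOCAL, address prefix, domain suffix, net/mask, EXCEPT) are assumptions of this example.

```python
import ipaddress

# Constructed sample files (not taken from any real host).
DENY_ALL = "ALL: ALL\n"
ALLOW = """\
# portmapper (port 111) reachable from the loopback address only
portmap: 127.0.0.1
# ssh from the internal /24, except one constructed host
sshd: 192.168.1. EXCEPT 192.168.1.66
# ftp from one constructed domain
in.ftpd: .example.org
# identd from an internal network written as net/mask
in.identd: 10.0.0.0/255.255.255.0
"""


def parse_rules(text):
    """Return [(daemon_tokens, client_tokens, lineno)] for each rule line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)  # an optional third field is ignored here
        if len(parts) < 2:
            continue  # malformed line, skipped in this simplified parser
        daemons = parts[0].replace(",", " ").split()
        clients = parts[1].replace(",", " ").split()
        rules.append((daemons, clients, lineno))
    return rules


def client_matches(pattern, addr, host):
    """Match one client pattern against the peer address and (optional) name."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":  # a host name that contains no dot
        return host is not None and "." not in host
    if pattern.startswith("."):  # domain suffix
        return host is not None and host.lower().endswith(pattern.lower())
    if pattern.endswith("."):  # address prefix
        return addr.startswith(pattern)
    if "/" in pattern:  # net/mask
        try:
            net = ipaddress.ip_network(pattern, strict=False)
            return ipaddress.ip_address(addr) in net
        except ValueError:
            return False
    return pattern == addr or (host is not None and pattern.lower() == host.lower())


def list_matches(tokens, test):
    """Match a token list; 'a EXCEPT b EXCEPT c' parses as a EXCEPT (b EXCEPT c)."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_matches(tokens[:i], test) and not list_matches(tokens[i + 1:], test)
    return any(test(t) for t in tokens)


def check_access(daemon, addr, host, allow_text, deny_text):
    """Apply the hosts_access order: allow file first, then deny file, else grant."""
    for verdict, text, fname in ((True, allow_text, "hosts.allow"),
                                 (False, deny_text, "hosts.deny")):
        for daemons, clients, lineno in parse_rules(text):
            if (list_matches(daemons, lambda p: p in ("ALL", daemon)) and
                    list_matches(clients, lambda p: client_matches(p, addr, host))):
                return verdict, f"{fname}:{lineno}"
    return True, "no rule matched (default is to grant)"


# Constructed connection attempts: (daemon, peer address, peer host name or None).
PROBES = [
    ("in.telnetd", "203.0.113.5", None),
    ("portmap", "203.0.113.5", None),
    ("portmap", "127.0.0.1", "localhost"),
    ("sshd", "192.168.1.20", None),
    ("sshd", "192.168.1.66", None),
    ("in.ftpd", "198.51.100.9", "dialup.example.org"),
    ("in.identd", "10.0.1.7", None),
]


def audit(deny_text):
    """Return {(daemon, addr): granted} for every constructed probe."""
    return {(d, a): check_access(d, a, h, ALLOW, deny_text)[0] for d, a, h in PROBES}


if __name__ == "__main__":
    for label, deny in (("empty hosts.deny", ""), ("hosts.deny = ALL: ALL", DENY_ALL)):
        print(label)
        for (daemon, addr), granted in audit(deny).items():
            print(f"  {daemon:<11} from {addr:<13} -> {'grant' if granted else 'deny'}")
```

With an empty hosts.deny every probe is granted, including the host excluded by EXCEPT, because a non-match in hosts.allow is not a denial. This only governs services that consult these files (started through tcpd or linked against libwrap).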
  40. Wake-Up by Space · · Score: 3

    Isn't OSX based on *BSD and isn't *BSD supposed to be more secure out of the box? If cracks are found quickly, will that serve as a wakeup call to all admins of "out-of-the-box" Distros, be it RedHat, Mandrake, SuSE, Debian, BeOS, QNX, *BSD, WinNT, Win9x, etc.? Maybe managers and hiring personnel will finally realize that all admins are not created equal.

    --
    I Don't Work Here
    1. Re:Wake-Up by dnh · · Score: 2

      Out of the box simply refers to services running after a default install. There is no single default setting for all BSD derived systems, so each one has its own settings. OSX will have its own settings, probably with almost nothing running.

      This is a very simple thing to change, and RH and the others have been getting much better, but all still leave in the 'server' install, so all the little kids thinking they are 'l33t' will leave their box with everything from bind to apache to rpc and nfds open. Then they get hacked.

    2. Re:Wake-Up by wbattestilli · · Score: 1

      In making a secure OS, FreeBSD is a good base to start from. Security is only as good as the software running and configuration used.

      Throwing FreeBSD on to Mach and then piling NeXT, a new GUI, compat layers, and A LOT of other subsystems creates a complicated, new system with lots of room for crackers to play.

      Some of OSX' problems are in common with *BSD, Linux and the UNIX's, i.e. a hole in BIND.

      The big (easy) holes will probably be Apple's problems alone, i.e. forgetting to delete a temp file created by some GUI library.

      Just like every other field in this world. There are a lot of people called admins that are very bad at their job...this is doubly true for managers and hiring personnel.

    3. Re:Wake-Up by Tech187 · · Score: 5

      You are thinking of one specific fork of BSD (OpenBSD), where its maintainers place a great emphasis on no out-of-the-box security flaws. No OS is more secure than the person setting up and maintaining makes it.

      I'm not sure why cracks found in MacOS 10 will serve as a wakeup call to people using or administering any other Operating System.

  41. Gimme some love by Graymalkin · · Score: 2

    Mac OS X is going to be primarily run by a bunch of consumers, of course it will be a major crack target as popularity of it increases. A lot of people are going to end up calling tech support wondering why their passwords don't work or why their personal files have been wiped out when they left their computer connected to their broadband connection for a little while. Or they're going to wonder why they are suddenly sending out massive amounts of net traffic concurrently with major websites being DDoSed. For most of the people here this is almost a non-issue, slashdot users are at least aware that their security is insufficient. OSX users here may or may not know about osxsecurity.com or osxtalk.com both of which provide slash-ish forums pertaining to OSX. Consumers for the most part are in the dark, SYMANTEC. They'll pop out an OSX version of their internet security suite which will basically be some scripts to edit hosts.deny and/or provide a front-end to ipfw. Lots of consumers will pick this software up over the next couple months, ESPECIALLY if OSX specific cracks start happening en masse. I'm sort of hoping Apple decides network security is a valid reason to spend some dough and works at getting their OS up to snuff with Unices better configured out of the box for security.

    --
    I'm a loner Dottie, a Rebel.
  42. "Good" hacker == Wizard by Weasel+Boy · · Score: 1

    The battle is lost. The general public will always think of hackers as vandals. So don't be a hacker. Be a coding wizard. The public will probably never think of a wizard as an intrinsically bad person, and it conveys exactly the connotation that you want. "You ordinary people, don't even try to understand what I'm doing. I'm a wizard." (Or is that 'W1X0Rd'?)

    Down with nasty, evil hackers! Up with beneficent code wizards!

  43. Re:this is retarded.. by Sloppy · · Score: 2

    But I Love You was a vulnerability in an application, not an OS. And MacOS users are much more likely to run MS applications, which treat untrusted data as executable code. Seems pretty likely that someone will run these poor quality apps while logged in as root (or the MacOS equivalent administrator).

    We will see MacOS X users have their systems screwed up in new ways that Unix users haven't before seen.


    ---
    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  44. FreeBSD kernel not used for OSX by OpperNerd · · Score: 3

    "a warning about a flaw in the Free BSD software kernel that was used to develop the operating system. ..". The FreeBSD kernel was not used for OSX, only the userworld. OSX uses a Mach kernel.

    --
    -- unix is for people without a social life - Patrick van Eijk
    1. Re:FreeBSD kernel not used for OSX by Darby · · Score: 2

      Dear Moderators,
      you and pe1rxq are idiots.

      Before you claim flamebait consider:

      An OS runs one kernel. Granted some mainframe OS's or VMware might run more than one, I don't know actually, but a normal OS has one.

      OSX runs a modified Mach microkernel. A microkernel does not require a monolithic kernel to function properly. It is its own kernel.

      OSX uses BSD userland stuff; this means when you type 'ls', you're running BSD ls.

      I don't know much about the technical aspects of all this, but that much is obvious to anyone who spends 2 minutes looking at apple's site.

      The fact that pe1rxq didn't know this is ok. The fact that he wrote as if he did makes him an idiot or a troll. The fact that it was moderated up to insightful means some moderator is smoking more of that $3.00 crack.


      ---CONFLICT!!---

    2. Re:FreeBSD kernel not used for OSX by pe1rxq · · Score: 2
      Mach is only a microkernel, running under it is a monolithic BSD kernel made out of nearly every *BSD project on the planet.

      Jeroen

      --
      Secure messaging: http://quickmsg.vreeken.net/
  45. Re:It's Business Week for chrissakes by Teferi · · Score: 2

    Meh...My father used to work there, and I got to know the computer guy to a decent extent, and he generally tends to be on the clueful side.

    --
    -- Veni, vidi, dormivi
  46. Matt's rant on this by mattbee · · Score: 2

    So I was drunk, but still...
    http://www.soup-kitchen.net/soapbox/hackers.html

    --
    Matthew @ Bytemark Hosting
  47. Re:As with anything.... by Moofie · · Score: 1

    Stupidity? Laziness? That's a terrible mischaracterization of computer users.

    Look...system administration SHOULD NOT BE NECESSARY for the safe and reasonably secure operation of a computer. I don't have to be able to adjust the valve timing on my car to keep it from exploding! Yes, people ought to be able to install and update software on their computer. No, it should NOT be designed such that it REQUIRES a computer expert (like me) to operate it!

    --
    Why yes, I AM a rocket scientist!
  48. Re:As with anything.... by Moofie · · Score: 1

    OK somebody draw me a diagram and explain how my post is flamebait.

    --
    Why yes, I AM a rocket scientist!
  49. Cracker Schmacker by hrm · · Score: 5
    My only caveat is the use of the hack rather than crack - but that's a semantics thing.

    Face it Hemos, cracker is a *stupid* word and therefore not likely to be adopted. And no, I don't see any problem with a double meaning for hacker.

    After all, when a newspaper runs a headline "police seize drugs" you don't see drug store owners writing angry letters to the editor explaining that this sort of thing gives them a bad name and that the journalist should have used "substances of an illicit nature".

    People are perfectly capable of determining the meaning of the word "drugs" from the context, and there's no reason why they can't do the same with "hacking". So stop moaning, please!

    1. Re:Cracker Schmacker by mjpaci · · Score: 5

      Hey, I was called 'cracker' from 1st through 4th grade (early 80's) and sometimes 'white cracker' as well. Of course, I was the only white kid in my class of 30. I don't think they were referring to my computer skills.

      --Mike

    2. Re:Cracker Schmacker by daniell · · Score: 3
      There's a very simple answer to the evolutionary language issue. There are communities, like the entire CS department at most any decent college, that can make a language distinction between the two words. Then there are those, like journalism (often overly alarmist no less) and those exposed to just journalism, who fail to make a distinction. I don't believe that "hacking" is ever going to mean the same thing for everyone any more than I believe that the U.S. will correct an age old spelling error that's led to an error in pronunciation, namely that of the element Al, Aluminium.

      -Daniel

    3. Re:Cracker Schmacker by diablovision · · Score: 1

      Hacker's a dumb word anyway. Security professionals don't call themselves "hackers". It implies a substandard, ad hoc solution to a problem lacking formal verification. It's the difference between the terms "Structural Engineer" and "Carpenter".

      --
      120 characters isn't enough to explain it.
    4. Re:Cracker Schmacker by Che+Guevarra · · Score: 1


      Is it "Trekkie" or "Trekker" ? I can never remember...

    5. Re:Cracker Schmacker by iso · · Score: 2

      no kidding, i'm sick of it too. especially when it's the same people who use "troll" incorrectly (or moderate it incorrectly). but whatever, "cracker" sounds stupid.

      - j

    6. Re:Cracker Schmacker by oojah · · Score: 1

      Wow, someone on slashdot who isn't just a sheep! (Baa to the rest of you :)

      It's like this guy who refuses to step into the present with regards to what pirate means.

      Sheesh, just because he's got a lower slashdot uid doesn't mean he's automatically right.

      I am intelligent enough to distinguish between software piracy and high seas piracy and so I doubt that I'll ever think that they need the same punishment.

      oojah
      --

      --
      Do you have any better hostages?
    7. Re:Cracker Schmacker by Reality+Master+101 · · Score: 2

      Damn straight! Originally, one of the meanings of "hacker" was "someone who breaks into computers". The Jargon File (which I'm too lazy to link to) claims that this sense is "deprecated", but I don't recognize ESR's -- or anyone's -- authority to do so.

      One of the meanings of "hacker" is breaking into computers. Get over it.


      --

      --
      Sometimes it's best to just let stupid people be stupid.
    8. Re:Cracker Schmacker by 137 · · Score: 1
      Exactly. It's just like RMS's claim that Linux should be called "GNU/Linux". Whether or not he is technically correct (he is) is really beside the point. Language, at its core, is fundamentally driven by communal interaction, which means that one person (or one group in the context of a larger, pluralistic whole) simply does not have the power to dictate the meaning of words.

      This isn't to say that among certain circles you can't sustain the difference between "hacker" and "cracker" or "Linux" and "GNU/Linux", but it does mean that your power to do so is really, really limited. And, hacker prejudice aside, don't the folks who break things have just as much right to choose their name as the folks who build things?

  50. Re:Look on the bright side by Kartoffel · · Score: 2
    if lots of shiny new Cubes are hacked and found to be serving warez FTP sites and IRC

    Is it so bad, if the worst thing that happens after being cracked is that you end up with a harddrive full of warez? :-P But seriously, Apple seems to have turned all services off by default. The average Mac user doesn't want to leave their machine on 24/7 or run services, anyhow.

  51. Re:Redundat by Kartoffel · · Score: 2
    Yup. Kiddies will go after things that are plentiful and easy. If MacOS becomes popular with consumers, it'll be popular with crackers. The more common and easy to own something is, the more popular it becomes with the kiddies.

    One thing that makes it tricky nowadays is that more homes are NATing/ipmasqing through boxes like the D-Link and Linksys routers, or through *nix machines these days. You can't just scan some ISP's block of ips and assume that there's 1 box by itself for each customer. When mom & dad and the kids are NATed onto one cable or dsl line, you're going to have a hard time telling one box from another when you're outside their subnet.

    Of course, kiddies just grab the hottest exploit and try it at random on everyone, so it doesn't matter.

  52. Re:So? by Kartoffel · · Score: 2
    a large AppleTalk network, and to be honest, I don't think that I've ever seen an Appletalk network that was more than 20-25 Mac's.

    Pfft. Heh. That's because any more than that is enough to completely saturate fast ethernet.

  53. Re:So? by Ducon+Lajoie · · Score: 1

    Sorry. Been using OS X full time since its release. PB before that.
    Sush!

    It does NOT have full support out of the box. It has NO support for Localtalk.
    It does however, and I think that's what you're referring to, have full Appleshare support, but over TCP/IP. So it does indeed integrate well with 8.6 and above machines.

  54. Re:So? by Ducon+Lajoie · · Score: 3

    Just FYI, OS X does not support AppleTalk (networking protocol) for anything but printing. It does not support LocalTalk (network topology) at all.
    File Sharing and other network services are all based on TCP/IP.

  55. Re:Some info.... by Valdrax · · Score: 2
    Well, let's hope that administrator isn't using the internet, because many applications, such as some popular IRC clients, use your account name as a default logon.
    That's a good point. I've always hated that. I did make the mistake of using my common alias online as my login. I should probably fix that.
    My intention is not to troll; one cannot rely on the root account being 'disabled' to prevent it being hijacked. You need to ensure your passwords are hard to guess, and that you don't send out information identifying other privileged accounts (which must exist, in order to enable the root account) over the internet too.
    No, you can't rely on it solely, but it is a very nice feature to have. It's great that you can do this in an easy to use GUI rather than having to do this the hard way on the command line too. It's a little security through obscurity. Of course it's not foolproof, but it's better than having every Mac OS X user on the internet sharing the same superuser account for everything.

    BTW, good passwords aren't really as much of an issue anymore. Most good exploits hijack an existing root process.
    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
  56. Re:Some info.... by Valdrax · · Score: 3

    Well, you have to know the name of an administrator's account or its UID to do anything with it. UID 0, or root, is well known on most systems. However, the administrator of a random Mac OS X machine on the internet could be anything, and there's no easy way to find it without already being on the system.

    Without going through NetInfo services or using a root account, you can't mess with a lot of things on the system. It's a good idea. Many security tips I've read suggest replacing the root account on your system with another superuser account. You should then delete the root account or set it up as a tripwire for people breaking into your system.

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
  57. Re:So? by rabidMacBigot() · · Score: 2
    I can't see a massive corporate network of Macs being any sort of problem, since the odds of finding a massive corporate network of Macs is pretty slim to begin with.
    The biggest threat in my simple, uninformed opinion, is snagging a bunch of Macs to use as DDoS hosts. This is far more likely, given the fact that quite a few schools and universities have labs of 10-50 Macs, each with a routable IP on the school's network. More home users with OS X also means more Macs sitting on broadband 24/7.
    Anyway, I guess my point is that I'm not too worried about critical secrets being found on a compromised Mac, but that a phalanx of grandmas will have their iMacs on their cable modems end up being used as DDoS hosts. Thankfully, it's relatively difficult to get root remotely on a Mac; the only services that are on by default are NetInfo (uses RPC) and AFP sharing. Any attacker who could convince either service to execute their own code has to know:
    • the weakness of that service
    • enough PPC assembler to exploit that weakness
    • how to convince the Mac to start up a shell server, because none are running by default, and you need a shell to get a rootshell.


    --
  58. Re:Security for Mac Users by mjpaci · · Score: 1

    IE is already on the Mac platform and the move to OS X was a small one. All they had to do was 'carbonize' IE for it to run natively (not using Classic) on the Mac. The jump from carbon to Linux is HUGE. Now, had IE been written for Cocoa, the jump would also be equally as huge. Sorry. No IE for Linux. Why would you want it? Netscape has been really good about updating Navigator. :)

  59. Re:This could be a problem by mjpaci · · Score: 1

    That would be 'Security through Obscurity'

  60. Re:Hack it!!! by mjpaci · · Score: 1

    >Apple tried to sell OS8 with great fervor as well and were quite unsuccessful with it.

    WHAT? They sold a bazillion copies of OS 8. Are you referring to OS 9, maybe? They sold quite a few copies of that, too.

  61. Re:Cracker vs. Cookie by mjpaci · · Score: 1

    Being the naive young child of Left Wing liberals up until recently I thought that crackers and cookies were: 1) What the black kids called me (see my post above). 2) What I called the black kids (cookie, burned) not realizing, since my parents were too liberal even to explain race relations in the 70's, that they might take offense. Hell I was called White Cracker. Why shouldn't I call them Burned Cookie? My whole education on race was "Just don't call them 'boy'." That I didn't figure out until college. Just rambling... Mike

  62. Re:The underbelly.. by mjpaci · · Score: 1
    Good point.



    I didn't mean it as punishment, just as time better spent for him and us. How? For him, obvious. For us? If he's wacking he ain't posting here.

    --Mike

  63. Unn*x Us*r Unfriendly by robertc5 · · Score: 1

    My take on this is that OS packagers try to make configuration too plug and play. Maybe a better way to encourage good security practices would be to make it a real pain to configure the installation to the point of usability. If (for example) the owner had to set permissions before he could use anything; then the user would have to think about security. For most users detailed (and lengthy) instructions would be needed.

  64. Re:works another way though by Hack-n-slash · · Score: 1

    Remember, one of the reasons the user needs the software update is because his computer has a security hole which may have already been exploited. The little piece of MacOS X code that says "go to Apple to get my software update" can be replaced with "go to my script kiddie site for software updates".

  65. Re:OSX Security by bnenning · · Score: 5

    Pure FUD. /etc/passwd is ignored if NetInfo is running, which is pretty much always. I just checked two Macs, one running the retail OS X and one running the public beta, and neither has any passwords in /etc/passwd. Finally, in the retail OS X the root account is disabled by default; you have to either enable it or use sudo to become root.

    --
    How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
  66. Some info.... by imac.usr · · Score: 5

    1. root access in Mac OS X is disabled by default. You can use sudo if you're an Administrator but that means knowing somebody's account/password, which is tougher, though certainly not impossible, to get if you have services turned off by default (which they are).

    2. There is an article up today on StepWise that describes how to update sudo to fix a potential buffer overflow (basically, you're just replacing the Apple-installed one with the current patched code).

    3. EVERY copy of Mac OS X IMHO should come with a copy of BrickHouse, a kick-ass GUI for configuring the built-in firewalling capability in OS X. It's certainly more attractive to most Mac users than using ipf.

    4. /etc/passwd is only accessed if the machine is booted into single-user mode (or if you futz with lookupd), and IIRC the password is shadowed in the release version of OS X.

    5. Not trying to be combative, just pointing out some issues that slashdot readers might not be aware of if they haven't played much with OS X. Yes, we need to be more concerned over security than we were with OS 9, but to me, the benefits of the system -- like being able to fix/update it yourself instead of waiting for Apple to release patches -- far outweigh the increased need for vigilance.


    --

    --
    I use Macs for work, Linux for education, and Windows for cardplaying.
    1. Re:Some info.... by sydb · · Score: 1

      I'm not sure how root access being disabled by default is a security feature of worth.

      Specifically, I don't see how it's tougher to get an Administrator's password than to get root's. OK, root might have a default, widely known password, but if the 'administrator' doesn't know enough to change that password, my guess is their own password is "password".

      --
      Yours Sincerely, Michael.
    2. Re:Some info.... by sydb · · Score: 1

      Yes, but with an Administrator's account I can apparently:

      1. Enable the root account
      2. Set the password.

      Then I can do whatever I like.

      --
      Yours Sincerely, Michael.
    3. Re:Some info.... by sydb · · Score: 1

      Sounds more like "irrelevant to security" to me.

      If a cracker can't get straight to root, but can go via an admin account, the only benefit to the victim is that it takes a bit longer and a little more work.

      --
      Yours Sincerely, Michael.
    4. Re:Some info.... by sydb · · Score: 1

      Well, let's hope that administrator isn't using the internet, because many applications, such as some popular IRC clients, use your account name as a default logon.

      This is not a security feature of note if other security measures are not taken, such as avoiding transmitting account names over the internet.

      My intention is not to troll; one cannot rely on the root account being 'disabled' to prevent it being hijacked. You need to ensure your passwords are hard to guess, and that you don't send out information identifying other privileged accounts (which must exist, in order to enable the root account) over the internet too.

      My suspicion is that it would be more secure to have the root account enabled with a hard password (long, mixed-case letters, numeric and non-alphanumeric, non-dictionary). That way privileged root-enabling accounts are not required.

      --
      Yours Sincerely, Michael.
    5. Re:Some info.... by am+2k · · Score: 2
      IIRC the password is shadowed in the release version of OS X

      That's not true. You can get all passwords (encrypted) by executing "nidump passwd ." from any user account. I just tried it on Mac OS X 10.1.

    6. Re:Some info.... by daemons_advocate · · Score: 1

      I tend to agree with you... I'm a Mac user, but I prefer OS 9.*... :) My server expertise lies with Solaris and BSD...so anything that deals with OS X, I will have to pick up when the time comes...Like any UNIX variant, OS X will have its fair share of bugs and problems that will eventually be worked out. I would probably buy OS X Server if I was paid enough...so I could learn all the little intricacies before I put it up as a production machine...

      --
      "No repair is needed...just a spark."
  67. Re:Security for Mac Users by bruns · · Score: 1

    Hrm, well IE 5 for Mac isn't nearly as bad as IE for Windows. Hell, I wouldn't ever use any other browser for Mac but IE.

    It's the only one which doesn't crash on me, and it renders pages halfway decently. People should give more credit to the Apple developers at Microsoft, regardless of what their Windows counterparts do. I mean, Office isn't so bad either on the Mac.

    --
    Brielle
  68. Good security runs counter to the Apple philosophy by Broken+Bottle · · Score: 3

    Apple pushes their products' ease of use, but good security practices on a *NIX OS are not easy sometimes. Well, they might be if you're a *NIX guru, but they certainly won't be if you're the average Apple user. I wonder how Apple is going to address these (potential, if not real at the moment) security issues with their customers and not scare them away from OSX. That would be unfortunate because OSX really is a nice piece of work, but, I feel, having the ease of use of a classic Mac and the power of UNIX are two goals that run counter to each other. Maybe Apple will make an effort to educate its customers...

    Chris

  69. Re:The underbelly.. by Darby · · Score: 1

    laugh. Go back to jerking off to Victoria's Secret catalogs

    This is a punishment how exactly?
    ---CONFLICT!!---

  70. Re:The underbelly.. by Darby · · Score: 1

    Better point right back at you ;-)
    ---CONFLICT!!---

  71. A Nightmare in the making... by Che+Guevarra · · Score: 2



    As a long time Mac user who is just starting to play with OSX, I can tell you that this is going to be an absolute security blood-bath. We don't know jack about user security and we don't know anything about how this new OS works.

    To make matters worse, we're out there downloading everything we can get our hands on. We want to use this new OS, so every new app is a brand new toy to play with. If the read-me file says to log in as root before installing, we'll do it. If the read-me file says to trash this or that, we'll do it because we don't know any better. We're at the mercy of anybody with a webpage containing a download section.

    For all I know, I've already installed a backdoor on my system. How can I tell? The learning curve will be steep on this OS. Mac users are not stupid and they will learn, but we're going to get smacked hard a few times before we figure out what we're doing.

  72. That's not a sploit... by Greyfox · · Score: 1

    That's the FBI back door.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  73. s/Mac world/world/ by Greyfox · · Score: 5
    The reason the Internet is currently such a playground for skript kiddies and crackers is that 99% of the people who connect to it are clueless about security. They don't know the first thing about networking, TCP/IP, clients or servers. They just know that they double click the icon that CD they got in the mail installed on their desktop and their computers connect to the Internet. Most of them don't even know what a modem or an ethernet card is. The salesperson just told them to plug their phone cable or that cable from the cable box into that hole there and that's what they did.

    I'm not saying that consumer mentality is wrong, per se. Not everyone has the time or the inclination to learn all this stuff. However, the way the current network is built is not compatible with that mentality. There are things ISPs could do to make the network more tolerant of their users' mistakes but I don't see any ISPs taking those steps. Part of the problem on that front is that hiring people who are able to set that up would seriously affect the profit line and the margins are already razor thin in that industry.

    Even if the ISPs did their part, there's still the issue of fraud on the net. People have this disturbing tendency to believe what you tell them (Do you believe that?) even if you're a complete stranger. Fraud on the net pays because it's easy to perpetrate, hard to catch and rarely punished severely enough to make it unprofitable. A healthy dose of skepticism would benefit most Americans, on and off the net.

    The problems here are not limited to the Mac world.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  74. Re:Security for Mac Users by Smileyq · · Score: 1

    I agree but I also think that Apple was aiming a lot into the UNIX crowd for this one. I mean as a UNIX user for years on end and a mac user I'm loving it. I mean how long does it take to make a great GUI for UNIX well apple did it. Anyways OS X is pretty secure out of box. It doesn't have much of anything open (port wise). Maybe we should start up our own OS X security training course hehe. Thanks for the great post.

    --
    Smileyq ---------------------------- UNIX geek and proud of it ----------------------------
  75. DOS Attacks? by maniac11 · · Score: 2
    A friend who's employed as a lead network administrator at a major public university has experienced a huge increase in port scanning since the release of OSX. He attributes it, not to malicious attacks, but to inquisitive college kids opening the Network Services control panel and hitting 'Port Scan' -- Just to see what it does...

    This doesn't necessarily open their own machines up to malicious-types, but it makes a lot more of them seem malicious themselves...

    --
    Guvegrra?
  76. we'll just have to see by jbridge21 · · Score: 2

    The security of OSX will depend on how fast Apple puts out patches, just like any other operating system.

    And as long as people don't run lots of services by default, this OS has the potential to be just as secure as MacOS classic...
    -----

    1. Re:we'll just have to see by Twisted+Mind · · Score: 2

      Was MacOS so secure? As far as I know it was not multi-user and before version 9 not even multi-profile.
      I think the most important reason for lack of viruses for the mac was a limited technical functionality and more important a limited user base.
      The most important was probably that MS wasn't capable of writing a completely cross-platform version of VBA for Office and IE/Outlook.

      PS, the fact the article ends with .htm instead of .html says it all.

      --
      (-% TwistedMind %-)
  77. No, that's not the way it works. by Nonesuch · · Score: 2
    QNX holes have shown up on BugTraq/Securityfocus.

    I hear this a lot. Linux users are always telling me "there are fewer exploits for OpenBSD because fewer people use OpenBSD", which is like saying "There are fewer fatal car crashes involving Volvos because fewer people drive Volvos".

    IOW, you are half right.

    But not everybody who hunts exploitable holes is a black hat, there are people (such as myself) who hunt for bugs in any OS or software they use. I'll even write exploits- not to hack other systems, but to pressure the vendor to fix the problem and ensure that *MY* systems are not exploitable by others...

  78. Re:So? by frankie · · Score: 2

    Bingo. The reason why relatively few people will crack OS X is the same reason why there are so few Mac system viruses compared to Windows. Most of the black hats use x86 commodity hardware, often self-built. Converting that code to PPC is a little easier now with Darwin's GCC, but it's still an extra hurdle.

    Think back to the LinuxPPC contest a few years ago. They enabled a known vulnerable version of FTPD on purpose, but it still took weeks before someone wrote a PPC buffer overrun crack.

  79. Re:Security through obscurity works. by frankie · · Score: 2
    Obscurity? No.

    PPC Assembly is publicly documented at both IBM and Motorola. APIs and a full development environment are available at Apple. The kernel is open source.

    This word "obscurity", I don't think it means what you think it means. Perhaps you meant to say "security through diversity"?

  80. Re:Security for Mac Users by MasonMcD · · Score: 2

    Actually, I think this is best served by 3rd party software like this. Apple can just keep stuff (telnet, apache, etc.) turned off by default (Apple now ships with OpenSSH for access rather than telnet), and if you want fancy stuff, get a GUI firewall configurator.


  81. Re:Depends how it ships by MasonMcD · · Score: 2

    Exactly. Apache and Sendmail are *not* on by default. Sendmail is actually rather complicated to enable (for a typical user...config files) but Apache is a radio button away. I use dyndns and a firewall, so I feel pretty confident. But maybe Apple *really* doesn't need to be worried until the broadband revolution, happening RSN (TM).


  82. 0xDEADBEEF by r0ach · · Score: 1

    We W1ll 0wn Z33 0S-X!

    --
    -- www.RoachMcKrackin.com
  83. Re:Cracker vs. Cookie by ReelOddeeo · · Score: 1

    Both Cracker and Cookie are computer jargon terms, and nobody seems to get them confused. So why the problems with Cracker vs. Hacker? Or Hacker vs. Ax Murderer?


    very few animals were harmed in the making of this post.

    --

    Those who would give up liberty in exchange for security and DRM should switch to Microsoft Palladium!
  84. Re:End of incense by ReelOddeeo · · Score: 3

    There was a long span of time between HyperCard and AppleScript.

    During that time, the Mac world was afflicted with about (under) 40 different viruses. A free program Disinfectant was developed by Northwestern university.

    Disinfectant was wonderful. It solved all four problems: (1) Detection [after infection] (2) Repair [after infection] (3) Prevention [hook system traps, alert when virus tries to insert itself] (4) Education [its detailed documentation was absolutely first rate]

    And it was freeware. You could expect an updated Disinfectant to appear online within 24-48 hours after an entirely new Mac virus was discovered. (And this is all prior to the WWW, and even Gopher. Back in the days when Mac users used dial up CompuServe/AOL, and AOL was a Mac-Only service.)

    As a result of Disinfectant, after about 30-some-odd viruses were developed for Mac, no more appeared. It just wasn't any fun. Limited market share platform, and your virus can't spread very far with Disinfectant around and widely installed.

    There were Word Macro viruses -- but these were cross-platform, not unique to Mac. An AppleScript virus, but wasn't this years later? Didn't AppleScript not appear until about 1992 ish -- years after the original Mac virus wars?

    --

    Those who would give up liberty in exchange for security and DRM should switch to Microsoft Palladium!
  85. Re:The first exploit. by re-Verse · · Score: 1

    Is this an exploit? Is this ANY different than booting linux from lilo as "linux 1" when you lose your root password (?!?!), or from BSD, typing "boot: s"

    Both dump you into single user mode, with no password, giving you full root access.

    so i doubt if this was implemented by Apple tech support, unless they've been working on *NIX systems for a looong time before their new jobs at Apple.

  86. "Drugs" vs. "illegal drugs" by yerricde · · Score: 3

    you don't see drug store owners writing angry letters to the editor explaining that this sort of thing gives them a bad name and that the journalist should have used "substances of an illicit nature".

    If journalists call such substances "illegal drugs," why can't they call cracking "illegal hacking"?

    --
    Will I retire or break 10K?
  87. Re:Hack vs Crack by pallex · · Score: 1

    it's just a language (Colour vs Color thing) - get used to it!

    I'm always going to call someone who enters other people's computer a Hacker, and someone who removes copy protection a cracker, and so are, I imagine, most of Europe.

    Mod me down for being un-American if you like, but it's the way it is!

    We'll just have to learn to get along with each other!

  88. built-in firewall by Therlin · · Score: 1

    Those who will use the server services in OS X are probably aware of the OS X built-in firewall.

    Apple doesn't provide a pretty GUI for it, but some other guy took the time to write one.

    1. Re:built-in firewall by Therlin · · Score: 1

      good point :)

  89. Security through obscurity works. by TheLink · · Score: 1

    Proving thus security through obscurity works, despite idiots who keep saying it doesn't.

    Thing is, there are all these security experts who are writing scripts for "script kiddies". So it just takes one expert to write and publish a working kiddie script for the Mac and then you'll have kiddies port scanning the world for that vulnerability.

    Sure it's good to point out vulnerabilities. But it's a bit harder to justify the benefits of making kiddie-scripts available to the world.

    You might be surprised how long most people take to find things out on their own.

    You can find a bug and report it to the vendor who takes years to fix it, despite that nobody exploits it. Later you find a similar problem in some other vendor's product. Nobody seems to have noticed it either. And these are supposed to be security products too ;).

    Either that or the people who notice such things are keeping quiet.

    Cheerio,
    Link.

    --
  90. Re:they are already there. Re:Security for Mac Use by scrod · · Score: 2

    Under NO circumstances would OS X be vulnerable to OS 9 security exploits. It doesn't matter if the classic environment is running, because OS X uses its own BSD-derived networking stack! Classic is merely a hardware abstraction layer! All its networking goes through OS X!

  91. Re:Depends how it ships by fintler · · Score: 1

    They don't need a trojan or anything, sudo /bin/tcsh passwd will do the job. The default user on the box can do this by just having their own password.

  92. OS X only 'fairly' secure out of the box by Chuck+Bucket · · Score: 1
    While doing some research on this, and eating Altoids, I found a 'Shareware' app for OS X called Brickhouse. Essentially it's a GUI for 'ipfw' to apply/change firewall rules under OS X. In the description it states:
    • While Mac OS X is fairly secure as installed, it also includes a powerful network traffic filter or firewall that can both prevent break-in attempts and keep your computer from being used in attack on another computer. Unfortunately, the default installation leaves it wide open, and you must manually 'add rules' or filters using a command line tool called ipfw. You need to use Terminal.app to do this.
    So there you go, it won't be enough for Mommy or Daddy to install OS X, they'll need to configure ipfw, and in this case, they'll need a 25$ Shareware product to do it! Man, that bites. Will OS X users want/demand free software as we've come to appreciate under Linux? I for one can't go back. I'm looking for the time when source is taken from a GPL'd Linux app, and then 'carbonized' (with the pinstripe look) and then released as a 25$ shareware app for OS X.

    Oh, and I'm already sick of the 'pinstripe' look of EVERY OS X app. Yeech!

    Chuck Bucket
    ----
  93. Re:The first exploit. by uid8472 · · Score: 1

    Sorry to burst your bubble, but the latest Open Firmware rev lets you password-lock at the hardware level, so that you have the option of even preventing a single-user boot.

    Yes, but if you can change the amount of installed memory, the password protection goes away on the next boot. This really is a feature, not a bug; there is no substitute for proper physical security.

  94. Re:The first exploit. by drinkypoo · · Score: 1
    Sorry to burst your bubble, but the latest Open Firmware rev lets you password-lock at the hardware level, so that you have the option of even preventing a single-user boot.

    That must be recoverable; There's got to be some way to clear the OF password, even if it involves clearing PRAM with a paper clip.

    Anyone know how this is done on the new mac hardware?


    --
    ALL YOUR KARMA ARE BELONG TO US

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  95. Security for Mac Users by 10.0.0.1 · · Score: 1

    That means Apple users now have to consider all the security issues that come with operating in a Unix world.

    Unless Apple comes up with a fancy widget that (Most) OSX users are able to click on to make their boxes secure I can say this: It ain't gonna happen. Don't get me wrong, there will be plenty of competent users out there, but the majority of the Mac world is clueless about security.

    --
    forth ?love if honk then
    1. Re:Security for Mac Users by nycdewd · · Score: 1

      your presumption is 100% wrong, IE is not/will not be the prominent browser on OS X, it is and likely will be OmniWeb

    2. Re:Security for Mac Users by nycdewd · · Score: 1

      your presumption is 100% wrong, IE is not/will not be the prominent browser on OS X, it is now and likely will be OmniWeb

    3. Re:Security for Mac Users by nycdewd · · Score: 1

      how now, anon cow? OmniWeb, you dolt

    4. Re:Security for Mac Users by IronChef · · Score: 2

      Hrm, well IE 5 for Mac isn't nearly as bad as IE for Windows. Hell, I wouldn't ever use any other browser for Mac but IE.

      If you use OSX at all, try OmniWeb. It's free and it's darn good. Doesn't lock up when downloading like IE5.1 on OSX.

    5. Re:Security for Mac Users by -Harlequin- · · Score: 2

      but the majority of the Mac world is clueless about security.

      Even though I'm not an OSX user myself, I can categorically state that I am clueless about security.

      On the other hand, I don't run Outlook, which means I stop most viruses dead in their tracks without even realising it...

      Hmmm, maybe I'm a security guru after all.

    6. Re:Security for Mac Users by sydb · · Score: 1

      Given there are already, and have been for some time, Solaris and HP-UX ports of IE, I should think this brings us no closer whatsoever.

      --
      Yours Sincerely, Michael.
    7. Re:Security for Mac Users by blitzrage · · Score: 2

      As if Windows users are any better?

      --

      I have no signature
    8. Re:Security for Mac Users by mblase · · Score: 4
      ...but the majority of the Mac world is clueless about security.

      Evidence indicates the same is true of Red Hat Linux and Windows 2000 users, as well. But why should this matter?

      After all, most people aren't going to be using the server features of OSX any more than they do the server features of Windows 95. Those who do will probably have a wealth of firewall and security programs at their disposal soon enough (Symantec already has 'em for Mac OS 9).

      Most crackers still won't bother with OS X, though, for the simple reason that it's such a small target. A few will attack it because they can, but most will stick to Red Hat and Windows because they're more common and more likely to provide useful data.

    9. Re:Security for Mac Users by eXtro · · Score: 5
      By default MacOS X is going to come up only as a client to the internet, so by default it will be pretty secure. The biggest weakness will most likely be the web browser since Internet Explorer will be the most common one.

      That the majority of the Mac world is clueless about security can also be extended to the majority of the Windows, Linux and any other operating systems world.

    10. Re:Security for Mac Users by EvilStein · · Score: 1

      Apple doesn't need to. That's why you search Versiontracker for "Brickhouse" Voila, click some pretty buttons, secure MacOS X. :)

    11. Re:Security for Mac Users by Brummund · · Score: 1

      Hm, if MS ports IE to OSX, how far away is a port to Linux?

      :-)

  96. It's Business Week for chrissakes by revbob · · Score: 1
    Let me repeat that: Business Week.

    Like you expected them not to believe closed source == more secure?

  97. Re:This could be a problem by Twisted+Mind · · Score: 1

    Even more, the old Mac OS isn't even an server OS.

    --
    (-% TwistedMind %-)
  98. doesnt work like that. by TotallyUseless · · Score: 1

    The user's computer contacts apple to inquire for the updates. Apple doesn't send out notification to the program. There is no message or signal you can send to trigger it on someone else's computer.

    --

    Time for some tasty Shiner Bock!
  99. but... by TotallyUseless · · Score: 1

    The Mac versions of Explorer and Outlook don't support any of the exploits used on windows. No activex stuff or vb nastiness supported. I actually received a copy of iloveyou from someone. it opened as a text attachment, not any kind of executable

    --

    Time for some tasty Shiner Bock!
  100. ack, sorry by TotallyUseless · · Score: 1

    i try to say something nice about mac explorer, and it goes and screws me with a double post. figures :D

    --

    Time for some tasty Shiner Bock!
  101. Customizable by TotallyUseless · · Score: 2

    My guess as to why you never heard the mac users you know complain about control over the os, might be the fact that the old mac os was actually crazy customizable. Most non mac users just don't realize how much control you could really have over your system. Between themes, Kaleidoscope, countless extensions and control panels, and ResEdit, you could change pretty much anything imaginable on your system.
    my 2 cents

    --

    Time for some tasty Shiner Bock!
  102. but... by TotallyUseless · · Score: 2

    The Mac versions of Explorer and Outlook don't support any of the exploits used on windows. No activex stuff or vb nastiness supported. I actually received a copy of iloveyou from someone. it opened as a text attachment, not any kind of executable

    --

    Time for some tasty Shiner Bock!
  103. wow.. by grue23 · · Score: 2
    this is one of the few cases where the article itself is more flamebait than the /. article pointing to it. businessweek itself admits that macOSX is more secure than 9 and previous versions, but not until it's about halfway down the article. The article is pretty pointless: 'MacOSX will be more of a target for hackers except it won't really and it's actually more secure than 9 anyway'.

    One thing that I wish I saw more press about is the security impacts of default configurations. I think that is one of the biggest places where Windows users get bitten in the ass. The 'I LOVE YOU' thing got spread because outlook defaults to blindly running scripts; my company was spared most of the trouble because the sysadmin had changed that default parameter. If you set up an FTP server on Windows 2000 it defaults to allow anonymous connections. We had a developer testing a piece of code he was writing that used ftp and he discovered a couple weeks later that he had a ton of pirate software under the ftp fileroot because he just turned ftp on and didn't look closely at the default options.

    OS manufacturers, including *NIX ones, really need to start thinking about their default configurations. If OSX starts up not running any server daemons (as previous posters have claimed), then it is far more secure than most *NIX distributions, most of which will come up with sendmail, telnet, ftp, finger at the minimum.

  104. Re:Worst Re:they are already there. Re by ka-klick · · Score: 1
    No, you forgot the smiley. ;-)
    As humorous as your comment was it had some pretty serious flaws in it that I didn't want people taking as gospel (If I saw it on slashdot it must be true ;-))

    --

    MSRP - Tax, Title & Licence Extra Your Milage May Vary

  105. Re:they are already there. Re:Security for Mac Use by ka-klick · · Score: 4
    A quick search reveals there are already some "bugs" in MacOS

    So quick you didn't bother to read any of them? The most recent is over 6 months old and has been fixed for some time. Most of them are also LOCAL exploits and as anyone who knows anything about security will tell you, If you have physical access to the box it CAN be cracked. Also a grand total of 9 since 1998 doesn't look too bad to me.

    Good thing is that OSX is still compatible with OS 9 so all the old exploits still work.

    Here's another BIG problem in your logic. The Classic environment in OSX requires 9.1 which already has patches for what has been patched (or is patchable)

    --

    MSRP - Tax, Title & Licence Extra Your Milage May Vary

  106. Macintosh Security by herwin · · Score: 2

    In the past, the relative security of Macintosh systems was due to the lack of remote access and the generally unattractive nature of a user community that was willing to give you a barbed-wire enema if you crossed it. (Well, not literally, but there were enough people in the community who were willing to go after a virus-maker that it was a bit risky.) I wonder if either factor has changed much. Mac OS X 10.0.1 comes with standard telnet, rlogin, rsh, etc., disabled and SSH installed instead, and the user community remains small and intolerant.

  107. Re:What's up with bad mouthing UNIX? by cant_get_a_good_nick · · Score: 1
    And I didn't see anything in the article about Linux, which has had some highly public worms recently. And I didn't see anything about BSD on PDPs, upon which the Morris worm took out a major portion of the then-existing Internet.

    It's an article about Mac OS X security. Not Microsoft. Mac OS "classic" (previous to OS X) was secure by not having anything really to exploit. No shells, few net daemons, for years TCP/IP wasn't standard and very few Macs were on the Net so any cracks couldn't touch it anyway. Now you have a situation where all that has changed. Scripts will be written. KiddieZ will run them. People will get rooted. Instead of burying heads and saying "he he, it's not Microsoft" and ignoring problems, worry about fixing them.

  108. Re:End of incense by MrBogus · · Score: 1

    Speaking of Disinfectant, our college Mac Plus lab got whacked with a nVIR variant that Disinfectant could sometimes identify, but couldn't handle. Took out pretty much every disk in the lab, so perhaps a little too virulant to even spread that far.

    But I agree with the sentiment that a free, virtually universal antivirus program minimized the number of viruses. Imagine if Microsoft shipped anti-virus software with Windows (ignoring the half-assed attempt with DOS 6 for the moment).

    --

    When I hear the word 'innovation', I reach for my pistol.
  109. Re:Hack vs Crack by Golias · · Score: 2
    My only caveat is the use of the hack rather then crack - but that's a semantics thing.

    Should we bother listening to somebody complain about semantics when they don't even use the word "caveat" correctly?

    By the way, I completely accept your definitions for "hacker" and "cracker", pallex. So do most Americans (those who do not treat the Jargon File like their Bible, anyway).

    --

    Information wants to be anthropomorphized.

  110. Re:Apple Security Contact info: by phandel · · Score: 1

    Sounds like someone is going to have to setup a slash code site just for the OSX and their security issues.

    Like this?

  111. security fixes are easier for os X by firewort · · Score: 5

    Security fixes are easier for os X.

    Mac users have the Software Update tool, which can be run manually, or automatically scheduled to run.

    Unlike the windows update, there's no website involved, and it hits up apple's servers and mirrors. (Maybe this is more like the ximian updater or mandrake update tools.)

    As long as Apple's software update server isn't cracked, the Mac user has a brainless way to automate software updates which can include security fixes.

    Many Mac users are quick to jump and get the latest update, so propagating security fixes isn't a problem. The only problem is the unclear channel for reporting them.


    A host is a host from coast to coast, but no one uses a host that's close

    --

  112. Apple Security Contact info: by Alien54 · · Score: 3
    As noted in the article, but which seems to have been overlooked by most posters:
    For starters, there's no security destination for OS X users on Apple's Web site. Nor does Apple operate a security mailing list to notify users of potential weaknesses and patches they could apply to lock down their systems. Microsoft, Sun, and Red Hat all maintain security mailing lists and security destinations.

    Apple also has failed to provide a way for programmers or others to notify the company of new security flaws. "There is currently no known e-mail address, or drop box of any sort, to notify Apple of a potential or confirmed security problem in any of their products," Norvell says. That isolates the best source of information about new security leaks: Apple's customers.

    Furthermore, Apple hasn't shown any indication that it has assigned dedicated staff to tackle security issues and writing patches. A key component of security for any serious OS is a team of experienced code writers that can quickly evaluate threats, assess the damage potential, and inform customers. Such a dedicated response team is particularly crucial with Unix products.

    Here's why: Due to the underlying similarity of all Unix systems, a vulnerability in one type of Unix system can often be used to compromise another. That means security engineers must scramble to ensure that Unix problems announced on one platform won't prove hazardous to others. This is the way the CERT notification system has worked until now, and it has depended on software vendors investigating reports in a timely manner. That's tough to do without a dedicated security staff.

    Sounds like someone is going to have to setup a slash code site just for the OSX and their security issues.

    Sounds like a business plan to me.

    Check out the Vinny the Vampire comic strip

    --
    "It is a greater offense to steal men's labor, than their clothes"
    1. Re:Apple Security Contact info: by Rick+BigNail · · Score: 1

      But the site you linked to use php, not perl.

  113. Worst Re:they are already there. Re by leuk_he · · Score: 1

    Worst thing is that MacOS (or linux..) users have no sense of humor when it touches their OS.

  114. they are already there. Re:Security for Mac Users by leuk_he · · Score: 3
    A quick search reveals there are already some "bugs" in MacOS

    Good thing is that OSX is still compatible with OS 9 so all the old exploits still work.

    Best thing is that with good multithreading the user will never notice that the box is hacked. Even if it is slow that will be nothing new to the user.

  115. Hack vs.Crack by guinsu · · Score: 2

    This whole hack vs crack thing is on the whole very stupid and shortsighted. Languages change and evolve, accept it. Words change meaning, fighting this hack vs. crack war is like people who get annoyed at split infinitives or the fact that the word 'gay' has pretty much changed meanings since the 50's. All it does is make certain computer users look like uptight nitpickers and evokes images of the comic shop owner on the Simpsons.

  116. Re:Depends how it ships by 2starr · · Score: 5

    It does come with Apache, telnetd and sshd all disabled. Probably the biggest risk for these is that they can be enabled with the click of a button, so the average user might not think of it as a big deal. Another security issue is that the root account is disabled by default. This is harder to enable though, so I would suspect that most users wouldn't know how to enable it and if they do, they probably are thinking about security.

    --

    "Let your heart soar as high as it will. Refuse to be average." - A. W. Tozer

  117. this is retarded.. by Dragonshed · · Score: 2

    >OS X's heavy reliance on Unix makes Macs tempting potential targets for hackers and viruses.

    When was the last time you did 'apt-get upgrade service_pack_4' because the I Love You virus had infected your /usr/bin/soffice install??
    The only reason the media is so concerned with virii is because microsoft cared so little for security in the first place. Hacking OSX might be a valid concern considering the possible complexities of unix, but virii?

  118. Isn't that obvious? by AlphaOne · · Score: 4

    This is a little like asking if a brand new model of car is likely to be stolen.

    Of course it will.

    Why?

    Why do mountain climbers insist on climbing the highest mountains? Simply because they're there.

    It will be cracked at some point because it's a new target. Apple will then (hopefully) do the little dance that all OS makers do... patch it up and make it better.

    If the crack exploits some flaw in Darwin, at least we can go look through the code to figure it out... a much greater luxury than what is allowed by most other OS manufacturers.
    --

    --
    All opinions presented here aren't mine.
  119. Re:The first exploit. by AlphaOne · · Score: 5

    This isn't any different than just about every other system. If I can physically get at it, I can break into it.

    If all else fails, I'll just take the damn thing with me.
    --
    All opinions presented here aren't mine.
  120. check developer's lists by wmulvihillDxR · · Score: 2

    According to the darwin developer's lists, the kernel started with a core ported from Mach that was a little old. There was discussion of updates and changes (including security fixes) being done in a timely fashion. The conversation died out which leads me to believe that either they continued the discussion off the list and are happily patching the darwin kernel, or they just glazed over that. I'm going with the first one since those darwin people are pretty smart and professional. But it IS interesting...

    --
    Check out Althea for a stable IMAP email client for X. Now with SSL!
  121. Which 'sploit do you choose? by b1t+r0t · · Score: 2
    So tell me, how do you 'sploit two different architectures at once, when a given remote root buffer overflow exploit has only one chance because they crash the vulnerable task if they fail to take it over?

    Think about it... if you tried to hit an OS X machine with a Linux BIND 'sploit, it would crash the nameserver for a simple DoS. But because BIND has now crashed, it's no longer vulnerable! No root for you!

    You better get your OS fingerprinting right the first time through! Seems with appropriate fingerprinting obfuscation, OS X would be a nice choice for running a BIND nameserver.

    Of course inetd daemons like wuftpd and sendmail let you have another chance, but I doubt OS X is running wuftpd, and sendmail is pretty clean these days. And so is apache.

    By the way, because the PowerPC is big-endian, there is a class of buffer exploits that it is immune to. Sometimes only one byte of buffer overflow is possible, and on an X86 that lets you change the low byte of the return address to return to a wrong place near the original caller. On the PPC, that's now the high byte of the return address, which is basically useless.

    --
    "Open source is good." - Steve Jobs
    "Open source is evil." - Microsoft
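
Added example, not part of the comment above or of any code from the thread: a simulation of the one-byte overflow comment 121 describes, run against a flat byte array rather than a real stack, with the bounded copy beside the buggy one. The saved address 0x10002A40, the 8-byte buffer and the input bytes are constructed values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 8               /* size of the simulated local buffer */
#define SAVED_ADDR 0x10002A40u  /* constructed sample "return address" */

enum byte_order { ORDER_LITTLE, ORDER_BIG };

/* Write a 32-bit value into 4 bytes using an explicit byte order. */
static void store32(uint8_t *out, uint32_t v, enum byte_order o) {
    for (int i = 0; i < 4; i++) {
        int shift = (o == ORDER_LITTLE) ? 8 * i : 8 * (3 - i);
        out[i] = (uint8_t)(v >> shift);
    }
}

/* Read a 32-bit value back from 4 bytes using the same byte order. */
static uint32_t load32(const uint8_t *in, enum byte_order o) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        int shift = (o == ORDER_LITTLE) ? 8 * i : 8 * (3 - i);
        v |= (uint32_t)in[i] << shift;
    }
    return v;
}

/* Buggy copy: "<=" lets it write BUF_LEN + 1 bytes, one past the buffer. */
static size_t copy_off_by_one(uint8_t *dst, const uint8_t *src, size_t n) {
    size_t i;
    for (i = 0; i <= BUF_LEN && i < n; i++)
        dst[i] = src[i];
    return i;
}

/* Bounded copy: never writes more than BUF_LEN bytes. */
static size_t copy_bounded(uint8_t *dst, const uint8_t *src, size_t n) {
    size_t i;
    for (i = 0; i < BUF_LEN && i < n; i++)
        dst[i] = src[i];
    return i;
}

/* Lay out [buffer][saved address] in one array, copy 9 constructed input
   bytes into the buffer, and return the saved address as it reads afterwards. */
uint32_t saved_after_copy(enum byte_order o, int bounded) {
    uint8_t mem[BUF_LEN + 4];
    uint8_t input[BUF_LEN + 1];

    memset(input, 0x41, BUF_LEN);  /* constructed filler bytes */
    input[BUF_LEN] = 0x90;         /* the single byte that overflows */

    memset(mem, 0, sizeof mem);
    store32(mem + BUF_LEN, SAVED_ADDR, o);

    if (bounded)
        copy_bounded(mem, input, sizeof input);
    else
        copy_off_by_one(mem, input, sizeof input);

    return load32(mem + BUF_LEN, o);
}

int main(void) {
    printf("original saved address:     0x%08lX\n", (unsigned long)SAVED_ADDR);
    printf("little-endian, off-by-one:  0x%08lX\n",
           (unsigned long)saved_after_copy(ORDER_LITTLE, 0));
    printf("big-endian, off-by-one:     0x%08lX\n",
           (unsigned long)saved_after_copy(ORDER_BIG, 0));
    printf("little-endian, bounded:     0x%08lX\n",
           (unsigned long)saved_after_copy(ORDER_LITTLE, 1));
    printf("big-endian, bounded:        0x%08lX\n",
           (unsigned long)saved_after_copy(ORDER_BIG, 1));
    return 0;
}
```

In both byte orders the off-by-one copy corrupts the saved value (low byte on little-endian, high byte on big-endian); only the bounded copy leaves it intact.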
  122. Re:The first exploit. by praedor · · Score: 1

    But...with linux (and others I presume) one can password protect single user mode. I would assume that this could be done with MacOS X too(?)

    Of course, it is likely that most people do not enable the password protection...and what happens when you lose/forget your password? It isn't like forgetting a bios password where all you have to do is open the case and blank out the bios and start over.

    --
    In Bushworld, they struggle to keep church and state separate in Iraq as they increasingly merge the two in America.
  123. So? by BigumD · · Score: 1

    I haven't really looked at OSX yet, but I can't help but think: What's the big deal? How many enterprise-wide networks are run with Macs?
    Now don't get me wrong, I understand that there may be personal/sensitive files on the Mac, but I hardly see any "h4x0r 4tt4ck" that brings down 2 machines on my network as a major concern.
    The only thing that this may affect is a large AppleTalk network, and to be honest, I don't think that I've ever seen an AppleTalk network that was more than 20-25 Macs.
    I'm sure I'm missing the point here, so please fill me in....

    --
    --The space between my ears was intentionally left blank--
  124. The first exploit. by 3G · · Score: 3
    Not too difficult to get into X right now. If you have physical access to the machine, all you have to do is hit the re-start button on the front and hold Command+S while booting.

    It boots you into single user mode where root privileges are yours for the taking.

    I suspect that this was implemented by Apple (tech support) as an emergency way to get into the system. But in the process it sure does make it a lot less secure.

    --
    Blue skies... Barthie burgers... girls.
    1. Re:The first exploit. by Karlt1 · · Score: 1

      Once you have physical access to most computers there are simple ways to get administrative access. It took less than 5 minutes of searching to find a Linux boot disk that allows you to change the administrator's password on NT. No "hacking" required -- just press return twice to accept the defaults and type in the new password.

    2. Re:The first exploit. by dasunt · · Score: 3

      You're new here, right? Half the time, us posters can't be bothered with reading the article, much less knowing anything about what we are discussing. :)

    3. Re:The first exploit. by MasterVidBoi · · Score: 1

      Every other *nix out there also has single user mode.

      Of course, nothing is stopping a user from pulling the plug, starting the machine, and holding down the Option key on boot, which brings up the Open Firmware Startup Disk selection. Just start it up from an OS 9 system folder, or an OS 9 system CD, and you have that box running an OS that totally ignores *nix permissions.

      If you're really that paranoid, there are ways of enabling an Open Firmware password, so someone will need that password to boot at all. Of course, that is extremely unsupported and Apple would rather you don't do that, fearing the technical support nightmare.

      That's even ignoring the physical attack methods, removing the drive, or the whole computer.


    4. Re:The first exploit. by reynolda · · Score: 5
      Sorry to burst your bubble, but the latest Open Firmware rev lets you password-lock at the hardware level, so that you have the option of even preventing a single-user boot.

      You know, a lot of this thread really exposes a lot of the ignorance about Mac OS X. Have many of you who post comments actually bothered to install and play with this?

    5. Re:The first exploit. by Tech187 · · Score: 1

      Hell, even SparcStations have that kind of access available. Hold down the Stop and A keys to slam a running Sparc down to the BIOS. Unless it has security enabled, reboot it to single user mode. If it does have security enabled, you can probably still boot it from a NetBSD boot floppy or a bootable ISO image burned to CD.

      Any time there is physical access to a machine it's likely there's an easy way to break into it.

  125. Re:OSX Security by G4-Ben · · Score: 2

    Ummmm. Root isn't enabled by default. Go back to your PC. Please.

  126. R T F M by G4-Ben · · Score: 4

    Before anyone else posts a FUD message about OS X, please go to: Apple's Web Site

    You might learn something. Unless, of course, you're afraid to learn new things.

  127. Huh ? by tmark · · Score: 1
    > BUT they will be targeted a LOT less than windows machines.....

    Why exactly would this be ? It would seem the sudden appearance of lots of new Unix boxes would make them very attractive targets, indeed.

  128. Re:Look on the bright side by tmark · · Score: 2
    > Apple is at least headed in the right direction...They are offering an OS with a little freedom for someone who wants to play.

    I completely disagree. The people who buy Macs mostly do not want to play with the OS. When I talk to Mac users I know, their main complaint was about the lack of stability in the OS (and most of them were OK living with that anyways); no one ever mentions a lack of control of the OS.

    And for these people, we will see if "any form of *nix is better than what they had"...especially if lots of shiny new Cubes are hacked and found to be serving warez FTP sites and IRC, or maybe worse, if files start disappearing, because the people I described in the first paragraph are probably *exactly* the last people in the world who want to worry about securing a Unix box.

  129. Re:Now OS's easy to crack by hillct · · Score: 1

    Trolling was not my intent. I'm merely pointing out that after 20 years of UNIX development, I hope the developers of MacOS X took what was learned into account. It's a great OS, as far as I've seen. I just wonder about the security considerations that went into its design, in light of the traditional Mac userbase, who are typically not expert in matters of network security, or who would not demand that such consideration be taken when designing the OS.

    --CTH
    --
    --Got Lists? | Top 95 Star Wars Line
  130. Now OS's easy to crack by hillct · · Score: 3

    There's something to be said for running a 20 year old unix with thousands of patches and fixes.

    I'd hope most of the things learned in those 20 years went into the development of MacOS X, but we shall soon see.


    --
    --Got Lists? | Top 95 Star Wars Line
    1. Re:Now OS's easy to crack by hotblack296 · · Score: 1

      I wouldn't worry too much about their heads being filled with religious crap. I live a couple of blocks from campus and if the May Day celebration this past weekend was any indication, I don't think much religious crap is getting through.

      --
      "Computers are useless. They can only give you answers." Pablo Picasso.
  131. The underbelly.. by SirFlakey · · Score: 5

    Let's face it .. anything that is connected to the net is a potential target .. if only for DOS attacks.

    In a year or so people will find their toaster cracked and toasts defaced by crackers .. "0wn3d by t045tM45t3r" whitegoods.attrition.org =) ?
    --
    Jon - TheSpork
    1. Re:The underbelly.. by toastmaster · · Score: 4
      god damn i'm 31337

      --

  132. Redundant by swagr · · Score: 3

    > Will crackers start to go after these machines too?

    An OS that a substantial percent of the population will be using and that ISPs will want to support! Of course these machines will be a target.

    --

    -... --- .-. . -.. ..--..
  133. As with anything.... by heyetv · · Score: 5

    As with any OS, it'll often be the apps that run on the machine that get cracked, not always just the OS itself. Now that apache, mysql, etc. run on OSX, the same vulnerabilities exist as for any other *nix running the same services. And lets not even get into the intelligence of who will be adminning the machine... almost all NT cracks are from extremely poor setups of the OS, ACLs, and services... OSX can suffer from bad adminning just like anything else.

    1. Re:As with anything.... by Sycraft-fu · · Score: 3
      I think you're correct on this one. 99% of security failures are human ones. Most of the time a script kiddie gets in via a known, patched exploit that the admin has been too lazy/dumb to get and install the patch for. Also a lot of break-ins happen through custom web code that the programmers don't properly test and so leave a buffer overflow exploit or something of the like sitting in there. Only occasionally do I hear about break-ins that result from a new, previously unknown security hole in an existing presumed secure program. All the rest of the time the hole is known, but the admin hasn't bothered to fix it.

      Basically there is no amount of security that can protect against stupidity. If an admin doesn't know to make sure his box doesn't have random things running, and doesn't regularly check for patches, well then the box is likely to get owned. There's really very little the creators of the OS can do to prevent this, other than making sure all the dangerous services are off by default.

      As a side rant I'd just like to mention that BO2k is another great example of a stupidity exploit. It does not show some inherent flaw in Windows security, it shows an inherent flaw in user security. BO2k doesn't break in to a Windows box, you have to give it to a user, have them install it, and then and only then can they gain access. It's a whole lot like Telnet or VNC in that regard (except its authors decided to make it hide itself since they fancy themselves hackers).

    2. Re:As with anything.... by TheAwfulTruth · · Score: 2

      Course, people are too stupid to drive their cars without crashing them all the time too. Yes, the average person is too stupid and lazy to operate the average computer without problems regardless of the OS. I agree that administrators SHOULD NOT be required, but the fact is, THEY ARE. When this issue has been addressed, as it has in the near past with internet terminals and other dumbed down devices, they are not accepted by the general public. Why? Because making them foolproof also limits their potential. People want the tremendous power of a generalized OS, they just can't handle it. (I think the same could be said about cars, motorcycles, guns, god, and almost anything else as well.) You can't have absolute power and flexibility and total safety from misuse. So we sit in a middle ground of giving users the power and flexibility they want and hope they don't misuse it, when they do they call their local family computer expert (or in the case of a car, a mechanic) to fix it for them. Frankly I think that situation fits the bill quite nicely, any move to either side is a detriment to all.

      --
      Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!
  134. Re:tempest in a teapot by rfsayre · · Score: 1
    > Machines get broken into not because they are "UNIX-like" or because they are "Windows-like" but because their network services have bugs. Most of the time, those are bugs in server code, not in the kernel...Reasoning that goes like "MacOS X is UNIX-like, therefore MacOS X will be susceptible to UNIX-like security problems" is simply not very informed.

    hey d00d,
    How do you "break into" a machine that doesn't allow remote logins, e.g. any previous MacOS. But don't take it from me, take it from the W3C.

    Art At Home
  135. Re:tempest in a teapot by rfsayre · · Score: 1
    > Conversely, well-run UNIX servers only run those services that they need to run, giving them the same protection as a stripped down pre-MacOS X machine.

    Yeah, and many of those services run in user mode processes. Here's an old BSD-related chestnut.

    > buffer overruns... The possibilities are endless, and the lack of process based security makes pre-MacOS X machines more vulnerable than UNIX boxes.

    Bzzt. When you do that to a *nix network daemon you often gain root shell access, no need to get into machine code. Just go look for examples of Macintosh buffer overrun exploits. There aren't many. Searching for examples of *nix buffer overrun exploits results in a deluge of examples.

    So, if you are to reply again, explain why there are so many more of these exploits for *nix. Consider the possibility it has something to do with remote logins and multi-user setups, things MacOS classic lacks.

    Art At Home

  136. Why stack smashing works on (almost) every CPU by mbessey · · Score: 1
    > I think that it's a shame that AIM didn't learn from earlier mistakes by allowing the stack return register to be manipulated like that. Are you aware of any good reasons why they would let that be done?

    Well, either you have to store the return address in memory at least some of the time, or you have to severely restrict the number of nested function calls allowed by the architecture.

    You could argue that the RA should be saved in an area that's not writeable by a normal user process, but then function calls become nearly as slow as system calls, which is a performance loss most users wouldn't tolerate.

    There are a few processor families that use two separate stacks: an argument stack and a return address stack. Those would be much more resistant to overwriting the return address with data. As far as I know, that architecture is mostly used in processors dedicated to the Forth language, which has explicit support for that sort of architecture.

    The "real" solution is to write your code such that it's not vulnerable to buffer overflows in the first place. It's not hard to do, really. Of course, using a language that has a useable String type (hint: NOT C or C++) helps a lot.

    1. Re:Why stack smashing works on (almost) every CPU by mbessey · · Score: 2
      I think you've been misinformed (or possibly, your experience with C++ is very different than mine).

      It is nearly as likely that you'll have buffer overflow vulnerabilities in code that uses STL strings as it is in code that uses C strings. That just might have something to do with one being implemented in terms of the other...

      It takes nearly as much discipline to avoid those problems in C++ code as it does in regular C. For starters, you have to make sure that you use the subset of C++ that doesn't include any of the features of C that lead to buffer overruns.

      As opposed to a language that has a better String type (i.e. TCL, Perl, BASIC, Python, Java, etc), where it's not even possible to overwrite the stack in the same way.

    2. Re:Why stack smashing works on (almost) every CPU by Morth · · Score: 1
      > Well, either you have to store the return address in memory at least some of the time, or you have to severely restrict the number of nested function calls allowed by the architecture.

      Yes, but they could for example have put the return address at offset 4 of the current stack frame instead of the parent stack frame. That would've made it much more resistant to buffer overflows as the start of the variables would be above the return address.

      Of course, you could still change the return address of the parent function, but that would be much less reliable.

  137. Re:Hack vs Crack by pdalite · · Score: 2

    Back in the day - am I showing my age? A 'cracker' broke copyright to enable game trading, while a 'hacker' was a skilled computer intruder - no script kiddies then! It upsets me that nobody seems to remember what a cracker really is!

  138. Full of crap by 1+inch+punch · · Score: 1

    If Classic (the Mac OS 9 environment) is not even running how can you "exploit" the box?

  139. Re:tempest in a teapot by janpod66 · · Score: 2
    > How do you "break into" a machine that doesn't allow remote logins, e.g. any previous MacOS

    You don't need remote logins to break into a machine. For example, many security problems are buffer overruns and allow you to execute some arbitrary machine code. You can use such security holes to disable access controls on the web server, to start up new servers, to share disks without access control, etc. The possibilities are endless, and the lack of process based security makes pre-MacOS X machines more vulnerable than UNIX boxes. If you really want something interactive, you can use those bugs to upload a short command line interpreter.

    Conversely, well-run UNIX servers only run those services that they need to run, giving them the same protection as a stripped down pre-MacOS X machine.

    > But don't take it from me, take it from the W3C.

    Which only goes to show that you shouldn't believe everything you read on the web. Think for yourself.

  140. tempest in a teapot by janpod66 · · Score: 5
    Machines get broken into not because they are "UNIX-like" or because they are "Windows-like" but because their network services have bugs. Most of the time, those are bugs in server code, not in the kernel.

    Whether MacOS X users choose to take advantage of the vast library of server code that they now, finally, have access to is for them to decide. If they don't, their machines will remain pretty much as secure as with earlier versions of MacOS.

    Of course, given the strong support for Java that MacOS X supposedly has and the widespread availability of Java-based servers (web, ftp, smb, etc.), they may also choose to go with mostly Java-based services. Those aren't necessarily perfect either, but they avoid known UNIX bugs and they are intrinsically more robust against common problems like buffer overruns.

    Altogether, I would expect the MacOS X security situation to be pretty good. What the article mostly shows is that there isn't much technical understanding at BusinessWeek. Reasoning that goes like "MacOS X is UNIX-like, therefore MacOS X will be susceptible to UNIX-like security problems" is simply not very informed.

  141. That's not the way it works. by w2gy · · Score: 1

    I have a law - let's call it w2gy's law. It goes something like this:

    The number of vulnerabilities and tools available to attack any given operating system or piece of software is directly proportional to the number of installations of that operating system or piece of software.

    In other words, lots of people use Outlook Express, so virus writers write their warez to exploit it - they will put time and effort into it that nobody is prepared to really put into finding holes in mutt because there are more people running it. Similarly, a large number of lame websites run NT, so web defacers will spend time and effort investigating how to break NT/IIS. If a hacker wants to break into a Solaris box (where all the fun stuff is, apparently) they are going to try and break it - if there is nothing out there running Solaris, they won't try.

    The opposite is also true - when was the last time you saw Plan9 or even QNX up on Bugtraq? Why? Because nobody runs it, nobody is interested. There is nobody out there who is going to come up with holes that they can never exploit in the real world.

    So, as to whether OS X will get lots of new tools depends on how well it sells. It took NT a good year or so in the market place before people started taking interest and we started to see tools like Back Orifice.

    --
    This line intentionally left here to annoy you.
  142. Apple's reaction? by Tyler+Eaves · · Score: 3

    I see a few possible reactions to this from the big Fruit. A: Release a firmware update that doesn't allow the system to run with altered files. So as soon as you actually install anything it stops running. B: Release a new 'Granny Smith' kernel that leads to loss of memory and performance.

    --
    TODO: Something witty here...
  143. classic mode virii by nilstar · · Score: 2

    yea, could you imagine the dialog box.... "this virus requires OS9.x or earlier. press okay to reboot your machine in classic mode to run this virus, otherwise press cancel".

    --
    ===> An eye for an eye makes everyone blind - MG
  144. Re:Depends how it ships by Tech187 · · Score: 2

    The fact is, though, that if the User account has the capability to enable the root account and other services, someone will come up with a way for them to be enabled covertly. It'll be some trojan or other. Once that's been accomplished it's not that difficult to 0wn the box.

  145. Re:Look on the bright side by Tech187 · · Score: 2

    No, the worst thing to happen is when the police ram down your door and confiscate all your computer equipment because someone else was running a child pornography website on your hardware.

  146. Look on the bright side by Ryan_Terry · · Score: 4

    If you look at it the right way Apple is at least headed in the right direction. In the days of voice activation and gesture driven computing they are going back to the basics. They are offering an OS with a little freedom for someone who wants to play. Try doing anything on earlier macOS versions and you will see that any form of *nix is better than what they had. IMHO this should be looked at as a chance for macOS to move ahead, however "crackable" it may seem. They will learn and develop as they go. I like to see them headed in the direction to offer users more control via the OS.

    DocWatson

    --
    MessEdUp
    .sig
    #/var/www/v
    1. Re:Look on the bright side by Tachys · · Score: 1

      Hey, us Mac users love playing with our Macs. It's just in the form of tons of shareware.

  147. Depends how it ships by zero1101 · · Score: 5

    I don't know for sure, but I doubt that OSX is shipping with Apache, Sendmail, etc, etc, installed and running by default, unlike some other operating systems I could mention. As far as vulnerabilities in the OS itself, there are generally fewer of those. As long as the default setup is reasonably sane, I can't see this ushering in a new era of l33t M4x0r h4x0rz.

  148. The *almost* perfect OS by idontunderstand · · Score: 1

    To me, OSX is almost the perfect OS. It is BSD, comes with a superb interface, hosts Office suite, supports nVIDIA graphic boards, ... and it is not from Microsoft. Too bad Apple programmers need to feed their families and thus put up a price tag...

  149. This could be a problem by Tachys · · Score: 3

    People managing Mac OS Servers would be used to not giving security a second thought.

    This is because no one would bother trying to break into Macs. I mean why so you gain access to 1% of the web servers in the world.

    Hmm "Security by rarity?"

    Of course the problem with Mac OS X is anything that cracks UNIX would probably work against Mac OS X.

  150. OS X & security by daemons_advocate · · Score: 1

    Hence the reason why I run OpenBSD and a very locked down set of NetBSD servers to run my little party...Tried, true and trusted...I use what I know and trust, and that is BSD...M$ is a repulsive server option and anyone who employs their products for secure servers deserves a good cracking if they get it...why not use the best thing out there... If you had the money and wanted the best wine, you wouldn't be shopping at Walmart....you'd have your ass down at the snooty wine shop getting your ass kissed over a bottle of Martuex Chignon. The same goes for secure servers...I like the idea of Mac going UNIX as well as the next guy, but it's not ready for the prime time secure server market...too young and too untried...give me an OpenBSD server anyday...

    --
    "No repair is needed...just a spark."
  151. OS X by daemons_advocate · · Score: 2

    Like anything else, security is a process, not a product. It is a frame of mind that all sysadmins must get into to be effective against server contamination. Preventing this kind of thing takes not only skill on the part of the UNIX admins, but the people that work on and with the server need to be schooled as well to threats. All too often this is overlooked. Anything and everything is a potential target...vigilance and skill pay off if applied correctly...

    --
    "No repair is needed...just a spark."
  152. PC vs. BM by nihon · · Score: 1

    You *could* suggest they call it a "B.M.", but only if it has Windoze on it...hmm...I guess that could double for a "Bill Machine", too...among other things...

    --
    :: Mac OS X: Because making UNIX user friendly is easier than debugging Windows. ::