Ancient Flaws May Leave Mac OS X Vulnerable
mdeb writes "ZDNet Australia is running a story that claims Mac OS X 'contains unpatched security flaws of a type that were fixed on alternative operating systems more than a decade ago.' As an example, in August of last year, Apple patched the 'dsidentity' bug, which could easily have been exploited to grant a non-privileged user with admin rights the capability to create and remove 'root' user accounts."
Wow, stop the presses. Security flaws on a *nix based system. Boy that's news no one expected. Or does somehow the magic Apple logo protect you from all harm - and Bill Gates?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Now we will just have to sit and wait for Steve Gibson's assessment that Apple intentionally left these exploits open as a backdoor to the system!
was an "alternative" operating system. Why is a hole which was patched 6 months ago news? No harm, no foul.
"National Security is the chief cause of national insecurity." - Celine's First Law
some mac-o-phile will be on here saying how it doesn't matter and mac os X is uber secure.
If it's dead, you killed it.
ZDNet Australia is running a story that claims OS X 'contains unpatched security flaws of a type that were fixed on alternative operating systems more than a decade ago.'
Only in the Southern Hemisphere. Up here, trolls rotate counterclockwise.
I watched C-beams glitter in the dark near the Tannhauser gate.
Duh. any user with admin rights can create and remove user accounts.
What's more diabolical is that you can do this without entering the admin password. That's not a bug either but maybe an unwise choice. (sorry but I ain't saying how till they patch it.)
Some drink at the fountain of knowledge. Others just gargle.
Shouldn't users with admin rights, by definition, be able to create accounts of any level?
This doesn't really sound like a hole to me, but expected behavior.
Thank God people have almost cracked running Windows XP on these new Mactels!
Good thing I use Windows ME.
Errors in OSX? Impossible. This is the perfect OS, FOSS and stuff. Must be a Microsoft developer involved.
Mod me down, I really don't give a shit.
So Neil Archibald, senior security researcher at software security specialists Suresec, says so, and further said his opinion is justified because Apple does not use software auditing tools to scan enough of its software. This same Suresec, as can be seen on their web page, sells tools and consulting around source code auditing.
i think i did this to myself once....
All these people boasting about security flaws on various systems, especially OS X seem to make it sound like you'll just be checking your email one day and all of a sudden BAMM! OH TEH NOES SOMEONE HAS ROOT ON MY SYSTEM AHHH!!! Just like with windows you need to be doing something that will put you at risk for someone to exploit this vulnerability.
-1 (Troll) is antihammer
It must have happened when they translated the binary off of the stone tablets, likely because they were limited to only bronze tools.
If brevity is the soul of wit, then how does one explain Twitter?
depricated and replaced by dig(g)
That's the first time I've heard operating systems other than OSX described as "alternative".
--Rob
Towards the Singularity.
"Why do you keep saying that word? I don't think it means what you think it means."
Did someone mix up apple.slashdot.org with slashdot.org? There are WAY too many Apple crossposts the past few days.
You keep using that word. I do not think it means what you think it means.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
We need a mod category for "baiting the untold OSX masses".
Since OSX is BSD based, wouldn't that mean the BSDs (or the one OSX is based on) are vulnerable as well?
Digg is a lot faster at this because it automatically promotes stories to the front page if it gets enough diggs (often in a short time). Slashdot, however, only posts a certain number of stories a day, and there is typically a queue of 2-3 days worth of stories ahead of anything new, unless it's REALLY important.
If you need web hosting, you could do worse than here
You keep using that word. I do not think it means what you think it means.
I wonder if Suresec/ Neil Archibald pitched their services to Apple and got turned down?
Also, from TFA:
"In my experience -- which is also the experience of some of my peers -- Apple has been very slow to respond to reported security vulnerabilities. It expects security researchers to wait indefinitely to release the vulnerabilities and offers no incentive for them to do so," said Archibald.
So he's trying to make a living on discovering security holes and getting paid not to make them public? I'm okay with this practice, I suppose, but I get the feeling that he's trying to up the ante by generating some bad press for Apple. The whole thing seems awfully contrived.
AC: Only on slashdot... could the sentence "My hovercraft is full of eels." be moderated "+4, Insightful"
That might make it uninteresting to the kind of "mass mischief" makers who write worms... but that's hardly the only reason to worry about security. Especially if you're the sort of person/business to attract attention.
/etc/init.d/press restart
Starting process... [ok]
Writing PID... [!!]
***Process restart failed with error code 05.
***You are using UNIX. Stuff happens!
Considering the user must be privileged, is it safe to say that the user has already authenticated and is in the system? I always use passwords like "asldkfje983r0u!56@#987$%^rnYA(*U()*U&0u" for standard users. If they can crack that they deserve to gain admin rights too. You should see my admin key: it is a 10^12 digit Mersenne prime.
Of course, you might have actually read that part and part of your subconscious dismissed it as false. Reminds me of this post from yesterday.
Well, hopefully this causes a great big scare and lots of crapped pants. Seriously. I know too many OSX users who brag about how they can blatantly ignore almost all the common security protocols for computer use 'cause they're on the Holy Apple OS X, IMMUNE TO ALL THINGS BAD! I shudder to think what these people do in their cars when they hear about it winning some special six-star crash test rating.
"Fight for lost causes. You may discover they weren't."
My name is Inigo Montoya, you referenced Princess Bride, prepare to read the same joke ten thousand times.
Even worse! That very same story appeared on ZD Net Australia two days ago!
The horror!
Slashdot is really going downhill these days!
or maybe it was submitted to both at once.
Personally, I don't read Digg, so I couldn't care less what appears on it, or when.
It seems to me, that if you're compulsively refreshing both Digg and Slashdot enough that you're complaining about slashdot being a couple of hours behind Digg, that maybe there are more important problems in your life that you should be addressing.....
Advanced users are users too!
"You keep using that word. I do not think it means what you think it means."
I ain't got a fucking clue what you guys are talking about, but hey! When in Rome.
It does have no viruses and is the most stable and secure OS in the world. But nothing's perfect. Operating systems are a massively huge and complex piece of software.
You want to talk about ancient vulnerabilities affecting people today, look at Windows' WMF. Hell, XP is still having people run in admin accounts in the year 2006.
"Sufferin' succotash."
now that you've gone and said that, i went and tested it... WITH A GUEST ACCOUNT. and surprise! doesn't work.
I think the article makes a good point and one that Apple needs to address. I've long had the impression that Apple does not do enough security auditing, especially of some of their inherited code and that some of their new software has not been as security minded as it could be. I've not heard any of the grumbling the author has about security researchers being treated poorly or response times being particularly slow, but he may be closer to such things than I.
That said, from the article it is unclear if any of the discovered bugs are remotely exploitable. The one concrete example given is just a local privilege escalation, which is not really all that serious. I do wish that Apple would pay more attention to security and I hope they have a team of elite hackers with their ears on IRC and their hours spent trying to hack boxes. I'm not sure that they do though. My suspicion is a lot of the security comes from the fact that many of the employees are old school UNIX guys that take it more seriously than management. This is, however, unlikely to really bite Apple given the giant target that is Windows where local privilege escalations like the one described here are so common no one reports on them and I don't think MS even bothers to fix them.
Where are all the OSX exploits??? I've been running without a virus scanner, although I back up frequently. Nothing, no spyware, viruses etc.
Are there probably exploits possible? Yes, of course. But Apple's security record has been very very good.
This is absolute hogwash.
Nor is it spelled that way. Me ducks...
That does it! I'm switching back to Microsoft Bob!
CmdrTaco! Please add a "-1, Crap joke" moderation option.
Is that, like, a decoder ring or a shoe-phone?
There are bigger problems in OSX. Auto-installing Dashboard widgets was stupid, and "Open Safe Files After Downloading" (a silly name for "Open Potentially Unsafe Files After Downloading") is an unnecessary risk only minimally mitigated by adding warning dialogs... but at least you can turn it off. More details in these comments:
http://www.scarydevil.com/~peter/io/osx-security.html
http://www.scarydevil.com/~peter/io/apple.html
http://www.scarydevil.com/~peter/io/apple2.html
Thankfully even these are not as easily exploited as Microsoft's poisoned gumbo of IE, Outlook, ActiveX, and Security Zones... but Apple really needs to take a good look at the way they approach the Internet, and quit being so trusting.
I just hope Bill Thompson isn't the type of alarmist hack who'd jump up and down and say, "Neh! Told you so!"
you quoted a claim that there is an unsubstantiated, unnamed hole. You really should try critical thought sometime.
"National Security is the chief cause of national insecurity." - Celine's First Law
He's right that Apple users are complacent about security. What he doesn't mention is that this is a trend amongst security companies (scream loudly about how vulnerable Apple users are because they aren't buying his company's fucking products).
He's right that Apple is very secretive and sometimes extremely slow to address security vulnerabilities. He's wrong that Apple not speaking to him means it isn't interested. Apple just learnt the lesson early that being too open to the press (on any topic) is to make yourself a victim of their fickle moods.
He's right that there might be large holes in Apple's OS from earlier NeXT days, but he's sure as fuck wrong when he says it applies to both PPC and Intel architectures. Any crack that relies on memory in the stack being overwritten will not be cross platform.
He's right that there are open vulnerabilities. He's wrong and simply trolling (probably for profit, the fucker) when he doesn't mention that none of them are remote.
And people here wonder why /. is considered a silly source of information...
That's a pretty big statement. There are mainframe OS'es used in banks and the like that have not been rebooted in a decade+ - how has it been determined that OS X is that stable?
Secure? People involved in things like OpenBSD and VMS might be surprised to read such a thing. Let alone Wang's XTS-300 STOP (http://www.radium.ncsc.mil/tpep/epl/epl-by-class.html) or many many other operating systems. But hey, don't let a blanket statement be ruined by little things like that.
This is hardly surprising since Apple is hardly known as a state of the art UNIX hacking shop. Switching to Linux would solve this problem, but it would raise the problem of keeping compatibility between updates, since they would lose control of changes.
Ah, to be a typical dumbfuck MCSE. What a life.
When I saw the headlines I thought someone had found Egyptian Hieroglyphs from aliens explaining how to break into OSX.
Guess my definition of Ancient isn't the same as the poster's.
Find coupons in Greeley
'You keep using that word. I do not think it means what you think it means.' I hope you saw this coming.
concrete5: a cms made for marketing, but strong enough for geeks.
You see, you hold a crucifix straight up and down for Vampires; cock it 45 degrees so it sort of looks like the Apple logo, and you'll keep Gates away! But, there's a problem with Balmer, you also need the Firefox logo to ward him off. Sometimes, you need Nerdy, the MS Slayer. She's, yes, it's a woman, the chosen one. I can't say anymore now.
That is a pretty big security gap. The ability to log in as an administrator, and add other accounts with admin access. Ask your work for a notepad and pen... it would be a better match for you. (Although I'm sure you would run to HR and complain your notepad has security issues, it allows you to write whatever you want on it...)
I read
Say hello to my little sig.
you are cool: irc.pulltheplug.org #social
Yes, it has no viruses, but do you really think it's more stable and secure than say, OpenBSD?
English is easier said than done.
And then it was like... beepbeepbeepbeep, and then, like, half my accounts were gone. And I was like, huh?
They were really good accounts too. And then I had to recreate them and I had to do it fast, and they weren't as good...
-=Lothsahn=-
Well, it wouldn't be a big deal... except that so many Windows users still run as an administrator by default!
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
I haven't RTFA and I suppose I never will. So how exactly would I benefit if /. had posted this article two days ago?
Also this delay gives people time to think up witty comments, although you seem to have spent your time doing something else of course.
Yahoo! Australia broke this one open, eh? So, it's pretty big news, right? And from the summary, I see that Apple patched a flaw six months ago. Uh huh. That seems like something I should hear about now. Ooh, I also see from the summary that users with admin rights can do things that only admin users can do! E-stop the e-presses! This is FRONT PAGE MATERIAL!
blarg.
The way that I'm reading the article one would have to be at the keyboard of the Mac in order to exploit the security flaws. For most home users this is not a big issue, if an issue at all, due to the fact that 'strangers' would have to break into the house to be able to exploit the flaws. Further, it appears to me that one would have to have an account on the mac in question, as well as physical access in order to exploit the flaws. If you've no account then you've no access. Of course someone that uses 123456 as their password is seriously screwed, but that's a different security issue.
"Oh drat these computers, they're so naughty and so complex, I could pinch them." --Marvin the Martian
let the spinning begin, and ironically the MS bashing to start. I think it's funny this is going to turn into a debate on Windows Security, but what can you do.
... LOL ... how does crow taste?
An observation I made in a post a few months ago was that since 2001 Apple has released 5 different releases of OSX, 4 of which were paid upgrades (approx. $600 if you were staying current all along). They have patched literally thousands of bugs and security holes and continue to do so at a pretty steady rate. We don't hear about it, (In my opinion) because the media contains a majority of zealot mac users, but that doesn't mean it isn't true.
It's also worth noting that apple has less than a 5% market share. It wasn't until Firefox hit around 10% we started to see hackers paying attention and start exploiting the MS alternative product. It wasn't that it was so much more secure before, turns out just nobody cared to exploit it when it had no market share. If apple ever gained a respectable market share I believe they would have more holes than windows.
And before you say "it's unix"... blah blah blah. You all said it wasn't "unix" a couple of weeks ago when the government released the unix/apple security holes, which by the way were about triple the windows holes.
anyways go ahead and flame me, but I think it's still pretty funny to see this "old" hole. Especially after reading the MS VP response earlier, and some arrogant SOB cleverly writes something to the effect "i'd like to see those same questions submitted to the security guy over at apple, what a difference it would be"
You may think it's a flaw, but it is also why many people still read Slashdot.
So, yes, the real world has proven that same type of potential exploit in the two platforms can legitimately be viewed as a serious problem in Windows (because damage can and does occur) but theoretical in Mac OS (because damage has not occurred).
"National Security is the chief cause of national insecurity." - Celine's First Law
Why... how awful. Or the user could have gone to the command line and typed 'sudo foo' and run anything as root that he wanted, including creating and deleting users or whatever else he wants to do, if he has admin rights.
You could at least have chosen an example that wasn't totally useless on 99.9% of Macs. (Those which allow admins to sudo. Most people aren't dumb enough to explicitly grant admin privs to people they don't want to run as root, either because they know they know what it means and choose not to or because they don't and they don't just randomly check every check-box that comes along.)
-fred
Sign #11 of Slashdot overdose: You see the phrase 'moderate Republican' and you wonder if that would be a +1 or a -1.
10) Ten million+ active boxes still "too small a number" to target.
9) Worlds virus writers all work at Valve; have no idea what the hell OS X is.
8) OS X originally scheduled to have virus this year; pushed back till Q2 next year to add Intel support and a Universal Binary.
7) Russian Mafia all actually use Macs, tell underlings to keep macs virus free so they don't have to run virus scanners.
6) Forget buffer overflows; real mechanism viruses use to spread is actually second mouse button.
5) No viruses released for sale on ITMS yet.
4) Actually viruses everywhere but Jobs Reality Distortion Field keeps Mac users thinking they are not there.
3) XCode secretly detects and transforms viruses into RSS readers instead at compile time; explains glut on Macs.
2) Virus writers accidentally drug virus into one of several hundred "Untitled Folders" on Desktop, now have no idea where it is.
1) Mac owners just too damn pretty for God to let them get viruses.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Too bad I couldn't come up with a LAND pun too...
Suresec appears to be a not-for-profit organization, from the ".org". So, why is Neil Archibald coming across like he is expecting compensation/incentive to not go public with discovered bugs and exploits ASAP?
It has always struck me as odd that these bug finders want to tell the world as soon as possible. Revealing the discovered exploits doesn't help to protect the end user if it's in the code, it just makes them more vulnerable. Once the information is revealed the dark siders have information to further their own not-so-friendly agendas and place the end users at risk.
a non-privileged user with admin rights
Isn't that theoretically impossible?
------- In the end there are no begining
The main thing that allows so many Linux distributions to work with low maintenance cost is that they are all based around the same kernel. When a fix is issued to the main kernel tree, it is fixed on all Linux's as they update. So distribution makers aren't pressed to patch it manually themselves. Perhaps OS X's variant of the Mach kernel has strayed too far from the main Unix tree, and suffered a form of seclusion from the goings on of the main tree?
In undeveloped countries, the consumer controls the market. In capitalist America, the market controls you.
Come ye to knowledge, and know that it is good. ;)
The author shows his true colors in the following statement:
Anytime someone claims that the only reason A is safer than B is that B is used more often, alarm bells should go off. It's never the only reason.
We went through the same thing with Linux vs. Windows, Firefox vs. IE, I've seen people make the claim about Opera vs. Firefox, it was said about Mac vs. Windows long before OSX, etc.
If you think about it, the popularity-as-sole-reason argument boils down to claiming that security by obscurity is enough.
He's ZDnet's designated "Apple hitman." They love him because Apple stories - especially negative Apple stories - generate more page views and discussion than any others, especially on News.com.
I'll grab some examples later, but it's no coincidence that this story is almost pure speculation.
I, together with another guy on the MacNN boards, discovered some of the more serious aspects of the vulnerability pertaining to url types and mounting of remote volumes around two years ago, when a website could quite easily download, mount and execute an applescript or any application on your machine without you seeing it (Apple's response to this was the fact that you have to authenticate any new application the first time it's run these days, something now also in WindowsXP and Vista). We notified Apple and waited. And waited. And waited. Finally, after 3 or 4 months, Apple finally released the patch with the new functionality.
It was an extremely serious vulnerability because it was so easy to exploit and Apple really dragged their feet on that, and on other similar cases.
The guy is spot on with that comment. Apple is really slow in responding to possible exploits.
It surprises me that such a big fuss is made. I agree that for someone who 'wants' security features and they don't work as expected there is a problem, but what about the other people who don't want security features even though they cannot be turned off in OSX or Windows XP for example? It makes me enjoy using OSs which don't have security features (such as MorphOS or AmigaOS) as these let me 'the user' do *EVERYTHING* I want to do on my own computer.
FWIW if you look up the hacker "nemo" of felinemenace.org that's him. He has found a number of vulnerabilities for which he is credited by apple. Given the number of vulnerabilities that he has found by himself (as well as with others from suresec) I'm sure he's probably getting a little tired of it by this time, and would like apple to get a little bit of bad press to shame them into doing better. Also he has written a rootkit for Mac OS X but removed it from public view. So don't let anyone ever tell you there's no malware for Mac OS X. Further he has given talks on how to infect mach-o executable formats. nemo is the solution, and nemo is potentially a problem when his tools meet more widespread use (which is why I'm glad he removed the rootkit)
but when he says that OS X is vulnerable, NO ONE knows better than him
1)Error is found in OS X.
2)Apple fixes error.
3) Media makes article about how unsecure OS X is and how all mac users are going to regret the day they didn't run antivirus software.
4)???
5) Profit!
Flamebait? LOL
I don't care how I am moderated since it is a fact that Apple is a niche product, esp with less than 5% market share. Please take off those pink colored Apple glasses and look around.
If you mod me down, I *will* introduce you to my sister!
There is no such thing as a "non-privileged user with admin rights". Either you are an admin, and have full access to root, or you're Joe User.
"In August last year, Apple patched the "dsidentity" bug, which was discovered by Archibald and affected OS X versions 10.4.x up to 10.4.2.
This "trivial" bug, according to Archibald, could easily have been exploited to grant a non-privileged user with admin rights and allow that user to create and remove "root" user accounts."
Can you not read? Big f'n deal? It allows a NON privileged user to get admin rights, then do whatever he wants, try reading the article, dumbass.
Not to spoil the joke, but this gives your password away instantly. Assuming that by 'digits' you mean numbers between 0 and 9 and keeping in mind that a Mersenne prime takes the shape 2^x-1, such a password can be narrowed down to only four (three?) possibilities. More specifically, the 'x' equals 2log(10)*10^12 rounded up, or one more, two more or possibly three more.
Well admittedly, the relative simplicity of the bug is a cause for concern. However the choice of the word "ancient" made me laugh. I was thinking, was the security hole as big as the ancient Egyptian pyramids? The pharaoh I guess was the root. Ya know, "Pha-root!" some sort of salute or something. I mean "right triangle" came from some sort of ancient Egyptian interjection, sounding something like "rrright!" with the "rrr" being a guttural, almost German sounding string. Of course, Pharaohs simply opened themselves up to the security vulnerabilities (especially with that hooking the brain business; gives me the cold shiver). I mean his freaking death shrine has a BACKDOOR and NO FIREWALL. At the valley of kings there was much better security, because of a "curse placed on it." I guess that's the Microsoft approach. Either way, the Windows approach is tantamount to a pyramid. You make something that's sort of pretty, but is basically some brute temple to his excellency yada yada Mr. Gates. After the ceremony, hackers immediately break into the pyramids. People look at them forever and say, "how'd they make that s***?" as well as, "who thought this was secure?" Well, Windows is certainly a megalith. That comparison works. I mean hiring Arthur Anderson Accounting to work their system process manager would be an improvement. Which is my final Unix rave. In Windows it is so hard to figure out what is running and what is taking up time. Most of the time, you don't know what's taking up so much time. It'll freeze, then you reboot and it has no idea there was a problem. A Unix box goes down and it nearly resurrects itself, not to mention lets the root know what happened. In real life, Super-User wins. By the way, this bug apparently affects root in MacOS. It's hard as hell to even enable root access in MacOS. I'd only be worried about hackers with new holes to exploit. I actually somewhat favor this "triage" approach to computer security.
Fix the worst hole and work your way down. Really, what's more important. Defacing the least viewed page on a website, or allowing potentially anyone to open your computer with a WMF that some speculate may even be a backdoor. I'll close with this: being a Windoze admin would be a lot easier than a Unix one. You don't have high expectations and you get to blame your equipment when the system gives way. Unix admins would be fired. Or they'd patch up the system. M$ would have a cow if any admin did that...
Yes, it has no viruses, but do you really think it's more stable and secure than say, OpenBSD?
You know Darwin has a BSD core, don't you?
The opposite of progress is congress
OS X draws code from OpenBSD. In fact, a lot of the command-line BSD tools are taken from OpenBSD. Darwin is a compilation of the best of the best.
Take a guess what server army.mil runs on. Go ahead, guess.
"Sufferin' succotash."
"When we spoke to Apple on the phone about this issue, the security team had never even heard of the application, and burst out laughing at the simplicity of the vulnerability," said Archibald.
don't take it personally. seriously. They were laughing with you, not at you.
Actually, Darwin uses a lot of OpenBSD code.
"Sufferin' succotash."
Someday these smug mac users are going to get their comeuppance.
Really.
Someday.
Any day now...
I've known some very conservative Republicans but have yet to meet one that doesn't at least acknowledge some of the good the ACLU has done in the past (obviously they don't like other things the ACLU has done).
I'll also take a guess and predict that it's sitting in the equivalent of the DoD's public-facing webhosting centre, many, many levels away from any red(?) network cable (red network cable/ports being, IIRC, the secure/classified networks).
What does that have to do with the listing of several dozen OSes which would have a far more valid claim at being the world's most secure than OS X, or even Open BSD.
What's that? Apple patched a vulnerability in November ?
Where's the exploit for these ancient security problems?
Oh. There isn't one. Interesting. Not.
FLAMEBAIT!?!?!?!?
What kind of crack do these mods smoke?
Or are there that many Apple freaks that have had their sense of humor surgically removed?
Actually, it DOES work, unless you've gotten a recent security patch. I did this from a limited account on my work PC (I do NOT have admin privileges) and it worked. The password is usually just "Password" or simply the name of the user you added.
Just because it didn't work for you doesn't mean it doesn't work! The fact is that this is/was a security flaw in XP. It has since been patched.
> since 2001 Apple has released 5 different releases of OSX,
> 4 of which were paid upgrades (approx. $600 if you were
> staying current all along)
4 x $129 = $516, not $600. That's an $84 difference. $84 buys a gig of ram.
In my case, my G4 came with 10.0. The upgrade to 10.1 was free for all 10.0 users. I bought 10.2, 10.3, and 10.4 from Amazon.com and used their three $35 rebates, which means these upgrades cost me $282, or about half of what you quote. I probably could have saved $94 by sticking with 10.3 as 10.4 didn't give me too many new features, but it would have been an awesome upgrade for, say, someone coming from 10.2 -> 10.4
To look at this another way, the public beta of Mac OS X came out in 2000 and the final retail version came out in early 2001, or about 5 years ago. I really doubt there are many people running 10.4 on their 5+ year old Macs. I'm trying to say that I doubt many people bought, say, a 450 MHz G4 with Mac OS 9, then bought every upgrade since, now up to 10.4. Even the 466 and 533 Mhz G4s came with Mac OS X 10.0 (and 9.1, a dual boot plus Classic VM).
At this point I will stop defending Mac OS X upgrade prices. Mac users pay a price premium for their machines and software, but these days it's a really good deal once you tally up all of the features and bundled software. I do wish the major OS upgrades were cheaper, I think $49 would be more fair than $129. But it certainly hasn't cost me "approx. $600".
Archibald can suck on my balls.
How dare he point out my precious $1499/- iBook i bought on the day Tiger was released is *shudder* vulnerable like that... that... Windows ???
Archibald: You are targeted for Termination (by Mac Geeks worldover).
"Doing what i can, with what i have." ~ Burt Gummer
In fact, a lot of the command-line BSD tools are taken from OpenBSD.
I sleep better at night knowing that OS X's version of ls has been audited.
I am one and acknowledge that the ACLU has done some very important things in the past. The group is now nothing but a self-perpetuating beast with some simply idiotic causes: the right of high school boys to wear skirts, elimination of Christian religious symbols from flags while ignoring non-Christian religious Indian ones, etc.
Regardless of that, I fail to see what a liberal would find objectionable about my sig.
Here, let me show you:
I may be President of the United States.
I may decide to be richer than Bill Gates one day.
I may write some dumb article with the word "may" in the headline 'cause as long as I have "may" in the headline I can write whatever I feel like.
sheesh
*BSD grows faster than Apple has in the last decade. They probably would have used Linux, but the license wouldn't allow them to make OS/X proprietary. Of course, that has also given them a security hit. Should have used OpenBSD instead of FreeBSD...
I know exactly what this particular exploit is and how to use it. Just write a trojan that
1) set the malloc log file to, oh, say, the name of a kernel module - like the HFS driver, maybe.
2) run a regular user command that has the s bit set. Something innocent, like dmesg.
3) Laugh as the user overwrites key bits of the OS with debugging messages.
Clear, Dark Skies
Just because you live in some poor backwards town that charges NINE PERCENT sales tax doesn't mean the rest of us are suckers, too.
Clear, Dark Skies
The exploit in question allows any random program the user executes to trick the OS into trashing critical system files.
No admin rights needed, sunshine.
Clear, Dark Skies
could leverage this exploit to trash system files. Thus, it could be used as the payload for a trojan; user downloads "NAKED TETRIS V69!!!" and it overwrites his kernel. Oops!
Clear, Dark Skies
Good to see that they've got internet access in middle/high-school now...
The original post was, and I quote: "We don't hear about it, (In my opinion) because [...]"
The response simply pointed that out for the ridiculous statement it was.
Enjoy your childhood while it lasts, cause with maturity of the kind you've displayed, I suspect you'll have a hard time finding work outside of the fast-food sector.
Well, it is like darwinian evolution. The survival of the fittest and evolving. If a life form (read OS) finds a good design to deal with some problem or event, why would it change a good design for an unproven new design? If BSD or any other unix is working very good, there is no need to throw it to the can and write something new. It is better to keep the good things and change what is bad or what is needed to solve new problems.
If you want to see the complete (I hope so) heritage of the unix OS take a look here: http://www.levenez.com/unix/
If you look for the MacOSX, you will find it is there, and its roots are there since 1986.
Good OSes are like good wine, they get better with time. Bad ones don't live too long.
About the command line, I recommend you to read: Neal Stephenson's "In the beginning... was the command line" Here is a link to the book.
http://www.amazon.com/gp/product/0380815931/qid=1
Uhmmm. The submitter has missed the entire point of that exploit - admin rights aren't required, because the program checks for admin credentials with 'getenv("USER")' - ie "export USER=some_admin" is the exploit.
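The kind of check described in the comment above, next to one that asks the kernel instead of the environment. This is an added example, not part of the thread and not Apple's code; the function names and the `constructed_admin` account name are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Flawed check: the identity is read from $USER, which is plain process
 * environment and is set by whoever launches the program. */
int is_admin_by_env(const char *admin_name)
{
    const char *claimed = getenv("USER");
    return claimed != NULL && strcmp(claimed, admin_name) == 0;
}

/* Hardened check: start from the real UID the kernel holds for this
 * process and map it to a name through the passwd database.
 * getuid() (not geteuid()) is deliberate: in a set-uid binary the
 * effective UID belongs to the file owner, not to the caller.
 * Any lookup failure denies access (fail closed). */
int is_admin_by_uid(const char *admin_name)
{
    struct passwd pw;
    struct passwd *result = NULL;
    char buf[4096];

    if (getpwuid_r(getuid(), &pw, buf, sizeof buf, &result) != 0 ||
        result == NULL)
        return 0;
    return strcmp(result->pw_name, admin_name) == 0;
}

int main(void)
{
    /* Constructed account name; it stands in for a real admin account. */
    const char *admin = "constructed_admin";

    /* Same effect as the caller running: export USER=constructed_admin */
    setenv("USER", admin, 1);

    printf("env-based check says admin: %d\n", is_admin_by_env(admin));
    printf("uid-based check says admin: %d\n", is_admin_by_uid(admin));
    return 0;
}
```

A real tool would go on to test group membership or an authorization database for the resolved account; the point here is only where the identity comes from.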
It's time us Mac users stood up to these irresponsible security practitioners. Exposing vulnerabilities in OSX is just not on guys. For now I've never had any problems with viruses or worms and it's jerks like this Neil guy who are making things bad for all of us. I'm a graphics artist by trade and I don't want to have to worry about this nerd hacker bs. I've emailed this jerk and he seems to think he's done nothing wrong, in fact he seems to think he's doing the Apple community a service. Let him know what the community really thinks. Email him at itl @ nopninjas.org
Ahh wonderful wizards bring back memories.
"I see your trying to exploit this system.
What do you want to do, hacker?
[ ] Blue Screen the computer
[ ] Install a backdoor
[ ] Copy all private data to a remote location
[ ] Install virus of choice
[X] Encourage user to switch to Apple"
Ok; sometimes things are just so bleedin' ignorant that I feel compelled to respond rather than crapflood.
Are you really saying that Unix has been around since 1946?!
Because it seems to me that if unix.org has anything to say about Unix, it's been around since the early seventies. Is that really twice as long as Apple's been in existence? What kind of math do you use where "early seventies" = 2 x 1976?
Damn. And they make MY POSTS negative one.
I'm fairly liberal and I don't have a problem with it. Cheap shot, a little cliché, but whatever.
The Darwin userland is based mostly on FreeBSD with a little bit of NetBSD, neither of which have audited the 4.4BSD code like OpenBSD has. Besides, it has unique problems, such as an early exploit of Apache based on case-insensitivity. And aside from all of this, security isn't a top priority for Mac OS X like it is for OpenBSD.
English is easier said than done.
Apple is well aware of the importance of keeping OS X's security record as perfect as possible. They would have to put in an incredible amount of work because of OS X's inherent flexibility and scriptability. Well they better be or a hell of a lot of iGeeks will be mighty unimpressed!
Music, Games, Media Art and Programming
The ACLU always has been, and always will be, a group that argues for the maximum amount of liberty possible for individuals based on the constitution. I fail to see how the particular cases they fight really matter -- it is the legal precedents they're arguing for. Nobody wants Nazis marching down their street, but people who are intelligent enough to put 2+2 together know that anyone stopping Nazis could also stop a more worthwhile political cause. You can bitch and moan about guys wearing skirts, but when public schools tell students they can't wear a star of david or a cross on a necklace, it's nice to have the issues sussed out in court ahead of time. Just because you have the benefit of hindsight on the eventual outcome of issues they fought 50 years ago doesn't mean the first steps of issues they're fighting today are less important.
That said, I doubt many intelligent people find your sig objectionable, they just assume you're an 18-year old who doesn't know enough about the world to actually think about issues, and advertises the fact by throwing together some non-sequiter about a group he doesn't like. If you had an actual, sensible statement in there you might properly have something to object to.
Recursive: Adj. See Recursive.
So if you give the author the benefit of the doubt, and assume that by "safe" he meant "safe for a user to connect to the internet" rather than "secure", then his point stands.
In a world where predators attack X but not Y, it's safer to be a Y than an X even if an X has more armour. The concern is that if Y becomes interesting enough to be attacked, then it's really in trouble.
Any sufficiently self-referential snowcloned
Why guess?
Facts are right there.
Change is certain; progress is not obligatory.
That's not the worst I've seen, but it's pretty bad.
Time to send the folks at Apple a copy of _Innocent Code_.
(I think the worst was a script that checked $PS1 for a "#" character)
mdrTaco! Please add a "-1, Crap joke" moderation option.
I think the option you're looking for is "-1, Troll".
And the knowledge that they fear is a weapon to be used against them...
Not being permitted to wear a Star of David is a possible infringement on constitutionally protected religious freedoms. How is the right to wear a skirt in public schools a constitutional freedom? Nearly every school in this country has a dress code, as do places of work. There is precedent in similar cases that does permit organizations to forbid the display of religious symbols.
A specific case that comes to mind was a police officer that wanted to wear a tiepin with a cross on it and was prohibited to during the summer when the tie was not part of his uniform. The ACLU was nowhere to be found.
Is the eradication of Christian symbols in public places a civil liberty? Where in the constitution does it say a sports team's logo may not display a cross, but may display an Indian religious symbol? Was there a civil liberty violated there?
Moreover, my signature was a tongue-in-cheek remark that no liberal should take offense to, especially the ones on Slashdot that argue almost everything under the sun is protected speech.
If you are going to take personal jabs at me and call me an 18-year old, at least spell your big words like "sequitur" correctly. Then again, you barely used it correctly. Furthermore, if I were still 18, I would probably be delusional enough to align myself with the left. Liberalism is like bed-wetting, most people are lucky enough to grow out of it.
A good portion of OS-X is BSD based. BSD is open source tested and unix. It's hard to crack BSD. The PowerPC also helps preventing buffer overflow exploits. The intel transition will be interesting.
Believe it or not, there are states that have no sales tax at all.
Clear, Dark Skies
I recall viruses existing on the Mac back in the '80s! Also this story is somewhat of a dupe as it seems people have been predicting the "inevitable" Mac OS X virus since 2002.
-- Boycott Shell
The right to wear a skirt in school is a constitutional freedom inasmuch as both male and female students are legally equal in the eyes of the state. There is no inherent biological difference between the sexes that requires men to wear pants while women may be allowed to wear skirts. I'd rather the years of twisting and turning through the courts happen when only a trivial offense is at issue, but if you'd prefer the ACLU not address it until some school district requires females to wear burkhas, that's your prerogative. As the old saying goes, easy cases make lousy laws. Waiting for women in schools to be restricted in some more offensive way could easily lead to overreaction by the courts or legislature.
The ACLU was nowhere to be found.
So are you complaining that they get involved in too many cases or not enough? They don't have an infinite supply of money or time -- there are literally hundreds of constitutionally fascinating cases that get ignored every month by the ACLU and legal organizations on the right AND the left. Often they are trying a similar case elsewhere in the country, and much as it sucks for that individual who is ignored, it makes more sense for the ACLU to fight many different battles with their resources than fighting 20 versions of the same religious freedoms case in different jurisdictions if they'll all end up in a handful of US Circuit courts or all together in the Supreme Court.
I'm not sure if you thought I was using it in the mathematical sense or what, but non-sequitur is a completely appropriate description of your sig. If you actually think ACLU meetings have frequent flag-burnings I can see how you wouldn't see the absurdity, but then you'd be aligned with the "those other guys are teh evil!!!" mentality of wignuts on all extremes. Congratulations on your spelling prowess, my local newspaper printed the Non-Sequitur comic strip for years under the misspelling, which has forever scarred me.
Liberalism is like bed-wetting, most people are lucky enough to grow out of it.
Yes, well fortunately guys like Thomas Jefferson, Patrick Henry, and Thomas Jefferson were immature enough to fight for civil liberties (and even write a few down!) before they grew out of that silly phase. "Give me Liberty or give me Death!" What kind of hippie shit was that? Didn't he know there was a war on? What a bunch of pinkos.
Recursive: Adj. See Recursive.
I am making note of the ACLU's priorities. They have a strong tendency toward attacking Christianity, while defending other religions. This is simply undeniable. The only thing this has to do with time or money is how they choose to allocate it. I heard this much from talking to an ACLU lawyer.
Your argument that the ACLU should be protecting every American's right to wear whatever they want wherever they are in order to protect us from being forced into or prohibited from wearing certain religious symbols is just silly (in fact, I may even go as far as to call it a non sequitur ;-). It is not even the ACLU's argument. This would be like saying we should permit murder to protect abortion rights.
I can see why you would misuse terms like that when your point of reference is an encyclopedia, especially Wikipedia. A non sequitur is just a non-logical remark, not just one that is sarcastic. Though I suppose most sarcastic remarks can be wedged into the category of non-sequiturs, it is not necessarily a proper classification. For example, during Judge Alito's confirmation hearing in the Senate on Wednesday, Sen. Kerry claimed that because Pat Buchanan, Anne Coulter, and Robert Bork supported the appointment, they should vote against it. This is a non sequitur. I have no great spelling powers, nor does it bother me when things are misspelled. I just found it funny that you misspelled and misused a word like that right before labeling me an ignorant juvenile.
Thomas Jefferson was not in favor of the modern day notion of Libertarianism, much less contemporary Liberalism. Look beyond the catchphrases at who he was and what he supported. Though he was a liberal in the traditional sense, keep in mind that the liberal philosophy used to be one of capitalism and natural rights, not half-baked ideas about anonymity in every facet of life or removing Christian symbols from every public and private institution.
I don't get it. Am I a dumb 18-year old, or an Archie Bunker style relic?
Ooh, I also see from the summary that users with admin rights can do things that only admin users can do!
That would be wrong.
Feel free to apologize.
Clear, Dark Skies
BSD core? YES OpenBSD? NO, it's FreeBSD. And yes, the BSDs do share a lot of the same code, but Darwin itself is FreeBSD based. "The most widely-sold UNIX-based operating system, Mac OS X offers a unique combination of technical elements to the discerning geek, such as fine-grained multithreading, Mach 3.0 microkernel, FreeBSD services, tight hardware integration and SMP-safe drivers, as well as zero configuration networking. Tiger's state-of-the-art kernel features improved SMP scalability and 64-bit virtual memory, while standards-based access control lists take UNIX permissions to the next level." Add to that the FreeBSD "Beastie" daemon mascot, and there ya go, case closed. It's not a blowfish folks, it's a Beastie.
--DV
In this day it is safer to be a ninja than a samurai
That was the point.
Impressive. That's what we call an opportune moment for the display of truly obscure information.
Which completely explains the flocks of converts coming to OS X constantly. And of course they're insignificant... yeah right. I mean, it's not like they've defined design and tons of new computing standards or anything. Saying that apple is insignificant is like saying that Ferrari doesn't make the majority of all cars, so they must be bad car makers...
They have a strong tendency toward attacking Christianity, while defending other religions. This is simply undeniable.
;-). It is not even the ACLU's argument.
It's very deniable that they "attack" Christianity. They attack government measures attempting to impose it on people, but that is quite different from attacking the religion itself or opposing its free practice by anyone in this country. They defend it when it is under attack and there are not other organizations better suited to fighting a particular case (let's face it, it's the majority religion and there are few "attacks" on it, and plenty of well-financed groups willing to defend it when necessary). They also defer to the Anti-Defamation league on many cases involving Judaism, and let the extremely well-financed and politically powerful NRA handle second amendment issues.
When the ACLU defends the KKK, they are defending Christians on religious grounds (most racist organizations in this country, including the KKK, are based on Biblical interpretation). Most Christian organizations aren't interested in fighting that particular battle, so the ACLU is left alone to defend the Protestant Christian principle of personal Biblical understanding.
The only thing this has to do with time or money is how they choose to allocate it. I heard this much from talking to an ACLU lawyer. Of course, that's how all groups work. They step in to defend any religious group if necessary, it just is rarely necessary for Christianity because of the rare infringements and the wealth of existing organizations.
Your argument that the ACLU should be protecting every American's right to wear whatever they want wherever they are in order to protect us from being forced into or prohibited from wearing certain religious symbols is just silly (in fact, I may even go as far as to call it a non sequitur
It's not my argument, either. I don't know how you possibly came to think that it was. Women are allowed to legally wear an item of clothing. Men are not, and the only reason is because "we don't want guys wearing dresses". The sexes are treated differently, even though there is no practical or biological reason for the difference in treatment. Under the US Constitution, it is illegal to treat women and men differently unless you can show a reason why it is absolutely necessary. A guy wearing a dress might be silly to you or me, but I can't think of any reason why he should be legally prohibited from doing so, if women are allowed to wear dresses. As I said, this is a trivial argument, and thankfully so -- then there will be legal precedents to point to that will cut short future arguments if more serious infringements take place.
Look beyond the catchphrases at who he was and what he supported. Though he was a liberal in the traditional sense, keep in mind that the liberal philosophy used to be one of capitalism and natural rights, not half-baked ideas about anonymity in every facet of life or removing Christian symbols from every public and private institution.
I'm quite familiar with Jefferson's beliefs, writings and teachings. Having lived in Virginia right next to a 15-story tall copy of his Virginia Statute of Religious Freedoms (the model for our own First Amendment, the United Nations Statute on Religious Freedoms and many other nations' laws) and reading his many, many published works, I can't conceive of how he would be anything but thoroughly bemused at the state of Christianity in this country, that so many portray it as being under attack by some mysterious force while simultaneously being the faith that 85%+ of Americans believe in. He certainly was Liberal in that he believed as many liberties should be reserved by the people and as few given to the government as necessary.
Recursive: Adj. See Recursive.
This is another anti-OS X screed by the mainstream media.
Despite all their railings, OS X hasn't been attacked. As most geeks already know this, I wonder who this sort of propaganda is targeting? PHBs?