Army Dumps NT as Web Server, Moves to Mac
kootch writes "This sounded too funny to believe, but I think it's true. The US Army, after being the victim of a script baby and having their web pages vandalized, has moved their site from an NT box to a Mac box running WebStar as their server software. Don't believe me? Go here!"
(Disclaimer: Apple folks, I have a moral obligation to tweak macs. I grew up with an Apple IIgs.)
Ah, yes. There's nothing like a brick wall to prevent someone from breaking the lock.
MacOS actually gets some bonuses from its, uh, quaintly anachronistic operating system tendencies. (This is not a flame. I think it's cute to tell an application how much memory it gets. See disclaimer. Tweak. Tweak.) For example, the fact that the entire OS is really built to communicate over Appletalk instead of TCP/IP means there's absolutely *nothing* open by default for abuse on the general Internet.
Those who remember these kind of things will note that *the* definitive, original WinNuke was a bug in the TCP handling of an "Out Of Band" packet sent to port 139 on a Windows box. Open door. Boom.
As much as I love Linux, there are more open ports in your standard issue distribution than you're likely to find in an average brothel. Unix in general is hooked into TCP/IP addiction on a practically native level.
The speed on the mac might not be great. The stability probably won't be perfect, but who knows. With much less embedded functionality, there's Just Less To Break.
"We here at the US Army know that the most secure computer is the one that isn't plugged in. We use the next best thing."
Yours Truly,
Dan "Must Never Post When He's This Tired" Kaminsky
DoxPara "Will Have No Memory Of This Post" Research
http://haveasenseofhumor.www.doxpara.com
Once you pull the pin, Mr. Grenade is no longer your friend.
Macs may not be the most stable platform, but in terms of security, they have a point. No remote logins (can't upload malicious CGI's, etc...), no command shell, plus there's a much smaller crowd that knows the workings of IIS or Apache. It's not like they're running a high volume e-commerce site. It's probably just a bunch of static pages, with maybe a search engine attached.
The price they pay for the security is that they may need to reboot the Macs a few times a week or month
just cuz mac os doesn't support remote logins doesn't mean they're secure. ever hear of buffer overflows? find one, smash the stack and take over. make a few toolbox calls and erase all the files on the server.
open source software, on the other hand, allows you to check the source yourself (eg, grep strcpy *.c) and quickly fix known bugs.
using mac os stuff and saying it's more secure cuz there's no logins is false. saying it's more secure cuz less crackers try to crack mac os apps or cuz there's less spoilt scripts out there for mac os apps is security through obscurity.
Actually, the F117A uses both methods: the shape of the plane reflects the radar signal away from the signal source, while a special coating absorbs some of the signal...we use this stuff at work sometimes...(I work on RF power amps)...I wonder if this stuff would protect a G4 from the HERF Gun mentioned on /. today...
the article says:
yes, the macOS has no 'root' or shell-type access, and, by itself, is arguably one of the most secure platforms available, if only for the same reason that is one of the most virus-immune - very few hackers, crackers, or virus writers use macs (despite all the movies like 'hackers' and 'the net')
and, by that same token, any web server just serving up http and ftp is fairly secure. adding on all the other services, and opening up ports to who-knows-what is asking for trouble. simpler is better. and a mac as a webserver is a very simple solution.
since when has the w3c been in the business of security surveys? oh well.. they're right on a few accounts, but may not be totally up to speed on the software they're talking about. the mailing lists are/have been alive with reports and fixes for security holes in open transport, os8, webstar, and all the various plugins that come along with it.
if i were choosing the most secure server for the mac, however, would have gone with webten, an apache-based port by tenon, over webstar (if one were to go with a commercial package). it's fast, reliable, and simple - no fluff. the latest issue of webstar folds in all kinds of services that are unnecessary, and have proven to be security risks in the past. my sites are running on webstar 3, but that's because of how easy it is to add new domains and administer/monitor.
the press-release tells us the mac 'does not allow remote logins'. well, if you open it up via appleshare or install timbuktu it does. even if you don't, and you stick entirely to the webstar package, you get lasso (database), a pop/smtp mail server, proxy server, ftp server, and remote admin tools by default.
i expect the army has disabled lasso - as it has been shown to be a gaping hole in previous, standalone releases - and probably use a dedicated mail server, proxy, etc., but the main webstar server cannot be administered without either a separate admin tool (which can be run locally or remotely via tcp/ip) or web-based admin, whose security is, in my experience, pretty easy to get around.
all that aside, the mac makes an excellent web server. pare down the software to the essentials, give it plenty of RAM and a steady power supply, and it should be happy and stay that way for a good while.
as for apple's PR picking this up, i think they would prefer it if the army had chosen osX server with apache, since os8.x is not really a server product.
- Entertaining Bits from the Ancient Kernel Tree
I have to disagree with this statement. I have a 7200/90 sitting next to the k6-2 system I'm working on right now and I used to run Apache on it under LinuxPPC R4. For static content it does great. I never load-tested it, but it would have no problem serving a low-volume site.
joe
Now I'm curious. Open Transport is a pretty strange beast. Is its TCP/IP stack a barely-warmed-over port of the standard Unix model, or is it truly something new?
I'm usually very calm and collected in this sort of situation, but I just can't hold it back.
OPEN YOUR SMURFING MINDS!!!!!!
All this "haha, web server on a Mac" crap is really getting to me. This place is so Linux-bigoted that it simply amazes me. You don't bother to find any facts or think about the situation at all. If you did, you would realize that Macs are the most secure mainstream web server available for this sort of task. Sure, they may not perform nearly as well as Apache et al, but how are you going to hack a box that has no facilities, no conception, of remote administration or control?
Sure it'll be slow, but good luck breaking in without actually sitting down in front of the thing.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
I thought the TCP/IP stack was licensed from Mentat. Sun's too.
This weekend, I'm doing some freelance work, to replace an Apple "server" with a penguin box, at my partner's office..
Spoilsport that she is, she seems to think that a system with no real security measures, memory protection or multitasking is a pretty poor choice for a server platform.
Of course, being a design company, macs are the perfect client machine, since they are painfully easy to use, and fairly easy to untrash. However, as a server? The expression "dumber than a box of rocks" springs to mind...
Their page loaded very quickly for me.
Maybe the Mac webserver is doing a good job :-)
So the intelligence behind our military efforts are imploring the "user-friendly" Macs as a web server? Despite the fact that Microsoft has it out for them in every corner of the ring, the nation's/world's computer infiltration leaders will only see this as an invitation. Once the word gets around "been there, done that" is what I believe actually keeps worthy security even an option. You get bored, you go on to the next challenge. Only this time they'll be starting fresh, so when something DOES go wrong, they get to sit and stare at their reflection in the monitor. The idea that changing their server will actually provide for a more secure host is silly. Silly I tell you... hahahaha... silly. I was also wondering one other thing; will they receive *special* camo-coloured G4's???
on the sixth day God created man.
on the seventh day, man returned the favor.
without ever having to worry about someone getting root.
Yeah, you don't have to worry about someone getting root, because once they're on the box, they *are* root. They can delete the system folder, install software, anything. I bet there's no sandbox for CGI either - one buffer overrun and you can trash the operating system.
The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
tho camo would be cool! Yeah, I want a camouflaged case, yow!!
Chuck
try { do() || do_not(); } catch (JediException err) { yoda(err); }
OS X has a command shell and remote login, so one should presume that they are running MacOS 8.x, not OS X.
BTW, I think your characterization of the CGI bug is exaggerated. But that's okay; it's fair game.
"The intruder ... modified computer files to prevent detection"
But not by much. He still got caught!
Wouldn't it be cool if he went to jail and his # was 31337?
netcraft also says that "knox-www.army.mil is running Microsoft-IIS/4.0 on NT4 or Windows 98" hmm... Fort Knox?
/snicker
Large print giveth, and the small print taketh away
well at least they are going to a better system than the nt box with known exploits, i am not so sure how this will affect ppl, i have used a few macs over the years and i have to say, personally i enjoy the easy uses that the mac offers, but i dont really enjoy the mac because it doesnt have a lot of the power i have seen in my linux and sun box, but i cant say that they should go with linux, or unix, but i like the linux system and the sun. i have seen the stability in the systems.
but this is the military so i cant say what is right in their case. but rara ra for the switch from nt, i never really liked nt it kept blue screening me, i have had my linux box up for a month or more now. which coming from windows for 10 years i have to say that is one heck of a good thing.
It's too bad that there's still so much mac bigotry out there. They've always been the most secure webservers.
I wonder how they got permission from Army requisitions to buy an Apple..
I must say that any step away from Microsoft is a good one. Although BSD/Apache would probably handle the load better than the Apple (as would Linux) the Apple is a valid choice when looking for a webserver to serve static pages.
I also see a little bit of the 'security through obscurity' showing here; Not too many people run Apples of this caliber, therefore less people will try to hack them, therefore fewer exploits will be discovered, therefore the server is more secure.
.sig: Now legally binding!
Keep in mind that we're talking about a government web site. That means no ads. Hence, there's not going to be nearly so much dynamic content. With static web pages, the server doesn't need to do nearly as much work. I remember back in 1995 when www.dartmouth.edu came to life on a Mac, and stayed that way for a year or two.
Now the problems you're likely to see are when a server gets /.ed. Then the network isn't the issue--it's saturated with incoming requests, so forget about outgoing data. The server then has request after request queueing up. So how large can that queue get before problems show up? Will the software gracefully drop connections, or will the OS crash when some number of active connections is exceeded? Will the web server run out of memory and crash?
It looks like www.army.mil is learning about /. right now.
The only thing that was altered was a readily accessible public relations page that had little validity with much at all. Data was not compromised about anything that the army really values (missile locations, operatives, troop movements, etc). Just get Debian and the latest security fixes possibly some heavy encryption and security and there you have it nothing else is needed. Using a mac is just a temporary stop gap measure to make sure no one can in the short term do anything to the public content and make them lose face.
Slashdot social engineering at its finest
Now that the G4 means that apple is a munitions company, it makes sense for the army to support them.
I like the Macintosh hardware as much as the next guy. I can understand how the MACOS 8.* is popular. It's easy to use for normal people. Let me get one thing straight though. It is by no means a server OS. It is as much of a server OS as Windows 3.11. MACOS X is a server OS. It was written to be a server. That is why they are making MACOS X server and MACOS X client.
That's wacky! I love Macs, but I would never rely on one as a server. They make terrific user workstations, but server-stability, they have not.
-awc
(speaking for the other AC) "13 years" isn't to be taken literally. There are "script kiddiez" which already have own children.
Great. And what's the first thing we do now that they're on the Mac? Slashdot 'em. Teaches 'em for not trusting the Penguin.
no, macs are not the mac os. they come with it installed, but that doesn't mean they are actually it.
mac os (and mac firmware) do have good plug and play support (much better than windows and x86 bios). the only time i ever had to worry about irqs and other stuff in linux was on an x86 machine which had a pnp 3com nic that i couldn't seem to get working until i disabled pnp on it.
as for "a cold heartless box", is that opposed to a warm and caring mac os box?
one thing mac os definitely doesn't have, is configurability. you can't override irqs, you can't rewrite things (closed source), and most apps hide advanced options from the user (that's if they even allow you to change them at all). my biggest gripe about mac os is that apps always seem dumbed down to the lowest common denominator, and hidden options to protect users from themselves.
(btw, i used mac os for years on a 68k; then i got a 7100 and stuck mklinux on it. i've been using linux ever since then.)
In fairness, the main reason they did this IIRC is that WebSTAR doesn't really offer the same level of remote access and administration that Apache does. It is entirely feasible that Apache/Linux could be made just as secure.
Still, this is pretty damn cool, especially after seeing the G4 commercial. I hope Apple doesn't blow this marketing opportunity as they have blown many others in the past.
I use Macs for work, Linux for education, and Windows for cardplaying.
So much for people having a sense of humor. ;)
(For the sarcasm-impaired moderators: that last smiley was a wink. To show I'm being sarcastic and silly. Don't get riled up because I'm indirectly flaming moderators. I've been a moderator on many occasions. And I can take a joke. I see the 'flamebait' moderation of my previous post as a joke. So there. :)
---
"'Is not a quine' is not a quine" is a quine.
Quine "quine?
would be to convince the Army that linux or *bsd is better than Mac for web serving :)
Yes, you do make a valid point, but consider this proposition.
:)
Most people break into systems with the intent of using that system as a gateway into the other machines on the network.
So people can hack into a unix box, hide the traces of their break in, install a nice packet sniffer and such, and otherwise, use the machine to scope out the network, figure out the topology etc. etc.
A mac isn't so great at TCP/ip. In fact, the mac doesn't have a means of running a program remotely, so therefore, the worst that a scriptkiddie cracker can do is dump the harddrive. (Which can easily be remedied by backups, disk images and such) Of course, you could give me a counterargument by saying the said cracker could construct a buffer overflow such that he can write a sniffer program into the buffer, but such a cracker would have to know the innards of the MacOS inside and out, and write really, really compact code, which is pretty hard with Risc Cpu's.
I used to work at an ISP and we had 30 or 40 macs running as web servers. We had very few problems with them. As far as security goes, they're right...it's top notch on a Mac (not many ways in.)
So what would happen let's say worst case scenario and Steve Jobs decided to get his hands dirty and crack the army's homepage. All of the so called "security" for the mac would be compromised because someone (Jobs) knows a great deal about his own platform. Anyone who also programmed the http server for the mac would have inside information about its operation. The only safe thing is for the army to make a secure hardware/software platform of their own and then not publish the documentation about it. It's then even more secure than the Mac idea.
Slashdot social engineering at its finest
The fact that it is closed in so many ways is what makes it so stable. People can't screw it up by needlessly pulling its strings. And yes I do use linux, RH and KDE all the way! :)
No, I don't mean Denial of Service. Move it to {MS,PC,DR}-DOS and custom TCP stack. Nobody will ever figure out how the hell to break into you. Unless they're older than 13 years.
This news gives a little more meaning to Apple's G4 commercial about a group of tanks defending the G4 box. Does this mean Apple will announce a new color, "Army Green?"
-Vel
-
ping -f 255.255.255.255 # if only
Mac OS X is a weirded up BSD system with a bag on the side^w^w^w^w MacOS on the top.
Regards,
Sascha
Sure, there aren't many Mac Webservers out there. But as long as you take proper care of it, it makes a great server. It's not Linux, mind you, but Linux is Linux and Mac is Mac. Each does things differently. I'm sure the Army has its reasons for choosing MacOS; I doubt it's any OSS-related FUD seeing as they could have switched to one of a number of commercial Unices as well.
I know of Mac boxes that have had over a year of uptime (this was a while back, and as a consequence they were still running System 7.6, one of releases which wasn't exactly known for stability). It's all a matter of taking care of the thing.
Admittedly, though, I'm dumbfounded as to why they didn't use Apache (which does have a Mac port; a company called Tenon maintains it under the name WebTen, though I think they might have closed off their branch of the code). WebStar does have its own advantages, though.
I wonder if they'll switch to Apache/OSX when it comes out (hell, why didn't they do it now? OSX Server comes with it; even Darwin comes with it, and yes the CGI bug has been fixed).
But unless you already have the hardware on hand, it doesn't make sense (to me) that you would buy Mac hardware to run linux. Macs are nice. I like them. But Apple does charge a hefty surcharge on its hardware. If you are going to run the Mac OS, then it makes sense, and you can have a nice dual-boot system. But for a dedicated server... it doesn't sound reasonable. (Of course, we are talking about the army. :-)
I think we've pushed this "anyone can grow up to be president" thing too far.
Slashdottings aside, I don't think the army sites get that many hits that they absolutely need some fast apache box, and with as many "employees" as they have the possible extra effort to maintain the server isn't a problem either.
I could list several sites that use little old Mac Plus systems from the mid to late 80s that work just fine as webservers. Macs are unhackable in this form and contrary to some misguided individuals they are very very stable machines.
ever hear of buffer overflows? find one, smash the stack and take over. make a few toolbox calls and erase all the files on the server.
It's not that simple to erase a disk on a Mac. You have to have pretty good knowledge of the machine's configuration (including I think the HD name and a few other things that would be hard to get remotely) and it's not like the Toolbox has a single "format c:" command. Also, remember that nobody won the Crack-a-Mac contest.
Moderated up to "Interesting" ?
That story is old, old, old, old.
Memory Protection has nothing to do with the user level of a given process (program as you called it). The kernel determines whether the code being executed currently is running in user mode or root user mode or supervisor (kernel) mode. It has nothing to do with the memory mapping. Read a book or two.
Yes, this bug was fixed with a patch to OS X Server...
RateVegas.com - Vegas Reviews
I wonder if this stuff would protect a G4 from the HERF Gun mentioned on /. today...
it might, but I know for sure those tanks wouldn't. Oh the joys of anachronistic paradox.
+&x
Not true actually - of all the "Crack a Mac" contests that have been sponsored over the last few years, the only time macs have been hacked was due to new non-standard plugins to the webserver. A Mac on the net (especially without a webserver) _is_ impossible to break into without a physical attack. If you know otherwise, I'd need to see the proof before I believed it.
There are various programs (Like folderbolt) that "lock" files and folders (directories in Unix speak)...even entire disks. Like with Unix, you can attribute different levels of access...deny all, read only, write only, etc.
To kick it to the next level, every directory or file can have its own password. Once you are in on a Unix box as root, you have the keys to the candy store.
So if a wily cracker were able to take advantage of a mythical overflow, and by some miracle managed to upload executable code, when it tries to modify the read-only files, the system will prompt for a password. Receiving none, it trips all sorts of alarms.
Some of these security programs can also encrypt/decrypt on the fly.
So, the MacOS, alone, is more secure than all but the most carefully audited Unix box. Add something like folderbolt, and security is no longer an issue...even for the Army.
SoupIsGood Food
Well, if they ran Apache, they might confuse it with a certain chopper. 'That damn Apache's down again' - 'quick, scramble the fire and rescue boys...'
Just a thought....... if the box is "serving" it is a server.
eof
So why does the netcraft lookup on www.dtic.mil show Netscape Enterprise 3.x on Solaris?
Do really dense people warp space more than others?
Maybe Linux with Apache would be more appropriate as a web server than MacOS with WebStar, but which one is more secure out of the box?
...
If they chose NT in the first place, it's probably because the webmaster has little knowledge about Linux or *BSD. They wanted to have a web server that is easily administered.
Linux/Apache does not offer a platform that is easily administered and it is not secure out of the box. You have to tweak the system configuration to disable some services and install several patches to make it really secure. Even with some graphics tools for Apache, this is a combo that is far less easy to maintain than IIS or WebStar.
Because there were too many security issues with NT/IIS, they chose the most secure platform that is easy to administer which is MacOS/WebStar.
This is the best option for them, Linux/Apache will be the best option for somebody else.
Stop thinking that Linux/* is the best solution for everybody. This is not a perfect platform nor any other platform is perfect. You want people to be able to choose their OS, then stop commenting their choice with "they should use Linux", "Linux is the best", "Linux/Apache can be made as secure as MacOS/WebStar", "Linux all the way",
I'm running Linux on my laptop, I have two Win98 boxes at home, at work I use a NT box and a Solaris box... Diversity is great!!!
But don't products used by .mil and .gov have to be something called "orange booked" or something like that?
I really haven't followed that sort of thing, but I could swear I read something about a list of products that are OK'd for use by them.
Killing spammers is too good for them.
Hasn't anyone contemplated that perhaps this page is yet another hacked army page? much more subtle of course... but just as funny
If the army ever wants to do things like execute CGI's at an acceptable speed they sooner or later have to implement some secure environment to maintain their webspace. Moving towards more obscure (no flames please, they could have used eg. Apple's OS X) architectures is simply not a solution. These guys are supposed to protect our freedom and they cannot even protect a webserver?
--Coke
I think I would have to agree with you here.
I mean, the army needs the net to display certain types of data. IMHO, 95% of that data will be static (i.e. not generated on the fly from a db like /.)[Note 1]. So, why would the army need all of the fancy chmancy stuff?? Just makes things easier to break.
[Note 1]
Now, let's say that there's a conflict going on that the army is involved in.
--Would it make more sense to be trying to display troop movements online, or to use their radios instead?
--What would be the point of telnet access during an armed conflict?
--Do tank repair schedules really need to be dynamically generated?
[/Note 1]
Therefore, switching to a single-user OS on really fast hardware with a small server running a limited amount of processes seems to be the way for them to go.
Just my $0.02...
censorship is a form of noise, which actively seeks to drown out content with silence - Crash Culligan
because Linux is not very good as a server. they would do better with a BSD unix in there, not some cheap unix-wannabe knockoff like Linux.
That's a heck of a weird theory. On a single-user system, *everything* runs as root.
I've used WebStar and Pictorius before on a Mac (prefer the latter, myself), and it's not half bad as a web server, but I wouldn't put anything stressful on 'em, as I'd be afraid of stability problems.
Remember, Apple was the last big OS vendor to fix the ping-o-death problem (took 'em until MacOS 8).
--
Interested in XFMail? New XFMail home page
"open source software, on the other hand, allows you to check the source yourself (eg, grep strcpy *.c) and quickly fix known bugs. "
:-)
Um, it's the unknown bugs that are the problem. Making source available does not always result in fewer bugs. At all. There are plenty of rock solid closed applications, and plenty of flakey open source applications*. People who want stability go with stable software, wherever it is from.
The fact that there are fewer crackers or scripts targetting Mac OS does not make Mac OS more secure - but it makes it much less likely to be compromised.
In real life (i.e. the time spent earning your rent/mortgage), running a web site that is unlikely to be hacked is often more useful than running a theoretically more secure one that is likely to be hacked.
*If you really don't believe this, email me for a list
-----
Unless they're older than 13 years.
_ But, aren't the people who hacked into the sites older than 13 anyway? Aren't the majority of the people who hack into sites older than 13?
_________________________________________________
I could be way off my rocker on this one, but I'm just wondering...
Insert mind here.
Macs are the MacOS. If you take away macos then you have nothing left. The macos is the most elegant os ever devised and allows for true plug and play. The only thing that came close as far as I know to the same level of plug and play were the next, amiga and atarist systems. MacOS is integral to the Macintosh experience. Without it you just have a cold heartless box without the functionality and fun.
Well, actually there are radar-absorbing materials, in addition to the facetted surfaces that merely 'deflect' the radar energy. (mind you, this is from watching the Discovery Channel waaay too much :-) )
It is true from what I recall that the major radar-evading mechanism of the f-117a is the physical structure which causes the radar energy to be reflected by flat surfaces, rather than by rounded surfaces on traditional aircraft that provide the tell-tale signatures that radar systems key on.
But, in addition, radar absorbing materials are used in the construction that reduce the energy returned from critical areas like bomb-bay doors and the canopy.
Don't agree? Check out howstuffworks.com
Well, I guess that renders moot the comments about the mac not being slashdotted, eh? ;)
Geeky modern art T-shirts
What is this ad about? I don't think it's hit the airwaves where I live yet.
Slashdot social engineering at its finest
linux geeks are even more self righteous than mac geeks. and that is OK i guess, as i am quite the self righteous mac geek... yes, opey, even a mac makes a great webserver! WebSTAR can be easily remotely managed with its Admin app, which, btw, uses port 80 and an encrypted connection. i have an iMac 333 with 160 MB ram running os 8.6 webstar 4.0, Lasso middleware and filemaker with 50 virtual domains on it. i get 130,000 hits a week, (which isn't much), and it is idling! The army's decision to go with a mac just underscores the fact that the mac can and does perform better than NT, and is MUCH easier to manage than NT or any flavor of UNIX...
yep. Right Here
Apache on MKLinux I can understand... but MacOS is evil.
If they coded a small optimized kernel that did nothing but run a given web server that was only programmable by removing the disk and inserting it into another computer (hot swappable hdd's rock) then I suppose you'd have the world's most secure web server. You could even be lazy and just use your favorite open source kernel with EVERYTHING removed that gives it a user interface of any kind or lets any non httpd services run and all the security features turned on.
Of course the down side.. it'd be a major pain to work with. I work with Windows & Macs daily, they make me want to commit suicide, so it's about the same situation. Also is it really that important to keep your web site from being hacked? I mean keeping people from hacking in and jumping to other computers in your network is important but what the @$%*# do I care if they change a few web pages? I keep backups for exactly that reason, just restore and start looking for the security hole. The MOST I'd do is reformat and install again to make sure they didn't leave any trapdoors. Last time I had to restart Linux I had all my data files in a separate partition so that was simple, the entire install took less than 15 minutes and about another 15 minutes to restore my settings and all user information. If you're really concerned about the security you can always recompile with all the security on, better optimization, etc and save it to a cd-r.
At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
Ah, cool, thanks for clearing that up. What about its TCP/IP stack though? Is it based on BSD's still, and hence still filled with the fun vulnerabilities (such as Ping O' Death)?
---
"'Is not a quine' is not a quine" is a quine.
Quine "quine?
...why not use some of that radar-absorbing material that the air force uses on their stealth aircraft?
A stealth Mac.
Tres-cool, IMHO.
censorship is a form of noise, which actively seeks to drown out content with silence - Crash Culligan
Mac OS X is Unix based so if they are running it there then a command line is accessible. Got telnet FTP and all the other fun stuff. The World Wide Web Consortium document applies to Mac OS 7.5.5, 7.6, 8 etc.. I would assume they are not using OSX because they are running WebStar instead of apache but you never know do you.
Most computers are more than powerful enough to flood a T1. I am sure the of has plenty of horsepower.
As for security. Most of the apple web servers use Apple's fairly old ACL per directory for file sharing. The permissions are secure and have stood up to time. As far as connecting to the file system from remote if you use another Mac it does indeed encrypt the passwd.
The Mac has very limited functionality for networking built in on MacOS, this makes it more secure. Apple fixed the TCP/IP large packet bug back in 1995. The current IP stack is fairly fast and based on the System V streams type TCP/IP stack.
Most of the Apple web site security issues have been from Filemaker integration. Filemaker is a GUI DB for MacOS (it has issues).
One of the other advantages to not having any cosole based applications, no concept of standard in and standard out, is if you do run an application on the Mac it doesn't do anything usefull. Also MacOS doesn't have any sensible kind of IPC or RPC support so even if you can compromise a single application it is extremly difficult to get to the operating system or another application.
If you did use Perl, your perl scripts need to be safe. But again on a Mac, there is no plain text file that you could grab security information.
Open BSD could be made equally secure, but it would take lots of customization and intelligence about it, the Mac is VERY high security for default configuration. Though flexibility is an issue with Macs.
"His[Mankind's] heaven is like himself: strange, interesting, astonishing, grotesque." -Satan "Letters From Earth" Mar
Umm, no.... it came up just fine.
We've run mac servers for various things. Guess what- they all work well, and they all handle a load just fine. Just because the OS doesn't support pre-emptive multitasking, it doesn't mean that the applications can't be multithreaded. If you only have one process running on the machine, which is a well written multithreaded server application, your machine should be solid. The application can handle all preemptiveness itself between its own threads. Sure, this makes programming a little bit trickier, but it can be done. The only thing that you may end up taking a hit on are the creation and destruction of threads, and I/O if the threads are requesting I/O at the same time.
Oh, and one more thing MacOS's TCP/IP stack is multithreaded as well- something that Linux is currently lacking (not to mention a main performance roadblock).
You mean, as opposed to NT?
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Macs make secure web servers because they don't have anything to exploit. How the hell are you going to exploit something that has NOTHING listening to the network except an HTTPD listening to port 80, delivering a static page. About the only thing you could try is a DoS attack. *NIX boxen usually have 50 daemons running, and often crazy protocols like NIS that make them wide open to attack. WebStar is a solid HTTPD, too. Despite the comments here about Mac OS stability, the fact of the matter is that most of the problems with it are due to lack of memory protection. If you are running a solid application that doesn't have memory leaks and wild hair pointers, it can be very stable. I ran a Mac OS server with AppleShare on a UPS that had an uptime of 3 YEARS. That is stability as good as you can get on any system. In reality no server is any better than the stability of the network applications it runs and the OS, and the fact of the matter is if you are careful you can find good Mac OS versions and good applications. Mac hardware was generally better engineered than the PC equivalent (lack of cost pressure I guess) so you had that going for you too. One writer here mentioned Mac OS on a 7100. THAT IS A VERY BAD COMBINATION. The 7100 is a kludge, being the first PPC Mac pasted onto an old Nubus architecture. The Mac OS of the same period had a very crufty emulator as well, and the pair really were unstable. But not all Macs are that way....
That's funny. I do just that. A 7200 running LinuxPPC r4. Granted, it only has an ISDN line it can saturate, so that's not too hard...but if people tout 486s running Linux for a web server...well, a 7200 has quite a bit more muscle than that.
pooptruck
I run a webserver on a 6100 and it's rock solid - no need to reboot for something like 3 months now, would have been more but I upgraded the system to 8.6 which was one reboot.
:)
Server
There's nothing there now though, all the real content has been moved but the server still exists
I also have some friends that run a pretty huge commerce site using Macs running Webstar and Filemaker Pro AV-Store as their main set-up very happy with it although they will probably move to OS X Server with Apache and Web Objects soon......
Troc
Troc's dubious podcast and blog: http://www.trocnet.net
Macs are great, I wish I could afford one. I think a mac would make a great server. They seem stable enough, you could even put a *nix on for command line functionality. Doesn't the BSD's also support the mac family of processors?
Microsoft aggravates my tourettes syndrome.
I found the 'divide by zero' excuse really amusing, and the response that a $2.95 calculator cannot be crashed in this manner is priceless!
======
"Cyberspace scared me so bad I downloaded in my pants." --- Buddy Jellison
Sacred cows make the best burgers.
remy
http://www.mklinux.org
AFAIK if they are using Webstar they must be running MacOS 8.x, not MacOS X server as some previous comments suggested.
In the June 1999 issue of MacTech Magazine there was an interview with Chuck Shotton. He is the guy who created, in 93, the first Mac http server MacHTTP, which later became Webstar.
In the interview he explains how they made Webstar into a high-performance web server. To summarize:
a) use of caching to avoid hitting on the dog slow MacOS filesystem
b) optimizations to have the right balance between I/O time and calculation/processing time
c) taking advantage of the MacOS thread manager and the fact the MacOS 8.x is NOT a preemptive multitasked OS.
c) will sound odd to most; what they do is that since the app has control over the preemption (rather than the OS) they use that advantage to minimize the number of context switches, etc. i.e. they have their own highly tuned and specific scheduler rather than relying on the generic scheduler of the OS.
This is pretty cool on a dedicated MacOS box that just does web serving.
As for MacOS crashing, my router is running MacOS 8.6, it has been up & running nicely since I last booted it, one month ago; it has never crashed so far.
Note: I'm not saying MacOS is the best, fastest and most stable OS out there; just that for some applications a Mac can be stable and plenty fast.
As far as security goes, since you can't remotely login on a Mac and since there is no shell, you don't have any risk of someone exploiting some buffer overflow bug or remotely using the box. (Note tho that you could add software to control your Mac remotely, like Timbuktu or VNC, but then you are taking risks, as on any other OS with such means.)
Just my $0.02
Janus
You can't run a web server on MacOs, that's why most folks don't.
:)
Makes sense, right? That's what you said...
MacOS isn't a server OS, so you can't run a web server on it...server OS's are either Unix or Variants thereof, or have the word "Network" or "Server" in the title.
So you can't share files with a ton of networked users reliably, let alone run say, a website that's been online for years, serving like, what close to a million hits a day, with virtually no downtime or successful intrusions.
It just can't be done
-K
One day, you'll learn to watch what you post...
This is a very ignorant comment. If you don't want to run any daemon on Unix it is very easy: just strip everything in /etc/inetd.conf and everything useless in /etc/init.d/* ; should take about 2 minutes. Reboot and do a "ps -awux" to double check.
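One way to script the inetd.conf check that the comment above describes, as an added example that is not part of the thread: it lists the services an inetd.conf-style file still enables and writes a copy with them commented out. The function names, the `#DISABLED#` marker and the sample file are constructed for illustration; nothing on the real system is touched.

```shell
#!/bin/sh
# Added example: audit an inetd.conf-style file for enabled services.

# Write a constructed sample inetd.conf to the path given as $1.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, typical of an old default install
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd

finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
echo    stream  tcp  nowait  root    internal
EOF
}

# Print one "service/proto -> program" line per active entry in file $1.
# An active entry is a non-comment line with at least six fields:
# service, socket type, protocol, wait flag, user, server program.
inetd_enabled() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        NF >= 6 { printf "%s/%s -> %s\n", $1, $3, $6 }
    ' "$1"
}

# Copy file $1 to $2 with every active entry commented out, except the
# services named in the optional space-separated keep list $3.
inetd_disable() {
    src=$1; dst=$2; keep=${3:-}
    awk -v keep="$keep" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # comments and blanks pass through
        NF >= 6 && !($1 in allow) { print "#DISABLED# " $0; next }
        { print }
    ' "$src" > "$dst"
}

# Demo on the constructed sample in a temporary directory.
demo() {
    d=$(mktemp -d)
    write_sample "$d/inetd.conf"
    echo "enabled before:"
    inetd_enabled "$d/inetd.conf"
    inetd_disable "$d/inetd.conf" "$d/inetd.conf.new"
    echo "enabled after: $(inetd_enabled "$d/inetd.conf.new" | wc -l | tr -d ' ')"
    rm -rf "$d"
}
demo
```

This covers only inetd-launched services; daemons started from /etc/init.d still need the process-list check the comment mentions.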
I hate to be the bearer of bad news but the Netcraft What's that server running says :-
www.hqda.army.mil is running Netscape-Enterprise/3.5.1 on Solaris
I know Netcraft say that they are not 100% though.
Isn't the whole concept of a mac to make even creating an ai or finding the meaning of life to be made as trivial as possible in all circumstances?
There's nothing wrong with their choosing a Mac. It is more secure, and it's probably going to be just as fast. If you're just going to run a web server, why choose an operating system that has dozens of vulnerabilities published each month?
Perhaps that just goes to show "linux sux"?
I don't think so.
If you must indiscriminately bash Apple, at least pick your fights a little more carefully.
Actually for a target like a military organization, it's tough to say. However if you set up the PPC correctly you can have a very secure webserver that can back up over the network without fear of security issues inside the network.
What you need is the Mac, and a second NIC. Running non-MacOS X set up the web server. Set the first NIC in OpenTransport to use TCP/IP and set it up appropriately. Now run a cable from the _second_ NIC to the backup/storage(EMC?) server that should be behind the firewall. Have this NIC run AppleTalk through the AppleTalk control panel. THIS IS SECURE because without 3rd party extensions or AppleShareIP Server a Mac CANNOT communicate TCP/IP over 2 NIC's or Appletalk over 2 NIC's. Thus you have the webserver using TCP/IP and the backups and updates coming in through File Sharing using Appletalk. It's very easy to set up and it works very well.
Since the Mac has no command line by nature it is very hard to breach security, and any breach would come through the web server itself or directly through memory manipulation of the TCP stack (ha!). The only way to get into the other network would be to have GUI access to the server, which can only be done with more 3rd party extensions.
my login may not be working, but i am chainsaw1 (chainsaw1@hotmail.com)
Wow. This is pretty impressive.
dillrod
Linux on the other hand can be very secure, but only after it has been properly set up, by someone who knows security and Linux well.
Which brings up the question, "Why has no one offered a distribution of Linux specifically geared towards web serving". Such a distribution would be great. One that leaves off all the unnecessary protocols, daemons, and such. One that forces you on initial configuration to set up all the necessary security blocks. And finally, one that makes it easy to begin webserving, by supplying Apache already with SSL, PHP, and mod_perl; MySQL; Perl with DBI and a CPAN that works, etc... Such a distribution would firmly seat Linux as the best webserver platform.
But as it is, it's tough getting a webserver up securely and with all the bells and whistles under Linux. I wish it were easier.
Rikkers
Yes, you could make root access impossible but from the console. You could completely remove the su program, for example. You can also disable all SUID and SGID programs, depending on the UNIX you're using (and in some cases, whether or not you have the source).
More mundanely, you can restrict root login to the console, then using a combination of encrypted connections (such as SSL), proper security management of running services (um, Webmasters, read the WWW Security FAQ...and other info at: http://www.w3.org/Security/), and such tools as IPchains you CAN make UNIXen secure...
Kernel hackers can put together very secure UNIXen when needed. In fact, there are UNIXen which have been made C2 secure, but I am unaware of Mac or Win systems that have done this.
Yes, if you use a less feature-rich OS like the MacOS you need to do less work to make it secure (to the levels it can be)... just like it's easier to repair a Volkswagen than a Ferrari...
o/~ we are pissed, we are pissed, we have to resist... o/~ - ec8or
While I respect the opinions of the author, I'm not entirely sure I agree with everything he has to say.
remy
http://www.mklinux.org
So what? Just switch off AppleTalk entirely. I have seen "hacks" to get FileSharing started, but they worked only when AppleTalk was already running.
Never seen a hack to start AppleTalk on a machine where it was off.
Regards,
Sascha
www.dtic.mil is running Netscape-Enterprise/3.6 on Solaris
I would have to agree with the ppl above who see this as a sensible move. A lot of the places I come to put default installs of most software on their systems. Lack of knowledge about the systems you work with is not a good thing (tm) and with the complexity of some systems you can't blame it all on a stupid sys-admin. Microsoft software for example is notorious for the stuff that's enabled when you choose a default install.
One of the key things in security is not putting doors where you don't need them. MacOS doesn't have any doors by default. You can laugh at this or you can judge it by its merits as the U.S. Army did.
Message on our company Intranet:
"You have a sticker in your private area"
beauty is only a light switch away
They got smart and dropped NT?!?!
Does this mean we have to take Army Intelligence off the Official Oxymoron List :-)
Well, the TCP/IP stack supports MultiHoming, Limited Defence to DOS attacks (this gets better with every release), and all those goodies. The only chance of cracking a mac remotely is through Apple Talk services (which are currently being transferred to TCP/IP) or if there is some remote administration in your Web Server. Well, Apple Talk can easily be disabled (so that the libs are not even loaded at startup). AppleScript can be used as a CGI, for dynamic pages (IIRC, it is also being changed to a more PERL like structure) and since the only remote access to AppleScript is by AppleTalk, simply disabling Apple Talk stops any potential issues that MIGHT arise. For MacOS, especially with AppleTalk turned off, there are no services to break into. None. It is vulnerable to DOS attack, but, IIRC, less vulnerable than NT (which isn't saying much)
My 7100/66 (running MacOS 8.5) is as stable as a rock! This thing runs rings around the first generation PCI Macs in terms of stability. I admit, things were a bit shaky during the dark emulation days, but since 8.0, the thing has just been unsinkable.
shit man it doesnt count if you're sitting down in front of the damn machine.
the page that is linked directly loads up fine, but http://www.army.mil/ is choking.
give me some numbers -- serving a web page out from hanks deli down the street doesnt count.
one process? what happens if you try to do anything else?
ooooo multithreaded tcpip, i guess why the majority of web servers run macos. . . or am i wrong?
I may not have the most knowledge in this field but I always assumed that the majority of exploits were based on buffer overflows that allow the cracker to execute arbitrary code supplied whilst overflowing said buffer.
The code that would then be executed would not necessarily depend on a CLI or plenty of ports open.
Therefore, I can't understand how not having a CLI or plenty of TCP/IP applications makes a web server intrinsically more secure. Can anyone enlighten me?
it does not absorb radar it just deflects it in a different direction. ugh
Just point netcat at one of the servers to determine if it's Apache or not.
No need for conspiracy theories.
> My point is, thinking Linux is the correct OS for every application (and advocating it that way) is just plain naive.
I think you have a brain and are able to make logical conclusions. We don't need no people like you here. Please go away and let us flame the army for not using Linux.
actually its loading up for me now, but 20 mins ago. . .
I guess the army wants the world to think that they "think different."
i just put in
The first contest I saw along these lines took place some time ago - I'm thinking as far back as '96, IIRC. However, every once in a while, you'll see one pop up. (Although, I have to admit I haven't seen one for Macs recently.)
In the end, this comes down to the classic bugaboo of functionality vs. security. Any system that provides for remote administration is going to be subject to attacks. Moreso if it's an unencrypted channel. And the more services you run that listen to ports, the likelier it is that one of them will be exploitable.
By the way - in one instance, the web server was cracked due to a configuration mistake. Only goes to show - it doesn't matter how good the system is if you don't take the time to configure it correctly.
Now we know why the G4 Mac has been classified as a weapon...
Did the MacOS X guys fix that problem yet where running two instances of a CGI binary simultaneously would cause a bomb screen? Oh well, at least Macs can't be hacked - it's not like you can get a rootshell on a system that doesn't have a shell. :) (Yeah, I know, there's CLIs available for MacOS, and there's probably telnet servers too, but it's still fun to make fun of.)
"Welcome to iArmy"
---
"'Is not a quine' is not a quine" is a quine.
Quine "quine?
You would think this was funny if you had seen the most recent G4 apple commercial.
Sosumi. just kidding. DONT!
AFAIK, the pre-OSX Mac still runs all code in supervisor mode. Even if this has been fixed, if there is no memory protection, then you can overwrite the kernel, which obviously runs in kernel mode, so the difference is moot. And finally, unless I am mistaken, the most important difference between user and supervisor mode is that the former is subject to memory protection and the latter is not. All of these issues are closely interrelated.
as macs virtually no way for remote intrusion...best you can hope is to knock 'em offline.
Makes sense to me when remote admin is a non issue. Run a machine that can't be accessed (for the most part) that way.
And yes, I realize you can run a multiuser system like linux and close all the ports but 80.
I think they wanted to go to the next level, as it were...
-K
One day, you'll learn to watch what you post...
If the Army's looking for reliability, they just made the best choice.
My homepage is served up from a Mac running WebStar. (www.nls.net) It's running MacOS 7.6.1, and has an uptime of well over a year. So long as you don't play with the box, and don't run MacOS 8.1, you can keep a WebStar box up for far longer than an NT box, and longer than many Linux boxes I've seen. Plus, with MacOS' actual genuine lack of protocol support, you've got less risks. Lack of multi-user also is a serious advantage as there's really no way into the box. By keeping you out of the network, and off it, MacOS has made itself probably the most secure operating system in existence.
And I don't wanna hear no 'blasphemer' rants and such. I personally hate MacOS, really. I run PowerPC's at home, and they don't run MacOS. But facts are facts. And you need to be willing to accept that before you can call yourself any sort of computer 'expert.' No two OSes are created equal, but they're all good for something.
I do give them credit for dumping the NT server, but Macs? I think it is a ruse and they are actually running Apache...! Let the conspiracy theories begin!
"When I look down I miss all the good stuff, When I look up I trip over things..."-Ani DiFranco
the mac will be multi-user capable starting with os9. link: http://macweek.zdnet.com/1999/09/05/osxing.html. and with respect to the comments about the macs, i have a design office, so we use macs. but we also have several cobalt servers and an osx server. the cobalt is of course easier to administer and stable. the linux community needs to focus on use and the appropriate level of interface for various tasks. osx will be a good operating system for the computer challenged--and needs to be simplified for certain users. as linux and bsd begin to permeate the os market, other companies--apple, cobalt--will provide functionality for user groups--interface--adding value to the core os.
"There is no surer way to ruin a good discussion than to contaminate it with the facts."
I've been reading the replies to this article and I have to say I am simply *astounded* by the ignorance towards the Mac and MacOS that I have read.
I logged onto the Army site and it came up really fast. It was not Slashdotted as many other sites get after being listed on Slashdot. One ignorant reader even jumped to blame the MacOS because he was not able to get onto the site. I've got news for that person, there are many reasons *you* can't reach site, the most likely is that the problem is the connection between your client machine and the server. Also, does that same reader blame Linux when Slashdot had all the frequent downtime not too long ago?
Another reader mentioned that the server probably cost "1000s" of times what their (certainly hypothetical) presumably Linux server would cost. When is the last time he/she shopped for a Mac? I've got news for you, Macs use all the same components as PCs these days and cost about the same for a *comparable quality* PC. Apple simply chooses higher quality parts than the crappy machines one can buy at CompUSA and, worse, Circuit City. Oh let me guess, that person is going to "put together" their own hand built machine. Good for you, I just wouldn't want to be the poor sap who has to maintain your little computer project when it has a hardware problem. I mean who would I call for customer support? You? Give me a break. You just want an excuse to bill your client.
Then there's the *cost* of maintenance. The Mac server will be configure and forget. Configuration will take about 15 minutes. Let's use a 14 year old boy who can do it at minimum wage, that's about $1 for his time. Now a Linux server is going to take, what, all day, to configure with security. At $100+/hr that's about $800 setup fee. Oh and what happens when your Linux server gets cracked because you didn't hire the supreme Linux security gurus (for much more $/hr) - or the latest security flaw of the month in Unix is discovered? That costs money to fix too.
And then there's the people who think the Mac needs to be re-booted once a week. That was about 5 years ago with MacOS 7.6. Today's Macs with MacOS 8.6 will probably need to be re-booted only when replacing the hard drive or an extended power failure. No, the memory is not protected, but at least the web page is from crackers.
It's not like the Mac does not have protected memory. Apple makes a server OS called MacOS X Server and it does. But it also has the underlying security issues because it is based on Unix. The (wise) managers don't want to have to deal with crackers - Get it?
To all you Linux bigots, I hope you don't break your arms patting yourselves on the back for putting down the Mac server. The Army's Mac is running great and makes a great web server. To Roblimo I have to say that the only thing that is funny is the attitude that Linux is superior to all OSes for everything. Some of us just want the job done and don't need to show our "superior" computer skills because we understand a CLI and our manager does not. Enjoy yourselves in your hacking, I've got work to do!
everyone keeps saying "use linux, not a mac". macs are hardware, linux is software; so that statement makes no sense. as for me, i run linux on a mac.
The fundamental effect is that there is no door. Without a door, there's no lock to pick.
Dillrod
One of the things a Mac has going for it, as a web server platform, is that it is not multiuser. Neither is NT, really, but Microsoft has added enough multiuser features to it to make it exploitable (install IIS and you get a dozen services by default, like echo, time, chargen, and other services). With a Mac, there is none of that. Run a web server without CGI access (put a few CGI scripts on another machine running a Mac-native scripting language/environment like Frontier) and you have a near unexploitable machine. One that is of limited functionality, but why should a web server do dozens of things? Most sites are not like slashdot, and use 99+% static content.
With the new G3 and G4 (I haven't used a G4 but the G3's are very fast) processors, Macs are becoming fast machines. Would I run a web server on a 7200? No thank you. Not even on one running NetBSD or Linux, the machine just doesn't have the capacity. But MacOS 8.6 (or whatever) on a G3 or G4, running a dedicated web server program could potentially be a great idea.
darren
(darren)
That's funny.
/me points and laughs
Now let's see:
First globalHell created chaos as well as plenty of other script kiddies on their servers right after the staff of www.eeye.com released retina, then they went ahead and issued an FBI hacker hitlist to go after a bunch of teens.
What a waste of money since they should've gone ahead and used it to secure their networks.
Anyways I can see them using Macs running PPCLinux but I hope it's not the atrocious MacOS...
So what's the order like? 10,000 Lime Green iMacs? Or is Apple going to make a special colored camouflage "Army Mac"?
;)
Want Root?
That's funny.
Dillrod
> Teaches 'em for not trusting the Penguin.
Fight everything that's not Linux.
Really stupid...
As much as I love Linux, there are more open ports in your standard issue distribution than you're likely to find in an average brothel.
:)
That's the best quote I've heard all day.
This is absurd. There's much more to security than whether the system includes a command line. Someone argued that a single-user system is more secure than a multiuser system because it has no root account. That's a complete crock. The MacOS (pre-OS-X) has no memory protection to speak of. So *every* program runs with what amounts to "root" privileges.
If you exploit a buffer overflow in Apache on a multiuser system you end up with access restricted to whatever user the daemon is running as. But if there is a buffer overflow in Webstar or any scripts it calls on the Mac, then exploiting it gives you root-level access to the entire system. Sure, you have to do something more clever than just spawning a /bin/sh, but, hell, if you can run arbitrary code with operator-level access I'm sure you can think of something. One more reason why designing a system for multiuser access from the beginning is simply a Good Thing, whatever the disingenuous claims of MacOS apologists.
I used to run LinuxPPC on my 7200 and it was alright... but only after i had 256 of RAM... The Army, having switched from one platform to another, probably might plan to go MacOSX Server or LinuxPPC in the future... but probably won't, knowing them, until someone does something stupid again... either way, the G4 smokes. We have two of them here at work and on photoshop they are ridiculous. without the altivec "Velocity Engine" -enable Steve's RDF- it's only about 30% faster than the G3/400 we have. either way, it's a step in the right direction.
In
You break in, change the webpage to call me a stupid so-and-so or something, and we're even :)
:)
;)
All cgi, and java servlet capability will be turned on...
You game?
Like I said, the best you can hope to do is send stupid amounts of packets, but you won't succeed in much else...
I'm sure there *must* be *some* exploit out there...
As for security via obscurity...
Naah. Security is security. Unless you come here and unplug the thing, I figure you ain't got a chance in hell
just email me if you are interested (anyone) I got a pretty fast machine here and a decent link to the net so...
-K
One day, you'll learn to watch what you post...
A lot of posts here are calling for a Linux/Apache solution to the Army's problem. Ahem... [[stepping on soap box]]
Keep in mind what these army folks were looking for: a secure, virtually administration-free, relatively stable webserver that is resistant to remote attacks. For that application, a Mac server makes sense.
Why didn't they choose *nix? The admins probably aren't big tech heads, and the fact that several flavors of UNIX are free probably scared off their superiors anyway. But for this application (remember, they're concerned with remote attacks) I'd say MacOS is definitely more secure for a couple of reasons:
- No shell, thus no root shell (duh!)
- The lack of publicly known kernel knowledge (has anyone even tried hacking a Mac?)
- Not multi-user
- No remote access
My point is, thinking Linux is the correct OS for every application (and advocating it that way) is just plain naive.
--Mid
Well maybe they did, but they're running web star under mac os.
I've used web star in the past and here's my take- it's a fine server, but the fact is that macs _crash_. Ask anyone who works on a mac all day if they have freeze ups or have to force reboot often. This just won't do for a server. If a daemon dies on a *nix box you can at least telnet in and reboot it, but if your mac freezes and you're away from the office it's time to jump in the car and reboot the damn thing. I dunno- maybe the g3s and g4s are more stable than the older power pcs, but i'll take apache on a linux box any day over web star on a mac.
So he messed with the Army. His punishment should be let the Army mess with him. How does 3 months of boot camp sound? Get a drill instructor like the one from "Full Metal Jacket".
Our typical uptime between crashes was 2 months - and nearly all of the crashes were attributable to power surges getting through our UPS. Of course, that was before denial-of-service attacks became popular, but I also filtered nearly everything out at our Cisco router.
At the time, Macs were something like 15 or 20% of installed webservers, IIRC, believe it or not.
I'm about to install a headless web server at my ISP. It's an iMac chassis without video, I'll install MacOS8.6 with the absolute minimum of extensions, WebStar and Timbuktu for remote admin. I'll also use an external watchdog power strip which will reboot automatically in the unlikely event of a crash.
Well, this makes sense. If I take the engine out of a car it's much less likely that someone will drive off with it :)
If they don't really need the extra features a Unix would give them, why not use a braindead system which happens to give the webserver complete control of the computer and has almost no capabilities to exploit?
Daniel
Hurry up and jump on the individualist bandwagon!
Though it is more difficult, you can still hack Macs. The ease of doing so depends on how the Mac is configured, and whether or not third-party apps such as Timbuktu and Mac command line and telnet add-ons are running. Even without such enticing additions, if things such as AppleShare are left on, there are holes.
Like any system, if it is properly administered it can be secured, and if not, there are ways to break it wide open...
If you need the power of a better OS such as Linux or BSD, you'll need to do more work to get the same level of security than on a Mac, but it can still be done. It's all in the skills of the administrator...
Want to hack Macs, or prevent it? Go to:
http://freaky.staticusers.net/index2.shtml
http://www.securemac.com/
http://www.l0pht.com/~spacerog/
o/~ we are pissed, we are pissed, we have to resist... o/~ - ec8or
This is because I seriously doubt that there is -one- machine running the website. There are probably half a dozen performance-tuned Macs. (Like performance tuning a Honda: you -can- do it, even if it isn't as cool as hot-rodding a V8 muscle car). I reloaded www.army.mil a couple of times, and it always came right up (I'm on a T1).
Way back when the web was new, Mac OS boxes running Webstar configured into a "RAIC", or "Redundant Array of Inexpensive Computers", were very common for high-traffic sites. We call 'em server arrays today, but the concept is the same. Lots of small computers all mirroring one another, with a slick DNS server set-up to handle load balancing/distribution. Then NT came along, and webmasters suffered greatly. Now the pendulum is swinging back, and the Mac and Linux are where it is -at-...
SoupIsGood Food
That is exactly how I run mine, headless with TB2 for admin - just remember that TB2 won't initialise the remote control stuff unless it sees a video card. This is a problem on my 6100 because it doesn't initialise the video card unless it sees a monitor. I got round that by putting a mac -> vga adaptor on the end of the video card :)
Troc's dubious podcast and blog: http://www.trocnet.net
They all used Macs. They are so 31337. What's good enough for our nation's crackers is good enough for Unca Sam.
This message brought to you by the Council of People Who Are Sick of Seeing More People.
.. in "Practical Unix and Internet Security" (the Safe Book, IIRC) that use of the Mac is preferred, though he was referring not to OS X (since it didn't exist yet) but the regular MacOS. His theory is that the single-user system is tighter without a root account, and you can tighten things down without ever having to worry about someone getting root. Not sure I can totally buy it. It's in the index somewhere, I forgot the page reference and I'm not sure where my copy is right this second...
ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
So any knowledgeable hackers want to enlighten the ignorant among us as to the virtues of Mac web servers? I'd be really interested how they stack up to the favorite Slashdot choices such as Linux, OpenBSD (I mention it over other *BSDs because of its emphasis on security, but obviously hearing about {Free,Net,*}BSD would be cool too), and even commercial Unices like Solaris. Any takers?
----------
In a real emergency, we would have all fled in terror, and you would not have been notified.
Anything that dumps on msoft is probably good, even if it is apple. Wonder how long their mac will hold up....
"We are all geniuses when we dream"
- E.M. Cioran
Hmmm, Ok. Cool, never would have thought to take that route to strengthen my IT shop. But hey, if it works, more power to them.
-Master Switch, one more element in the machine
Netcraft tells us:
www.army.mil is running WebSTAR/4.0 ID/70636 on MacOS
And it's not a G4.... the headlines on www.army.mil tell us that it is a G3...
First the U.S. Navy abandons Microsoft and now the U.S. Army. Microsoft may have won the battle, but they're going to lose the war.
The heavily trafficked MacIntouch uses Webstar. So, I would say that MacOS is a stable platform for a webserver, but no barn burner by any means.
remy
http://www.mklinux.org
As for MacOS crashing, my router is running MacOS 8.6, it has been up & running nicely since I last booted it, one month ago; it has never crashed so far.
Ditto here. My mac is the firewall/router for my home network, it's problem free. Only time I reboot the darn thing is when patching the OS or upgrading the router software (IPNetRouter kicks ass!)
Macs are a very secure web server. However, I've got to question how good of performance you'd get out of them. Based on the current OS, I guess it would be a question of the server package.
On the other hand I suspect that MacOS X isn't any better than your average UNIX box, if that good. So in this case you'd be better off running OpenVMS or OpenBSD.
I'm sure MacOS won't be as stable as Unix or NT, but because it is a single-user operating system, it can be (and from what I've heard IS) more secure than multi-user systems.
Sure Unix and NT can be MADE secure. But if super-user access is only from the console, you've wiped your plate clean of a lot of headaches (and the ability to administer remotely, however).
Can you isolate root access to Unix to JUST the console (not even su would be available)?
Ok, I may be wrong as it's been a while since I've used a mac, but here's my outlook:
First, on a mac, you can't get remote access. Sure you can hit a buffer overflow, attempt to execute the risc code to change things, but as someone else stated, with the "name" of the hard drive, you can't kill things.
On a [linux *bsd macosX] box, it'd be possible to start other daemons through a buffer overflow. They could be deleted totally, but that's still one more step for them to botch up.
On a side note:
The admins for the military aren't ALWAYS the best trained (ok, possibly flame bait, but my brother is an admin for the marines, so I have a good idea of what he was and wasn't taught...incidentally they're still using NT)
For super secure stuff I sure as hell wouldn't run linux. Every week some unchecked piece of GNU software has a buffer overflow. I'll use OpenBSD which is way more secure.
Like the article said: No standard command shell, and no remote login capability. Makes it really hard to break in. I believe that, in the "Hack a Mac" contest that ran a year or two ago, the system was only compromised through a flaw in a third-party plug-in.
With a Mac, you don't even have to give up your networking. The Mac is quite happy to talk AppleTalk through its serial port or second Ethernet while it runs Internet services on the primary Ethernet. Not that I'd recommend it for a machine that sits outside the firewall.
Of course, once they get tired of the MacOS, they can just as easily convert over to LinuxPPC... but a system is only as secure as the administrator makes it.
I don't know. I can't say as I have ever heard great things about Mac servers in general, or Web servers specifically, and I hear a lot about servers. I don't buy the reasoning about Macs not having a shell, so they are harder to break into. If you secure your server, and follow good practices (like having the doc root and the server root in different spots, etc.) you shouldn't have much to worry about. I guess whatever works. If (or more likely _when_) they find out it doesn't work for them, maybe they'll move it to a different server.
-JEV
and became aware of the LinuxPPC challenge.
Pork is not a verb
Interesting that they should post that article on a machine that is running Netscape-Enterprise/3.6 on Solaris. Has anyone seen the documents they refer to at w3 that describe Macs as being the most secure web servers?
I guess the lesson is: don't try and fix your mistakes (like scripting problems), just blame the software and change it completely. It's too bad that the army can't blame NT or IIS (or whatever webserver they were using) and instead says "MacOS secure because you can't login." Wow. Security through lack of capability! Great stuff. Why not Linux?