Another OS X security article on The Register (Security Focus)

Discussion in 'Apple' started by Ilgaz Ocal, Feb 8, 2006.

  1. Ilgaz Ocal

    Ilgaz Ocal Guest

    Apple's in the eye of flaw finders
    By SecurityFocus
    Published Wednesday 8th February 2006 11:07 GMT
    At the recent ShmooCon hacking conference, one security researcher
    found out the hard way that such venues can be hostile, when an unknown
    hacker took control of the researcher's computer, disabling the
    firewall and starting up a file server.
    While such compromises have become common in the Windows world, this
    time the computer was am Apple PowerBook running the latest version of
    Mac OS X. The victim, a security researcher who asked to remain
    anonymous, had locked down the system prior to the conference and
    believes that a previously unknown exploit caused the compromise.
    However, in the following weeks, forensics performed on the system did
    not reveal any clues as to how the PowerBook had been compromised.
    Full story at:
    <http://www.theregister.co.uk/2006/02/08/apple_vulnerability/>

    (This time, posting the article as if any "pro" people among us gives a
    clue how the heck that can happen)
    Ilgaz
     
    Ilgaz Ocal, Feb 8, 2006
    #1
    1. Advertisements

  2. Without knowing how this machine was set up? This guy should document
    that in detail. It's actually irresponsible not to do it. A remote root
    exploit is serious enough.



    Jochem
     
    Jochem Huhmann, Feb 8, 2006
    #2
    1. Advertisements

  3. Ilgaz Ocal

    Randy Howard Guest

    G.T. wrote
    Why should a secure OS even allow you to run with no password on
    root?
     
    Randy Howard, Feb 8, 2006
    #3
  4. Because it's your computer, and you should be able to run it as you wish.
     
    Michelle Steiner, Feb 8, 2006
    #4
  5. Ilgaz Ocal

    Randy Howard Guest

    Michelle Steiner wrote
    I guess you missed the "Secure" part above. :)
     
    Randy Howard, Feb 8, 2006
    #5
  6. Ilgaz Ocal

    Don Bruder Guest

    And there simply is *NO* other correct answer than this one.
     
    Don Bruder, Feb 8, 2006
    #6
  7. Ilgaz Ocal

    Randy Howard Guest

    Don Bruder wrote
    Unless, you want it to be secure. You can have
    a) Configure-it-however-you-want
    b) Secure

    Pick one.

    Excessive customization is probably the number 1 issue with
    system stability today.
     
    Randy Howard, Feb 8, 2006
    #7
  8. Well, honestly, it's not as if Apple makes it easy to run the system
    insecurely. A regular administrator account can't be created without a
    password (that I can tell), and the Root account is completely disabled
    until you've researched enough to find out how to enable it.

    It's a fundamental difference between Mac OS and Windows: The Mac is
    secure by default, and requires knowledge and skill to make it
    insecure. Windows is insecure by default, and requires knowledge and
    skill (and an antivirus subscription) to make it secure.

    I'll take the secure-by-default system any day of the week.
     
    Garner Miller, Feb 8, 2006
    #8
  9. Ilgaz Ocal

    Warren Oates Guest

    Does that mean you can use sudo without a password?
     
    Warren Oates, Feb 9, 2006
    #9
  10. Sure enough. That's really stupid that they allow that, I totally
    agree. At least it gives a warning, but... wow.
     
    Garner Miller, Feb 9, 2006
    #10
  11. Ilgaz Ocal

    42 Guest

    On the flipside a system that doesn't let you do what you need it to do
    isn't much more than a paperweight. The market for secure paperweights
    is quite small.
     
    42, Feb 9, 2006
    #11
  12. According to what I've read, Windows Vista will be even better
    than the Mac. It will have the default account set up to be
    a normal user, and have the same kind of password authentication
    that OS X has for doing privileged tasks. But instead of just
    "Administrator" and "normal" users, you can have accounts
    privileged to do only a subset of things (and of course, an
    easy management interface to deal with administering that.)

    We'll see.
     
    Christopher C. Stacy, Feb 9, 2006
    #12
  13. Unless, you want it to be secure. You can have
    a) Configure-it-however-you-want
    b) Secure

    Pick one.[/QUOTE]

    How about not having it connected to the internet or intranet? Yes,
    there are people who have and use computers that aren't connected.
     
    Michelle Steiner, Feb 9, 2006
    #13
  14. Sure can; I just did it. I have only one account, and I removed the
    password completely. I then immediately changed back to a password.

    Then I noticed that you wrote "Created", so I created a new
    administrator account without a password. I immediately deleted the
    account.

    In both cases, the system asked me to confirm that I wanted no password
    for the account.
     
    Michelle Steiner, Feb 9, 2006
    #14
  15. I guess you missed the "Secure" part above. :)[/QUOTE]

    Nope.
     
    Michelle Steiner, Feb 9, 2006
    #15
  16. Ilgaz Ocal

    42 Guest

    If you think Jobs RDF is good you should see Microsoft's. Indeed,
    Microsoft has it on all the time, at full blast... its just not as
    good... less people fall for it.
    Unless they make it like the mess XP Home is.
    Creating Groups of varying permissions / restrictions and assigning
    users to one or more groups... That's been around on windows since
    Windows NT 3 actually. Its bad enough they "innovate" by copying
    Apple... its going to be ridiculous if they "innovate" by simply re-
    dressing features they already have.

    This has also been around forever on Unix.

    OS X supports it too, although not in the GUI (to my knowledge). (I'd be
    surprised if OS X server doesn't have it in the GUI though.)
     
    42, Feb 9, 2006
    #16
  17. Ilgaz Ocal

    Randy Howard Guest

    Michelle Steiner wrote
    Nope.[/QUOTE]

    There is a logical inconsistency inherent in that response.
     
    Randy Howard, Feb 9, 2006
    #17
  18. Ilgaz Ocal

    Randy Howard Guest

    Michelle Steiner wrote
    How about not having it connected to the internet or intranet? Yes,
    there are people who have and use computers that aren't connected.[/QUOTE]

    Of course that is true, but really has nothing to do with the
    above. I said nothing about the internet. Plus, not having a
    password on a system without an internet connection is still a
    potential problem, unless you have it locked in some secure
    CIA-plot-movie inpenetrable room.
     
    Randy Howard, Feb 9, 2006
    #18
  19. Ilgaz Ocal

    Warren Oates Guest

    Now Michelle, you're arguing for argument's sake.

    We all know that a a savvy user who

    1. is the only user of her machine
    2. isn't connecta to the 'net

    doesn't need a password or much security.

    But _you_, being the said savvy user, must know that this is not a good
    approach for the average (or below average) someone who is less savvy. I
    think it's a mistake for Apple to allow a system to run like this.
    There's a storm of hacking coming our way, and, ours being a Unix
    system, most of it can be avoided by decent security. I mean, golly,
    Win2k won't let you boot straight in, or set up an admin account with no
    password; it even gets annoyed if it thinks your password is too weak.
    IT guys (they're always guys) will tell you they'd rather see a bunch of
    postits on the monitors, with obscure and long alphanumeric passwords
    written on them, than you should use "fluffy" or "mabel" as a password;
    the premises are easier to secure than the network.

    Have you ever run a firewall on your Mac, and logged the port-banging
    that goes on? It's incessant, these guys looking for a way in. Be
    careful out there.
     
    Warren Oates, Feb 9, 2006
    #19
  20. Ilgaz Ocal

    Randy Howard Guest

    Jon wrote
    (in article
    I understand that. The problem with the theory is that once you
    allow that, you can no longer call the product a "secure OS".
    Yes, and once that is allowed, security in any real sense goes
    out the window.
     
    Randy Howard, Feb 9, 2006
    #20
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.