“In response to the woefully misleading ZDnet article, ‘Mac OS X hacked under 30 minutes’, the academic Mac OS X Security Challenge has been launched. The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open – a lot more than most Mac OS X machines will ever have open.”
Bullshit argument. Of course you should offer at least one or two services.
Remember Defcon 9? They couldn’t even hack an OpenVMS system with telnet shell access, httpd, ftp and an admin account! Talking about security!
Of course you can’t upgrade your Apple to OpenVMS, instead upgrade to OpenBSD – yes you can!
However, OS X is generally used as a desktop OS and not as a Server. Most real world systems don’t have any services turned on by default and many are behind NAT routers. This *mimics* (it’s already more wide open than most OS X systems) the real situations better.
OpenBSD would be a fine choice for a server, but I don’t think people are purchasing Macs to use them as servers.
Do remember that Apple sells an entire line of Macs intended to be servers!
I am not sure how well XServe sells or what percentage of XServe users actually use Mac OS X Server as their OS.
All Xserves we are selling are running macosX, if they would not run macosX, why even sell them a mac???
Having ssh and httpd is VERY common on servers. Or at least httpd, ssh could be set up in a secure way by using vpn or something, but it is pretty common with servers accepting ssh for their users.
Isn’t a Mac Server an oxymoron, similar to postal service or military intelligence ?
>> Isn’t a Mac Server an oxymoron
Don’t tell that to the US Army – they bought a whole SLEW of G3’s for that very use.
>> or military intelligence ?
Oh wait, nevermind.
In order to make things fair then, when testing Windows the Remote Desktop Server and IIS software should be left running right? In which case you’re not really testing the security of the operating system, but the software running on it IMO.
No OS fares well under such conditions, whether it takes someone 10 minutes or an hour to break in really isn’t even remotely a measure of how secure any of my boxes were yesterday, are today, and will be tomorrow. As for people who still associate computers with magic, if they care about security they should have someone who knows what they’re doing install a hardware firewall between their modem and any computers (routers are great for this and provide other good features too) and they should have some kind of automated AV update and scan depending on the OS.
So really, security benchmarks are for the most part useless marketing ploys. Does everyone agree?
An upgrade for a geek is a downgrade for a normal computer user ..
Dang it OSNews, fix the site so people can vote!
128.104.16.150, no response.
Publicity stunt or he went home early.
FOUL!!!
Like anyone is really going to give up their secrets to cracking Mac OS X.
sheesh, so lame
I tried “ssh test.doit.wisc.edu” and the machine seems to have ssh access enabled.
Edited 2006-03-06 22:50
Indeed, nmap reveals that ssh and http are open:
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-03-06 18:33 EST
Interesting ports on test.doit.wisc.edu (128.104.16.150):
(The 1659 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
427/tcp closed svrloc
443/tcp closed https
Nmap finished: 1 IP address (1 host up) scanned in 35.609 seconds
“and has ssh and http open”
It’s all in the summary.
‘”It probably took about 20 or 30 minutes to get root on the box. Initially I tried looking around the box for certain mis-configurations and other obvious things but then I decided to use some unpublished exploits — of which there are a lot for Mac OS X,” gwerdna told ZDNet Australia .
According to gwerdna, the hacked Mac could have been better protected, but it would not have stopped him because he exploited a vulnerability that has not yet been made public or patched by Apple.’
That’s not misleading at all, he got root via unpublished local vulns. That’s still insecurity, why isn’t anyone jumping on Apple to step up the security process? Why are so many people quick to defend Apple, when there’s a good amount of evidence security researchers are picking OSX (and its open source subcomponents) apart?
Edited 2006-03-06 23:04
Because it has not been proven that this is a true story!
It’s prob about as real as weapons of mass destruction in Iraq. They could be there and people said they were there but NO one has proven it yet! But people were sure hooked when Powell went to the UN though and said they were there!
Same thing (Although much less serious) some guy says he did XYZ but yet no one is showing how it was done? The person won’t even give a credible name! Come on you must be kidding!
Until the facts show themselves, there is nothing to show that someone has hacked a current Mac, patched 100% in 30 min.
“Why are so many people quick to defend Apple, when there’s a good amount of evidence security researchers are picking OSX (and its open source subcomponents) apart?”
Do you know anyone who has gotten a Worm in OSX or a Virus or hacked? I doubt it.
It’s people like you that keep believing that OS X is the pinnacle of computer security.
The lot of you are in for a nasty surprise sooner or later.
I’m still waiting… People have been saying that about Linux, Unix, BSD’s, Mac OS etc for ever and a day. Linux is growing by leaps and bounds, shoot companies like Google run their whole business on Linux and Bsd.
Hummm when is the last time you heard Google having to go to an outside company like Akamai to protect their network? Oh that’s right Akamai uses all Linux all over the world also.
The internet is run by Unix type OS’s not Windows. And the internet keeps humming along. Yes, you will have a few unpatched machines here and there that will get taken down. But I am still waiting for all the Linux and BSD web hosters like Yahoo to get taken down, waiting for the University of VA’s Apple supercomputer to get taken down. (It faces the net)
Yet NONE of this has happened. None.
You missed the point.
The point was that Apple apologists are aplenty, and they’re living up in the clouds. With every security issue raised about OS X, they have a cheap explanation.
The truth of the matter is that OS X got *owned*, regardless of how. I feel pretty confident about my Mac Mini/iBook setups, but I’m not blindly faithful — I still keep tabs on the latest security patches, and I don’t let anyone touch my Mac either locally or remotely.
I didn’t miss the point. My point was please show me where Mac OS got “Owned” ??? I am not seeing it. If you take this story with nooooo proof as law then I guess you are right.
I can say I hacked norad and if I can get someone to reprint the story I guess that makes me true to my word also. LOL!
Um …
The guy who *held the competition itself* said that the machine was successfully broken into. Are you on crack?
The “GUY” ??? LOL! Are you on crack? Who is this guy, does anyone know him, are there any other witnesses like on this forum tonight?
I mean did you even look at what you wrote “The Guy” Didn’t even put “The Guy”‘s name. LOL!
Oh yea this same guy broke into my VAX machine tonight in under 30 minutes. LOL! Now I guess I can be the guy also. I will get my cousin to come on and be the hacker guy and use a cool undercover name like “supercrack” and say yea he hit my Vax machine hard! LOL!
Come on how gullible can people be. LOL!
Is your mouth a cockholster? LOL! Someone needs to grow some pubes, LOL!
Boy that was genius! Have nothing intelligent to say so you revert to calling names! LOL! Good lord.
It’s no use arguing with you because you intentionally misunderstand and ignore the points.
On that count, you remind me of Moulenfool quite a bit. 🙂
>> Hummm when is the last time you heard Google having to go to an outside company like Akamai to protect their network? Oh that’s right Akamai uses all Linux all over the world also.
That’s great, but who uses Akamai to protect their network?
Ummmmm, Microsoft has long used Akamai to provide caching for their webservices. That is an OOOOOOLD story.
They don’t use it for network protection though.
Yes. They use akamai for hosting downloads, not to protect their networks.
There is a difference buddy
Ummmm, Akamai handles 4 of MS’s 8 DNS servers!
Also : http://www.crn.com/sections/breakingnews/dailyarchives.jhtml;jsessi…
“Akamai runs a service to help boost Web site performance by caching copies of Web sites on many servers in many locations. Akamai can help defend against denial-of-service attacks by spreading the attack among many servers. Just as a distributed denial-of-service attack enlists large numbers of systems to attack a single server, Akamai presents a distributed defense against denial-of-service attacks.”
Sounds like network protection to me. But maybe I can’t read.
Come on it’s just the same as Microsoft using several parts of BSD in Windows, like Telnet, the FTP client, the IP stack etc. It’s well known, old news!
Edited 2006-03-07 00:18
Ok, you’re partly right. It helps against DDoS attacks, but that’s not the purpose.
The Microsoft servers themselves are not handled by akamai, only some content providing.
LOL! Anyway you look at it. Microsoft depends on Linux to get business done, just like almost every other big company on the net!
Providing content, protecting networks, providing DNS etc Unix, BSD’s and Linux are what run the internet. Not Windows. Even MS knows this.
Um, no. They rely on a third party company to help them handle such high bandwidth demands. I think the fact that they use akamai, despite akamai using Linux/BSD/whatever, is cool on their part.
All they care is that akamai can help them with the bandwidth demands (hardware wise, not software-wise), not what they do to get the job done.
Remember MS is the same company that said Linux was not enterprise ready, still is not enterprise ready, yet Microsoft would not be able to get their content out, prevent DOS attacks and handle half their DNS without Linux. Trust me MS thought long and hard before they went with Akamai!
You can’t tell me they didn’t look at the Linux part of the deal in the process! If Linux is as bad as MS says then why do they depend on it? They could just give Akamai a whole bunch of Windows Licenses. LOL!
Then they would not have to hear me laugh and 2 they would be safer (Since MS claims that Windows is also more secure)
They go to akamai because it saves them money, nothing more.
Actually they first started using Akamai after Web developers sharply criticized the design of Microsoft’s DNS network after significant outages hit the company’s sites. The servers were configured into the same section of Microsoft’s corporate network, meaning that if that section failed, no back-up system was available to handle data traffic.
Also they were hired by Microsoft to back up one of its server networks and alleviate the hacker attacks that blocked traffic to Microsoft Web sites
They further moved data and traffic to Akamai after the Windows update servers started DOSing due to the blaster worm a couple years back.
Had nothing to do with saving money, they could not do the job themselves so they turned to the experts. LOL! Just happens that Unix and Linux are the best OS’s for these tasks.
Edited 2006-03-07 01:00
No, they could have done the job, it just would have been a lot more expensive.
By the way, I’m pretty sure they no longer use BSD code in their tcp/ip stack. FTP.exe I think is still BSD though.
Well we know it was there, that is a fact. We can’t say it’s totally gone cause we don’t have access to the source code to check.
I am sure MS would say it’s gone or they would keep silent like they do on Akamai.
Far as we all know there could be more BSD code in Windows. ?? Who knows! They don’t have to tell.
For all we know, there isn’t! Who knows! They don’t have to tell.
And what’s this about them keeping silent about akamai? Why do you say this? Do you think they’re going to constantly announce they use akamai? No. Do they try to hide the fact that they use it? Not at all.
http://www.theinquirer.net/?article=10413
When asked about Akamai ” Microsoft blankly refused to comment.”
Any story you read about them using Akamai you see the same thing. No comment. (Guess it’s a little bit embarrassing to have to use the toy OS to get business done. )
Ah, the inquirer. An amazingly reliable source of news.
The Inquirer was a quick google grab. But if you can show me somewhere that MS talks about using that service, I would like to see.
I am sure they are far too red in the face to talk about that often.
Anyway back to the subject at hand. I am still waiting to see Mac machines get hacked like swiss cheese like the researchers say. The one we are looking at here seems to be going strong.
http://www.microsoft.com/presspass/press/1999/sept99/AkamaiPr.mspx
Wow, interesting that this story came out before MS actually needed them, back when they were partners to help spread MS media. Not anything even in the 2000’s (Or at least like 2003 when MS was having their problems)
>> Far as we all know there could be more BSD code in Windows. ?? Who knows! They don’t have to tell.
Yes, they do. Read the BSDL.
And Microsoft has been quite open about BSD licensed code, so it makes no sense for them to have “hidden” BSDL code in their products. Microsoft isn’t about zealotry or NIH — they use whatever means they can to develop the best product they can, just as Apple does. It hurts no one to admit that certain components (network stack, etc.) are based off of BSD code.
Microsoft does whatever they can to make the most money they can. If Microsoft made the best product they could then they would have the best products! But they don’t!
They sell more, like GM sells more cars than Toyota, they sell more volume but they don’t make better cars.
Big difference between a marketing company (Which MS is) and a company that makes great products. If that was the case then people would not switch to macs and Linux machines to get away from their problems with Windows. Microsoft would not have to sell you and or give you products that fix the broke products they sell you. (Oops, they bought a product not made one. Sorry I was getting ahead of myself)
Like WHY should you need SPYWARE remover software? Why can’t MS fix that? Doesn’t seem to affect other platforms??? Come on now. They are just about making money, money, money! And why did I have to use freeware for 2 or 3 years to handle this issue before MS decided to do something and make a product (To do what the freeware was already doing damn good!)
And you can’t say it was because of competition cause most people are and were using freeware, not paying for it like virus scan. And as long as Microsoft sells their VS product on par with everyone else and let it sell on its merits then there is no competition issues.
Edited 2006-03-07 02:40
You do realize that Akamai isn’t a company you hire to “protect” your network. It’s a global caching service that allows a company to provide fast, streaming content regionally without having to establish their own satellite DC’s in those regions.
You also seem quite misinformed about how corporate level networks are setup, let alone how someone would find vulnerabilities within a software package let alone exploit them.
So, fanboy, go talk on slashdot.
You are right it must be patched, but people are saying that it is not a realistic test and it’s not. Also people are running all kinds of scripts with cron as root that may write files that are all security risks. When I have a local account even I can do some damage to a lot of machines, and I am no security expert and no hacker, I am a simple system administrator. You have to be always alert, you have to always keep security as tight as possible, only allowing ssh from some IPs for example, inspecting logs, … that is true for all operating systems, also for os-x.
“Why are so many people quick to defend Apple, when there’s a good amount of evidence security researchers are picking OSX”
I remember the first editions of OSX where one could take ‘root’ and take down the kernel with simple commands (http://www.google.co.uk/search?hl=en&safe=off&q=osx+privilege+escal…).
Despite this there are many in the apple community continually promoting the idea that OS X is practically invulnerable.
Edited 2006-03-06 23:31
Wow, I remember when there were viruses in Dos? LOL!
Question is, can you do that now? You for sure can do that in Windows. There is no question about it. Almost ALL windows workstations run with the “root” admin account as the current user. No work there.
You can rootkit the heck out of Windows machines and 99% people out there would not even know and would never find out.
Show me where someone can take root and take the Kernel down with a simple command. Shoot I will put my own Mac up for that challenge!
You truly are delusional. Rootkits exist for Unix/Linux/OSX just as well as they exist for Windows. If you’re in the right circles, you’ll have easy access to them.
Also, the point of a rootkit is to make detection difficult if not impossible in some situations. The same, surprise surprise, can happen in Unix. In fact, rootkits existed on Unix before Windows. Hmm.
So to your final point, if I’m in user mode in Windows XP (which I am) show me the simple command to take root and take down the kernel. Other than Ctrl+Alt+Del which doesn’t give you root access.
” If you’re in the right circles, you’ll have easy access to them. ”
you mean if you are in the wrong circles 😉
I agree with you that one cannot take down the kernel with “a simple command,” but if you say that you will put your mac up for hacking attempts, you should do it. If you do, please tell us.
Right and gwerdna should tell Apple about this “vulnerability” unless he has some reason (Black Hat unsavory much?) for keeping it secret. If indeed said reason exists, and the whole thing is not a flim-flam.
95% of all exploits are only usable to escalate privileges for a local account. Remote exploits are much more uncommon (take a look at OpenBSD’s track record – tons of security patches, but few that cover remote exploits).
The guy was given “local” access through SSH.
What validates THIS challenge, is that you are NOT handed a local account. Therefore, you do not have a local account to work your way from the inside out.
Not because I want to “validate” the original claims, but I too would like them to offer up some real proof and methods of attack. What vulnerabilities were actually used.
The reason everyone is defending Apple in this matter is the same reason people defend the *nixs and BSDs, this was done using local (ssh accounts are considered local not remote, for those who do not know) exploits and not remote vulnerabilities.
JRM7
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.8.1p1 (protocol 1.99)
80/tcp open http Apache httpd 1.3.33 ((Darwin))
427/tcp closed svrloc
443/tcp closed https
How do you get the version of the server software with nmap? I should really learn more about it…
The easiest way is just to use -A. It’ll get OS and daemon versions for you. You need nmap 4.x though.
Dang. I’ll have to wait until I upgrade to Dapper Drake! 🙂
Thanks for the tip, though!
You can try nmap with the “-sV” flag. It just won’t have up to date service information.
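Added example, not part of any comment in this thread: the “(protocol 1.99)” that version detection printed above comes from the SSH identification string the server sends on connect (RFC 4253, sections 4.2 and 5.1), and 1.99 means the server still accepts SSH-1 clients alongside SSH-2. The Python below parses such strings and flags hosts that still accept SSH-1; the host names and banner lines are constructed samples, the first shaped to match the nmap output quoted above.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


def parse_ssh_ident(banner):
    """Return the fields of the first SSH identification line, or None."""
    if isinstance(banner, bytes):
        banner = banner.decode("ascii", errors="replace")
    # A server may send other lines before its identification string;
    # those lines never begin with "SSH-", so skip them.
    for line in banner.splitlines():
        if not line.startswith("SSH-"):
            continue
        match = IDENT_RE.match(line.rstrip())
        if match is None:
            return None
        # OpenSSH-style software strings look like "OpenSSH_3.8.1p1".
        product, _, version = match.group("software").partition("_")
        return {
            "proto": match.group("proto"),
            "product": product,
            "version": version,
            "comments": match.group("comments") or "",
        }
    return None


def classify_proto(proto):
    """Map the advertised protoversion to what the server will negotiate."""
    if proto == "2.0":
        return "ssh2-only"
    if proto == "1.99":
        # RFC 4253 section 5.1: SSH-2 server with SSH-1 compatibility enabled.
        return "ssh2-with-ssh1-compat"
    if proto.startswith("1."):
        return "ssh1-only"
    return "unknown"


def audit(observations):
    """observations: iterable of (host, raw banner). Returns {host: mode}."""
    findings = {}
    for host, banner in observations:
        ident = parse_ssh_ident(banner)
        findings[host] = classify_proto(ident["proto"]) if ident else "no-ssh-ident"
    return findings


def accepts_ssh1(findings):
    """Hosts whose banner says an SSH-1 client would be accepted."""
    legacy = ("ssh2-with-ssh1-compat", "ssh1-only")
    return sorted(host for host, mode in findings.items() if mode in legacy)


# Constructed sample banners (not captured from any real host).
SAMPLES = [
    ("host-a.example", b"SSH-1.99-OpenSSH_3.8.1p1\r\n"),
    ("host-b.example", b"Authorized use only\r\nSSH-2.0-OpenSSH_9.6p1 Debian-3\r\n"),
    ("host-c.example", b"SSH-1.5-1.2.27\r\n"),
    ("host-d.example", b"220 mail.example ESMTP\r\n"),
]

if __name__ == "__main__":
    results = audit(SAMPLES)
    for host, mode in sorted(results.items()):
        print(f"{host}: {mode}")
    print("accept SSH-1:", ", ".join(accepts_ssh1(results)))
```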
I am amazed at the number of Mac zealots who want to plug their ears, cover their eyes, and insist that all talk of exploits in Mac OS X are lies, despite the claims of reputable computer security researchers to the contrary.
Yes, it is true that this was not a remote exploit. But privilege escalation is half of what you need for a remote exploit: if you can trick an ordinary user into executing arbitrary code, and that arbitrary code has a root exploit, the remote attacker gets root.
If I were a paying Apple customer, I would lean on the people I’m paying money to to do a better job of patching the already-known exploits. Remember, the bottom layer of MacOS X (Darwin) is available in source form for the black hats to inspect; Mac users need to be just as careful as everyone else to keep their patches up to date.
There are real architectural reasons for better safety on Unix-like systems, but it is no excuse for complacency.
No one is saying they are lies. They are saying that OS X’s hack was done by a local user, not a remote user.
Windows’ problem is remote user hacks. Remote vulnerabilities are the bad ones.
Well, it’s been more than 30 minutes and the page is still unhacked. Just goes to show you how much FUD the ZDNet article was.
Not exactly FUD. It was completely different situations. On the box that the ZDnet article talks about anyone and everyone was given local shell accounts. Quite a bit different than what’s currently being used in the UnvWi hackertest.
and quite a bit different than what happens in the world.
Not totally tho. Most webhosting servers will have SSH access for any of their users. So a similar privilege escalation attack COULD be accomplished. Tho it should technically be much harder
Umm…the article is about a challenge to hack Mac OS X because of an article that said it can be done in 30 minutes.
The discussion of Akamai and Microsoft is totally irrelevant. Though I personally find it interesting, it is completely off topic.
Can we return to the issue at hand?
BTW – As someone else pointed out, the Mac OS X challenge web site is still running. If OS X is so easy to break into, then why is a web site challenging the public to hack it, still up? It’s been several hours since the challenge was made. I thought OS X could be hijacked in 30 minutes. If that is the case, why is the page still up?!
You are right.
I am still waiting for this machine to be hacked myself. Will be interesting to see if it can be.
The problem I see with this is that, when it doesn’t get hacked, too many people will rejoice and once again claim that os x is invulnerable.
But they’re testing such a small part of it here. If you’re going to talk about desktop machines then you have to acknowledge that most exploits will involve something other than just opening ports to fairly secure applications. Frequently it will involve getting the user to accept some form of data, getting the exploit code in just far enough to open a much wider range of code to attack. Things like the viewing of maliciously crafted files (to use a nice media term). This new challenge simply doesn’t acknowledge those attack angles.
While the recent 30-minute exploitation was portrayed in entirely the wrong way by zdnet, it does highlight a critical problem: all these claims about how not running as root is more secure are a little weak. Compromise the user account and you’re in the same situation as the rm-my-mac exploit (the attacker is going to get root). Don’t compromise the user account and point not running as root doesn’t even come into play.
I’m not saying it’s pointless to restrict the default user account, just that the presence of privilege escalation holes is still a very serious thing for a desktop machine.
hmmm… so, basically, if you can gain a local account on a Mac, then you can hack it…. just like all the Unix type systems out there.
piece of cake…. I will just call up the sys admin and ask for a local account…. oh wait.
>> hmmm… so, basically, if you can gain a local account on a Mac, then you can hack it…. just like all the Unix type systems out there.
Yeah, that’s exactly what I’m saying, except it’s not supposed to be so easy on all the unix type systems out there. I have access to at least one system with several thousand users running solaris. I’m not a cracker so I don’t know how easy it would be to get root but I don’t think the admins would consider using os x for this machine for one second.
>> piece of cake…. I will just call up the sys admin and ask for a local account…. oh wait.
Or you could use some other exploit to gain access to a local account. People have never claimed that wasn’t possible, only that the damage done would be minimized due to the lack of root access. This proved that once you get a local account, not running as root doesn’t matter.
So basically people don’t want to believe that you can’t crack a MacOSX machine that has ssh and http services available? That’s ridiculous! Many many people including me run a MacOSX server with http and ssh, iChat, IMAP, POP3 services available to the outside world yet nothing extraordinary happens. You people, just subscribe to macos-x-server list to get the proof. Local account is one thing, open ports are quite another.
I respect ZDnet test and this test.
However, those kind of tests are progressively losing significance.
Now we have fairly secure OSes, widely and extensively tested and fairly simple to manage, we have secure crypto primitives with provable security and robust protocols based on them.
Real pains now come from other things.
Applications:
even if built and run on a secure framework, a custom application is more subject to bias, bugs, security misconceptions etc than an OS or a protocol that’s much more extensively tested and examined. Simply, there is no easy way to make a non-trivial application x that’s used and tested by 100 end users as secure as application (or system, or protocol) y that is used and tested by 100 millions of users, even if real testers would just be 100 thousands.
Here, just a couple of cases where best systems + good programmers + good admins == quite a mess
http://www.theregister.co.uk/2005/07/06/usc_site_cracked/
http://www-tech.mit.edu/V124/N20/20ssn.20n.html
Consumer electronics security, c.e. users:
what’s the point to have super-duper strong encryption, or bug-free, absolutely secure operating system on a PC, a machine that’s not built for top secret level security and it’s usually not managed to even fairly good security?
Circuits are not shielded and some really good opponent can bypass any of your countermeasures reading the EM path radiated from your machine, from CPU to monitor, with a TEMPEST equipment.
Or someone may tamper your machine, as credit card readers and bancomat are tampered, in order to bypass anything you are supposing to do to secure your data.
Or simply most people will choose guessable or easy to bruteforce passwords, or leave sensitive data on non-encrypted media, or even don’t care of anything.
IMHO, security at OS level will become progressively a PRErequisite for security rather than a subject to security analysis itself.
Well, now, here’s CNet’s latest Apple security warning:
http://news.com.com/Mac+OS+X+patch+faces+scrutiny/2100-1002_3-60465…
Is it another Chicken Little scenario or is it a cause for concern?
If I’m reading it correctly (and I’m not an OS X user so I’m not entirely familiar with the workings of the OS, and my gf refuses to let me “experiment” with her powerbook), then the flaw with file content issue wasn’t actually repaired, Apple only put a stop gap into their own net apps like Safari and iChat. But since the flaw still exists at the OS level, if users of something like firefox are tricked into downloading a masqueraded file they could still wind up with a nasty payload, one that could theoretically be combined with a privilege escalation vulnerability and cause some serious grief.
Yes, yes, I know, Mac users know better than to click on links, right? So yes, I know, why worry about such a trivial flaw existing, right?
If I was a Mac user and reading between the lines, this is the quote that would concern me:
However, with its security update for Safari, Mail and iChat, Apple believes it cut off access for such Trojans. “The tools most people use (now) have built-in validation for things before they even get to the desktop,” Schiller (Michael Schiller, Sr VP for Worldwide Product Marketing, Apple) said. “The point of where people get the file is often through the browser and mail and instant messaging.”
So basically, they don’t need to worry about the flaw existing in a core OS component because they believe they can block it at the application level. Assuming you only use their applications to access the net.
To reinforce that:
“If the method we use works for most people most of the time and some people use some other tools and would like to have some more support for validation, we think that’s good feedback we’ll consider for the future,” he said. “We always try to make this better and stronger.”
Huh? If this method works for most of our customers using our own apps, we’ll consider building this security into the OS to protect users of other applications.
And one more:
This vulnerability has actually existed for years in Mac OS, Long said. If attackers really were targeting Mac users, numerous examples of malicious code taking advantage of the flaw would be in circulation. “In fact, that is not the case,” he said. “While it can be a factor in a system being compromised, this vulnerability by itself does not justify panic.”
So again, the argument, is OS X secure because it can’t be compromised or secure because nobody’s really made a serious effort to compromise it?
Yes, Apple is based on BSD and uses well proven OSS tools like OpenSSH and Apache for network services. I won’t argue that properly deployed, an OS X system is fairly secure. In the context of this example, I doubt the machine will get compromised but I don’t think it proves anything.
Can you be as confident that those parts of the OS that are not “proven” OSS technologies, all those little proprietary bits built on top of it, are just as secure? I guess time will tell, but the fact is that Apple has yet to face a serious security breach with OS X and only then, by their reaction, will you be able to judge how seriously they’re taking platform security.
Security is a mindset; ignoring vulnerabilities because you can’t envision an obvious attack vector (“Oh sure it was compromised, but it was done over SSH using a local account, so what do you expect?” Huh? That’s ok, then?) isn’t appropriate, you need to assume vulnerabilities CAN and WILL be exploited by attack vectors you may not have yet anticipated. You don’t just reduce the vectors, you reduce the vulnerabilities themselves.
Remember macro viruses in Office? Back then, did anybody anticipate opening a word file in Windows could launch a covert virus attack against everyone in your address book? Hindsight is 20/20 and we can argue now that was simply poor design on Microsoft’s part, but at the same time there didn’t exist precedent to believe that two unrelated desktop components would be linked and compromised so effectively. Microsoft took a long time to learn that lesson the hard way, if they truly have yet. Apple should and must do better. There’s only so much an OS can do to secure the apps running on top of it, but it should still do whatever it can.
We can argue all day long about the nature of OS X security, and certainly much of it is academic for now, but remember that denial ain’t just a river in Egypt.
This is testing the security of Apache and OpenSSH, which are already known to be quite secure. Testing the security of OS X would be more like adware/spyware wargaming.
Yes I second that.