Gaining root access to a Mac is ‘easy pickings’, according to an individual who won an OS X hacking challenge last month by gaining root control of a machine using an unpublished security vulnerability. On February 22, a Sweden-based Mac enthusiast set his Mac Mini as a server and invited hackers to break through the computer’s security and gain root control, which would allow the attacker to take charge of the computer and delete files and folders or install applications. Within hours of going live, the ‘rm-my-mac’ competition was over. The challenger posted this message on his Web site: “This sucks. Six hours later this poor little Mac was owned and this page got defaced”.
There you go, all you BSD* and Mac fanatics!
It is shown that BSD/Mac is very insecure!
You can no longer depend on it!
No more laughing about Windows – it doesn’t happen!
There was a challenge like that with Windows vs. Linux a while ago. It lasted days!! Not just hours!!!
You *nix people have much to learn – he who laughs last laughs best!
OS X is hardly OpenBSD. I don’t recall ever saying differently. Then again, I’m not one of those “fanatics” who is out there bashing MS Windows at every turn.
Had the OS in question been OpenBSD, that hacker would not have bothered in the first place…
Despite being a Mac user, I have to say OS X may very well be the least secure out of all of the *BSDs (esp. as a server)
This being said, I don’t think this attack would apply to home users, especially those who have a NAT router.
Edited 2006-03-06 17:34
hahaha what did you think was going to happen?
In any operating system there are security precautions you need to take when turning a machine into an internet server and expecting it to be secure.
Our company has Windows and Solaris machines in our DMZ. Do we just install Windows and Solaris and then throw them out in the DMZ? Hell no. You lock your systems down to the point where the only things that run on them are the services that you *require*.
There are packages and services that can be hacked in any OS; there are also unknown problems with every OS. For example, we have found Windows to be very secure when totally locked down, not running IIS, and only running the services we need on them.
And of course another big thing to take into consideration when locking down a system is locking down the network, to kill anything unwanted before it gets to the system. Firewalls, screening routers and such can greatly increase your protection.
Good thing for you most hackers only care about owning machines, not crashing them. There are plenty of fun mangled packets for Windows that will cause it to blue screen.
A friend of mine was at a biz convention where everyone was on the same network. They were bored so they transmitted some of these malformed packets network-wide. Lots of PCs at the convention blue screened instantly, and I guess their booth got more customers when most of the other booths’ demos stopped working.
With SSH access allowed, I’m not surprised. The only general-purpose OS I’d trust to run a shell server on the default install is OpenBSD.
If malicious users have local access, you should implement the other kind of MAC, mandatory access controls. I remember a Gentoo/SELinux demo that allowed root access.
Misunderstood the parent comment for a second, so I’m removing mine.
Edited 2006-03-06 16:45
I’d trust OpenSSH on one system but not the others because of the potentially insecure software the others include. OpenBSD has a fully audited userland and employs numerous hardening techniques. OS X is a fine OS to run an sshd that always blocks users, but let them in and they’ll find a way to get root.
Assuming they didn’t just SSH brute force their way in, this would mean a fully patched OS X is crawling with local vulns. It might not be an uber remote buffer overflow, but it’s still security; the only good vuln is a patched one.
Mac OS X is insecure.
I posted my ip address here last week and I got hacked.
Thanks for the lesson guys, I’m off to wipe my hard drive now.
I’m sure there’s a very good reason why this isn’t a problem. Apple fans will tell us why soon.
I think OSX is a good OS, but there seems to be so many Mac users out there that take up their machines and OS as a religion, and berate and belittle every other OS out there. Seeing reality like this slapping them in the face is pretty funny. Of course, I expect to see a ton of excuses popping up now about how it’s not really an exploit in OSX, it was user stupidity, blah blah blah.
he didn’t sit there forever w/ the network cable unplugged, spoofing and gloating.
This guy intentionally allows people SSH accounts so that they might ‘rm -rf’ it if they can. That’s the contest.
Here is the non-cache version of the URL that the author used in his article.
http://rm-my-mac.wideopenbsd.org/
The owner of the box says it is setup like “It runs a default install of Mac OS X Tiger, plus fink and some decent versions of Apache, MySQL and PHP. Software Update recently updated it to Mac OS X 10.4.5 and fixed some security issues.”
So, it’s a mac with 10.4.5 with ‘fixed some security issues’ which and what are unknown, as well as additional updates to apache, mysql, and php.
He has a web form for people to create SSH accounts in the attempt that they might totally own the box and ‘rm -rf’ the box, a totally devastating thing. So he opened up the security on his mac to be a web server and an SSH server. Not a really wise thing to do, but if you are participating in a security challenge you have to give people a little bait to make it worthwhile.
But to date the only thing that they have been able to do is deface the site which is run in the local user space. Not so severe after all IMHO.
ZDNet’s article is completely misleading.
“It probably took about 20 or 30 minutes to get root on the box.”
What root? The disabled, non-running root? If he had root, then he should have rm -rf the box. But he didn’t… Why? Cause he didn’t have root!!!!
“According to gwerdna, the hacked Mac could have been better protected, but it would not have stopped him because he exploited a vulnerability that has not yet been made public or patched by Apple.”
Ok, some unknown ‘gwerdna’ guy says he got the mythical root account access using some super secret and unknown exploit that is unpublished or patched. It probably exists in a land called Narnia too…
The worst offense is this:
“Within hours of going live, the “rm-my-mac” competition was over. The challenger posted this message on his Web site: “This sucks. Six hours later this poor little Mac was owned and this page got defaced”.”
This is so wrong and misleading. On the original challenge web site, here is what the owner had to say:
“This sucks. Six hours later this poor little Mac was owned and this page got defaced. Good thing is it didn’t get rm’d! Way to go PTP.”
Exactly! It was defaced! Not rm’d. It’s still up and running.
Check out his site, roam around. Read the notes and the /Idiots.
ZDNet is really being amazingly retarded lately.
… But it still got hacked.
That bothers you, doesn’t it? It bothers you a lot.
If you had checked the after-being-hacked-posts on the rm-my-mac site, you would know that gwerdna created a file in /. I don’t think you can do that with normal user permissions, but feel free to correct me.
If the owner created his and/or the other user with admin rights, yes, it is possible. But it does not give you root access.
The ZDNet article is lacking many details I would be interested in hearing. Most importantly, I would like to know what services were running, how the computer was connected to the internet (through a router or direct), whether the firewall was turned on, and what vulnerability was used to gain access.
I think it is important for people to exercise a little more common sense when it comes to security. First of all, don’t connect your desktop machine directly to the internet! Even if it is the only computer you own, buy a router with NAT and plug that into the modem, and your computer into the router… please!
Now the article does mention that it wouldn’t have made a difference if the various services that were turned on (web server, remote desktop or whatever) were there or not, as they weren’t used to gain access. If this is true, this is definitely a problem worth getting excited about.
First of all, don’t connect your desktop machine directly to the internet! Even if it is the only computer you own, buy a router with NAT and plug that into the modem, and your computer into the router… please!
That’s good advice. But my desktop GNU/Linux machine is directly connected via a static IP address and I think I’m pretty secure. I use ‘iptables’ to just drop most incoming packets.
Only OpenSSH and OpenVPN are exposed, and both of those are on non-standard ports. So even if you find me and scan me for all open ports, you won’t know what services you’ve found.
The cracker is probably looking for a specific service that he has a strategy for gaining access through, and will try all your open ports to see if he can find that service.
Just to be sure, did you also remove the banners for the services? Otherwise discovering a service on a non standard port is pretty easy.
Besides, an attacker will find 2 ports open; guess which services he will try to use? HTTP, FTP, SSH, telnet (maybe not in this order 🙂 )
Neither OpenVPN nor OpenSSH present banners before authentication. They both use the OpenSSL library for encryption, which AFAIK is very solid. I figure, if I’m at risk, a whole lot of people and corporations that think they are secure are also at risk.
I would like to point out that the BSD operating system world is not like Linux. Mac OS is not like FreeBSD, and NetBSD is not like OpenBSD (even if one came from the other many years ago). Mac OS is not a BSD “distro”. Every BSD is a full operating system based on some BSD kernel code, but the rest, with security patches, software, drivers, etc., is different. So please stop saying that this showed something about the Unix world. Because it did not. It just shows that Apple made an insecure OS based on some BSD code. Nothing more. When you put a gun into a child’s hand, it will not become a soldier because of that.
1.) The story is basically written by some punk kid. I call him such because he’s not yet published the security hole he’s apparently mastered.
2.) There are 3 reasons Mac isn’t hit by viruses and spyjunk:
a.) Its market share is much smaller
b.) Its market share is much less gullible. (spyjunk)
c.) Its public server share is almost non-existent.
Apple needs to take security seriously these days, and people like this kid need to publish their security findings instead of hoarding them for future profiteering/bragging rights.
The market share argument has always made sense to people because it’s based on a grain of truth: why hack something that has no value? But market share is one key among many to value. You’re not going to hack a large number of the Apache systems out there because they aren’t running anything valuable (personal sites). However, you would target them for worms.
And you aren’t going to fill a Mac with spyware. Its user will be unlikely to be suckered into whatever you’re trying to sell to them, and they’ll likely pay someone to remove it if they don’t simply remove it themselves.
Of course a Mac makes every bit as good of a DDoS bot as a PC.
The other problem with the article is that he doesn’t even mention in what area the two security holes he used were (obviously he gained shell access, then he gained a privilege escalation).
http://macdailynews.com/index.php/weblog/comments_opinion/8795/
Be sure to read also the related articles at the bottom.
Essentially this and the reports of viruses were a bunch of hot air.
I’ve poked about the FAQs, but I’m curious, was root access enabled before the contest began?
Because Sysadmin is not quite the same as Root, yet I see a lot of people using the two interchangeably.
Correct title should be:
Mac OS X Cracked Under 30 Minutes
Hackers optimize programs while crackers do the damage.
I gave you a plus because I lament the media’s theft and corruption of words.
The good meaning of the word hacker was thoroughly documented in Steven Levy’s excellent, long-ago history book, Hackers: Heroes of the Computer Revolution. I observe that a lot of people still use the word in this way in forums to generally mean skillful coding–a very constructive thing.
But when the word is used in the general media today it always means something criminal.
There are two other words that I lament the theft of in a similar way, but I dare not mention them because they unnecessarily evoke emotion in some people.
When I see a wide spread worm or virus like you see almost monthly on windows then I will worry.
Till then I will use my mac, and not worry.
I am a pure Debian user, I compile everything myself, and so I am computer literate.
Linux/BSD/Mac posters on OSN regularly chide themselves that there are thousands of eyes watching open source code and even if any vulnerability is found it will be fixed in minutes. What happened to those thousands of eyes? Are they sleeping? Are they drunk? Or are they just living in an ivory tower?
Now devels responding to this item have started deflecting readers’ attention from the ‘root cause’ of this problem by discussing technicalities of the hack. From an average user’s view, I ask just one question: over 10-20 years of the Unix world, how come this simple exploitable command slipped under the nose of thousands of devels around the world?
#rm -rf ~/ is a devastating command to the ordinary Mac/Linux user. And no one in the Unix world has posted an easy fix which average Joe can understand and implement.
Apple Mac OS is not Open Source or Free Software.
I’m screenshotting that.
All this time you’ve spent telling us that OS X is 100% open-source software that Apple stole, and now this? Wow. Someone’s psychotic.
“I’m screenshotting that.”
Why? You can ask me any time to repeat it: Mac OS X is not Open Source or Free Software; it’s built from it. It does not mean that Mac OS X doesn’t come from Open Source.
“All this time you’ve spent telling us that OS X is 100% open-source software that Apple stole”
Yes, Mac OS X is based on BSDs, which they changed the license of and closed to others. It’s not really hard to understand. Being built from Open Source doesn’t necessarily make your derivative and product Open Source. Where do you think the flaw came from? They were fixed in Open Source and people had the bright idea to see if they worked on Apple Mac OS X…
“and now this? Wow. Someone’s psychotic.”
Learn what psychotic means. I did not change what I said either; you just still don’t get it.
Yes, Mac OS X is based on BSDs, which they changed the license of and closed to others.
This statement is patently untrue. You’ve been corrected on this several times. Please stop your inane lying and willful FUDmongering.
1) Apple cannot legally change the BSD license. Only the UC Berkeley Regents can change the license.
2) Booting OS X into single user mode reveals the copyright notice as required by the BSD license.
3) Apple regularly releases the BSD portions of their code to the public. It isn’t hard to find.
[3a) Apple has also released their changes to KHTML to the public. Also not hard to find.
3b) Apple has also released its code for XWindows to the public. Also not hard to find.]
4) Anything Apple has coded in house from scratch is theirs to keep closed or open up as they like. The fact that parts of their OS are BSD derived, or that 2 of their programs are OSS based does not change this.
(As an aside, the same goes for Xandros and their file management interface/program.)
5) Should Apple choose to close their BSD derived source, provided they keep the copyright notice, it is their absolute LEGAL right to do so under the terms of the BSD licence.
6) In terms of what Apple has done with the GPL and BSD licenses and code protected under them, they have yet to be shown to have violated the terms of either license.
“This statement is patently untrue.”
http://en.wikipedia.org/wiki/Mac_OS_X
YOU ARE THE LIAR.
Mac OS X is under APSL and its own EULA.
For the rest :
http://ezine.daemonnews.org/200602/apple.html
http://news.com.com/Open-source+divorce+for+Apples+Safari/2100-1032…
http://developer.apple.com/opensource/tools/X11.html
Apple never used the GPL; if they did they would have to release the source code for it. They used the LGPL. They tried the usual BSD trick and it got them some bad press too, so they again released some of the code they felt like releasing.
If Apple Mac OS X was Open Source, BSD would be equal to it minus the proprietary drivers, proprietary software and third-party proprietary codecs. It could also be ported legally without trouble to other platforms, other computers with the same architecture.
Apple takes everything from Open Source, switches its license and closes it. Is it legal? No, because nothing specifically grants them the right to do so. Is it illegal? No, because no judge has ever ruled or been asked to make a legal judgement on the subject; they are in a grey area.
I know you refuse to accept reality, so see you next time, with the exact same answer, again.
OS X is based on OPENSTEP/NEXTSTEP. IIRC NeXT owned the sourcecode to OPENSTEP outright. Apple owns OPENSTEP via the NeXT buyout, so they own the sourcecode. They can do what they like with it, so long as they credit any parts of the BSD codebase they include within their product – which they seem to do.
http://en.wikipedia.org/wiki/OpenStep
“IIRC NeXT owned the sourcecode to OPENSTEP outright.”
No, it was a joint Open Source effort between Sun and NeXT.
“Apple owns OPENSTEP via the NeXT buyout”
No, Apple owns NeXTSTEP, a commercial derivative of the OpenStep library.
“so they own the sourcecode.”
No; if they did, GNUstep would not exist.
It’s the stupid mentality that they can close Open Source code because they made a derivative of it, and saying that it’s acceptable, that is wrong and bad. BSD code and its protection clause don’t grant the right to close the source code. It only says don’t come suing us if anything goes wrong; you can use it as you like.
I did, Mr. Troll, sir.
sudo -s
mv /bin/rm /bin/rm.org
cat > /bin/rm <<'EOF'
#!/bin/sh
# wrapper: always run the real rm in interactive (-i) mode
exec /bin/rm.org -i "$@"
EOF
chmod 755 /bin/rm
Sure, you still can cat /bin/rm, rm.org -rf ~/ but you said “Joe Average”. I bet he knows no difference between rm and script that calls rm in interactive mode.
Now, be gone!
echo "alias rm='rm -i'" >>/etc/profile
Some shells may not use /etc/profile. 🙂
From an average user’s view, I ask just one question: over 10-20 years of the Unix world, how come this simple exploitable command slipped under the nose of thousands of devels around the world?
The command didn’t slip under anyone’s nose, it does exactly what it’s supposed to do. There is a similar command for Windows, by the way.
This is possibly the lamest attempt at FUD I’ve ever witnessed here. Give it up already!
rm removes files. rm -rf ~/ is going to do exactly what it says on the tin, i.e. remove files in your user directory. It isn’t a bug, and it isn’t an exploit. You’ve been posting the same crap on every news item so far. Tell me, how do you intend to fix this ‘bug’? Preventing users from using the computer? This command (or similar) is available on every computer platform, from DOS to Unix.
The hackers had local ssh access…. hrmmm
The hackers had local ssh access…. hrmmm
Yeah, so? Local ssh access shouldn’t enable you to do any damage to the system.
Just another story in the recent FUD campaign against Apple. Expect all major tech sites to cover it and to cover it as ineptly as ZDnews did, eg. leaving out the fact 2 attack vectors, ssh and http access, were deliberately opened up for this competition. Props to slashdot for being the only one so far to mention these important “details”.
The fact these people had access is not irrelevant: “escalation of privilege” is generally easier than actually breaking in.
Edited 2006-03-06 18:02
start delivering …
Apple Defender
Apple AntiVirus
Apple Firewall
for “regular” OS X users. We all knew these kinds of issues were coming as Apple/OS X popularity grew.
Doesn’t OS X already have a firewall built in?
Not sure whether it’s enabled by default (I’m not a Mac user), but it’s there nonetheless.
It isn’t enabled by default, because no ports are open by default.
Sounds like Ubuntu’s philosophy.
I agree with most here that any machine should be behind a hardware firewall; having a firewall enabled on the machine itself is a good thing as well IMHO.
… If only that were true.
I suggest you do a netstat -a on your Mac sometime.
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 *.* *.* CLOSED
tcp4 0 0 localhost.netinfo-loca localhost.1017 ESTABLISHED
tcp4 0 0 localhost.1017 localhost.netinfo-loca ESTABLISHED
tcp4 0 0 localhost.netinfo-loca localhost.1021 ESTABLISHED
tcp4 0 0 localhost.1021 localhost.netinfo-loca ESTABLISHED
tcp4 0 0 localhost.netinfo-loca *.* LISTEN
udp4 0 0 localhost.49157 localhost.1022
udp4 0 0 localhost.49156 localhost.1022
udp4 0 0 localhost.1022 *.*
udp4 0 0 localhost.49155 localhost.1023
udp4 0 0 localhost.1023 *.*
udp4 0 0 192.168.2.2.49154 *.*
udp4 0 0 *.mdns *.*
udp4 0 0 192.168.2.2.ntp *.*
udp4 0 0 localhost.ntp *.*
udp4 0 0 *.ntp *.*
udp6 0 0 *.5353 *.*
udp4 0 0 *.mdns *.*
udp4 0 0 *.* *.*
udp4 0 0 localhost.netinfo-loca *.*
icm6 0 0 *.* *.*
So…. aside from NTP which is something I enabled, what else is on by default?
NetInfo, mdns, 1023, 5353, …
… Are you blind?
It has a firewall that is *not* enabled by default, but most of the ports that a hacker would like to slip in on ship closed by default, so …
I would certainly say, turn the firewall on and get the extra protection, but running without it turned on isn’t a HUGE security risk, either.
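The netstat listing posted above invites the question “what else is on by default?”. The following is an added example, not code from the thread: a small shell filter that reads netstat output and keeps only the sockets a remote host could actually reach (TCP in LISTEN state, UDP with no peer), dropping anything bound to loopback. The sample listing embedded in the script is constructed from the lines quoted above; the function name and the behaviour of treating a bare `*.*` local address as an unbound placeholder are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list the sockets in a netstat listing
# that are reachable from the network, so "what else is on by default?" can
# be answered from the output rather than by eye.

# Constructed sample, modelled on the 'netstat -a' listing posted above.
SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 *.* *.* CLOSED
tcp4 0 0 localhost.netinfo-loca localhost.1017 ESTABLISHED
tcp4 0 0 localhost.netinfo-loca *.* LISTEN
udp4 0 0 localhost.1023 *.*
udp4 0 0 192.168.2.2.49154 *.*
udp4 0 0 *.mdns *.*
udp4 0 0 192.168.2.2.ntp *.*
udp4 0 0 localhost.ntp *.*
udp4 0 0 *.ntp *.*
udp6 0 0 *.5353 *.*
udp4 0 0 *.* *.*
udp4 0 0 localhost.netinfo-loca *.*'

# exposed_sockets: read netstat output on stdin and print "proto local-address"
# for every socket a remote host could talk to: TCP sockets in LISTEN state and
# UDP sockets with no peer, skipping anything bound only to loopback.
exposed_sockets() {
    awk '
        $1 !~ /^(tcp|udp)/            { next }   # headers and icmp rows
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }   # established/closed TCP
        $1 ~ /^udp/ && $5 != "*.*"    { next }   # UDP with a fixed peer
        $4 == "*.*"                   { next }   # assumed: unbound placeholder row
        $4 ~ /^(localhost|127\.)/     { next }   # loopback only
        { print $1, $4 }
    '
}

# exposed_count: number of network-reachable sockets in the listing on stdin.
exposed_count() {
    exposed_sockets | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | exposed_sockets
# On a live Mac: netstat -an | exposed_sockets
```

On the constructed sample this reports five entries: the mDNS responder on 5353 (IPv4 and IPv6), NTP on the LAN address and on the wildcard, and the UDP socket on 49154. The NetInfo listener never appears, because it is bound to localhost only and so is not reachable from the network, which is the distinction the thread was arguing over. Run `netstat -an` (numeric) on the real machine so service names do not depend on /etc/services.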
Yes, it is correct that the owner granted SSH access, and the cracker then used a local privilege escalation exploit. But the point you’re missing is that because the black hats have a number of such exploits available, getting a user to run a trojan gives the bad guy root. It’s one half of a two-stage attack: first get access as an ordinary user (trick the user into executing some code, by a trojan or a buffer overflow exploit). Then the bad guy is an ordinary user. The second step is to get root. So don’t think that because you don’t allow remote SSH access, that you are safe.
Mac users should demand that Apple be more aggressive about fixing security bugs. Apple hasn’t been as aggressive as they need to be because their customer base is complacent.
I agree with the second part: Apple need to be more aggressive about fixing security bugs. They should also find better ways to address social engineering attacks (for example, making it easier to distinguish between a file and an application package).
However, you should also notice that many Macs are behind a router and/or ipfw.
Wow, way to miss the point a second time.
Ha! Well, I couldn’t rm -rf it, but it looks like a default OS X install is vulnerable to a fork bomb from a user account. Not terribly good.
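The comment above says a default install is vulnerable to a fork bomb from an ordinary account. What bounds a fork bomb is the per-user process limit, so the practical check is whether that limit is set for the shells users get. The following is an added example, not from the thread: a shell script that reports the current shell’s process limit and classifies it. The threshold of 1024 is an assumption chosen for illustration, not an Apple default, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the per-user process
# limit that bounds a fork bomb is in place for this shell.

MAX_SANE=1024   # assumed threshold: above this, or unlimited, is reported

# fork_limit_ok LIMIT: returns 0 when LIMIT is a finite number <= MAX_SANE,
# 1 when it is empty, non-numeric or "unlimited".
fork_limit_ok() {
    case "$1" in
        ''|unlimited) return 1 ;;
        *[!0-9]*)     return 1 ;;
    esac
    [ "$1" -le "$MAX_SANE" ]
}

# limit_report LIMIT: one-line verdict for a given limit value.
limit_report() {
    if fork_limit_ok "$1"; then
        echo "max user processes: $1 - a runaway fork loop is bounded"
    else
        echo "max user processes: $1 - a fork bomb can exhaust the process table"
    fi
}

# 'ulimit -u' is the soft limit on processes for this user in this shell.
limit_report "$(ulimit -u 2>/dev/null || echo unlimited)"

# A login-shell mitigation is a line such as 'ulimit -u 256' in /etc/profile.
# It carries the same caveat as the rm alias earlier in the thread: only
# shells that read /etc/profile inherit it; other login paths do not.
```

Note that the limit is per process tree, so a value that is fine for an interactive user does nothing for a daemon started outside the login shell, and a user with several sessions can still push the total close to the system-wide maximum.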
Is this news? No one would care if Windows got hacked in 30 min. And about the “more market share = more viruses” thing, remember that Mac OS has about 80 viruses, Windows has about 80,000. 2% of that is 1,200, which is far more than 80.
The point? Mac OS X should have about 2.8% of all viruses, but it does not, because it is more secure. No matter how many viruses, though, Mac users should protect their systems.
And about the “more market share = more viruses” thing, remember that Mac OS has about 80 viruses, Windows has about 80,000. 2% of that is 1,200, which is far more than 80.
The point? Mac OS X should have about 2.8% of all viruses, but it does not, because it is more secure.
That’s not sound reasoning. Even a high school level education in mathematics should tell you not to expect the relation between the number of viruses and marketshare to be linear.
Edited 2006-03-06 23:28
Perhaps, but a factor of 15:1? Even if the relationship isn’t linear, this still seems to favor Mac OS X (or Linux, for that matter).
This overlooks a point, however: whatever the reasons, there is very little malware for *nix platforms. Maybe this will increase with marketshare, but all that this means is that until the marketshare improves significantly, *nix platforms will be safer as a general rule.
Not only that, but (always following this reasoning) it’s in the interest of Windows users for their OS to have a smaller market share, as it will improve security for their OS. Therefore, Windows enthusiasts should actively advocate that people switch to OS X, BSDs, Solaris or Linux, in order to be safer themselves.
>> Tell me, how do you intend to fix this ‘bug’? Preventing users from using the computer?
A sad truth, and one people rarely get, is the only secure server is one that doesn’t serve… so I get a real laugh out of that dig as it does illustrate the point rather well.
I also get a real kick out of is statements like:
>> Doesn’t OS X already have a firewall built in?
Which illustrate the ignorance of the average user, and the overblown media hype that’s been given to firewalls the past few years. A firewall on a server can only block access on ports NOT used for serving. What are you gonna do? Block port 80 (http), port 21 (ftp) and port 22 (ssh) on a SERVER? No, because then it wouldn’t serve http, allow users to update their http sites via FTP, or do simple things like backing up their SQL databases via a ‘secure’ shell.
A firewall is useless if the attack is occurring on a port that can’t be blocked – of course the converse is also true – blocking ports that there’s no software installed to respond on just wastes overhead. The only reason firewalls help in Windows as much as they do is all the crap services running in the background the average user doesn’t need (Telnet server, Messenger, etc). This applies under other OSes too. If there’s no software running to REPLY on a port – you don’t need to block it inbound, and generally speaking if you need to worry about blocking outbound, you probably installed something you shouldn’t have. (like uhm, Internet Explorer or Outlook)
Everything that has access IN at some point, be it FTP, HTTP, what have you has a point at which an attack can be mounted – Which is why the statements about things like linux or OSX being ‘more secure’ always get a chuckle out of me as it’s not a matter of security but effort… and with most of the die hard hackers out there being rabid anti-MS zealots, where do you think most of the effort ends up going?
So it’s no wonder when you give people a reason to look at OS X, it only lasted 30 minutes. I’d be willing to bet a better documented OS like linux might even last LESS time – except that I doubt any self respecting hacker would put the effort in since linux is their pride and joy.
>> Doesn’t OS X already have a firewall built in?
>> Which illustrate the ignorance of the average user, and the overblown media hype that’s been given to firewalls the past few years.
Actually, if you looked at the post I was *replying* to, you would see that the poster was saying (in a tongue-in-cheek way) that Apple should include Apple Defender, Apple Spyware, and Apple Firewall. I was simply pointing out that Apple already includes the firewall.
Of course you can’t block the port if you’re actively using it (port 80 being a good example for webservers)…duh.
Sorry, wasn’t singling you out per se… just the discussion of firewalls that had cropped up in the thread in general.
“Sorry, wasn’t singling you out per se… just the discussion of firewalls that had cropped up in the thread in general.”
Fair enough. I actually agree that firewalls have been severely over-hyped as a cure-all. It does make sense, though, to seal off anything that you don’t need to “listen” for.
I’m sorry, but I must point out that you have the same “ignorance of the average user.”
You really don’t understand firewalling if you think it’s just blocking some ports. Yes, that may be all your crappy linksys can do, but that’s not all we do on the enterprise level.
As it’s already put best, I will cite Wikipedia.
“Network layer firewalls operate at a (relatively low) level of the TCP/IP protocol stack as IP-packet filters, not allowing packets to pass through the firewall unless they match the rules. The firewall administrator may define the rules; or default built-in rules may apply (as in some inflexible firewall systems).
A more permissive setup could allow any packet to pass the filter as long as it does not match one or more “negative-rules”, or “deny rules”. Today network firewalls are built into most computer operating system and network appliances.
Modern firewalls can filter traffic based on many packet attributes like source IP address, source port, destination IP address or port, destination service like WWW or FTP. They can filter based on protocols, TTL values, netblock of originator, domain name of the source, and many other attributes.”
– http://en.wikipedia.org/wiki/Firewall_%28networking%29
That article is pretty sparse, but I don’t want to overload you with groundbreaking new information about what a firewall can do. I suggest you go check out pf sometime, if you’ve got a spare machine.
– http://www.openbsd.org/faq/pf/
It has the full functionality of most modern hardware firewalls at the better-than-consumer level. You can filter packets based on information in the header, or even in the payload itself.
I own a data center, so I work with this day in and out, we have extremely complex rules in place that do a _lot_. Everything from alerting us to incoming DDoSs (as well as actively attempting to drop the packets before it gets to our client’s computers) to filtering out spoofed mail servers prior to the packets even touching our smtp agents. This is typically known as deep packet inspection.
Needless to say, those are only two small examples, there are thousands of other things you can do with a firewall. Please don’t call people ignorant if you’re ignorant yourself, and haven’t bothered to research the topic you’re writing about at least a _little_. Wikipedia is normally a good starting point!
>> You really don’t understand firewalling if you think it’s just blocking some ports. Yes, that may be all your crappy linksys can do, but that’s not all we do on the enterprise level.
and what you don’t seem to understand is your entire post and linked articles of which mean exactly {censored} when the attacks are coming in via normal traffic routes – if the attack is via port 80 against apache, or port 21 against ftpd, or some other port that is allowed for some program that has a vulnerability so it looks like normal traffic – ALL of that fancy firewalling means Jack.
That’s not true. I filter incoming port 80 requests for various signatures that would/could be possible attacks. Normal HTTP requests don’t get you local user privs. Malformed requests, can, however. Same for any service. “ALL of that fancy firewalling means Jack” <– for me, it’s meant no intrusions on any protected machines for well over a year now, pushing upwards of 2gbit/s in overall bandwidth from a multitude of services.
You really should control that temper of yours, btw. It’s quite telling.
>> Malformed requests, can, however. Same for any service
In which case you are treating the symptom, not the cause – the cause being piss poor error handling in whatever program is receiving the requests.
>> You really should control that temper of yours, btw. It’s quite telling.
That’s actually pretty funny, as that was friendly for me… but then I’m blunt and call things as I see them and to hell with who it offends.
George, sometimes they can’t tell when you’re acting…
It’s not important for them to know, it’s only important for me to know…
“In which case you are treating the symptom, not the cause – the cause being piss poor error handling in whatever program is recieving the requests. ”
Absolutely no argument there. However, I don’t write all of the software for the thousands of servers sitting behind the firewall, nor do I have the intention of auditing them all for customers who do not pay for managed services. So, the best I can do is at least attempt to catch a large portion of the *crap* coming in before it has the *possibility* of allowing unknown people from Russia turn my network into a multi-gigabit spamming operation. Understand?
“That’s actually pretty funny, as that was friendly for me… but then I’m blunt and call things as I see them and to hell with who it offends.”
Either you’re really young, or you have a crappy job. I can’t see anybody dealing professionally with a personality that abrasive. Being blunt is one thing, being rude is another. I can appreciate bluntness, as I’m blunt myself. I cannot, however, tolerate rudeness. To hell with who it offends? Nice. Oddly enough, most of the Battletech players I’ve met have been pretty cool guys. Oh well.
In response to the woefully misleading ZDnet article, Mac OS X hacked under 30 minutes, the academic Mac OS X Security Challenge has been launched.
The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are “unpublished”. But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.
The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac Mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open – a lot more than most Mac OS X machines will ever have open. Email [email protected] if you feel you have met the requirements, along with the mechanism used. The mechanism will then be reported to Apple and/or the entities responsible for the component(s).
Mac OS X is not invulnerable. It, like any other operating system, has security deficiencies in various aspects of the software. Some are technical in nature, and others lend themselves to social engineering trickery. However, the general architecture and design philosophy of Mac OS X, in addition to usage of open source components for most network-accessible services that receive intense peer scrutiny from the community, make Mac OS X a very secure operating system.
Nobody seriously uses OS X as a server platform except ad/media/creative types… and they don’t know when their servers are hacked anyway. In all fairness, most companies shield their servers with layers of firewall, IDS, and other security policies that would even protect a Mac.
I just wish Apple would sell me Aqua to run on my Linux desktop – I would pay $150 to have that GUI on Linux.
There’s more to the OS X feel than just Aqua — things that sorely lack in Linux.
The concept of DMGs and App bundles, directory layouts, window server …
Maybe it’s not the feel he’s after, just the look.
And OS X’s desktop feel most closely resembles NeXT, from which it gets its MDI (multiple windows per process treated as one) and object oriented feel (the trash is a good example of an object; any throw away/removal goes there). If you wanna approximate this much on X11 I recommend WindowMaker.
The filesystem is organized, ahem, in two ways at the same time. There’s the Unix layer, and then packed on top is the Mac.App stuff. I just don’t know why you’d want this, but Gobolinux might get you somewhere along these lines.
And what precisely is new or unique about a DMG? How do they feel different from zips and tarballs?
The “look” has been emulated one hundred times before on various other platforms.
And DMGs are unique because they’re mountable disk images. You can do a lot with a DMG, and you can do a lot with mountable disk images in general. OS X can mount ISO, UDF, APM, MBR, etc. disk images out of the box. It doesn’t distinguish between those or physical discs.
Oh, and before someone goes “Yeah well Linux does that too”, then I have yet to see a distro where I can double-click on any kind of disk image and have it mounted locally without trouble.