Man, that's gotta be some kinda record

Posted: Mon Mar 06, 2006 12:37 pm
by Ferno
heooge link

a mac hacked in less than thirty minutes. oof.

Posted: Mon Mar 06, 2006 1:38 pm
by Krom
Not really surprising, security through obscurity is no security at all. Anything as complex as a whole operating system is going to be full of holes, Microsoft gets all the attention but nobody else is really any better at it. Other operating systems might even be worse than Windows because they don't get the same level of attention. It wouldn't surprise me if Windows was harder to crack at default settings with only the latest patches installed than any other consumer-level OS, assuming you didn't do anything stupid like leave the admin account with no password. :P

Posted: Mon Mar 06, 2006 2:16 pm
by Ferno
lol

this just blows the 'macs are more secure' argument right out of the water.

Posted: Mon Mar 06, 2006 2:29 pm
by DCrazy
The machine (a Mac Mini) probably wasn't running OS X Server. So Apple will hide behind "servers should run OS X Server" to try and dodge this quite frankly lethal bullet. Quite a shame that the Mac-thumpers won't see this as an exposure of their brainwashing and hypocrisy.

Posted: Mon Mar 06, 2006 4:42 pm
by Stryker
Thanks for that link--the comments made my day!

Posted: Mon Mar 06, 2006 4:46 pm
by Cuda68
I am surprised it took that long. We have some MAC OSX boxes at work and we found a bug at the login screen. While you are at the login screen the running user is system, so if you type in " >command " at the login screen for user name you get a shell with system privileges. Very close to the Windows exploit using the sticky key feature at the login screen. The sad part is MAC OSX is more or less FreeBSD. These problems really should not exist.

Posted: Mon Mar 06, 2006 7:01 pm
by Money!
Is the link gone? Or is my comp fukked up? Either way, this sounds interesting and the link didn't work.

Posted: Mon Mar 06, 2006 7:05 pm
by Lothar
Mac is not really that secure, despite what mac zealots often say.

Neither is Linux. Back when I handled security for my company servers, I saw just as many probes for Linux-based bugs as Windows-based bugs.

OpenBSD is pretty secure, though. For the most part, that's because it installs with everything turned off -- so even if some particular protocol is insecurely implemented, the only way it can be exploited is if you choose to turn it on.

Posted: Mon Mar 06, 2006 8:07 pm
by Isaac
It's going to be fun when your brain and computer are meshed...

Posted: Mon Mar 06, 2006 8:42 pm
by DCrazy
OS X runs arbitrary code on boot

OS X isn't UNIX. It's got parts of some BSDs in there and some ported/cross-compiled userland stuff, but the kernel is Mach and a lot of other stuff is GNU. They also wrote their own init daemon which is the reason for the above exploit.

Cuda, the reason for that is so you can use the command line repair utils if your machine is screwed up. Kinda like the FIXME single-user root shell most *NIX distros use out of the box in case fsck finds an unrecoverable error on boot.

Posted: Mon Mar 06, 2006 9:35 pm
by Paul
One thing to note, though, is that everyone was given local access... it wasn't a remote exploit.

Posted: Mon Mar 06, 2006 10:41 pm
by Topher
How does that make a difference? If it's meant to be a server then there are going to be lots of people with local access. It's a security hole no matter which way you look at it.

Posted: Tue Mar 07, 2006 10:06 am
by DCrazy
Privilege escalation = big problem. All the Mac addicts are vehemently (and wrongly) claiming that this isn't a true security breach. Apparently these people don't realize that one-step attacks are a thing of the distant past; modern attacks involve multiple stages, including but not limited to getting access to a local account (phishing, rainbow tables, holes in SSH server, etc) and privilege escalation. This guy did the most critical of those steps.

Posted: Tue Mar 07, 2006 11:37 am
by Pandora
Although I am probably a 'Mac Zealot' I agree with DCrazy. My problem with this report is - at the moment - that I just don't know if it is true. Details about the hack and confirmational information from other sources are missing as of yet ... so let's wait and see...