Mac OS X easy to hack?

[TheAnimus]

http://www.theinquirer.net/?article=30091

A MAC enthusiast has managed to prove that his favourite brand of computer is dead easy to take over.
According to ZDNet, the Swedish-based Mac fan set up his Mac Mini on the Interweb and invited hackers to break through the computer's security and gain root control.

Within six hours the "rm-my-mac" competition resulted with a hacker called "Gwerdna," gaining the necessary access.

Gwerdna said it only took him half an hour because a Mac is "easy pickings". He said that despite the common assumption of Mac owners that their boxes were harder to hack than Windows, there were shedloads of unpublished exploits for the computers.

He said that even if the Mac had been better set up it would not have stopped him. But he added that the Mac OS X doesn't have the market share to really interest most serious bug finders, who are apparently much happier taking over Windows machines.

According to Rixstep here, although Tiger does sort out a lot of these issues, one of the main problems is that OS X is not true Unix.

The site says that no self-respecting Unix designer would be so stupid as to allow arbitrary code to run as root without authentication.

So six hours eh? Granted the user had a local account, but this is what i find funny:
http://www.theinquirer.net/?article=30103

ZDNET’S TAKE on the half-hour Mac hack is "woefully misleading", says Apple fan Dave Schroeder from the University of Wisconsin.

So basically this guy is moaning because apparently been able to gain priveledge esculation isn't a big problem?! WHAT?!

So now he's doing a test of HTTPd + SSHd on an obscure PPC platform, which i must admit I'll be intrested to see if any problems happen, as i run both packages under NetBSD on an old ARM i've got under the bed. I choose security by obscurity in doing so, but as can be seen from the first news iteam, MAC OS X is not quite obscure enough not to have a mirriad of un-published exploits.

[ExceededGoku]

You can't really call a Mac easy to hack because there are just soo few out there that "hackers" find it hard to find a mac and so cannot gain access at all... However security is becoming a real problem for Mac and they need to sort thigns out before we have Windows "Mac" edition ()

[TheAnimus]

sorry i'm confused, are you saying that mac's are hard to hack because their hard to find

if so thats a good argument!

The problem i have is mac fans rant on about you if you say that the duo mini's are quite tiny, but you wish u could buy it without OS-X on. Because its a peice of wank they just use the classic "well you've never used it" (which is similar to what people say if you slag of their church, you wouldn't understand because your not a beliver).

The fact of the matter is 6 hours is bad no matter how you look at it, the mac isn't obscure enough not to have anyone looking for bugs, worse is the description of the problem, basically BSD you can use W^X, windows has DEP, MAC OS X has a shiny GUI. Which is better?

[ExceededGoku]

Yes I am saying they are hard to hack because they are hard to find
Also yes I completely agree all Macatics (lol mac fanatics) think that their G5 1.8Ghz vastly more powerful than any PC with like 10000000000000000000000000000Thz CPU with 800000TB DDR6904184104 etc. they are just kidding themselves and now they are starting to see the downfalls of having people buy the macs more, which is that there are more hackers willing to spend time destroying it.

[TheAnimus]

I think people are hacking macs more because of the attention things like the iPod have brought mac, i was speaking to a mate on campus, he recons mac have a better product market placement than MS. People will go in and ask for an iPod, not a walkman, now once those same people are told they need to have an iMac, well, then they'll buy one.

Apple aren't seam like the loveable loosers any more, their now seen as the profitering arseholes who choose intel's CPUs when AMD's are technically better (people seam to not think about supply, and how few AMD can churn out compared to intel) or the draconian locked down hardware which imo, is worse than any of the anti-trust complaints MS have against them (if shipping wmp with XP is bad, how evil is shipping itunes with an iPod?). As such more people are anti-apple.

But the big gripe is, MAC OS X isn't secure out the box, this problem by the sound of it, comes from a util thats running with root privs thats vunerable to a buffer overflow. Now whilst there are some un-documented hacks no doubt for 2k3 or Vista even, i doubt there are quite as many on the out of the box install, if just because MS are in control of all theirs. That in my mind makes for a safer out of the box environment. The funny thing is, which is what i can't understand, all the mac os fans saying take an XP box on the net and see how long it lasts. Assuming its an updated one (like the mac os x one was) then i'd imagine quite a long time.

[aidanjt]

Originally Posted by TheAnimus

...their now seen as the profitering arseholes who choose intel's CPUs when AMD's are technically better...

Have you done many Intel Core Duo vs. AMD Athlon x2 performance indexes yet? I'm not fond of Apple either, but I'd rather riddicule their bastardisation of UNIX (OS X) rather than their choice of PC Arch CPU, which in all fairness is proving to raise the eyebrows of even the hardest of AMD fanboys.

[TheAnimus]

don't get me wrong, i think the Duo's are neet, but the first wave of dev machines (which regetably is the ONLY x86 mac i've played on proper) wasn't remotely impressive.

I was mostly thinking desktop CPUs, not laptops and the duo (which i even admited to liking in mac mini form... thats prase indeed!)

But regardless, the choice makes sense when you look at quite how much fabrication intel can do.

However, I'd say that a mates opteron runs FreeBSD a lot better than my Dothan. (not remotely a fair comparison).

[aidanjt]

hmm.. well since the Pentium 4 Intel has been focusing on rapidly shrinking silicone and designing their cores to that end. At least Intel now admits that silicone is close to being streached to its limits and are changing their philosopy to enhancing core design, Core Duo is obviously the first main step (of many) in this process..

It'll be nice when the EFI boards hit the market with Intel's chips for PC users.. Of course I'll wait a year or so after before throwing cash at it to iron out the kinks with firmwares and software. We'll see how it goes anyway.

[Gordy]

Originally Posted by TheAnimus

Apple aren't seam like the loveable loosers any more, their now seen as the profitering arseholes who choose intel's CPUs when AMD's are technically better (people seam to not think about supply, and how few AMD can churn out compared to intel) or the draconian locked down hardware which imo, is worse than any of the anti-trust complaints MS have against them (if shipping wmp with XP is bad, how evil is shipping itunes with an iPod?). As such more people are anti-apple.

Aside from the fact all companies exist to make money, the intel choice makes sound business sense. Yes at the time of the choice AMD rule the roost, but its the future that counts and in particular the mobile line.

Apple have been suffering on their line of laptops (imac and mini can be considered laptops too really) not the desktops. AMD are behind in this area to intel so it makes sense to go to intel purely for this. Intel is too big a company with too much money to allow amd to stay in front for long.

Onto the mac security front. EVERY OS has security issues whatever they are as its impossible to write a piece of software as complex as an os without bugs. However inherintly the OS X (And unix basis) is more secure for several reasons. Firstly secuirty through obsecurity, secondly not having everthing turned on and allow through the firewall like windows.

This so called hacking test was a joke and I would be interested to see the outcome of the second more realistic test.

[Gordy]

38hrs and no one got in

http://test.doit.wisc.edu/

[TheAnimus]

I wouldn't call the test a joke by any extent of the imagination, getting remote access to an Apache SSH server is hard.

Getting access to an IIS server with remote desktop is hard.

The second test is a lot more restrictive, fact of the matter is the easyest way to get in would be if PHP was running a badly made code (not that all PHP code isn't inherently bad from a security perspective).

The first test showed how easy it was for a local user to get privledge escalation. This is bad, and the point is even windows has DEP!

[dangel]

Security through obscurity?

[TheAnimus]

yeh but how much of that has gone now its x86?

Buffer overflows, which theres a good chance this is what it was, are architecture specific, and thats why i run an ARM box with my unix favourate of the month on it. Now apple are just x86's in scratchable cases, there is very little obscurity, in fact the average x86 distro of BSD on some random hardware will be more obscure, so therefore safer?

[dangel]

Overflows in XP are mostly down to crappy old API/c-style code if you ask me - something they've really tightened up on with the version 8 runtimes (or at least given you the option of doing it). I think the point with the Mac is that, sure, it's obscure - but it's not particularly 'safe' - and that's partly down to the design of OSX (as opposed to 'true' BSD). One wonders with the advent of Vista (and it's almost _anal_ focus on security) we'll see the tables turn (they have been slowly with XP become reasonably secure [by comparison to it's first release]) on other OS'. Certainly the security in Vista is causing me a few headaches as a dev..

[headbrace]

I was going to make a thoughtful, considered reply to this thread. But given that I had to spend a fair amout of time deciphering what you had written, I just gave up really.

I think Gordy makes good valid points.

[dangel]

Originally Posted by headbrace

I was going to make a thoughtful, considered reply to this thread. But ...

Well we'll just have to make do won't we?