MacDailyNews - Where Mac news comes first

I want to know more about the exploit that was used by the hacker and why the reports are unsubstantiated.

I want to know more about it so I can assure customers that it is not an issue.

Right on Brother Man... Right ON

FUD - Fear, Uncertainty & Doubt.

It's what got George W. Bush where he is today, and it's what Symantec, Sophos et al. are trying to do to maintain their business. No viruses = no business.

I think you really have a point here. But still, if that Mac mini was hacked in only 30 minutes, it is not very positive.

But, that hacker refers to all kind of unreported backdoors. I findit odd that MacOS X isn't hacked before, at least not that I know of.

Maybe this whole thing was planned and out hacker already had the root password.

MW: Side, The Dark Side of the Force is surrounding these FUDders.

It does my heart good to know the Windows world is scared shitless because of Apple. This is awesome.

I don't worship at the alter of Jobs like most here do.

However, I switched a little over a year ago and now several of my friends and family have also switched due to my prodding. OSX is far superior to anything Microsoft has delivered and more and more people are discovering this. Just wish I had money to invest in Apple.

BTW, it was iTunes that finally swayed me to try a Mac. I had been put off by the expense of switching in the past but iTunes for windows finally convinced me that if it was this good then I should try a Mac. That and I already hated Microsoft Yes the switch has been expensive but it's been worth it.

People are sheep, FUD WORKS, and the real uphill climb is beginning for Apple. But this is all good news, because Apple is climbing, after all. Next Christmas is gonna be another monster for Apple. I expect back to school will be huge as well.

Or maybe it just means that our precious operating system is finally being shown to be not quite as bullet-proof as we would like to think.

Sure, the ZD/CNet article could be a farce, but still, how long will Mac users (I am one, and proud of it) continue to deny the truth? I understand and have read a boatload about Leap/A but the fact seems to be after the dust settled that no matter how ridiculous and idiotic the classification... apparently Leap/A is a titular virus.

We need more information on the 'hacked in less than 30-minutes' thing. Soon.

The guy who put his Mini up for attack is a Windows programmer. (Check out all the Windows books on the shelf in the background of the picture.) OK, so that just makes us suspicious, but the kicker is he allowed anyone to set up their OWN account on his Mini. So it's just like having local access to the machine. And there have been several vulnerabilities in MacOS only available to someone with LOCAL access. The thing is, no one in their right mind would set up any system giving local access to everyone on the internet, and then inviting them to hack it. This is ridiculous. If it were a Windows box, no hacking would even be necessary to bring it to its knees.

Wake me when someone can drive off with my OSX without first giving them the keys.

Im starting to become convinced that Jobs doesnt have anything up is sleeves. I wont mention his long held belief that people didnt want faster computers because I think he is half right--most people --by far--dont buy the fastest computer though most people dont want to buy a computer that is rumored to be slow. I think what held Apple back, aside from the fact that there is only one manufacturer of Macs is that it was not and still is not the prefered machine for games, cad, or for the internet. To this day Macs wont work with many internet sites. I saw RSS and Podcasting as a way for Apple to create an internet within an internet which internet within an internet would eventually gobble up the original internet within itself. Apple should have the blackberry and all this about IPOD--basically a walkman before RSS is marketing of mass destraction from the reality that Jobs has really failed to exploit RSS, Podcasting and the wonder of wireless communications. I think that the idea of computers in colors was a wonderful idea because it acknowledged that computers are owned by not geeks but people who might enjoy computers in colors. But has Apple really learned the lesson of computers in colors? I think fake titanium lap tops was a bad idea. I think HD is still just an idea apparently. Its time to make Apple what we really want it to be--innovative lap tops that can defeat alien invaders--not just game invaders but real invaders--rugged--coveted. And its about time to realize the potential of IPOD and some sort of phone/pda device. I think Apple should include real professional film, audio recording and animation software with every Apple. These computers should be about realizable self expression and entertainment. I bet you can sell more computers and make more money selling those computers than you lose by including the software with the computer bundle. Isnt including the software what really made Apple viable again (aside of course from the success of the IPOD)? Im sorry but I dont see INTEL inside as innovation. apple--first in flight.

It's not a proven threat until it happens in "the wild". Even then, X has a long way to go before it can be declared to be as insecure as any version of windows. It is FUD, exaggerating the threat. I'm no expert, but it seems news and security software companies are trying to lump together all these unknown, undisclosed vulnerabilities, bugs, etc. as "viruses" when at least in my understanding, that's not what they are.

I agree with SteveJack, which must be why I think he's so smart. Let's now tie his insight in with another perennial complaint about Macintosh, namely that it has been under-advertised and under-promoted by Apple.

The increasing, and expected, Mac Backlash is the main reason why Apple has chosen to kill them softly in the marketplace. By taking the long-term grassroots approach to market share increase, instead of making outrageous (but true) claims that OS X is vastly superior to Windows, Apple is preparing an army of dedicated Mac users to refute the FUD when it finally hits the fan.

I believe the evil megalomaniac leader in the 1984 Apple ad said it best:

"We are one people. With one will, one resolve, one cause. Our enemies shall talk themselves to death and we will bury them with their own confusion. We shall prevail!"

Both sides seem to be using that same strategy now.

Before insulting "most" Mac users on this thread, learn to spell "altar."
Thanks,
Kate

Here's a link to a real OS X Web challenge. This one has SSH on, but no accounts are given out. HTTP is on of course as well. This one is an insecure systems by my standard, but it'll be interesting if it's crackable.

http://test.doit.wisc.edu/

In case you want to see the picture I referred to in my last post, first go to the guy's FAQ here:

http://rm-my-mac.wideopenbsd.org.nyud.net:8090/faq

Wander on down to the link for the picture of the computer and hit it.

Here's that link if you don't wanna go to the trouble:
http://rm-my-mac.wideopenbsd.org.nyud.net:8090/rmm.jpg

I don't believe the ZDNET article is a farce, it's just not that informative. The guy who set-up the competition, didn't invite people to hack a Mac OS X machine across the internet. He gave everyone a local account to hack the machine from inside. That's right, each hacker was given a local account which they could access via SSH then rummage the machine looking for a way to gain root access. This is a totally different type of exploit than your normal hacks and cracks. Local user exploits can always happen. All you need is time and savvy. Typically most security focuses on remote exploits. Not what this competition was about.

I don't know why the user set this up this way--pure stupidity if you ask me. But unfortunately, shoddy reporting (not enough details), will lead to tons of people spouting off that your Mac web server can be hacked in 30 minutes (which isn't true, or at least hasn't been proven true).

That's a true summary.

With people discovering MacOSX flaws, someone still finds a way to spin it to being Microsoft's fault.

I'm proud. This is like "FUD Trek: The Next Generation"

That's ridiculous. It'd be like me saying, "I'm going to leave my front door open. I bet you can't steal from me!"

Just more FUD, and, as usual, ZDNET is glad to report it.

Mac OS is the most secure out-of-the-box Desktop OS. Period.

That said, it is not perfect, nor is it invulnerable. Period.

The whys and whats are not as important as that single fact. Just like the most important part of safety equipment in a car is the driver, the user is the most important security feature of ANY computer. Mac users need to take prudent steps to secure their computer and be able to recover their system. Not doing so is just plain stupid.

If someone were to develop and get malware for the Mac in the wild it could easily spread like a wildfire, as few Mac users have software for anti-virus removal and backed-up files for recovery.

What if said malware, in addition to other actions, inhibited your ability to access the internet? Now, not only do you have an infected computer-- you lack the ability to download the software necessary to remove it from your computer. Unless you live near a fairly large city Mac software is far from easy to grab off the shelf.

Yes, you will be able to recover your system and might be able to recover your files, but easily? NO. Most of the chicken little stuff we have seen lately is self-serving FUD from people who make their living from selling security software and/or services.

That said, making sure you have your files properly backed up and an anti-virus program readily available is wise and prudent. Period.

"At the crossroads on the road to the future, each progressive spirit is opposed by 1000 men appointed to guard the past." -Maurice Maeterlink

The spirit of this article is totally accurate. All of us OS X folks are interested in making the system secure. So why are the lies and FUD being circulated? It's not by people who really want OS X to be a better product. It's not by people who have actually found a vulnerability. These attacks come from people wanting to preserve the status quo, operating in bad faith. Compare the OS X "trojans, worms, and security holes" to Microsoft's claims that Windows is cheaper to run than Linux. Do you see the parallels? Rear-guard defensive manuevers cloaked in the appearance of truth. Hint to Microsoft: Apple is no Caldera.

There has been no PROOF that this so called HACKER was able to exploit the system and gain root access at all, leave alone in 30 minutes.

Hasn't stopped the Windows loving, Mac hating MORONS from running with this story.

If any of them had a shred of credibility, then taking this report at face value with nothing but the claim as proof just shows how pathetic these Windows apologists really are,

MT,

Brilliant. Couldn't have been said more succinctly.

Thanx!

If you all have been following my posts recently, you already know I can confirm Mac OS X, in it's present form, is remote hackable, especially from websites.

Apple is addressing the issue is all I can say. (NDA)

Those who are saying because of Mac OS X's low market share is the main reason we are not hacked more often are probablly right.

These pathetic attempts to show how unsecure Mac OS X is only show the opposite. If this is the best these "hackers" can to against Mac OS X, then I feel REALLY safe using Mac OS X. Apparently, they can't come up with anything better than "concept" worms that require the user to give permission and hackers who say they did something without any proof or details. I'm sure Mac OS X is not invulnerable, but it's much much better than Windows.

People go after OSX because so many of the faithful say it can't be done. You hold OSX out to the public as an indestructable, impenetrable fortress. This is an irresistible temptation to the same people who go after Windows just because its the biggest kid on the block.

Given sufficient time and a determined mind, there is no operating system that can't be broken into. Your own banter and swaggering egotism is the reason these incessent attacks are taking place.

Try being honest with newbies and potential switchers for a change. Don't tell them Macs are perfect. Don't tell them Macs can't get viri and such. Just tell them the truth. At this point in time, Macs are the best system out there.

The Mac Mini that was "hacked" was done so by a guy with an axe to grind...he set the thing up so *anyone* could log in and get an account.

3 cardinal rules of Systems Security:

1) Don't let the bad guy get physical access to your computer. If he can touch it, it's not your computer anymore.

2) Don't let the bad guy run programs on your computer. If he can log in, it's not your computer anymore.

3) Don't let the bad guy to convince YOU to run his programs on your computer. If you run his programs, it's not your computer anymore.


This guy is a a**hat troll.

I don't doubt an OSX system could be hacked in half an hour ... even I could do it if the system's admin left enough doors open. And a Windows guru just might do that ... accidentally or on purpose.

Some Mac users might do the same! My step-daughter's iBook boots up and auto-logins to an admin account! The one she uses for everything! We have spoken about this several times and she has said she'll let me set up her next system (in a few months) but that she'll allow no changes to her current system (fear of loss of data).

Mac users should thank the (WERE they MS employees?) folks who created the ineffectual malware that the ignorant are making such a fuss over! Nobody is out there sweating over being The First with a Mac virus. Well, maybe a few ... those who want the watered-down acclaim for the first VIRUS, and can accept that other non-viral exploits preceded his effort. And ... there are now fewer Mac owners leaving their systems wide open to the simplest of exploits.

As much as we Mac users are called zealots and macolytes and such we all must keep in mind that there are Microshaft zealots as well. They just don't have to defend their position as much because they're in the majority, but nonetheless the thought of Apple becoming dominant in the computer world scares them more than it excites us.

Don't get me wrong, I love Apple and OSX and I'm not defending Windows or Microsoft, I think they are crap, but....

The notion that Apple is or will become dominant in the computer world is like saying that Creative will become dominant in the portable music player world..

Sure, Apple gained a POINT in one year.. So now they are up to 4% marketshare... At this rate, Apple will have a 10% marketshare in 2012... That is not even close to being dominant..

Give it up peeps.. We will always be the minority.. There's nothing wrong with that...

Tre - dream on troll.
Anything can happen. M$ is dying - the sheeple are just to stupid to realize it yet.

All a paraplegic killer kitten can do is try to tell you that you should never allow people to setup local accounts on your system at their leisure. After that, you are on your own...

The hacker had a legit user account on the machine he hacked.

Yes, I believe he hacked it.

How many Russian hackers have a legit user account on your home machine?

If none then don't worry about the vulnerability he used to gain root access.

You are still safe.

the contest was set up very much like a server environment: many unprivileged doing their own thing on a single machine. with that said, shouldn't it be reasonable to expect that none of the users can perform a privilege escalation attack and gain root access to deface the site?

what this test really proves is that privilege escalation attacks are possible with Macs (a true bug). the really interesting thing here is how the attack was performed, and how should we protect against it until Apple releases a patch.

with all that said, i still love my PowerBook 12" and the two PowerMacs. =)

SteveJack is attempting to put some spin on this, but it would be better to say Mac OS X is more secure than Windows and leave it at that.

Local access isn't something folks generally give away. However, what's to stop somebody sending malware (exploiting the Safari safe file hole) that runs a shell using the techniques the hacker used to gain root?

Nothing is impenitrable.

Cheers. Magic word = account.

Comment:
...the thought of Apple becoming dominant in the computer world scares them more than it excites us.

Not likely to happen, but what would be so wrong if it did? What could be so very terrible about Mac OSX that the MacZealots haven't recognized?

Comment:
We will always be the minority.. There's nothing wrong with that...

Yeah, see if there are any minorities around that suffer through any 'tyranny of the majority'. If you find some, ask them how cool it is to be ostracized.

Comment:
...Nothing is impenitrable.<sic>

Yes. But, some things are less penetrable. And some things are much less penetrable.

Look, Fort Knox doesn't get robbed less often than all 7-11s because there are LESS Fort Knoxes. And it was built by fallible humans, after all. So, is it possible to acknowledge that the single Fort Knox likely has better security than all of 7-11s put together - by DESIGN?

Spongebob,
Don't jump on Tre. He's probably right, except his math is wrong. I think the Mac OS will make bigger gains in the next few years. However, Windoze will probably always reside on more computers than any Mac OS because of business/corporate users. The real benchmark is how many home/personal users use Winblows vs. the Mac OS. This is the area that Apple can make big gains.

For what it is worth, here is a repost of a note I posted elsewhere about this spurious event:

To understand what has happened in this spurious story it is important to read the exact challenge that was made:

http://rm-my-mac.wideopenbsd.org/

And to read the page that reveals the fallacy of the original report as well as provides a REAL - ACTUAL challenge:

http://test.doit.wisc.edu/

My observations:

(1) The original challenge was, as the URL itself points out, to 'rm-my-mac'. 'Rm' specifically means erasing the hard drive. This never happened. The challenge was not exactly met, and I am wondering why this obvious point has been ignored in the press reports. Nonetheless, according to the hacker 'gwerdna', he did work his way up from a provided ssh accessible user account up to root access and make changes to the machine.

(2) Gwerdna is NOT actually a 'hacker' by definition. Note that I am sticking to the traditional and honorable definition of 'hacker', not the abused and stupid definitions floating around the net these days. A real hacker provides the specific method they used to break into a system. Gwerdna never did this. Instead he keeps his methodology a secret. This means that (A) gwerdna is a 'cracker', that being someone who breaks into a system for no other purpose that to perpetrate damage. Crackers have no interest in improving the system the 'crack'. Yes, gwerdna chatters on about related information, but never provides any useful knowledge to prevent similar cracks in the future. (B) Since gwerdna's methods remain unknown they are, from a scientist's perspective, unreproducible and therefore unprovable. Apparently gwerdna was on the machine with a level of access that allowed him to change aspects of the machine. That is ALL we actually KNOW about what happened. Talking about some undocumented method of cracking a Mac does NOT at all PROVE that the crack even exists. For all we know this entire event is a perpetrated joke and anyone believing it is being laughed at. That is how very poorly this event has been documented and understood. Let gwerdna prove how he cracked the Mac. Then he will gain credibility and will rise to the level of the much more worthwhile role of hacker.

3) The challenge being given in the second URL above is true-to-life versus the goofy original challenge that actually gives hackers inside access to the machine.

4) Like many thousands of Mac OS X Server users, I have had a machine running full time on the Internet for years without a single incidence of being hacked or cracked. In my case the machine has been running since August 2001. I frequently get people and bots attempting to crack in, most commonly by faking an ID and password. All attacks have been repelled. And this machine only runs lowly old Mac OS X Server 10.1.3.

So does this report of cracking of a Mac Mini make me worry? Nope! Nonetheless I am a fan of security and see nothing wrong in overdoing it: I run a frequently updated virus scanner, Paranoid Android (recently updated and still better than MOSX built-in security), and if folks have the money to buy it I also recommend using Little Snitch which provides inside firewall security not yet available in MOSX.

Lisa said: "To this day Macs wont work with many internet sites."

These sites are coded to bounce Mac systems and/or Mac browsers, especially Safari, on purpose or through coding laziness. Some sites that lock out Macs can be accessed by changing the user agent to Internet Explorer to foil the Windows bigots.

But whatever causes the inaccessability, such a site's coding does not adhere to web standards -- and these standards are not those deemed to be so by Microsoft.

I believe that macs are way overpriced and do not offer the cyber security that everyone raves about. I would not have one if it was given to me. It's almost like all mac owners are brainwashed to spew off pro-mac propoganda, even though they are mostly trash.

I'm not "jumping on TRE". I just think he's a freakin' troll.
And I also think that M$ is dying - the sheeple are just too flamin' stupid to realize it yet. They will - just give it some time...

John, you seem a tad bit derogitive towards Macs.
I have had both systems and am fully receptive to your opinion on the exorbiant pricing Apple employs, but I must say you exhibit a HATRED.
What home computer are you currently using that exceeds the Macs capabilities?

Does it matter what I'm using? I could be a pansy playing with toy trains and it would still better better that the OSX trash.

What do trains have in reference to compters?

I have a 20" IMac and have no problems with "Hacking".

What is your intended purpose for perpetrating this site?

Apple4Me, Jon S. is just another troll. All pisssed off 'cuz he bought into the M$ tripe...
They're just mad 'cuz they 'wuz had.

Jon S.
You lost me at "I believe...".

You didn't say "my extensive research shows..." or "my personal experience with Mac is...". You present no empirical evidence.

Do you also "believe" the Earth is flat and sits on a turtle's back? Do you "believe" the Sun revolves around the Earth?

The drugs don't work they just make you worse.

Microsoft do not care how good or bad OS X security is at the moment. Windows market share is still incredibly high compared to Apple's small switcher percentage and there is no shortage of money to be made by providing these anti-spyware/virus/firewall tools. If this article was written in 2008 then it may represent something closer to accurate but right now OS X is still just a baby.

To have 3 OS X exploits pop up in one week (fixed already by Apple) and the artificial hacking incident are just coincidence.

ZDNet are known for spreading innacurate information. Nothing to panic over yet boys and girls although its still worthwhile keeping an eye open for this kind of information.

To suggest that there's no problem that a system can be compromised just because the proof of concept was done with shell access is stupid.

To reflect on the way most PC exploits happen, they happen by getting the PC user to do something dumb.

On average mac users (not all mac users, just the average mac user) are less sophisticated than PC users and less hardened to a real world which includes viruses, trojans etc, or are convinced by know nothing blowhards that OSX or any other OS is invunerable, so more likely to do something dumb.

Secondly PC users by neccesity usually have second lines fo defense in the OS and in antivirus programs and in apps which warn them if they're about to do something dumb. That doesn't exist to the same degree on the Mac because of some stupid misbelief that the machine is invunerable.

If you can compromise the OS by hand from a shell prompt, you can do it programatically from something that the customer downloads, or exploit another vunerability to get unpriviliged access to the machine, then leverage that into root access.

So, beleive it or not, being able to gain priviliged access from an unpriviliged account is actually a BIG problem.

To all those who say it isn't, you're just showing your ignorance.

SO with the pc you have a situtation where a people have been exposed to a number of viruses, trojans and so on, and they and the OS have built up some immunity to them, bith to social engineering attacks and to other attacks (The smart ones anyway who actually do purchase a home firewall router and an antivirus program, and don't open every mail promising a bigger erection or naked pictures of Britney Speers and follow the links).

By comparision many MacOS customers, bouyed on by a lower current level of virus attacks, and a a misperception spread around by know nothing idiots that the OS is invunerable, are just sitting around waiting to be wiped out by the first simple virus that they catch.

To misquote Bagdad Bob:

"The Viruses are not there. They're not in MacOS. There are no Viruses there. Never. They're not at all."

"We have killed most of the Windows infidels, and I think we will finish off the rest soon."

DLMeyer -- can you at least talk your daughter into turning off auto-login? And if she's backing up her files regularly (and properly), it should be fairly easy to restore once changes are made -- just make sure the data she needs is in her user folder, not the Admins.

I don't have a separate admin account...I'm the administrator. But I don't do auto-login either, because I don't want my spouse screwing things up; he's the only person I know who crashed a Windoze box just playing Minesweeper...