Mac OS X hacked in less than 30 minutes

now i'm no OS-X fan, but the hacker was able to get in because SSH was enabled on the server. as an insecure feature, SSH is disabled out of the box.

i love seeing these stories come out because i think the "security" of OS-X is highly overrated and due simply to a small market, but i just felt like this story could use a little perspective.

I appreciate Macs for what they are. What gauls me though, is how loud the Mac crowd gets when a virus or something comes out for Windows. OS X isn't more secure than Windows and the fact that Microsoft has been working on security all this time (while Apple presumably has not) might lead one to think that Windows is more secure.

Security through obscurity is no security at all.

Had Apple/Mac become the tallest poppy, instead of MS, we'd be hearing considerably more about vunerabilities and security flaws in OS X than at present....and how long before the exploiters of Windows get bored and turn their attentions to the Mac OS X as it grows in popularity? There'd be hackers who'd just do it for the challenge, given the much publisised superior security features.

Personally, I loathe the hacking/exploitation idea, and with all the coding talent and ability these parasites obviously possess, I'd rather see them creating programs, even their own OSes, than just creating mischief/trouble for legitimate developers.

"The web site author had enabled SSH, the Unix "Secure Shell" tool that has replaced telnet as a means for accessing networked machines from the command line. He then configured an LDAP (Lightweight Directory Access Protocol) database and added a web-based interface so that visitors to the site could add their own shell accounts to the system."

http://arstechnica.com/news.ars/post/20060306-6321.html

Yes, if you give out free user accounts your machine becomes insecure. But why has the issue been reported as a Mac OS X problem?

It seems to be a vulnerability in a service (SSH) that is off by default and only work when the attacker already has a user account (which he usually wouldn't).

Had Apple/Mac become the tallest poppy, instead of MS, we'd be hearing considerably more about vunerabilities and security flaws in OS X than at present...

EXACTLY...
I don't know what is so hard about that very concept that the "Loudmouth" Mac users and Linux users fail to understand. It's an elementary concept that just escapes them.

I don't know what is so hard about that very concept that the "Loudmouth" Mac users and Linux users fail to understand. It's an elementary concept that just escapes them.

What makes you think that Mac and Linux users "fail to understand" the concept?

Should Mac and Linux users just embrace any faulty report of a remote exploit just because not believing every crap you read constitutes a failure to understand an unrelated concept?

Write it down: I am a Mac user and I understand that Macs would be targeted more often if the Mac's market share was higher. BUT I also understand (and that is what you fail to understand) that being targeted and having security flaws is not the same thing.

Any statement to the effect that Macs would be practically as insecure as Windows if only Macs were targeted more often is a hypothesis. It's not a fact, even if your faith in its truth is very very strong.

As I have said in another thread, Mac OS X has several basic security features that Windows lacks. These features do not go away when more attackers target Mac OS. They are an objective feature and part of the system. And yes, they make Mac OS more secure.

Frankly what I think most Windows users get frustrated about is that Mac users explain the security of Macs in terms relative to Windows. They describe how there are less viruses for Macs, you don't necessarily need AV software, etc. Windows users get mad in return because the security if Macs isn't tested on the same scale/scope that Windows is.

Frankly what I think most Windows users get frustrated about is that Mac users explain the security of Macs in terms relative to Windows. They describe how there are less viruses for Macs, you don't necessarily need AV software, etc. Windows users get mad in return because the security if Macs isn't tested on the same scale/scope that Windows is.

I suppose you could explain Mac security in terms relative to Linux, but that is not what most people would be interested in.

Windows NT was not designed as a secure system; Microsoft simply didn't foresee the idiocy people would come up with. Nobody knew that the Internet would be widely used to attack PCs.

I was just saying average Joe Windows (I exclude myself, I dual boot XP and Ubuntu) just gets defensive when someone says Mac security beats Windows because there are less "baddies" that affect OSX

Frankly what I think most Windows users get frustrated about is that Mac users explain the security of Macs in terms relative to Windows. They describe how there are less viruses for Macs, you don't necessarily need AV software, etc. Windows users get mad in return because the security if Macs isn't tested on the same scale/scope that Windows is.

What is funny about this (or maybe not), back in the 90s, Macs (that is pre OSX) were so poluted with Viruses it was not funny! While DOS (Forget what transpired as Windows back then) was relatively virus free. Oh, there were some, but not widespread and not as pervasive as the Mac ones. Since OSX, I think I have heard of exactly 2 Mac Viruses.

it is not that they cannot be infected, or even that they have not been targeted in the past. Maybe it is just a little harder now?

being targeted and having security flaws is not the same thing

I never said they were.
What I am saying is most "Loudmouth" mac users.. (the ones that go off the deep end any time you point out some exposed issue with Macs) Quite similar to the (

Write it down: I am a Mac

)sarcastic behavior you are demonstrating I might add.

...Fail to understand that the more popular something becomes, the more of a target it also becomes. There just isn't enough interest from hackers at this point to put forth the dedicated effort to exploit Mac and Linux as they have Windows.
Hypothesis, yes it is, but it is a very solid one. Recent events since Mac has been on an upswing in popularity lately should begin to prove that hypothesis.

They are an objective feature and part of the system. And yes, they make Mac OS more secure.

You base this on what? The currently known methods of exploits only. As new methods by hackers are developed your statement becomes less truthful.


Whatever the case, time will tell the tale however, and if I am wrong I will be the first to admit it.

You base this on what? The currently known methods of exploits only. As new methods by hackers are developed your statement becomes less truthful.

I base it on what I know about Windows and Mac OS.

New methods have nothing to do with it.

It does seem like the original hack contest was setup such that the Mac would fail. A student at the University of Wisconsin (Go Badgers!) has setup another test which is much more realistic.

Link

According to the story, the Mac Mini has held up very well so far.

I have no doubt that *any* OS can be hacked into. I just find it interesting that people are starting to aim their focus at Mac instead of Windows. If anything, this should be a good sign for our Macintosh friends; indicating that they are gaining enough popularity to be attacked.

The original test seemed to demonstrate what would happen if a stupid user shot himself in the foot, much like a windows user opening an executable file which was e-mailed to them. Windows users have sorta been trained not to do that kind of thing anymore. Similarly, Apple users will eventually learn how to stop exposing themselves to attacks (even though I understand the system comes pretty locked down by default). The point is that they have no leg to stand on in claiming that their OS is vastly more secure and I think it's time that they pipe down and start getting ready to eat some crow.

The original test seemed to demonstrate what would happen if a stupid user shot himself in the foot, much like a windows user opening an executable file which was e-mailed to them.

Well, no. A stupid user would not install a Web interface to an LDAP server on the machine. That was a custom setup by an intelligent tester. It simply cannot happen to an actual user.

It's not the same as opening a random executable file.

Windows users have sorta been trained not to do that kind of thing anymore.

On my Mac I get a warning when I start a program for the first time. I didn't need "training" not to start random programs on my computer. I just don't do it.

Similarly, Apple users will eventually learn how to stop exposing themselves to attacks (even though I understand the system comes pretty locked down by default).

The LDAP Web interface was not something that Mac users must learn not to keep around. I wouldn't even know where to find it and how to install it without using Google.

The point is that they have no leg to stand on in claiming that their OS is vastly more secure and I think it's time that they pipe down and start getting ready to eat some crow.

Why? I don't think "vastly" was ever part of the claim. But more secure it is indeed. That a Mac can be hacked by a user who has an account is sad, but it's not the same kind of problem that Windows machines apparently experience.

The LDAP Web interface was not something that Mac users must learn not to keep around. I wouldn't even know where to find it and how to install it without using Google.

Perhaps someone of the 'what does THIS button do?' mentaility will inadvertently screw their system...be it on a Mac OR a PC.

A flaw is a flaw, no matter how idiot-proof it is, the world creates better idiots.

This US vs THEM OS debate is as childish as 'my dad's bigger than your dad, so there'....and I for one grew out of that about half a century ago....[and besides...he usually wasn't].

Get a grip, guys.

Reality would be a good choice....

To turn on the LDAP interface or to open the SSH ports you have to navigate the fairly arcane OSX firewall. I doubt any ordinary mac user would ever bother to do so unless they had to use it, and I can't think of many uses the average user would have for such ports. I've never turned either on and I've had my mac for years. So the vast majority of macs would be immune to that 30 minute hack.

I for one think that all these hacking contest are a great idea..It helps the developers of these OS to find the flaws and fix them...The truth is, neither OS is bullet proof...Till it is neither camp can claim JACK CRAP........These little hack test will eventually make it so difficult for even the super idiots out there remain safe from the Super hyper smart hackers. Discussing these flaws of both OS's help to create a better eEnvironment, which benifits all of us.I loud all who hold these little chalanges and would like to see more of them in diffrent scenarios with prizes and true notiriety...These kids who practice there skills will get recognition for there ability to adapt and basicaly solve puzzles to improve the security.Hopefully leading to lucrative and profitable employment as a security programmer...MS ond Mac should hire those Russians who do the huge digital espionage and offwer them a salarie equal to what they could get from scroupulouse tactics...Wouldnt world wide notiriety as a hero be better than the secluded life of a crimminal...This can go on as a disscusion for ever...Lets see where it all ends.