Free Republic


Mac OS X hacked under 30 minutes
ZDNet Australia ^ | 03/06/2006 | Munir Kotadia

Posted on 03/06/2006 10:43:40 AM PST by Senator Bedfellow



To: Swordmaker
All I can think is that the security software people and the MS folks are getting nervous about Apple market share. The overblowing of these "security" issues is getting a little silly. Every computer has vulnerabilities, and the problem between the keyboard and the chair can compromise any machine. The absolute glee with which some people respond to each of these reveals quite a bit, though.

I think there's a lot of attachment to Microsoft, as it's guaranteed to keep a large IT staff employed.

41 posted on 03/06/2006 7:38:34 PM PST by Richard Kimball (I like to make everyone's day a little more surreal)
[ Post Reply | Private Reply | To 36 | View Replies]

To: Senator Bedfellow

Absolutely. BUT, if you have an account on a machine (even a user account) then you can get access to Terminal, and once you have that it's all over, if you know what you're doing.

If someone has NO account on a machine then they cannot run the apps on it.


42 posted on 03/06/2006 7:51:24 PM PST by solitas (So what if I support an OS that has fewer flaws than yours? 'Mystic' dual 500 G4's, OSX.4.2)
[ Post Reply | Private Reply | To 40 | View Replies]

To: solitas

In other words, local account security is basically non-existent on OS X. Well, that's useful information for anyone who might be thinking about deploying Macs, I guess.


43 posted on 03/06/2006 7:56:55 PM PST by Senator Bedfellow
[ Post Reply | Private Reply | To 42 | View Replies]

To: Senator Bedfellow

No - not at all. In a multi-user system (i.e. schools) a competent admin wouldn't LET the kids have access to Terminal or similar utilities - they would be removed from the common apps folder (accessible to all) and kept in the admin's private folder (access denied to regular users).

I manage a small LIMS system at work and I've relocated all the 'toys' to secure folders so that the common users can't f!-up anything. AND, they can't just install anything they want without an admin's permission.

Do you have little kids? Would you leave knives in the cutlery drawer? Would you leave the outlets uncapped and leave paperclips lying around? Would you leave matches lying around?

Would you open-up r/w/d privs on all files to everyone on your system?

This kid not only left the front door open for the thieves; he took the lock out of the door.


44 posted on 03/06/2006 8:20:36 PM PST by solitas (So what if I support an OS that has fewer flaws than yours? 'Mystic' dual 500 G4's, OSX.4.2)
[ Post Reply | Private Reply | To 43 | View Replies]
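The post above describes a concrete control: take the tools out of the shared applications folder, keep them where only the admin group can reach them, and never hand out read/write/delete on everything to everyone. The script below is an added illustration of that lockdown and of the audit that checks it held; it is not from the thread or from any of the posters. It assumes a POSIX shell on a Unix-like system (the commands used, `ls`, `cut`, `chmod` and `find -perm -002`, behave the same on Mac OS X and Linux), uses a constructed temporary directory with a fake "terminal" script standing in for the real application, and leaves the group change (`chgrp admin`, which needs root) to the administrator.

```shell
#!/bin/sh
# Added example (not from the original thread): lock a tools directory down to
# owner/group only, then audit that "other" users have no access anywhere in it.
# Assumption: run as the owner of the directory; real deployment would also
# `chgrp admin` the tree so only admin-group members can list or run the tools.

# other_perms PATH -> the three "other" permission characters, e.g. "r-x" or "---"
# (columns 8-10 of `ls -ld`, identical on BSD/macOS and GNU ls)
other_perms() {
    ls -ld "$1" | cut -c8-10
}

# world_has_access PATH -> exit 0 if others hold any of r/w/x, 1 if fully denied
world_has_access() {
    case "$(other_perms "$1")" in
        ---) return 1 ;;
        *)   return 0 ;;
    esac
}

# lock_tools_dir DIR -> 750 on the directory and on everything directly inside it:
# owner rwx, group r-x, others nothing. Non-members can neither list nor run the tools.
lock_tools_dir() {
    dir=$1
    chmod 750 "$dir" || return 1
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        chmod 750 "$f" || return 1
    done
}

# find_world_writable ROOT -> every file or directory under ROOT that others may write
# (-perm -002 tests the "other write" bit; works on both BSD and GNU find)
find_world_writable() {
    find "$1" -perm -002 2>/dev/null
}

# demo -> builds the "lock taken out of the door" state, then fixes and re-audits it
demo() {
    root=$(mktemp -d)                       # constructed sandbox, removed at the end
    mkdir "$root/tools"
    printf '#!/bin/sh\necho shell\n' > "$root/tools/terminal"   # stand-in for Terminal
    chmod 777 "$root/tools" "$root/tools/terminal"              # everyone: rwx
    echo "before: others on tools dir = $(other_perms "$root/tools")"
    echo "world-writable before:"; find_world_writable "$root"
    lock_tools_dir "$root/tools"
    echo "after:  others on tools dir = $(other_perms "$root/tools")"
    echo "world-writable after:"; find_world_writable "$root"
    rm -rf "$root"
}

demo
```

Run it once on a real tools folder after the `chgrp`, then keep `find_world_writable /Applications` (or whatever shared tree you use) in a periodic check; a 777 that reappears after a software install is exactly the "lock out of the door" condition the post describes.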

To: solitas
Would you open-up r/w/d privs on all files to everyone on your system?

How do you know that was the case here?

Anyway, if Terminal is known to be insecure for local users, why does it default to being available, or alternately, why hasn't it been patched so it is secure?

45 posted on 03/06/2006 8:22:27 PM PST by Senator Bedfellow
[ Post Reply | Private Reply | To 44 | View Replies]

To: Senator Bedfellow
No - the "r/w/d privs"-thing was like the knives/clips/matches-thing.

Terminal is not insecure [sic]. It. Is. An. Application. Apps are meant to be run; but not by people on a multi-user system who do not NEED to run them (hell - the windows systems we have at work: the admins don't even let us do our own scandisks and defrags).

Obviously, like the OS installation on your home computer, there are a limited number of users and you don't give out accounts to people who would potentially try to hack your system (except maybe for your kids; but you can beat them if they f! it up).

If you don't want users to do bad things, don't give them the tools. If you're stupid enough to WANT people to try to hack your system remotely and you give them accounts on the system and you leave the tools lying around for them to use... <shrug>

This kid screwed the 'test' by giving hackers everything they NEEDED to destroy the system.

It's. A. Non-. Story.

46 posted on 03/06/2006 8:49:44 PM PST by solitas (So what if I support an OS that has fewer flaws than yours? 'Mystic' dual 500 G4's, OSX.4.2)
[ Post Reply | Private Reply | To 45 | View Replies]

To: solitas

So despite the fact that other multiuser systems have been giving local users shell accounts for, oh, thirty years now, without it being a major security hazard, in the hands of Apple, it's a nuclear weapon that must never be entrusted to end-users. That about the size of it?


47 posted on 03/06/2006 8:52:00 PM PST by Senator Bedfellow
[ Post Reply | Private Reply | To 46 | View Replies]

To: HAL9000
Macs are not invulnerable, but 20-to-30 minutes is an eternity in the world of hackers

Not really. I've hammered away for days at a server before gaining access to it.

I think the longest it's taken me to crack one was a couple weeks.

48 posted on 03/06/2006 9:52:59 PM PST by Psycho_Bunny
[ Post Reply | Private Reply | To 4 | View Replies]

To: Swordmaker
The challenger gave ALL users an admin account... so this proves nothing.

This appears to be untrue.

49 posted on 03/07/2006 5:58:13 AM PST by js1138
[ Post Reply | Private Reply | To 37 | View Replies]

To: Senator Bedfellow

In an improperly-configured system a user can find ways to break it.

If the guy who started the test specifically gave people accounts to hack a 'plain vanilla' system without doing any of the things that an admin would do to make a system secure from enemies, then what kind of test was it? The same thing would go with a windows system: disable the safeguards and a user can have a holiday with it.

Remember: this is a personal computer operating system; NOT a mainframe system where there is centralized processing - each OS stands alone and only data is transferred. Tools exist to be used and it's up to responsible administration to oversee that the right tools are available to the right individuals.

In such a 'distributed computing' architecture the security is dependent from machine-to-machine. And just because someone was able to hack a system on which he had a password and access to the right tools doesn't necessarily mean that he could hack a system on which he does NOT have an account (whether or not the tools are available on that unit).

Computer security is a dynamic animal and no OS is invulnerable - especially if someone has 'keyboard access' to the unit (be it in-person, sitting AT the unit; or remotely logged-in to the unit - as was the case with the 30-minute hacker).

Even you must admit: it's a whole lot easier to block intrusion by non-users than it is by a user.


50 posted on 03/07/2006 7:21:35 AM PST by solitas (So what if I support an OS that has fewer flaws than yours? 'Mystic' dual 500 G4's, OSX.4.2)
[ Post Reply | Private Reply | To 47 | View Replies]

To: Psycho_Bunny

And how much easier would it have been if the admin had given you an account on that system?


51 posted on 03/07/2006 7:22:40 AM PST by solitas (So what if I support an OS that has fewer flaws than yours? 'Mystic' dual 500 G4's, OSX.4.2)
[ Post Reply | Private Reply | To 48 | View Replies]

To: Richard Kimball

Well, the 'uniform' I wear on occasion earns me $150 / $200 hour, so I can't complain.

Say - that *ding* sound says that you'd best be getting back to the Fry-O-Lator lest that last batch of curly fries goes bad. And do remember to wipe the grease off your shift boss' keyboard. That got you fired last time around, didn't it?


52 posted on 03/07/2006 7:48:13 AM PST by Noumenon (Yesterday's Communist sympathizers are today's terrorist sympathizers)
[ Post Reply | Private Reply | To 38 | View Replies]

To: js1138
This appears to be untrue.

It may be, JS... the link on the contest rigger's website on which I found that piece of information now no longer connects. I attempted to go back and find it and all I get is

"Safari can’t open the page ... because it could not connect to the server “rm-my-mac.wideopenbsd.org.nyud.net”."

53 posted on 03/07/2006 8:18:34 AM PST by Swordmaker (Beware of Geeks bearing GIFs.)
[ Post Reply | Private Reply | To 49 | View Replies]

To: solitas
What would be the point of that if you're being paid to hack the server for Proof Of Security?
54 posted on 03/07/2006 8:33:11 AM PST by Psycho_Bunny
[ Post Reply | Private Reply | To 51 | View Replies]

To: Swordmaker

Just off the top of my head, if you have an admin account, what is there to hack? If you have a user account, you shouldn't be able to get admin privileges under any conditions. At least not without being able to boot with your own disk.


55 posted on 03/07/2006 8:47:17 AM PST by js1138
[ Post Reply | Private Reply | To 53 | View Replies]

To: Noumenon
Well, the 'uniform' I wear on occasion earns me $150 / $200 hour, so I can't complain.

If I had a dollar for every clown on the internet that tells me they make $200 an hour, I'd make $200 an hour.

56 posted on 03/07/2006 8:56:53 AM PST by Richard Kimball (I like to make everyone's day a little more surreal)
[ Post Reply | Private Reply | To 52 | View Replies]

To: solitas
The same thing would go with a windows system: disable the safeguards and a user can have a holiday with it.

Yes, but so far the only "safeguard" in question is the "not giving people an account" safeguard. That's fine, but what are you supposed to do in an environment where others are supposed to have access to and use of the machine?

even you must admit: it's a whole lot easier to block intrusion by non-users than it is by a user.

A machine with zero users will be more secure than one with > 0 users, but it won't be particularly useful.

57 posted on 03/07/2006 8:59:21 AM PST by Senator Bedfellow
[ Post Reply | Private Reply | To 50 | View Replies]

To: Richard Kimball

It must be frustrating for you to live the way you do. You have my sympathies.

But to be specific, I do pen tests and security audits for $150/hour; forensics, data recovery and cleanup go for $200/hour - those who are in that amount of trouble are happy to pay it for results. I typically flat rate the security audit jobs, though. And those aren't big city rates, either, as other real professionals will attest.

Take those Mac blinkers off, and lo and behold, it's *nix/Windows that runs the vast majority of the business world. I call it full time employment. LAMP, AJAX, etc - it's a wonderful world.

Well, TTFN - I'm off to another network engineering job (only $75.00/hour for those). Get a few certs and some experience under your belt and you could earn that sort of money, too.

Remember - don't deep fry naked.


58 posted on 03/07/2006 9:12:47 AM PST by Noumenon (Yesterday's Communist sympathizers are today's terrorist sympathizers)
[ Post Reply | Private Reply | To 56 | View Replies]

To: Senator Bedfellow
Yes, but so far the only "safeguard" in question is the "not giving people an account" safeguard.

Well, how does it work for YOU (we can assume you don't give logins on your machine to just anybody? Or DO you?)?

That's fine, but what are you supposed to do in an environment where others are supposed to have access to and use of the machine?

A competent admin _should_ be setting up accounts based upon the particular user's needs - to give everyone access to everything (unless you're very sure you can trust them) is kind of stupid, no?

59 posted on 03/07/2006 5:26:08 PM PST by solitas (So what if I support an OS that has fewer flaws than yours? 'Mystic' dual 500 G4's, OSX.4.2)
[ Post Reply | Private Reply | To 57 | View Replies]

To: solitas
to give everyone access to everything

Sorry, where does it say that happened here?

60 posted on 03/07/2006 5:41:03 PM PST by Senator Bedfellow
[ Post Reply | Private Reply | To 59 | View Replies]


Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson