Posted on 03/09/2006 8:10:56 AM PST by Swordmaker
To maintain public confidence in its operating system, Jobs & Co. should consider hiring a security czar

The second potentially major Mac security incident in as many weeks has thankfully been debunked. Earlier this week I wrote a blog entry about a Mac Mini owner in Sweden who configured his machine as a server and challenged hackers to gain access to it. The Mini was -- as hackers like to say -- "owned" only 30 minutes after the challenge started. By "owned," I mean rooted. An outside attacker, through a remote Internet connection, was able to get "root" access -- the highest and most powerful level of administrative access on a Unix-based computer (which Macs running OS X happen to be).
Root access gives the bearer free rein on a machine, no questions asked. Files can be altered or deleted. Accounts assigned to other users can be changed or deleted altogether. The potential for misuse of the privilege has caused Apple to ship its machines with root access disabled by default. Root can be re-enabled only through a series of technical contortions understood by advanced users. Even so, the Swedish attacker said he succeeded with an "unpublished" exploit -- a method that hasn't been publicly documented. If your Mac is connected to the Internet all day, as mine is, you can see the fright such news might generate. It's like knowing a criminal gang has a master key to your home and thousands of others, and that the only defense you really have so far is that they haven't found you yet.
BIASED STUDY. That is, if it were true. . .
(Excerpt) Read more at yahoo.businessweek.com ...
Thanks to Tubebender for the find!
There's nothing new here that wasn't discussed on the original thread.
Any computer that is going to be part of a business network has to have user accounts that cannot be escalated.
All this FUD about Mac and security.

b'shem Y'shua

This can only mean in my mind that the folks in Redmond are planning to re-release NT with a new GUI and charge big dollars for Vista.

I understand it will require 800 Megabytes to load Vista.
While much of this is bunk, and I hate the word "czar" (makes me think of the US drug czar), Apple should, if they don't already, have a position of head of code audit and security.
Say what?
The author is suggesting that Steve Jobs create a Department of Macintosh Security, and assign it a Public Relations budget to head off the fear, uncertainty, and doubt (FUD).
With authors like this on their side, such a position might be redundant. Just as our White House has an impossible time correcting the FUD that's out there, even though accurate and up to date information is available to all the reporters, average reporters are typically not interested in accurate. Accurate but unremarkable stories don't sell or draw readership. Finding remarkable stories is a lot of work, and usually dangerous.
And then there's the question of agenda.
Well... it isn't complete FUD... the machine was still rooted through privilege escalation.
These kinds of "privilege escalation" vulnerabilities have cropped up on the Mac over the years and date back decades to FreeBSD, the variant of Unix on which Mac OS X is based.
I don't call that FUD at all, do you?
True. But in the security biz, there's a big difference between a "local" and a "remote" vulnerability. A local vulnerability can only be exploited by a user with login privileges--i.e., the computer's owner, or someone authorised by the owner to use the machine. A remote vulnerability, on the other hand, can be exploited by any random shmoe in Chechnya.
When people say Windows is "vulnerable", they mean that within a minute of connecting a new machine to the Internet, you're probably already infested with viruses and pwned by a Russian spammer. Nothing like that is remotely true of a Mac; you can connect an out-of-the-box Mac to the internet with essentially no fear.
It isn't as bad as it used to be. MSFT used to leave tcp Ports 139 for Netbios and 135 for RPC wide open by default. My dog could get admin access. On the older versions of NT there was no way to even plug the ports. Even disabling Netbios would blow NT up.
People like J. Allard (he was MSFT TCPIP "guru", now he shaved his head and pushes Xbox's) used to claim there were no holes and that Netbios was secure... as far as I am concerned he is a putz and a friggin liar but that was the MSFT way. It cost them and everyone else a lot.
The OS's (2003 and XP-SP2) have come a long way in terms of being secure but... I think that the MSFT product groups still leave too many holes open. Outlook was just plain evil... basically it was a Hacker's VM.
The rest of my post to you addressed exactly your concerns as to whether it would be worth it.
Apple's response to the proposal was that there was no need for a security czar to oversee the actual response of coders to fix security issues.
But I also covered the fact that it doesn't matter how much accurate information Apple puts out regarding a FUD attack by the media. The media knows that FUD sells better than accurate, but unremarkable stories.
And then there is the fact that some in the media will have an agenda.
I also drew attention to the similar situation the White House has with the media and FUD. Lots of FUD, and the media ignores the accurate and factual information that would dispel the FUD. Agenda coupled with laziness. Easier to print FUD that sells than go out and get accurate facts that don't sell.
So yeah... Apple doesn't want a security czar, and it wouldn't change anything about how the media responds to FUD.
Sucks, but true.
Which is why I'm dumbfounded at the idea. Maybe the writer just wanted traffic.
I agree... but there is more and more doubt arising as to whether this event ever happened. No proof has been offered. No explanation of how it was done... and many people extremely familiar with OS X are doubting the claims of Gwerdna and the host's owner. It is looking more and more that this may be a hoax.
Was it? Where is the proof? Nothing has been posted that proves this ever happened. We have two guys who claim it... but both are unwilling to provide either proof or methodology.