"Despite the claims to Apple/Mac OS X fanboys..."

Ah yes, the way to carry on a serious discussion about a platform's security issue is with a gross grammatical error and the pejorative "fanboys". (Because, as you know, anyone who defends Apple or OS X is doing it as a completely mindless Steve Jobs-controlled robot.)

This "hacker" got his access to the machine in a very unusual circumstance and still refuses to provide any details about what happened or how he did it. Why should anyone take him seriously?

" 'root access is disabled' doesn't hold water"

Nobody with any real knowledge of OS X uses this line as a defense against any alleged exploit. Root access is enabled via the use of sudo and an admin account.

"What would be the point of losing an extremely valuable remote exploit on a bunch of .edu people to prove something to them?"

What was the point of exposing this alleged vulnerability in the Swedish contest?

"no one would waste a good bug just to show off that they could in fact hack this Mac too."

Why not? You did.

"But on the other hand, doing this let me simulate a Mac OS X server that would've been used as a server that would have arbitrary users on it. Servers used for hosting services (web), for example."

I personally don't know of any ISPs that create arbitrary shell accounts on their servers. You have to be a customer, request, and justify such an account, and then they lock it down as much as possible. No word about how locked-down this account was.

"...it would be foolish to assume you can't compromise an Apple desktop..."

Almost nobody thinks this, except those who wish to portray Apple users as "fanboys" and general idiots.

Mr. Schroeder exposed three attack vectors to that Mac Mini:
- The Apache httpd (not created by Apple)
- The OpenSSH sshd (not created by Apple)
- The Mac OS X/Darwin TCP/IP Protocol Stack (the Darwin Source hints that this was created by Apple)

The chances to attack through one of these vectors are really slim, no matter what (current) OS you choose.

The first "contest" (rm-my-mac) on the other hand showed that there are flaws in Mac OS X that allow for local privilege escalation. This is a very serious issue, because the most common way of attacking and compromising a desktop machine is through flaws in applications like web browsers, mail clients or instant messenger clients, giving the attacker (or malware) local access. The fact that the initiator of the first contest gave out ssh accounts for everyone just made it easier for attackers to target that particular Mac, and provided them with the same basis for privilege escalation attempts as malware.

. . . but it's up to you to prove I don't. It's in my desk drawer. Here. Beside me. Really.

"no one would waste a good bug just to show off that they could in fact hack this Mac too." Doesn't sound like someone who wanted to see anything other than the Mac getting hacked.

I still await actual evidence that the event even took place.

Two pseudonyms have spoken on a website. We don't even know these are different people.

They refuse to give any details about how security was compromised so no one can confirm or refute it.

They wouldn't want to "waste a good bug" on someone else's trial which also neither confirms nor denies the existence of any particular bug.

So what do we make of this? Well I wouldn't want to waste a good line just to make a point about a non-story.

So, let me get this right, the FIRST contest was worth wasting a valuable hack on, despite being a relatively easy challenge, while the second one wasn't.

If Gwerdna were a sports team, we'd be laughing. If he was a scientist, we'd challenge him to reproduce his results. Instead, he's someone who admittedly knows an as yet unfixed BSD security problem, and knows how to overplay a secret as well as Steve Jobs.

Re-reading, there is also the implication in rmm's language that he had a good idea what might have happened, and exactly why it's not happened again. . .

Is rmm actually from Sweden, or could he be George Ou?

Actually both of these guys are making good points.

Schroeder is correct that there is a big difference between using a shell account to log into a machine and then hack it and using an externally available exploit remotely. Those kinds of exploits have been very common on Windows and thus I think that most people just assumed the same thing happened with the Swedish test. I haven't paid enough attention to know if it was rmm or the media that failed to clarrify this important point. I'm going to guess the latter.

rmm makes an excellent point as well. Aaron, its not about arbitrary shell accounts. It could be an ISP with a naughty customer using a stolen identity or a company with a disgruntled employee. If a non privledged user can get root access, they can cause trouble. No OS should allow this kind of exploit. Nobody is going to use an OS that does. Assuming the exploit is real (and I see no reason why its not), then I applaud rmm and gwerdna for bring so much attention to it. Unless I hear otherwise, I will assume that the exploit has not been detailed so that Apple could be warned. That is professional courtesy. If this is true then the Swedish test has done Apple and OS X a service by setting in motion a series of events that will see this serious flaw fixed.

"...Mr. Schroeder's test succeeded only because "no one would waste a good bug just to show off that they could in fact hack this Mac too."..."

Hackers do this all the time, which is why so many viruses exist for Windows (exceeding 100,000 now). What is he afraid of? Does his "bug" run out of gas if it's released more than once?

His poor excuse reminds me of the "cold fusion" debacle some years ago. The individual who supposedly achieved cold fusion refused to show his facts, and after many attempts to repeat his so-called experiments the scientific community concluded that cold fusion was a fraud.

Quote

Guest wrote:
His poor excuse reminds me of the "cold fusion" debacle some years ago. The individual who supposedly achieved cold fusion refused to show his facts, and after many attempts to repeat his so-called experiments the scientific community concluded that cold fusion was a fraud.

LOL. "Some years ago." I'm sure it's pure coincidence that you brought this particular thing up now and I saw a story about it on CNN today. But hey I'll pretend you are just super smart and have a great memory. Poser.

Quote

Biff wrote:

Quote

Guest wrote:
His poor excuse reminds me of the "cold fusion" debacle some years ago. The individual who supposedly achieved cold fusion refused to show his facts, and after many attempts to repeat his so-called experiments the scientific community concluded that cold fusion was a fraud.

LOL. "Some years ago." I'm sure it's pure coincidence that you brought this particular thing up now and I saw a story about it on CNN today. But hey I'll pretend you are just super smart and have a great memory. Poser.

This is hard to remember? I remember it just fine and I don't think I have a fantastic memory.

And what is he posing as? This post just leaves me confused.

As best as I could determine, they are different people. The IP addresses their emails originated from were different: one was located in San Diego, the other in Stockholm.

I disagree that this is a non-story. Certainly, Apple must be taking it seriously, since they tracked down rmm at his work address to ask him more about it.

I think both of you are right; there are two separate "cold fusion" experiments.

The University of Utah false alarm occurred in 1989. Some of the history is here:
http://physicsweb.org/articles/world/12/3/8
In 2005, some folks claimed they did it, ...
http://www.physorg.com/news3938.html
...but, no other experiments have corroborated that yet.
--
Pascal

I wonder, though, Biffie, if the poor fella had footnoted his reference, would that have made the example more relevant for you?

Able to read without my ego sitting on a shoulder, I respect Guest's comments whether he saw the piece on CNN today or reached back into memory. After all, he should only be accused of self-aggrandisement if he had posited to singledhandedly exposing said cold fusion scientist as a charlatan.


But then maybe I'm off base here. YOUR post was all about YOU. If Guest is a poseur--as opposed to an art studio model--what would that make you?

Quote

BradC wrote:
I disagree that this is a non-story. Certainly, Apple must be taking it seriously, since they tracked down rmm at his work address to ask him more about it.

No facts have been given to support any of his other assertions. Why should be believe this one?

If he wasted and exposed the vulnerability he used to compromise the Swedish game, show me the public advisories released for it.

The closest i can see is the securityfocus listing of 'unspecified local vulnerability in Mac OSX'.

Apparently this vulnerability/exploit isn't wasted then, and still exists in every version of Mac OSX to date.

Hope that makes it clear for you

Quote

Biff wrote:
rmm makes an excellent point as well. Aaron, its not about arbitrary shell accounts. It could be an ISP with a naughty customer using a stolen identity or a company with a disgruntled employee. If a non privledged user can get root access, they can cause trouble.

The risk extends far beyond a naughty customer or disgruntled employee. If you allow FTP access to a shell account, usernames and passwords are being transmitted in the clear. These can be sniffed on the InterNet. Easy enough to then to use the sniffed data to telnet in and use the associated shell account.

Beyond that, most people use wimpy passwords (i.e. easily compromised by a dictionary attack.)

This, and the fact that any number of local access vulnerabilities can exist in an installation (any shell command or service can potentially be compromised), is why most ISP’s don’t allow shell access these days.

Quote

Biff wrote:
No OS should allow this kind of exploit. Nobody is going to use an OS that does.

Ever hear of an OS called Windoze? People still use it. Your logic is flawed.

Quote

Biff wrote:
Assuming the exploit is real (and I see no reason why its not), then I applaud rmm and gwerdna for bring so much attention to it. Unless I hear otherwise, I will assume that the exploit has not been detailed so that Apple could be warned.

It sounds like gwerdna doesn’t want the vulnerability plugged.

Quote

Biff wrote:
If this is true then the Swedish test has done Apple and OS X a service by setting in motion a series of events that will see this serious flaw fixed.

And if it’s false, it’s a hole which can never be fixed!

Both ftp and telnet send passwords in the clear.

I'd like to meet this "gwerdna" (probably AndrewG) personally, and this "rmm". People like them should be flayed alive... I'll do it for free.

I think it's a pipe dream to think you can protect any OS from professional interference.

But in real life not everybody is a target for that kind of attention.

The realistic danger (the type that costs the average person/business so much) is in exploits that can just walk in on their own and do damage.

Or a cleverly distributed trojan with a nasty executable. I know plenty of intelligent people who would type in name and password to see the JPEG a friend just sent them. After all, you need to type in a password for protected pdf or word files, why not for a JPEG?

Just because you and I spend more time behind our computers than is healthy doesn't mean we're the average user (or more intelligent). It just means we know more or less what a JPEG is, and that an icon isn't the same as a file.

There are btw a couple of documents online (google) that can help you harden your OS X box. If you think that's necessary.

But shouting "nonsense" isn't a viable strategy. Although for everyday purposes it amounts to the same thing. Still no real viruses out there.

Which isn't the same as saying your computer can't be hacked by a dedicated person. But unless you work for the government or have the latest nike campaign on your hard drive, chances are you won't be a target

Quote

Rainy Day wrote:
Ever hear of an OS called Windoze? People still use it. Your logic is flawed.

Could you detail for me or post a link to how one goes about getting Admin access via a non-privledged user in an NT-based version of Windows? THAT was the specific flaw I was referring to. And I guess what I really meant to say was no serious businesses are going to even consider OS X if such a flaw does exist. And assuming said flaw is real, I am very glad it was exposed because then it can be fixed.

Quote

Guest wrote:
I wonder, though, Biffie, if the poor fella had footnoted his reference, would that have made the example more relevant for you?

Able to read without my ego sitting on a shoulder, I respect Guest's comments whether he saw the piece on CNN today or reached back into memory. After all, he should only be accused of self-aggrandisement if he had posited to singledhandedly exposing said cold fusion scientist as a charlatan.

But then maybe I'm off base here. YOUR post was all about YOU. If Guest is a poseur--as opposed to an art studio model--what would that make you?

LOL. As I said I'm sure it was purely coincidence. Kinda reminds me of when someone (usually a guest who trys to stick some dictionary.com words of the day in their post) reads a rumor on appleinsider and then comes here and says "I predict such and such!" as if they discovered it themselves. Hehe. Keep up the good work.

Whilst the hacking in Sweden was the equivalent of leaving your car on the wrong side of town with the keys in the ignition and the engine running with the windows rolled down. It did prove one thing, people are gullible. Without controls and proof, this so-called hack is a bust. Not a soul could reproduce this hack on a much longer test under a stricter control. Did I mention the big neon sign saying "Steal Me".

The Mac continues to be rock solid insofar as security is concerned. Despite these occasional online stories about the spottiness of Apple's OS security, I've never met Mac user or seen a story about an actual victim of these flaws. Not one. I can recount dozens of Windows horror stories and have seen limited coverage of this in the media. So where does the security story lay? In the fact that not a single Mac user has come forward to expose an exploit on his or her system or that Windows is so exploited that every second person who owns one has had security breaches of one form or another including Bill Gates himself, who's office machine was so infected that a team of windows experts couldn't get it clean. Now THAT is news.

Digging deeper revealed that the "hacker" is a MS employee and the dude in Sweden took a shot of his "hacked" Mac in front of a pile of books with titles that imply he is a Windows fanboy. Hence the anonymity of these clever hackers. They wouldn't want to undermine any impact of this non-story with things like truth or the facts.

Damn Straight!!!!!

It's illegal to break into a house. It's illegal to steal tangible items not belonging to you. It's illegal to break into businesses. It's illegal to break into government buildings. It's illegal to access a computer without authorization.

Yet, this weenie, says they know how to do break into computer systems and won't tell the vendor about it. To me this is paramount to a person(s) who is conspiring to commit murder, planning to do it and yet says "I'm not telling anyone how I'm going to do it. You have to catch me in the act of committing murder."

Phuck him.

This is a very serious situation that can affect national security and should be taken quite seriously.

It's simnple, prosecute people for withholding exploit information if it is deemed to be a security risk. If these people are doing their exploit work at their place of employment then subpeona and/or prosecute them as well. ISP's involved should be served subpeonas as well. If the ISP's are made aware of exploit activity and do nothing then they should prosecuted as well. (similar to being associated with a crime such as murder)

When the world finally accepts that exploiting servers and clients is a very serious crime, only then will justice be served and the innocent be protected.

Sincerely,
Enemy of the enemy within.

your post reminds me of a joke i just made up:
joketeller: what did god tell "Enemy of the enemy within" to do?
jokelistener: what?
joketeller: shut up.

omfg hahaha!

Just to cover the nasty comments made about the poor guy who remembers the old cold fusion story:

In March 1989 there was an experiment that claimed to have produced excess energy. There was wide-spread belief that their experiment was flawed.

There have been more recent experiments verified that produced small amounts of energy (less than it took to cause them).

So, the original poster knew what he was talking about, jerk.

Read WikiPedia:
http://en.wikipedia.org/wiki/Cold_fusion

Re-posting as non-Guest:

Just to cover the nasty comments made about the poor guy who remembers the old cold fusion story:

In March 1989 there was an experiment that claimed to have produced excess energy. There was wide-spread belief that their experiment was flawed.

There have been more recent experiments verified that produced small amounts of energy (less than it took to cause them).

So, the original poster knew what he was talking about, Biff.

Read WikiPedia:
http://en.wikipedia.org/wiki/Cold_fusion

"Mr. Schroeder's test succeeded only because "no one would waste a good bug just to show off that they could in fact hack this Mac too."

Liar.

The actual reason you didn't hack Schroeder's Mac is because you couldn't. The only reason at all you were able to "break into" RMM's Mac is because he set up a user account for you.

But Schroeder didn't leave HIS Mac unlocked and with a welcome mat on the doorstep.

So your exploit wouldn't have worked even if you tried.

From the Tucson Citizen as reported by B. Poole:

Quote

In an incident traced to Braila, Romania, hackers in January and early February remotely took over about 20 UA Macs to attack the University of Adelaide in Australia, Wing said.
"The computers were turned into 'zombies' and all directed to attack the same place. By attack, that means to send lots of messages to them in an attempt to overwhelm the computers on the other end," he said.
The journalism department pulled all of its Mac computers - more than six dozen - off the network and reformatted the hard drives to cleanse them of bad software, Wing said.

Looks like someone else knows how to hack a Mac remotely. Here's the link.

"Looks like someone else knows how to hack a Mac remotely. Here's the link."

Someone ELSE?

Gwerdna hacked the Mac because he was spoon-fed a local account. He didn't exactly remotely brute-force his way into the thing.

What OS were the Macs running? The article doesn't even mention.

All I'm saying is that apparently "somebody" has remotely hacked into 20 Macs way back in January (and it was finally reported on in March in the Tucson Citizen). How come we didn't hear about this before!

Somebody named "Gwerdna" can take over a Mac (if he is given a user account) and that is huge news for a while. Some professor challenges "anybody" to remotely hack his Mac and nobody is able to, again, BIG news!
I say again How come we didn't hear about this before!

I also find it hard to believe!