Author |
Message |
paul e.
Joined: Sep 22, 2003 Posts: 1567 Location: toronto, canada
Audio files: 2
|
Posted: Fri Jan 27, 2006 12:18 am Post subject:
Security Researcher Slams Mac OS X |
|
|
http://www.sci-tech-today.com/story.xhtml?story_id=122000449LAM
i hate to be the bearer of bad news.. it was inevitable, i suppose, as Apple becomes a more juicy target for bug-writers etc
Security Researcher Slams Mac OS X for 'Ancient Flaws'
January 26, 2006 4:59PM
"Apple's impressive security record is likely to be tarnished if the company continues to grow its market share while undervaluing security researchers and not properly auditing its code," said security researcher Neil Archibald. |
|
Back to top
|
|
|
paul e.
Joined: Sep 22, 2003 Posts: 1567 Location: toronto, canada
Audio files: 2
|
Posted: Fri Jan 27, 2006 12:23 am Post subject:
|
|
|
should we put a 'virus protection' section in the proposed new Apple section ??
joking, but i am concerned..i have enjoyed 10 years of Mac usage without a single virus and it would not be fun to have to mess around with all that greasy kids stuff that runs in the background, or keep my mac off the 'net forever _________________ Spiral Recordings |
|
Back to top
|
|
|
elektro80
Site Admin
Joined: Mar 25, 2003 Posts: 21959 Location: Norway
Audio files: 14
|
Posted: Fri Jan 27, 2006 1:45 am Post subject:
|
|
|
This isn´t exactly new news.
Quote: | Apple's impressive security record is likely to be tarnished if the company continues to grow its market share |
This is an old one.
As for the code-auditing, well.. Apple is a company like the rest of them. Perfection is the one thing you wouldn´t expect from a computer company.
Another matter is that security issues aren´t always security issues. Many of the recent OS X security alerts haven´t really been relevant for ordinary users. Some issues have been academic rather than vitally important for ordinary users.
I must say that even though Apple has done a great job setting up OS X for max security at first-install-time, I am not pleased with how security measures aren´t being communicated to novice OS X users. That said, Microsoft isn´t doing this either, but still.. _________________ A Charity Pantomime in aid of Paranoid Schizophrenics descended into chaos yesterday when someone shouted, "He's behind you!"
MySpace
SoundCloud
Flickr |
|
Back to top
|
|
|
elektro80
Site Admin
Joined: Mar 25, 2003 Posts: 21959 Location: Norway
Audio files: 14
|
Posted: Fri Jan 27, 2006 1:49 am Post subject:
|
|
|
paul e. wrote: | .i have enjoyed 10 years of Mac usage without a single virus and it would not be fun to have to mess around with all that greasy kids stuff that runs in the background, or keep my mac off the 'net forever |
I have seen a lot of shit. Way back in 96 we had this silly timed detonator that would wipe disks and more. It was a trojan for OS 9. All this basically stopped when OS X became popular. _________________ A Charity Pantomime in aid of Paranoid Schizophrenics descended into chaos yesterday when someone shouted, "He's behind you!"
MySpace
SoundCloud
Flickr |
|
Back to top
|
|
|
Kassen
Janitor
Joined: Jul 06, 2004 Posts: 7678 Location: The Hague, NL
G2 patch files: 3
|
Posted: Fri Jan 27, 2006 2:45 am Post subject:
|
|
|
elektro80 wrote: | Some issues have been academic rather than vitally important for ordinary users.
|
That holds true for many security issues and these are very hard to judge for nearly all people. If some researcher finds a theoretical attack against some encryption algorithem that's limited to certain keylengths with reduced rounds then many people will immediately go scream stuff like "AES cracked!" which is of cource a bit exagerated. I'd bet my life on a proper AES implementation, it's likely many of you are betting your life's savings on it or something similar.
Still; a few accedemic issues here and there can suddenly become linked by new discoveries and avalanche into some seemingly minor bug exploding into a huge deal. Therefore I think that while it'd be silly to go treat OSX as insecure it's still important to apply fixes for accedemic sounding weaknesses.
Another issue is that the single largest weakspot is always people. You don't need a script if you can convince people to manually install a program (see the attched loveletter to you personally....). OSX is certainly more secure then XP but are it's users less likely to install a seemingly usefull utility without references? I never had a virus either but that's due to paranoia, if you stick to this concept of some magic protection induced by buying Mac's you're going to get fried sooner or later. _________________ Kassen |
|
Back to top
|
|
|
GovernorSilver
Joined: Apr 26, 2004 Posts: 1349 Location: Washington DC Metro
G2 patch files: 1
|
Posted: Fri Jan 27, 2006 1:45 pm Post subject:
|
|
|
OSX runs on a Unix kernel.
The first viruses were written for Unix.
No OS is 100% secure.
None of the above is a shocker.... |
|
Back to top
|
|
|
paul e.
Joined: Sep 22, 2003 Posts: 1567 Location: toronto, canada
Audio files: 2
|
Posted: Fri Jan 27, 2006 9:14 pm Post subject:
|
|
|
i should mention that in those 10+ years of virus-free operation, i never had any virus protection or firewalls installed...
now, i guess they will be standard fair in OSX _________________ Spiral Recordings |
|
Back to top
|
|
|
elektro80
Site Admin
Joined: Mar 25, 2003 Posts: 21959 Location: Norway
Audio files: 14
|
Posted: Fri Jan 27, 2006 9:25 pm Post subject:
|
|
|
You already have a wonderful firewall installed on your OS X box. It is included in the basic installation. _________________ A Charity Pantomime in aid of Paranoid Schizophrenics descended into chaos yesterday when someone shouted, "He's behind you!"
MySpace
SoundCloud
Flickr |
|
Back to top
|
|
|
paul e.
Joined: Sep 22, 2003 Posts: 1567 Location: toronto, canada
Audio files: 2
|
Posted: Fri Jan 27, 2006 9:36 pm Post subject:
|
|
|
i'm still using os 9 !! |
|
Back to top
|
|
|
elektro80
Site Admin
Joined: Mar 25, 2003 Posts: 21959 Location: Norway
Audio files: 14
|
Posted: Fri Jan 27, 2006 9:38 pm Post subject:
|
|
|
Then you are safe for now. _________________ A Charity Pantomime in aid of Paranoid Schizophrenics descended into chaos yesterday when someone shouted, "He's behind you!"
MySpace
SoundCloud
Flickr |
|
Back to top
|
|
|
seraph
Editor
Joined: Jun 21, 2003 Posts: 12398 Location: Firenze, Italy
Audio files: 33
G2 patch files: 2
|
Posted: Sat Jan 28, 2006 1:33 am Post subject:
|
|
|
paul e. wrote: | i'm still using os 9 !! |
I can't believe it come on, move up, be modern _________________ homepage - blog - forum - youtube
Quote: | Don't die with your music still in you - Wayne Dyer |
|
|
Back to top
|
|
|
brinxmat
Joined: Oct 24, 2005 Posts: 262 Location: Norway
|
Posted: Sat Feb 11, 2006 3:20 pm Post subject:
|
|
|
Just a thought: if the viruses on *NIX are so widespread, that must mean that they can take over the whole box from root without a password — just like Windows — rather than the relevant user domain — like *NIX.
And if the virus can't execute outside userland, then it can't harm the system — just like *NIX, and not like Windows.
Remember to have strong passwords, people. "No OS is 100% secure", but *NIX with strong passwords makes the opposition look more tempting.
And if you're root, make sure you know wtf you're doing. Virus at root is seldom due to anything other than root being a fwit. _________________ -- Say "&Eth;onne hit wæs hrenig weðer" |
|
Back to top
|
|
|
brinxmat
Joined: Oct 24, 2005 Posts: 262 Location: Norway
|
Posted: Sat Feb 11, 2006 3:23 pm Post subject:
Re: Security Researcher Slams Mac OS X |
|
|
paul e. wrote: | bug-writers etc
|
You mean the people at Redmond, no? |
|
Back to top
|
|
|
elektro80
Site Admin
Joined: Mar 25, 2003 Posts: 21959 Location: Norway
Audio files: 14
|
Posted: Sat Feb 11, 2006 3:30 pm Post subject:
Re: Security Researcher Slams Mac OS X |
|
|
brinxmat wrote: | You mean the people at Redmond, no? |
People???
Listen, Redmond is a Cylon territory. _________________ A Charity Pantomime in aid of Paranoid Schizophrenics descended into chaos yesterday when someone shouted, "He's behind you!"
MySpace
SoundCloud
Flickr |
|
Back to top
|
|
|
brinxmat
Joined: Oct 24, 2005 Posts: 262 Location: Norway
|
Posted: Sat Feb 11, 2006 3:48 pm Post subject:
|
|
|
Cylon. I loved that series. Are they making a new one? _________________ -- Say "&Eth;onne hit wæs hrenig weðer" |
|
Back to top
|
|
|
elektro80
Site Admin
Joined: Mar 25, 2003 Posts: 21959 Location: Norway
Audio files: 14
|
Posted: Sat Feb 11, 2006 5:06 pm Post subject:
|
|
|
Yes. The new Battlestar Galactica is really cool. I never liked BG-TOS, but this one is good. _________________ A Charity Pantomime in aid of Paranoid Schizophrenics descended into chaos yesterday when someone shouted, "He's behind you!"
MySpace
SoundCloud
Flickr |
|
Back to top
|
|
|
Kassen
Janitor
Joined: Jul 06, 2004 Posts: 7678 Location: The Hague, NL
G2 patch files: 3
|
Posted: Sat Feb 11, 2006 5:23 pm Post subject:
|
|
|
brinxmat wrote: |
Remember to have strong passwords, people. "No OS is 100% secure", but *NIX with strong passwords makes the opposition look more tempting.
And if you're root, make sure you know wtf you're doing. Virus at root is seldom due to anything other than root being a fwit. |
One critique I read on OSX security was that too many actions demanded a root password. Your analysis seems correct but remember that one of the big Windows virususes, the "I love you" one depended on a social engineering trick. You don't *need* to crack a password if you can trick users into typing it in themselves, much like you don't need a script if you can convince people to manually execute your attack, thinking they'll get a loveletter.
Last time you gave your root password, did you read the source for what you were installing? Did you verify the certificates of the website it was claiming to come from? _________________ Kassen |
|
Back to top
|
|
|
brinxmat
Joined: Oct 24, 2005 Posts: 262 Location: Norway
|
Posted: Sun Feb 12, 2006 3:52 am Post subject:
|
|
|
Note: Throughout this, I say "root", but mean "superuser"; the root account is off by default in os x.
Quote: |
One critique I read on OSX security was that too many actions demanded a root password.
|
To some extent, I agree, but the real problem is the extent of the scope of a password. Consider that you want to change the ownership of a folder to root (I assume you're admin):
"chown root FolderName" will not work, you need to have su privileges to change the owner. So, you enter: "sudo chown root FolderName". The system asks for your password. You want to change the folder back to you, you enter "sudo chown your_username FolderName". What happens? You don't have to enter a password. In fact, the scope of the sudo is now unlimited. Weird.
To alleviate this problem, issue all terminal commands via a third-party interface like freeware CLIX (http://www.rixstep.com/4/0/clix/)
Another problem is piggybacking
Look at what you write again:
Quote: |
…too many actions demanded a root password.
|
This is a bit odd, actually. If assigning root is designed to prevent unauthorized access to your system, then what commands will be protected? In a typical user scenario, a user will rarely enter a password; in an administrator scenario, you have to wonder why they are sudo-ing so often — what is it that they are doing that requires root? Surely they can't be running system setup all the time. Typical system management shouldn't require root, just admin privileges. If you turn off the root requirement, your system has a lot of potentially harmful commands that are now unprotected. What commands require root? Anything outside the domain of the active user, anything that operates on root and anything specifically flagged as a root command (and that isn't much).
A of rootables list from http://www.iodynamics.com/education/root101.html
Adding, modifying, and deleting users from the system
Changing and overriding user passwords
Installing new programs and utilities
Starting and stopping system services
Setting up boot managers, such as GRUB and LILO
Hardware and device driver configuration
Mounting file systems
Modifying system-level properties, such as network settings, web services, and e-mail configurations
Performing remote reboots (though this may vary from system to system)
Which of these should you be doing every day? And which shouldn't require root?
Quote: |
the "I love you" one depended on a social engineering trick. You don't *need* to crack a password if you can trick users into typing it in themselves, much like you don't need a script if you can convince people to manually execute your attack, thinking they'll get a loveletter.
|
Again, should root display this level of incompetence?
Quote: | Last time you gave your root password, did you read the source for what you were installing? Did you verify the certificates of the website it was claiming to come from? |
In short, no. The last time I installed something that required an Admin password, it was from Apple. Otherwise, I tend to not install stuff that requires a password.
The question is: what sort of software requires a password for installation? Stuff that can quite happily live in userland doesn't. If it requires a password, then you can safely assume that it is going to modify parts of the system that you don't otherwise have access to. Is that something that you want anyway? I looked at the installer options for Apple's PackageMaker: the "require password" option can be used without any function, and I reckon that this is what is going on, mostly. In all other cases, you have to wonder why it is necessary to deliver software in anything other than a bundle in a dmg. I don't want badly written stuff littering my system (ad it is generally the badly written stuff that requires the password): when you install the software for your mobile 'phone, and it overwrites system files with older versions, is this a good thing? _________________ -- Say "&Eth;onne hit wæs hrenig weðer" |
|
Back to top
|
|
|
Kassen
Janitor
Joined: Jul 06, 2004 Posts: 7678 Location: The Hague, NL
G2 patch files: 3
|
Posted: Sun Feb 12, 2006 4:32 am Post subject:
|
|
|
Ok, I have to admit I mainly went by one article there and your own analysis contrasts that. The only time I needed a OSX rootpassword was when I tried installing a MIDI box on a friend's computer. In a rare display of being sensible (for normal users, that is) she came from the kitchen, typed it in without telling me and I went on with the install.
One note though; you point out "should root display this level of incompetence?" and clear he shouldn't but "root" is just a person, probably the same person that forwards the funny emails. It's still somewhat implied that "root" is a experienced system admin that controlls the computer to which mere mortals can log on but that way of sharing computers has passed. These days it's more common that a single user has several computers.
Either way; I maintain that computer security isn't just a matter of installing the right OS; it's very much a continuing process and based heavily on people themselves. From that perspective OSX need not be more invulnerable then other systems. I trust you will be fine but I think there are many users that are vulnerable to that sort of thing.
About strange root behaviour; I ran into some weird trouble on my Linux box here. I had some files that came on it from my Windows laptop and that bad previously be on a cd. Windows marks everything ona cd as "read only", even if you copy it to your HD and Linux had picked up on that tag. So, my normal login couldn't move those to the trash. Actually, I wasn't allowed to change that either. Perhaps there is a better solution but the only thing I could think of was opening a root terminal, going to the dir and manually errasing those files as root. That's a bit silly.... _________________ Kassen |
|
Back to top
|
|
|
brinxmat
Joined: Oct 24, 2005 Posts: 262 Location: Norway
|
Posted: Sun Feb 12, 2006 8:34 am Post subject:
|
|
|
I didn't mean to sound arsy! I was just adding my 2p-worth. Here's some more
Quote: | The only time I needed a OSX rootpassword was when I tried installing a MIDI box on a friend's computer. |
Often this kind of thing requires some low-level system doodadery (a technical term, with which I'm sure you will be familiar) such as kernel extensions. These kind of things are rarely necessary and indicate that a product's software is poorly programmed. Read the caveats on KEXTs in Apple documentation, otherwise, low-level stuff can be OK, but maybe it should be installed in a local directory. This is just an opinion, but I think you see what I'm getting at (does the license for the software apply for multiple users anyway?)
Quote: | In a rare display of being sensible (for normal users, that is) she came from the kitchen, typed it in without telling me and I went on with the install. |
After a single dressing-down, most users get the point about security: this can only be a good thing.
Quote: | …"root" is just a person, probably the same person that forwards the funny emails. It's still somewhat implied that "root" is a experienced system admin that controlls the computer to which mere mortals can log on but that way of sharing computers has passed. These days it's more common that a single user has several computers. |
I disagree: a few years ago I had only had experience of single-user systems (Windows and OS 9). I migrated away from these to RedHat, and subsequently to OS X. This experience has made me very aware of the benefits of accounts on computers: especially as much of my life is transacted online. In fact it is this latter point that makes me especially suspicious of Windows: there is no security beyond the perimeter; if the muck gets in, it's over.
Quote: |
Either way; I maintain that computer security isn't just a matter of installing the right OS; it's very much a continuing process and based heavily on people themselves. From that perspective OSX need not be more invulnerable then other systems. I trust you will be fine but I think there are many users that are vulnerable to that sort of thing.
|
I agree that security is about attitude: you need to know what precautions you need to take, but OS X is tight from the word go. Linux needs to be configured to close vunerable ports. Windows is just insecure.
Quote: |
About strange root behaviour; I ran into some weird trouble on my Linux box here. I had some files that came on it from my Windows laptop and that bad previously be on a cd. Windows marks everything ona cd as "read only", even if you copy it to your HD and Linux had picked up on that tag. So, my normal login couldn't move those to the trash. Actually, I wasn't allowed to change that either. Perhaps there is a better solution but the only thing I could think of was opening a root terminal, going to the dir and manually errasing those files as root. That's a bit silly....
|
Where I am currently working, they use Windows and only Windows, but someone had been to a seminar where the course materials were distributed in Mac format (OS 9). The user had saved these to a server, resource forks and all. The system admin rang me up (I have the only Mac on the network) to ask if I could delete the "Macintosh files" (resource forks) because they couldn't do it through Windows (even as Administrator). That's bizarre.
This is an inherent weakness in the *NIX privileges system. I saw an article about how to change the privileges system from the standard *NIX methodology to a different way of doing things using standard command-line tools. I think that I can put up with some idiosyncracies to avoid that kind of work!
Minimization of privileges is a lot of work, and there are programs out there to deal with this (among others from the Norwegian MaXware). The *NIX privileges system is difficult to use and manage effectively and efficiently; the NTFS system is probably even less user friendly.
For a single-user or home system, privileges get in the way in a few instances (like your CD), and I have experienced the same on the Mac (mostly program Temp files). Nonetheless, I prefer having to use sudo occasionally to viruses, spyware and trojans invading my computer. Maybe the ISO-CD standard should be changed to make privileges on CDs more controlled, and maybe software authors should stop making their temp files' owners something other than the current user. _________________ -- Say "&Eth;onne hit wæs hrenig weðer" Last edited by brinxmat on Sun Feb 12, 2006 12:51 pm; edited 1 time in total |
|
Back to top
|
|
|
elektro80
Site Admin
Joined: Mar 25, 2003 Posts: 21959 Location: Norway
Audio files: 14
|
Posted: Sun Feb 12, 2006 9:09 am Post subject:
|
|
|
Perhaps a tad OT, but anyway. When using network file servers, you will pretty soon discover that the various OSes have very different ways of handling file access permissions. ( This does not always mean "better" ways aren´t possible, but simply that the admin hasn´t used what is really available. ) UNIX based OSes have been served well by the standard POSIX permission model of read, write, and execute, but it is starting to show its age. The sticky bit and various special modes have been added over time.
OS X now has ACL, as well as DAC and SCL support built in. It should be stressed that the OS X implementation is not directly a POSIX ACL model, but rather more like what can be found in MS Windows ACL model. The obvious benefit is that OS X is now "ditrectly" compatible with Windows filesystem ACLs. It must of course be noted that OS X when evaluating ACEs ( access control entries ) it will combine ACL ( access control list ) with any POSIX rights it finds for a user or group. When there are no ACEs, then OS X defaults to a POSIX only evalution of permissions. Another matter is that any "deny" will override any "allows" which is a reasonable behaviour. There is of course more to this but I guess this is of little interest in this thread. The Apple website has some white papers on this somewhere and the APPLE OS X DEV pages are great read anyway. _________________ A Charity Pantomime in aid of Paranoid Schizophrenics descended into chaos yesterday when someone shouted, "He's behind you!"
MySpace
SoundCloud
Flickr |
|
Back to top
|
|
|
mosc
Site Admin
Joined: Jan 31, 2003 Posts: 18197 Location: Durham, NC
Audio files: 212
G2 patch files: 60
|
Posted: Sun Feb 12, 2006 11:48 am Post subject:
|
|
|
Yes, there should be an open standard for ACL and all that that all OSes support. _________________ --Howard
my music and other stuff |
|
Back to top
|
|
|
elektro80
Site Admin
Joined: Mar 25, 2003 Posts: 21959 Location: Norway
Audio files: 14
|
Posted: Sun Feb 12, 2006 12:09 pm Post subject:
|
|
|
Open standard for ACLs..? Well, truth is that most "old" nixes have this kinda integrated over time because the old POSIX model clearly wouldn´t cope with more advanced permissions scenarios most admins would face in reallife server deployments. The current OS X model is one of the better around at this stage and the path chosen by the developers at Apple is a fairly sensible one. It is also well documented. There is still room for growth and development but the model itself is sound. Another point to make is that OS X now has this new permissions model implemented on OS level and it is not simply an improvised part of the filesharing APIs. _________________ A Charity Pantomime in aid of Paranoid Schizophrenics descended into chaos yesterday when someone shouted, "He's behind you!"
MySpace
SoundCloud
Flickr |
|
Back to top
|
|
|
Kassen
Janitor
Joined: Jul 06, 2004 Posts: 7678 Location: The Hague, NL
G2 patch files: 3
|
Posted: Sun Feb 12, 2006 12:55 pm Post subject:
|
|
|
brinxmat wrote: |
Quote: | …"root" is just a person, probably the same person that forwards the funny emails. It's still somewhat implied that "root" is a experienced system admin that controlls the computer to which mere mortals can log on but that way of sharing computers has passed. These days it's more common that a single user has several computers. |
I disagree: a few years ago I had only had experience of single-user systems (Windows and OS 9). I migrated away from these to RedHat, and subsequently to OS X. This experience has made me very aware of the benefits of accounts on computers: especially as much of my life is transacted online. In fact it is this latter point that makes me especially suspicious of Windows: there is no security beyond the perimeter; if the muck gets in, it's over.
|
Well, if you insist you may disagree, but I think we are saying the same thing. I'm in favour of multiple account systems, I actually have a guest account on this box. What i was hinting at was that while "root" seems to imply a certain role and a certain expertise, it's often the same physical person, just under a different name.
Just read it back, it was realy just a very small side note and in complete agreement with your take. _________________ Kassen |
|
Back to top
|
|
|
brinxmat
Joined: Oct 24, 2005 Posts: 262 Location: Norway
|
Posted: Sun Feb 12, 2006 1:07 pm Post subject:
|
|
|
elektro80 wrote: | When using network file servers, you will pretty soon discover that the various OSes have very different ways of handling file access permissions. ( This does not always mean "better" ways aren´t possible, but simply that the admin hasn´t used what is really available. ) |
This was my point about NTFS — it doesn't get used. I reckon this might be because Admins still don't get the usefulness of a secure approach, combined with its lack of user friendlyness. I generally see that permissions for documents and their containers are controlled, but not executables. The bizarrest thing is the flourishing of so-called document-control systems — cf. ProArc and Green Pasture — which (especially the latter) take weird steps towards doing the job of server admin/privileges and the client file manager. (Yes, they add a bit more to a typcial set-up, but not more than a few plug-ins manage to add for free — and if you want real version control, you need CVS or subversion).
elektro80 wrote: | OS X now has ACL, as well as DAC and SCL support built in. |
Do these help the average user, on a single system? Their application is not easily managable. Does Apple provide any sensible tools for privileges management?
elektro80 wrote: |
The Apple website has some white papers on this somewhere and the APPLE OS X DEV pages are great read anyway. |
I couldn't agree more. If only I had the time. _________________ -- Say "&Eth;onne hit wæs hrenig weðer" |
|
Back to top
|
|
|
|