Mac OS X hacked under 30 minutes

By Munir Kotadia
06 March 2006 01:58 PM
Gaining root access to a Mac is "easy pickings," according to an individual who won an OS X hacking challenge last month by gaining root control of a machine using an unpublished security vulnerability.

On February 22, a Sweden-based Mac enthusiast set up his Mac Mini as a server and invited hackers to break through the computer's security and gain root control, which would allow the attacker to take charge of the computer and delete files and folders or install applications.

Participants were given local client access to the target computer and invited to try their luck.

Within hours of going live, the "rm-my-mac" competition was over. The challenger posted this message on his Web site: "This sucks. Six hours later this poor little Mac was owned and this page got defaced".

The hacker that won the challenge, who asked ZDNet Australia to identify him only as "gwerdna", said he gained root control of the Mac in less than 30 minutes.

"It probably took about 20 or 30 minutes to get root on the box. Initially I tried looking around the box for certain mis-configurations and other obvious things but then I decided to use some unpublished exploits -- of which there are a lot for Mac OS X," gwerdna told ZDNet Australia.

According to gwerdna, the hacked Mac could have been better protected, but it would not have stopped him because he exploited a vulnerability that has not yet been made public or patched by Apple.

"The rm-my-mac challenge was set up similar to how you would have a Mac acting as a server -- with various remote services running and local access to users... There are various Mac OS X hardening guides out there that could have been used to harden the machine, however, it wouldn't have stopped the vulnerability I used to gain access.

"There are only limited things you can do with unknown and unpublished vulnerabilities. One is to use additional hardening patches -- good examples for Linux are the PaX patch and the grsecurity patches. They provide numerous hardening options on the system, and implement non-executable memory, which prevent memory based corruption exploits," said gwerdna.

Gwerdna concluded that OS X contains "easy pickings" when it comes to vulnerabilities that could allow hackers to break into Apple's operating system.

"Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders," added gwerdna.

Apple's OS X has come under fire in recent weeks with the appearance of two viruses and a number of serious security flaws, which have since been patched by the Mac maker.

In January, security researcher Neil Archibald, who has already been credited with finding numerous vulnerabilities in OS X, told ZDNet Australia that he knows of numerous security vulnerabilities in Apple's operating system that could be exploited by attackers.

"The only thing which has kept Mac OS X relatively safe up until now is the fact that the market share is significantly lower than that of Microsoft Windows or the more common UNIX platforms.... If this situation was to change, in my opinion, things could be a lot worse on Mac OS X than they currently are on other operating systems," said Archibald at the time.

An Apple Australia spokeswoman said today it was unable to comment at this stage.

Talkback 204 comments

    Microsoft Setup !! Raymond Cubicle -- 06/03/06 (in reply to #120130268)

    I have heard from a reliable source that Microsoft set up this competition using a crippled version of MacOSX by installing Windows backdoors at certain memory locations. This allowed the hacker to gain access in more than 29 MINUTES. If it was any other operating system the IP address would have been hacked in under 30 SECONDS. I think this is proof enough that MacOSX is secure.

    Ya have a problem Anonymous -- 06/03/06 (in reply to #120130269)

    first off, why compare apples with pears hmm, this had nothing to do with ms operating system, but the Mac OS itself, if that is ya argument for a belief in an OS, then with all due respects, ya avoiding the main issue, and living on another planet.

    P.S. take a holiday will ya!

    Is it April Fool's day already down under? Anonymous -- 07/03/06 (in reply to #120130283)

    Get real you pathetic losers. There are more credible ways of generating traffic to your crappy site.

    Microsoft Setup !! Anonymous -- 07/03/06 (in reply to #120130269)

    You need to get out of your cubicle more often. That being said, I do run OS X and I seriously doubt the guy could hack my system without spending a lot more time than he would be willing to. But then I am not a typical Mac user in denial about security. I have taken other measures to ensure system security.

    So relieved! Jan Klaassen -- 07/03/06 (in reply to #120130269)

    I'm so relieved that this story title was just a hoax :).

    For a minute there I thought the card house collapsed, but now I read that this silly guy opened up SSH to his attackers :). No wonder..

    I figure it must be hard to find any real news on OS X security..

    Interesting journalism ;)

    Not just SSH... David Etter -- 10/03/06 (in reply to #120130471)

    Not only did the guy open up SSH, but he gave a local account for them to gain access through. Everyone knows that just gaining access is the hardest part. I'm surprised it took 30 minutes...if the hacker is as good as he claims, with the "unpublished vulnerabilities". Good grief... Going back to my safe, secure, unhacked OSX system, thank you.

    "backdoors at certain memory locations"? programming since before you were born -- 07/03/06 (in reply to #120130269)

    LOL. Let us know when you find out what backdoors and memory locations ARE, so you don't make such ludicrous statements.

    Yeah that guy is an idiot a a -- 08/05/09 (in reply to #120130472)

    thank you for calling that guy out, how had it not been done prior to this, what an idiot!

    riiiight Anonymous -- 26/06/09 (in reply to #120130269)

    always windows fault right? anyway, (I'm under linux btw, I'm no windows lover) "if it was any other operating system the IP address would have been hacked in under 30 SECONDS." which proves how much you know about computers... wtf, hacking an IP address? thing is, mac osX has plenty of space for improvement, and not just on the security side.. ever tried to do anything complicated on a mac OS? right, sorry, you never tried to do anything on a computer beyond browsing anti-microsoft sites and playing with AppleWorks 6... fact is, it's not a very stable system, which is quite a feat on the part of the developers, it gives a bad image on unix systems... the other major problem with mac, which should be by far its greatest advantage, is the hardware/software incompatibilities... sad really, knowing that they were built for each other

    OSX Insecure? Codswallops I say. Melony Steggles -- 06/03/06

    Interesting accusation indeed. However one requires experience when dealing with the delicate spices of OSX security configurations.

    The attacker was able to have his way with this system because the end user logged the attacker in as god.

    It's all about education and luckily most Mac end users are quite computer savvy. We still have a long way to go as a community, education should be a key focus. A good place to start is a Mac Users Society.

    Remember MAC = beautiful AND awesome AND fast.

    Thanks,
    Melony

    lol Anonymous -- 07/03/06 (in reply to #120130284)

    Yet again another MAC owner makes a laughable comment and OSX.

    MAC's account for 2-3% of the PC market they simply don't get attacked because it's not worth it. Spam and virus writers are looking for a maximum return on their endeavours. Firefox didn't get hit until it got to 10% market share and now it's being hit regularly.

    You MAC owners are going to have a very rude awakening should you ever hit the giddy heights of 10%. Then again thinking about it lol you're right you're quite safe :)

    Hack the system in the link then Steve Palmhair -- 07/03/06 (in reply to #120130372)

    Prove you know what you are talking about. Otherwise just shut up.

    Why? Anonymous -- 07/03/06 (in reply to #120130372)

    Why do you people say Mac as MAC. Each letter doesn't stand for something nor is Mac so great that it has to be put in caps. Stop it you fools.

    it is an acronym Anonymous -- 29/12/07 (in reply to #120130448)

    Most
    Applications
    Crash
    If
    Not
    The
    Operating
    System
    Hangs

    really? Anonymous -- 26/05/08 (in reply to #320092319)

    After building high end Windows machines specifically for audio, owning over 20 PC's, and being a tech for a computer company, I'd never go back to Windows.

    I never have an issue with ANY of my Macs. Not to say that problems don't come up... the biggest issue I've dealt with is hard disk failures (a mechanical device that Apple does NOT manufacture themselves) and with software issues I can count on one hand every year... yeah, I'd say it's a better OS.

    Though I must say Microsoft is definitely on the right track with their "copy Apple" strategy! It's the best looking Windows yet, though, the worst running as well... And why are so many people "downgrading" to an older, flawed version of Windows?

    You keep your PC, I'll keep my Mac... just enjoy your viruses or your system being taken over by an anti-virus program if you prefer. Keep in mind there still has yet to be one CONFIRMED virus on Mac OS X since its release.

    Don't you think that some hacker out there would just love to be the FIRST with a confirmed virus for the Mac? I mean realistically, wouldn't you love to shut up all of us smug Mac users? I do believe that there is a reason it has not been done, and market share has nothing to do with it.

    I have heard of attempts. I have heard of confirmations too, but those always resulted in the programmer saying that it would not be able to be spread due to the fact it could not be run on any other machine except for the one it was engineered for.

    I'll deal with a very rare application hang for the knowledge that my system is very well protected... from the factory without additional software. (FYI, I've always had more issues with "blue screens of death" and crashing applications on a single Windows machine than I ever had on all of my Macs combined.)

    butthole boobie -- 09/01/09 (in reply to #320102631)

    you're an ****

    Why? Anonymous -- 07/03/06 (in reply to #120130372)

    Why do you people say Mac as MAC. Each letter doesn't stand for something nor is Mac so great that it has to be put in caps. Stop it you fools.

    re: Why? Rob Marquardt -- 09/03/06 (in reply to #120130449)

    "Why do you people say Mac as MAC. Each letter doesn't stand for something nor is Mac so great that it has to be put in caps. Stop it you fools."

    Usually it's PC users (like the person you replied to) that think, because "PC" is in caps, all computers ("MAC", "LINUX") are too.

    You're spot-on with the "stop it you fools" line of thinking, though. Just for the wrong reasons.

    lit 101 Anonymous -- 16/05/06 (in reply to #120130449)

    when you write an abbreviation, you write it in capital letters.
    just like PC as personal computer and MAC as Macintosh.

    Mac 101 Anonymous -- 31/05/06 (in reply to #120134388)

    Mac is NOT an abbreviation. It is a registered trademark all on its own.

    even if... Anonymous -- 05/02/07 (in reply to #120135266)

    Even if Mac is considered an abbreviation the "abbreviations are capitalized" argument is faulty. Such abbreviations as km, pg., no., abbr., etc. aren't capitalized. And Thurs., Mar., Capt., Dr. (etc.) have only one capital letter.

    Why? Anonymous -- 07/03/06 (in reply to #120130372)

    Why do you people say Mac as MAC. Each letter doesn't stand for something nor is Mac so great that it has to be put in caps. Stop it you fools.

    Probably... Anonymous -- 08/03/06 (in reply to #120130450)

    Probably the same reason you posted your comments three times. Your comments weren't that great either; stop it you fool.

    Couldn't have said it better Anonymous -- 30/04/06 (in reply to #120130487)

    Glad I'm not the only one

    Mac market share = less viruses Anonymous -- 08/03/06 (in reply to #120130372)

    Which is why there are WAY more critical exploits for Apache than IIS web services right?

    no Anonymous -- 02/04/06 (in reply to #120130502)

    unlike OSX apache has faced the terrors of the internet since day one and every day it grew the project gained experience and security while hackers were trying to compromise that. It's called a hardening process and windows is undergoing that now too. And it's obviously time for OSX to learn from its faults too

    Interesting Comment Indeed John Bowers -- 22/04/06 (in reply to #120130284)

    First a bit of background: I am a Mac User who is a Security junkie. I don't claim to know a ton about security, but I really like it. I also really like my Mac, have general dislike for windows, and have had a long stint as a linux user. Currently my house has all of the following OSes installed and in use: Win2000, WinXP, Redhat 7, Fedora Core 3 (I know, update), and Mac OS X. The Mac is my main computer though.

    Now to comment on your comment:
    "logged the attacker in as god"
    It seems from the material that he was logged in as a normal user, not a super user or "god".

    "It's all about education and luckily most Mac end users are quite computer savvy."
    As to the savvy, maybe, maybe not. But this flaw has nothing to do with education. If the attacker is using unpublished and unpatched flaws as he claims to be, then no amount of your education short of actually looking for these unpublished exploits yourself (and successfully finding them) is going to save you.

    "Remember MAC = beautiful AND awesome AND fast."
    true.

    This brings up an increasingly good point: Every flaw that gets patched in a system is one less flaw that system has. We Mac users have not been tested by fire very often (and as the comments on this page suggest, really don't like it when we are). Windows is constantly having exploits discovered and patched. Now, I'm not going to say that Windows at the beginning and OS X at the beginning had the same amount of security flaws. But you can bet OS X HAS security flaws (as has seemingly been proven by this article). Claiming that YOU personally know how to make sure there aren't any is a kind of hubris only those called FANBOYS will attain. A bad couple of months will come sometime in the future where Mac is finally tested by fire, and I have confidence that Apple, as they have always done, will quickly fix and patch the holes. I look forward to it even, because afterwards the FANBOYS claim that the Mac is insanely secure might become true.

    Now for the other side of the coin:
    If this dude has found some unpublished bugs, why doesn't he publish them? Let's get them patched.

    GET REAL Anonymous -- 06/03/06

    Oh Man! Is this guy a total n3wb or what! Everyone knows this issue was patched last year at Bl4ckHat 2004. It was just a simple offset calculation fix in the virtual table kernel pool. Not even critical.

    Looks to me like the OSX haters are at it again. Please give up I'm starting to feel sorry for you.

    PEACE OUT OSX4LIFE

    Thanks for posting that story Anonymous -- 06/03/06

    Just a quick note to say that I appreciate this story.

    Also, the idiots page on that site is hilarious, I hope to see some new comments up there once this story is more read!

    Of course there are going to be vulnerabilities.. Jeremy Cade -- 06/03/06

    Last time I checked operating systems, like every other piece of software is written by humans? That in itself guarantees security vulnerabilities. To suggest mac osx is secure or more secure than any other mainstream end user os is just fanboyism at its best.

    ALL MAINSTREAM END USER OS's have security vulnerabilities.. regardless of who makes them.

    WAKE UP!

    agreed Anonymous -- 06/03/06 (in reply to #120130287)

    I believe people take too much for granted these days, like the virus issue.. to assume a mac is virus proof makes you an idiot. Why would anyone make a virus to attack 5% of the community, M$ has a larger userbase, so it's more likely to have viruses and "hackers" exploit the weaknesses of the majority used brand than the 2nd rate brands.

    I myself use Windows XP, and I find OS X primitive personally, and this is coming from a professional software engineer, Apple has its ups and downs just like Windows and *nix. It's not a fact of which is better but a fact of personal prefs, all operating systems have a weakness so please get off your anti-microsoft bandwagon and accept the facts!

    You have to be kidding ! Bill -- 06/03/06 (in reply to #120130305)

    ~ When did apple say mac's are virus proof ?!?
    ~ Why make a virus in the first place ? - To be a little arse, like most window users are....(Well you any ways) !
    ~ "2nd rate brand" - Just because M$ has more users doesn't mean its a better 'brand' ! More like its cheaper !
    ~ So simplicity is "primitive" - I would hate to have your life !
    ~ The fact that apple fixes its "security flaws" within a matter of weeks, is what counts !
    ~ "professional software engineer" - You like to talk yourself up don't you... loser !

    It's all in what you want to do with your system Anonymous -- 08/03/06 (in reply to #120130312)

    I am not a MAC fan as I don't really have any practical use for them. By this I mean I like to play high-end games and I develop .NET applications for fun and for a living.

    All OS's have flaws and hopefully the makers fix them in a reasonable time.

    Calling MAC OSX 2nd rate is not fair but it is fair to say that their small user base makes them a less appealing target to write hack at.

    There is a new OSX hacker challenge being put up here http://test.doit.wisc.edu/

    WOW D0zer -- 14/02/09 (in reply to #120130312)

    You are an idiot. Ever notice that there is a huge void in the amount of software available to Macs versus Windows. It sure isn't because it can't be filled, it's the fact that there aren't enough customers for companies to care to port their software to Mac. I have used windows since 3.1. I have had problems I am glad to admit but I have yet to have any issues with Vista other than drivers on my second computer which has x64. Now to say either is better is ignorant. Look at cars for example. There are models that don't last very long before having something break and there are models that last longer. 20 years from now everybody will look back and think wow we were stupid. Get off your high horse Mac users and prepare, when there is a will there is a way.

    in response to "Remember MAC = beautiful AND awesome AND fast. this from same person that wrote above" You obviously are living a sheltered life. Macs come in very little variety and all look the same. Sleek maybe but beautiful is absurd. I've seen some of the coolest DIY mods done to some computers, one that was particularly risky but impressive was a system built into an aquarium. Awesome is ridiculous as well. I find it utterly amusing watching my friends get frustrated waiting for their Macs to finish tasks that my computer has finished in a third of the time. They have Mac Book Pro btw. It's all about utilizing the core components of the machine no matter what OS you like. OS X has its moments where I go "that's pretty cool" but that's why I've begun working with the x86 Mac OS X project. I have yet to be amazed by either mainstream OS and I wish I had more time to devote to becoming a Linux user. Open Source all the way.

    Very mature Anonymous -- 31/03/09 (in reply to #120130312)

    Let's all call each other names, that's mature.

    First off, if the price of the OS was a factor in market share, Linux would be a monster.

    I personally prefer Window$, but have used and to some extent like both Mac and Linux. They have their place, just not as my main desktop computer.

    Part of my issue is software. I don't care what anyone says, there are not alternatives to every piece of software I use if I were to make the switch from Windows.

    Regardless, I would bet money that if market share flip-flopped, we'd be seeing a lot more security issues popping up for Mac or Linux. It's about more than just the challenge and bragging rights.

    is this journalism? Anonymous -- 06/03/06

    so ... an anonymous hacker, by unannounced means, has hacked os x by way of an unpublished and unidentified security hole.

    did he also see elvis?

    A shrink might help you Anonymous -- 06/03/06 (in reply to #120130288)

    With comments like that, one has to think ya not very computer savvy just maybe a newbie, but don't worry. there's a shrink in ya local area, look them up.

    agreed Anonymous -- 07/03/06 (in reply to #120130288)

    that's what I thought :)

    Indeed a load of bullpoo Leon Buijs -- 07/03/06 (in reply to #120130288)

    Anybody can claim something so vague.

    ZD Net is a paid Microsoft site john doe3 -- 06/03/06

    Both CNET and ZDNet are paid by Microsoft (e.g. for advertising, etc...) Every article they post about Apple is so biased. Check their past articles and decide for yourself.

    who is andrewg Anonymous -- 07/03/06 (in reply to #120130298)

    I heard he had a beard and likes to wear lycra

    Who is andrewg Anonymous -- 08/03/06 (in reply to #120130423)

    I hear he world best hacer. I hear he able code virus real time.

    He host TV show - very popular. You go see him blog: http://andrewg.tv/blog/

    Hace the planet!

    look who's talking Anonymous -- 06/02/07 (in reply to #120130548)

    trollaxor

    some clarifications: Anonymous -- 06/03/06

    from the website:
    "That's why I set up an LDAP server and linked it to the Macs naming and authentication services, to let people add their own account to this machine."

    and furthermore:
    "This is the place you add yourself an account on my Mac.

    To log in, simply SSH to rm-my-Mac.WideOpenBSD.ORG using the name and password you've chosen. It might take a while to log in as SSH is started from inetd and needs to generate keys upon startup.
    Username:
    Password: (pick a secure one)"

    let me get this right, he actually enables everybody to add his own home account? and gives them ssh access to his machine? and then he wonders that it is insecure?

    I don't know what to say...

    other than any normal mac user doesn't have to worry because that's such a stupid, non standard configuration that it will never happen on their machine.
    ++ chris

    What a fake.. Anonymous -- 06/03/06

    "hacked mac os x".. wake up people, what version was it? 10.0? the beta? or was it 10.4.3? who is outdated anyway..

    You guys have to bring in a bit more proof to say OS X is hacked.. sry lol.

    No operating system can be secure Hans-Christian -- 06/03/06

    No operating system can be secure unless you seriously cripple its functionality and API's.

    That being said, while there is no doubt OSX is very secure as opposed to, for example, Windows, the problem with OSX is that Apple is secretive about security issues; so it does not benefit from the openness of open source operating systems, like Linux (and this is regardless of OSX being based on BSD), nor does it have the punishing experience that Microsoft had to endure to get their act together and focus on its security issues (and, over time, be a bit more "forthcoming" about their efforts).

    So the question regarding the security of OSX is a matter of trust: Do you trust Apple or do you not? Security by obscurity only masks the underlying problem and, while in the short term, it may show to be somewhat effective, in the long run that effectiveness is almost negligible. And, ultimately, by keeping security matters quiet, Apple will be at their own discretion to put their efforts into what they deem is of most benefit to themselves, which does not necessarily mean to the benefit to the Apple community.

    And, finally, to point out to some of the more assertive comments on this board of virulent nature, bear in mind that the security issue with OSX is irrespective of whether OSX is a good operating system or the quality of Apple hardware. It should be in _your_ interest to be actively participating in these matters, rather than taking on a defensive and dismissive attitude (ie. "OSX rules, it is the most secure, you are just making this stuff up, stop saying bad things about Apple, nothing to see move along. w00t").

    osx IS secure Gerald Rumplestein -- 06/03/06 (in reply to #120130306)

    It's common knowledge that macos is the most secure operating system currently found on public networks. (Probably also the most secure operating system in classified environments - I think the NSA and CIA run macosx).

    To suggest that the Apple API requires crippling is fanciful at best. Among expert programmers the Apple API is regarded as rock solid and 94.86% total secure. Its closest competitor is OpenBSD which is around 89.52% internet secure according to popular calculations. The main reason the Apple API is so secure is due to the fact that the administrator must login using a secure password before any sensitive (red-zone) memory can be accessed by the API. It's simple but beautiful at the same time.

    I think everyone can agree that OSX is much more secure than Windows. Just look at its track record - no serious viruses at all. All we have seen so far are experimental prototypes developed by the world's best virus crackers (Like KF). These viruses do not work at all in a real world environment. I think this is mostly due to the superior design choices the Apple Operating System decided to implement that just don't feature in other Operating Systems. Think non-infectable executable file format, PROTECTED MEMORY, secure file permissions (you can turn off the execute bit on all viruses), and much more. What really impresses me is how Apple managed to create such a rock solid and secure operating system but have time to make it so pretty as well! Amazing!

    I completely trust Apple 100%. What reason would I have not to? They have always kept their consumers' best interests as the number one priority. The thing is Apple have designed macosx to be secure from the get go, they have nothing to hide. And besides they have released the complete source code for their operating system. This alone should prove that Apple have nothing to hide - no other company is confident enough to do this. I think this really makes MS jealous hence the zdnet articles.

    Mac users speak up about the operating system, because as mac users, we know we have the most god damn secure operating system on the planet, from first hand experience. Apple already thought about our interests when it designed the operating system as far as security concerns go.

    BTW there is nothing wrong with expressing pride in your chosen operating system providing it's the winning side (macos). Nobody is being defensive or dismissive, we just like to point out the facts as many Microsoft users are not familiar with reality.

    God Bless America

    re: Hans-Christian -- 07/03/06 (in reply to #120130313)

    Thank you. Your response is exactly what I hear all the time and would be exactly what I would say if I were to argue with someone why Apple OSX (Linux, Free/Open/NetBSD) is far more fundamentally secure than Microsoft Windows. However, your response betrays that either you didn't understand my point or I didn't explain well enough. Probably mostly the latter.

    1. User space is good, but does not prevent that user from losing data. It is good in a system where you don't want to compromise the fundamental system, but this is really not a concern for the typical user and his photography or music collection or documents

    2. Many applications/API's do not run in user space. If there is a vulnerability in Apache or hardware drivers, then there is a vulnerability in my system. For example, I would not be surprised if SpotLight had kernel mode integration and, if that were the case, then SpotLight might have some vulnerabilities as well. Has anyone looked into this?

    Please note: OSX is not a microkernel.

    Please note: Anything that runs in the kernel and extends its functionality through an API, for example, to user space and is found to have vulnerabilities has little or no protection for your system.

    http://developer.apple.com/documentation/Darwin/Conceptual/KEXTConcept/KEXTConceptAbout/about_kexts.html#//apple_ref/doc/uid/20002364-73828

    3. OSX is a direct derivative of NeXtStep, so a lot of that code is inherited to fit the Apple user experience and design. So, to understand OSX, you need to learn something about NeXtStep and its UNIX/BSD roots. OSX was not built from the ground up since 2000/01.

    4. You hinted towards that I had a particular bias towards another operating system (did you think it was Microsoft? heck no), but I never alluded to my preference, but if you are wondering, it is Debian Linux (server) and OpenSUSE (laptop).

    4. A virus is a piece of code designed to exploit the mechanisms of inherent trust of the operating system, application and the user. This is the holy trinity. To make your OS as secure as possible, you have to make two of those three as secure/well designed/smart as possible. So, now we are in a battle of definitions, because a virus is not the only thing that is dangerous and what is defined by varying degrees of exploitation that can occur. Part of Microsoft's problem is that they implemented too much code to integrate too much functionality and ease-of-use, without thinking of the unintended consequences. For example, Outlook being able to execute code from emails automatically. Well, Microsoft probably had an idea going there which was well-intentioned, but such a trusting nature can also be manipulated. Would this matter in a UNIX-type environment? Not really. An intentionally basic thought experiment: Let's say that OSX Mail was able to execute code automatically and you are in user space, then someone could send a piece of code which acts like a keystroke logger and the code would wait until the occasion that you type in your supervisor password and it would log those keystrokes and suddenly have access to attack your underlying system and then propagate further. So, the underlying security is really not all that important compared to the cohesion of the software and the underlying system or a smart user. The important thing is that Apple made the wise decision to make their kernel as secure as _possible_, but also thought about how their applications work by default, such as leaving all services off by default, which is the opposite policy to a company such as Microsoft, which wants you it seems to have all services on by default.

    So, it would be good to reflect on that philosophical difference and, bear in mind, this is the reason why most vulnerabilities in OSX applications tend to be Microsoft Office apps and such.

    And, yet again, not really to come to the defense of Microsoft, but if Apple had as big a customer base as Microsoft did, they would be far less

    Mail.app has an auto-execute vulnerability jazzcrazed -- 07/03/06 (in reply to #120130326)

    The most serious *known* OS X vulnerability is that Safari and Mail.app are set at default to determine "safe files" by extension, thus allowing terminal scripts to be masked as *.jpg or other kinds of files (see: http://blogs.securiteam.com/index.php/archives/317). It was creepy in the least to see a JPEG spawn a terminal window and list my home directory.

    Fortunately, this vulnerability *is* published, and at least users could change the default settings of the vulnerable apps. But that highlights the importance of not being secretive. Apple deserves scrutiny with this, and users are naive to assume that they already know of and can defend against all of OS X's vulnerabilities.
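The comment above describes files being treated as "safe" purely by extension. As a contrast, here is an added example (not from the thread, and not Apple's fix) of a check that also looks at the leading bytes of a download; the function names, verdict strings and sample inputs are constructed for illustration.

```python
"""Decide whether a download may be auto-opened, using content as well as extension."""
import os
import tempfile
from typing import Optional, Tuple

# Well-known leading-byte signatures for a few media/document types.
MAGIC = {
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".pdf": [b"%PDF-"],
}

# Leading bytes of content the OS can run or hand to an interpreter.
EXECUTABLE_PREFIXES = {
    b"#!": "a script with an interpreter line",
    b"\x7fELF": "an ELF executable",
    b"\xfe\xed\xfa\xce": "a Mach-O executable (32-bit, big-endian)",
    b"\xce\xfa\xed\xfe": "a Mach-O executable (32-bit, little-endian)",
    b"\xcf\xfa\xed\xfe": "a Mach-O executable (64-bit, little-endian)",
    b"\xca\xfe\xba\xbe": "a Mach-O universal binary or Java class",
    b"MZ": "a PE executable",
}


def sniff_executable(head: bytes) -> Optional[str]:
    """Return a description if the leading bytes look executable, else None."""
    for prefix, label in EXECUTABLE_PREFIXES.items():
        if head.startswith(prefix):
            return label
    return None


def check_download(name: str, head: bytes) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'open', 'prompt' or 'block'."""
    ext = os.path.splitext(name)[1].lower()
    exe = sniff_executable(head)
    if exe:
        # Executable content is never auto-opened, whatever the name claims.
        return "block", f"{ext or 'extensionless'} file is {exe}"
    signatures = MAGIC.get(ext)
    if signatures is None:
        return "prompt", "extension is not on the media allowlist"
    if any(head.startswith(sig) for sig in signatures):
        return "open", "content matches extension"
    return "prompt", "content does not match extension"


def check_file(path: str) -> Tuple[str, str]:
    """Apply check_download to a file on disk, reading only its first bytes."""
    with open(path, "rb") as fh:
        return check_download(os.path.basename(path), fh.read(16))


if __name__ == "__main__":
    # Constructed samples: a real JPEG header and a shell script named .jpg.
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
        "holiday.jpg": b"#!/bin/sh\nls ~\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            print(name, check_file(path))
```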

    old news already patch Anonymous -- 07/03/06 (in reply to #120130334)

    That vulnerability has already been patched.

    and so is MS's WMF vulnerability... JazzCrazed -- 13/03/06 (in reply to #120130344)

    My main point is that you, nor anybody, nor even Apple can claim to know every vulnerability and bug in the OS. This gwerdna fellow claims that he exploited an unknown vulnerability. Who are we to say he's wrong? Who are we to say that there aren't a hundred others? Or a thousand? Or just five?

    It's a lot of code to keep track of...except that with it being closed only Apple can keep track of it, so it's up to them to scrutinize themselves and let everybody know when they find something. Their reliability with that has yet to be proven, but they'll be getting their chance soon.

    It's my strong opinion that nobody can call anything secure without knowing every single bit that goes into it.

    Re: Auto-Execute Anonymous -- 09/03/06 (in reply to #120130334)

    Yes, I noticed that too. (That was creepy.) But the thing is, you actually need to execute the file. As compared to MS Windows viruses and trojans, you barely have to do anything at all and have a virus show up on your PC the next day.

    OpenBSD Anonymous -- 23/02/08 (in reply to #120130313)

    by default, out of the box, during and just after being freshly installed OpenBSD is the most secure publicly available operating system in the world that can be used to do useful things.

    Folks, Windows, Linux, Solaris, The BSDs, Unices, MacOS and OSX all have anywhere from several to several thousands known published, fixed and unfixed security problems since they were first released to the latest versions, some critical some completely benign, some very specific to certain conditions and some because of 3rd party software...

    So stop arguing about which is the most secure... and start arguing which is the right tool for the Job, and how to harden it... OSX set up as a network server on open public internet is kind of absurd as there are much better tools for this job commercial and free... OSX is good for grandma, designers, and sound engineers... if anyone thinks it's a good OS as a network operating system should probably pick up the FreeBSD handbook and choose a shell to learn and find out why OSX is based on BSD... and realize all the tinkering and crap that has been layered on that underlying design has been put there for the end user desktop experience, and not to make it any better or more secure as a network operating system...

    If you really want to see a secure network operating system, find a commercially hardened linux or BSD distro, or check out OpenBSD, or find a really old copy of something obscure like Irix or an old Solaris distribution that no one even remembers how to hack....

    Take, FreeBSD, NetBSD or OpenBSD and install PF use a default block in statement and only open the ports you need for the outside world to reach. Use the best, latest and greatest version of those apps you will run on those ports like the LAMP stack, BIND and SSH and chroot jail them when possible and stay on top of their dev and release cycle... and patch them as quickly as you can... turn off all services that are not necessary for the box to perform its job.

    Use an application-aware deep inspection hardware firewall in front of that that can help a little with spoof detection, and slow down lamer DoS attacks and whatever else can give PF a hand in dropping packets that would otherwise steal CPU time from your server, a modern PIX, a Juniper, etc, etc...

    and now you are as secure as you can reasonably be without developing your own custom security patches and software...

    but you are still only as secure as PF, Apache, MySql, PHP, and the Juniper Firewall code is... and there will always be new security holes that pop up in those apps and code... humans make mistakes, humans want new features, and humans want security... in that order, too.. :-) it's a cycle...

    Summary:

    Ok, choose the right OS for the Job, don't run unnecessary services, keep all exposed apps up to date, chroot jail them, use the hardened version if available... use a reputable hardware firewall in front of them as well as PF on the box itself and you are as secure as you are going to be outside of just not running any useful services and at that point just unplug the damn thing... then you are 99.9 secure... and the last thing that can happen would be the hackers knocking down your door and physically stealing your box....

    eh... as far as securing the box from internal unprivileged user accounts, that's another whole different box of bugs... and in reality there are very few situations where one would do that, and if you do do that, there are some very extensive, specialized configurations for that environment...
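The comment above recommends a PF ruleset that blocks inbound traffic by default and opens only the ports the box needs. This added example (not the commenter's code) audits a ruleset against that policy; the sample pf.conf is constructed, the allowlist of 22, 53, 80 and 443 is an assumption drawn from the services the comment names, and the parser covers only a simplified subset of pf.conf syntax.

```python
"""Audit a pf.conf for 'default block in, pass only what is needed'."""
import re

# Assumption: SSH, BIND and the web ports of a LAMP stack are the only exposed services.
ALLOWED_PORTS = {22, 53, 80, 443}

# Constructed ruleset; the last rule exposes MySQL and should be reported.
SAMPLE_PF_CONF = """\
set skip on lo0
block in all                       # default deny for inbound traffic
pass out all keep state
pass in proto tcp to port { 22 80 443 }
pass in proto { tcp udp } to port 53
pass in proto tcp to port 3306
"""

DEFAULT_BLOCK = re.compile(r"block(\s+(in|drop|return|log))*\s+all$")
PORT_SPEC = re.compile(r"\bport\s+(\{[^}]*\}|\S+)")


def audit_pf(conf, allowed=ALLOWED_PORTS):
    """Return a list of findings; an empty list means the policy holds."""
    findings = []
    # Keep only filter rules, with comments and surrounding whitespace removed.
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith(("block", "pass")):
            rules.append(line)

    # PF is last-match-wins, so the default block has to be the first filter rule.
    if not rules or not DEFAULT_BLOCK.match(rules[0]):
        findings.append("first filter rule is not a default 'block in all'")

    for rule in rules:
        tokens = rule.split()
        if tokens[0] != "pass":
            continue
        # A pass rule with no direction applies to inbound traffic as well.
        direction = tokens[1] if len(tokens) > 1 and tokens[1] in ("in", "out") else "both"
        if direction == "out":
            continue
        # Only the destination side (after 'to') decides which service is exposed.
        dest = rule.split(" to ", 1)[1] if " to " in rule else ""
        match = PORT_SPEC.search(dest)
        if match is None:
            findings.append(f"rule admits inbound traffic on every port: {rule}")
            continue
        for item in filter(None, re.split(r"[\s,{}]+", match.group(1))):
            if not item.isdigit():
                # Service names, ranges and macros are outside this simplified parser.
                findings.append(f"port spec '{item}' needs manual review: {rule}")
            elif int(item) not in allowed:
                findings.append(f"port {item} is open inbound but not on the allowlist: {rule}")
    return findings


if __name__ == "__main__":
    for finding in audit_pf(SAMPLE_PF_CONF):
        print("FINDING:", finding)
```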

    OSX, for certain things, linux certain things and windows for certain things Anonymous -- 17/12/09 (in reply to #120130313)

    "I think the NSA and CIA run OSX", LOL......, I can see it right now, at some type of inquiry on why Osama Bin Laden hasn't been caught, Agent Smith is asked why he missed intercepting calls from Osama Bin Laden's Sat phone in the hills of Afghanistan, he says "sorry sir but I was busy downloading music from iTunes".....ROFL, I'm an OSX user, and it has its problems, though as a previous Windows user, I'd prefer it to OSX over Windows any day, however I think 7 is actually going to be good for Microsoft, though there are still problems !!, My brother is a programmer and says that a Linux system set-up properly trumps everything else, that said.... I haven't the time to be maintaining a Linux system, also there are specific programs that I'm chasing that are only available for Mac, "Logic", yeh, sure there are PC options available, though I still have to use Windows, which is still having problems, and yes as the MS fanboys have mentioned is attacked more often due to its higher market share...... for me it's like this, Mac for power computing within a friendly environment specifically for media related stuff, seems to be more headroom in the way it handles data..?, and Microsoft for home theatre media centre setups and or gaming !!, and Linux for internet browsing, office related stuff and maybe home theatre setups......, I'm sure the guys at the frontlines of the NSA and CIA are probably using something other than OSX, maybe something Linux based...?

    an OS -could- be secure... Steve Austin -- 09/03/06 (in reply to #120130306)

    There is a public-domain effort underfoot managed by a friend of mine at IBM to harden Linux down to function-call level. It is conceivable that an operating system could be secure. Of course information systems are subject to human error in their configuration and accesses mistakenly granted via social engineering, but I challenge you to prove there is no way an OS can be secure.

    I believe it is inevitable that -some- OS (probably Linux, or its hardened version, whatever it may be called) will be secure and those with enough affinity of code-base (or need) will follow suit. It may take 10 years but my prediction is it will happen.

    A somewhat lengthy opinion about it.... Anonymous -- 25/10/06 (in reply to #120130612)

    Well, I'm of the opinion that there is no such thing as a totally secure system except when it is turned off and unplugged.

    The problem with designing something that is secure is that it assumes that you can achieve perfection, which is an impossibility. Programming is very much like engineering; it's about give and take, what you can and can't do, when you do one thing how it can impact something else, and so on.

    That said, Mac OS X is an inherently simpler operating system than, say, Microsoft Windows XP. This does mean that less can go wrong. However, you still have to put it into perspective; Mac OS X is still a complex piece of software and it is that complexity that gives it its potential vulnerabilities that Apple may not be able to entirely account for until after such vulnerability has been revealed by an attack. It is, after all, a man-made product with its own unique set of strengths and weaknesses that can be exploited in some way.

    This is why a system cannot be totally secure. All you can do is take the most measures possible to help fortify your system's security without impacting functionality too much. And, even then, a hack or infection can still happen; all the additional safeguarding only decreases the chances that a hack can occur, but it cannot totally eliminate the risk. All it takes is a hacker with ingenuity, imagination, and determination.

    You could design a security setup which can help mitigate vulnerabilities, but remember what I said about programming being somewhat like engineering. It is possible that such a setup could also introduce a different set of vulnerabilities that can also be exploited, and the more complex it is ... well, you should know what I mean.

    Again, the only time a system is totally secure is when it is powered down and unplugged. You may patch everything you know about now, but that doesn't mean that you can account for what could be exploited in the future. Let the uncertainty of your system's security keep you from being naive or complacent, ergo taking all necessary precautions to help mitigate the risk as opposed to thinking that "it can't happen to you" for whatever reason and allowing this risk to propagate further. - Reinhart

    MAC OSX Security DC0DR -- 15/05/07 (in reply to #120130306)

    You Gentlemen hit the nail on the Head. I have yet to see a better built platform for security considering UI, GUI as well as OS.

    My Pick is MAC

    DC0DR

    lol Anonymous -- 20/01/09 (in reply to #120130306)

    "That being said, while there is no doubt OSX is very secure as opposed to, for example, Windows"

    Yes, nice. That was rather stupid, if you had OSX in a configuration you set you believe it could not be hacked, if I have my PC in my own configuration I believe it will not be hacked. Stop throwing useless **** into your quality posts.

    Pathetic Anonymous -- 06/03/06

    How absolutely pathetic is this? Just give it a rest, you don't go off your tits every time Microsoft has a small flaw.

    See what I mean? Hans-Christian -- 06/03/06 (in reply to #120130309)

    See what I mean?

    These commenters are literally children. prgramming since before you were born -- 07/03/06 (in reply to #120130311)

    I wouldn't get my knickers in a twist over the comments here.

    idiots?! Anonymous -- 06/03/06

    did anyone see the idiots page on that website??????

    it looks perfectly reasonable, why would some moron put those things up???

    ??? Anonymous -- 06/03/06

    I'm not an Apple fanboy. In fact, I like Windows XP too, I just use OSX because Apple happens to sell the only 12" laptop that's affordable for me. And yes, I think it's good, maybe even better than Windows and a lot of Linux systems, but that depends entirely on what you want to do with it. I also never had any virus infections, malware or hacks while using Windows XP.

    That being said, I think this gwerdna person is trying to just get some press attention, and maybe discredit Apple because they're selling proprietary software and making a profit off it while he's at it.

    I've seen the website. There's no explanation whatsoever as to how this supposed takeover ever happened. Lesson number one in being credible: try to bring up at least some decent evidence.

    Other than that, he does have this machine configured in a rather unusual way, to say the least.

    I stand corrected Anonymous -- 07/03/06 (in reply to #120130316)

    It seems I stand corrected ... Someone's posted some code snippets on the site, that appear to me like they prove his point.
    Maybe someone really savvy of these things (unlike me, I must admit) should take a look at it.

    he said it was an unpublished exploit programming since before you were born -- 07/03/06 (in reply to #120130316)

    Do you know what "unpublished" means? Publishing an unpublished exploit is irresponsible.

    MAC OS X hacked? Anonymous -- 07/03/06

    I have been on Macs for years now and have no serious complaints about their products, including OS X, and I can't see myself ever going back to the MS world.

    I don't believe OS X is invulnerable and I am not complacent about security, but given the initial access level granted to the hackers for this 'challenge' their success can hardly be described as a real world threat. The only information the hackers should have been given was the IP address and the OS type. If they had hacked that at all, let alone in under 30 minutes, then I would be very concerned.

    Those who say that the only or main reason that OS X security has not been compromised yet is because of its small market share, should consider the kudos of being the first hacker to genuinely crack OS X. It would be instant fame. I bet that there are many dedicated hackers trying like buggery to crack OS X. I don't buy the small target and low interest explanation as the main reason OS X hasn't been cracked.

    There does seem to be an awful lot of Mac OS X security scare stories posted on this site, which then turn out to be just more FUD nonsense. Pity, because this site is otherwise a good source of info.

    same as above Anonymous -- 07/03/06 (in reply to #120130322)

    > but given the initial access level
    > granted to the hackers for this
    > 'challenge' their success can
    > hardly be described as a real
    > world threat.

    can you say "server"?

    server? you call that server? Anonymous -- 07/03/06 (in reply to #120130342)

    > can you say server?

    a server that allows everybody to set up a new account and ssh into it?

    try to set that up with any OS, and see it go down real fast.
    ++ chris

    A non-issue Rob klein -- 07/03/06 (in reply to #120130322)

    I wouldn't even be very worried if they could break into OS X using only IP and OS type...

    There is undoubtedly a way to attack OS X from the remote using yet unknown vulnerabilities.

    Every year there is a very small percentage of OS X (or any OS for that matter) systems that get broken into by unpublished flaws.

    However these flaws come out and fixes are might. Add a good firewall to this, and a dose of common sense you are at very low risk of becoming a victim in general.

    This type of "news" is of course useless. The only value it has is entertainment, I find it very entertaining that someone would invite attackers to break into such an insecure setup and expect it to fail :-).

    Wake up apple users kevin Davies -- 07/03/06

    I grew up with apples, I do use apple as well as windows (admittedly windows is my primary system).
    You can't shove random statistics in the story. Apple have a nice track record yeah but how can you argue about popularity. Because Microsoft may have the majority of users doesn't make it better though it does make it a bigger target. Soon all these ignorant "we're invincible" OS X users will be infested as sales go up.
    Whoever said it is common knowledge that osx is the most secure is also full of **** It's common knowledge that Linux is the most secure. This is because hardass people sit there and try to find vulnerabilities and then those same hardass coders fix that problem. Anyways I've just wasted a fuckload of time replying to this because 1 way or another it won't affect me I just know I'll laugh when interest does rise and there are apple hacks all over the place. I'll laugh that Microsoft have had years of experience in security and will always be years ahead.

    More Proof... Mac Master -- 07/03/06 (in reply to #120130330)

    that Windows users are ignorant. The guy gave the hacker access to the box with a SSH login. Do you morons know what SSH is? It stands for Secure Shell. Obviously the system is not secure when you let a stranger in. This is in no way a typical setup. Besides, this happens to you #$%!* Windows users all the time, it's called SPYWARE!!!! And to all those posers (that's you Kevin Davies) that say they use Apple computers, keep trying to pass that off to your ignorant Windows users. Peace Out!

    P. S. I work as a Sys Admin in a Windows shop but use my 12" Powerbook for all my work. Booh Yah.

    Dam **** you're hardcore Kevin -- 07/03/06 (in reply to #120130331)

    Again. it all points back to the Apple having a share in the market that isn't worth wanting to bother with. The only thing I use my powerbook for is to download torrents. Spyware, Well a lot of that can fall under common stupidity. Microsoft having the dominant share are no doubt going to be targeted the most and anyone stupid enough to go to a porn website, Accept the install file prompt (just clicking yes like so many do) deserve to have their computers rooted over. Which makes me wonder, how Hypocritical can you get. You're raving on about being "let in" and yet when someone clicks the yes button when visiting porn that says "Do you wish to allow *site* to install software on your machine" it's all Microsoft's fault for being insecure.

    Damn...you're a phony Mac Master -- 07/03/06 (in reply to #120130332)

    More proof that you are another phony "I use Macs" user. There is no such thing as a "Click on Yes" dialogue box in Mac OS X. IT ASKS FOR YOUR FRIGGEN ADMIN PASSWORD!!!! Jeez, how many times does this have to be repeated!!!

    Please, Kevin and the other tools here, quit showing your ignorance. I'd like to also note, like a previous post, the guy running the test is a Windows programmer looking to spread FUD. Look at the photo of his Mac mini and note the books on the shelf. It says it all.

    . Anonymous -- 07/03/06 (in reply to #120130331)

    lol all you losers that try to add credibility to your worthless comments by flopping out your e-**** thinking we care what sort of totally awesome job you have should go home to your macs and stay there so the rest of the world doesn't have to put up with your ****

    kevin is the most on the money so far

    um, no. kevinISaTool -- 07/03/06 (in reply to #120130333)

    kevin is a tool, and is completely off base. he obviously doesn't understand how spyware works. some spyware is installed without the user clicking "Yes, please pwn me". Windows fan-boys hopped onto this thread a lot quicker than I expected.. in 10 years when Apple owns Disney and has a 50% (and climbing) pc market share, what will the fan boys do?

    Kevin Anonymous -- 07/03/06 (in reply to #120130333)

    Bullshit....Let kevin prove it. Here ya go Kev. Take a shot you **** poser.

    http://test.doit.wisc.edu/

    Codswallop Anonymous -- 07/03/06

    As comments before me have noted: this article is horribly researched, and, in its current state, nothing more than a sad example of sensationalist FUD. What type of server? What software?

    I run a Mac based server near 24x7, and have never been "owned" --- more details, or take this ridiculous article offline!

    Boulderdash! Anonymous -- 07/03/06 (in reply to #120130335)

    This comment is horribly researched. What type of server? What software?!

    What kind of proof do you have that you've never been "owned"? You're some kind of omnipresent system administrator aware of all activity on the machine?

    more details please, or take this ridiculous comment offline.

    No firewall and gives user account on mac Anonymous -- 07/03/06

    It seems that the mac is set up to give anyone a user account on the mac with admin privileges (so they can use one of the "vulnerabilities" that would require actual physical access to your computer and a user password.)

    ssh account Anonymous -- 07/03/06 (in reply to #120130336)

    I doubt that he was dumb enough to give them an account with admin privileges.. otherwise the machine would have been "hacked" in mere seconds (using sudo)

    but still, setting up a machine with remote login and an LDAP server that everybody can access is bound to be hacked unless you know *very* well what you're doing.
    ++ chris

    windows developer set this up Anonymous -- 07/03/06

    check out the picture of the computer, holding a windows device driver programming book. kind of funny, it does not look like the challenge was set up by a newbie, but more by a windows developer... tired of being laughed at by OS X users ?

    ZDNet - 1 more nail in your coffin Anonymous -- 07/03/06

    I'm not going to launch any attack against the Windows programmer who set up this bogus experiment, or even the author, Munir Kotadia, who reported it. The fault for printing this piece of blatantly misleading information is ZDNet. And it certainly isn't the first time I've seen ZDNet publish such as this.

    So now when I see an article with zdnet in the link, I'll just go about my business and not bother, cause it too will probably be just another pile of bulls**t.

    Try Again, gwerdna Wingsy -- 07/03/06

    Someone else has posted a Hack-the-Mac challenge, but this time WITHOUT doing the utterly ridiculous thing of giving local access to anybody and everybody on the internet.

    So, gwerdna, see if you can hack it without someone first giving you the keys. We'll be waiting (but I certainly won't be holding my breath).

    http://test.doit.wisc.edu/

    gwerdna neutered by reality Cowicide -- 07/03/06 (in reply to #120130345)

    Hahaha... yeah... c'mon, gwerdna... let's see you "hack a mac" that doesn't have the owner hand you the keys to your own user account. Gawd, once again... these idiots will go to desperate lengths in order to avoid admitting they made the wrong platform choice.

    I love how the marketshare BS keeps being brought up. Guess what, idiots? Apple Mac OS 9 had over 40 viruses when Apple has LESS MARKETSHARE. How do you explain that? OS X has been out since 2001 and there are NO widespread viruses in the wild that make the average Mac user insecure... at all. LEAP is a joke.

    Here's the deal... OS X is FAR more secure than OS 9 and is FAR more secure than Windows, period. OS X was built on open source where many holes that Microsoft overlooked (or didn't even care about) were plugged.

    Does that mean I think Mac OS X is invulnerable? Only a complete idiot like the moron who wrote this article would think I thought that. NO... there is NO OS that is invulnerable. But... I'd love to hear the explanation for why there were over 40 viruses for OS 9 when the marketshare was much LESS for Apple. Hmmmm? Aww... does that hurt your little pea brain and pride? I'm sorry.

    Well, that blows your little marketshare theory out of the water.

    FUD Anonymous -- 07/03/06

    1. This was a competition to see if anyone could 'rm -rf' his box.
    2. He opened his security to allow people to create accounts to SSH into.
    3. It took 6 hours for the site to be defaced.
    4. The box has to date not 'rm -rf'ed.
    5. Root is disabled... so the person in this is obviously lying and has no clue about MacOS security.
    6. If he did have root, he failed the contest because he did not 'rm -rf' the box.
    7. The author of this article intentionally left all this information out of his article.
    8. This is very similar to the other over-hyped stories about security holes and viruses in Mac OSX that have as of yet to be unproven and non-verified. All from anonymous sources.

    Please read the following for background information:
    http://rm-my-mac.wideopenbsd.org/
    http://macdailynews.com/index.php/weblog/comments_opinion/8795/
    http://www.wired.com/news/columns/0,70257-0.html
    http://arstechnica.com/news.ars/post/20060220-6221.html

    SSH access? Anonymous -- 07/03/06

    I think you failed to mention that the attackers were given local ssh access. That makes quite a difference, you know.

    More FUD Anonymous -- 07/03/06

    More complete bollocks about market share spouted by the "security" industry.

    No facts, just hearsay and innuendo.

    hearsay Anonymous -- 07/03/06

    This article doesn't offer any specifics. I'd be more likely the article if it offered some objective information. Before writing articles in the theme of the journalistic profession, please give some real information.

    Apache? Anonymous -- 07/03/06

    Using SSH and breaking Apache ? Hacking MacOSX.

    More FUD - who lets random users have local user access to a server? Joe Block -- 07/03/06

    Getting the local user access you handed out to the hackers is 80% of cracking a unix box.

    Write an article when a box that doesn't have guest accounts on it like that gets 0wned, and maybe someone will take it seriously

    LOCAL USER Anonymous -- 07/03/06

    So the "Hacker" was a USER on the machine! This article is misleading at best by not making it obvious that the "hacker" was set up with a local user account on the machine they "hacked".

    Unlocked car with keys in ignition stolen shock.... Sir Josmould Herringpole -- 07/03/06

    Yes, this story is about as newsworthy. Inviting crackers to have a go at a Mac deliberately (if unknowingly) set up with gross security compromises is as about useful as feathers to a lobster. Less useful probably.

    Contest back up again, just ZDNet FUD Anonymous -- 07/03/06

    The webpage wasn't cracked remotely. Someone within the company modified the webpage. The contest is back up again at:

    http://test.doit.wisc.edu/

    Different contest Marty -- 07/03/06 (in reply to #120130368)

    Actually, the original contest allowed user to create their own user/password on the system. The Mac was cracked FROM WITHIN, not from without... a totally bogus test case.

    The new contest is by someone else to crack a properly locked down Mac.

    Check your details Anonymous -- 07/03/06

    http://rm-my-mac.wideopenbsd.org.nyud.net:8090/

    CoralWebPrx Anonymous -- 07/03/06

    This guy sucks, that's all.
    How to config your brain for dummies.

    NOT HACKED ON THE INTERNET! Anonymous -- 07/03/06

    One thing that has not been very well publicized is that the hacker came in as a LOCAL USER. This was not accomplished over the internet as 99.9% of Windows exploits are.

    Another case of Windows apologists looking for ANY excuse to bash a superior operating system. One that will not allow them to make any $$ off the backs of the poor sheep who are foolish enough to continue using it.

    Re: 'Security' Anonymous -- 07/03/06

    Why is ZDNet Australia on this strange anti Mac OS X mission? It would be one thing if the facts were right, but when they're not you start to wonder. Viruses? Eh, check the background info. Alas, a lot of online 'journalism' doesn't seem to work that way.

    Oh, wait. I just saw the sponsored links - Microsoft and Linux....could it...? Nah...or?

    Apple's 'Unix' Runs Arbitrary Code on Boot Anonymous -- 07/03/06

    Apple's 'Unix' Runs Arbitrary Code on Boot
    <http://rixstep.com/1/20060306,00.shtml>
    Rogue code and trojans resident on an OS X machine don't have to work overtime to 'get root'. If they're patient they'll have it on next boot with no effort made at all.

    Any process running in an admin account (and sometimes below) can corrupt the OS X boot sequence to get arbitrary code to run as root.

    <ftp://rixstep.com/pub/BootRooter.tar.bz2>

    Fixed with Tiger Brian Milby -- 08/03/06 (in reply to #120130377)

    This vulnerability was corrected with the release of Tiger. So, if you're not running 10.4 you need to read the article and follow its advice (or simply upgrade to Tiger).

    Shame on ZDNet... Stephen Bone -- 07/03/06

    The failure to mention that this "hack" was accomplished locally is a shameful example of corrupt or incompetent journalism. Shame on ZDNet.

    Challenge to ZDNet Anonymous -- 07/03/06

    OK, ZDNet, show us your real colors. Are you going to post an article on the REAL Hack-A-Mac contest results, or lay quiet while you continuously virus-scan all your Windows boxes?

    Say, give it a week? A month? And then report back to all your readers about this real-world security test.

    I'm giving 5-to-1 odds that we'll never see ZDNet mention it.

    http://test.doit.wisc.edu/

    Wrong Anonymous -- 07/03/06 (in reply to #120130381)

    Actually no, anyone reading this article will NOT understand the Mac in question was compromised FROM THE INSIDE which is very different from having your machine attacked simply from being connected to the net. Is OS X invincible? of course not. But this is just a badly written article designed to get hit. And btw "OS X Sucks" : real mature of you.

    What a mature response... Stephen Bone -- 08/03/06 (in reply to #120130381)

    If this is state-of-the-art for Windows advocacy, then Apple has nothing to worry about. No wonder s/he didn't sign their name.

    The point here had to do with journalistic competency, not platform choice.

    Challenge DOS ZDnet Australia anonymous -- 07/03/06 (in reply to #120130380)

    Ok guys. I got two words for you-- YOU SUCK.
    Zdnet Australia is not journalistic. All this cheesy urban legends about the MAC stinks.
    You're so pathetic.
    So here is my challenge:
    The first one to D.O.S Zdnet Australia or to change the homepage will gain my whole respect for the rest of his life.

    Unethical Journalism Anonymous -- 07/03/06

    Wow, don't they have journalism schools there in Australia? Or perhaps ZDnet is just a glorified electronic gossip column.

    C'mon guys, do a little homework on these things and report real news with facts. Are there any details to this story, or all hearsay and opinions?

    Lost all your credibility Anonymous -- 07/03/06

    I am very disappointed in ZDNet. In my book and no doubt anyone with any knowledge of this setup will see that you have lost all credibility with such erroneous misleading articles. And if you didn't know then that's almost as bad !!
    The article fails to mention, however, that the Mac OS X system that was "hacked" had an LDAP server setup which was linked to the Mac's naming and authentication services, to let people add their own account on the machine. So the contest allowed the user to create their own account and local SSH access -- a precarious set-up to say the least.
    Come on guys let me see how good your home security is by giving access to your codes to the local burglars or anyone else then say the alarm system is at fault !
    Your shame will not go unnoticed by the public

    Privilege escalation on a shell account? Article really should have mentioned M Caracio -- 07/03/06

    The article implies that every MAC on the planet is a timebomb, but as far as I understand it, shell access is turned off on OSX.

    If you open up the port, and give the user the ability to execute normal Unix commands, sooner or later they will break through. Even a brute force 'sudo' password attack might work.

    I feel that should have been mentioned in the article. The server was not set up as secure in the first place.

    More Journalistic CRAP Bender -- 07/03/06

    A mac hack doesn't bother me as much as the journalistic CRAP to get hits.

    Total nonsense Scott Ellsworth -- 07/03/06

    The conclusion - that Apple has been safe because of lower marketshare - is total nonsense.

    Look at the actual reports. The vulnerabilities on the MacOS just do not lend themselves to the massive security holes that exist in the Windows world.

    The recent worms both required a user to launch a trojan application, and the vulnerability was closed within a few weeks, all without a major breakout.

    This ssh exploit requires an account on the computer, and allowed privilege elevation.

    Many of the vulnerabilities cited in the recent 'MacOS X has many vulnerabilities' reports fail to point out that PHP, while installed, is not even activated unless the user edits their apache conf. Many similar utilities that will not be activated without special effort are included in such lists, inflating the exploit stats.

    Certainly, Apple does need to stay on top of security, but that nobody has managed to find a serious remote exploit that works without user intervention says to me that the system is fairly secure as it stands.

    poor, poor journalism Anonymous -- 07/03/06

    Giving partial information is often more misleading than out and out lying. ZDnet is now ZDnyet to me.

    Interesting read Anonymous -- 07/03/06

    http://www.osnews.com/story.php?news_id=13891

    Easy Security challenge for gwerdna freejazzis -- 07/03/06

    here's a real security challenge for gwerdna...
    ...so he can backup his claims in a real situation.

    http://test.doit.wisc.edu/

    *linked from Slashdot.

    worst journalism ever Anonymous -- 07/03/06

    here is a real test

    http://test.doit.wisc.edu/

    do your best, buddy.

    Okay, try this one Anonymous -- 07/03/06

    Here's another challenge. This time OS X has not been tweaked to allow local access.

    http://test.doit.wisc.edu./

    03/06/05 8:15pm EST http://test.doit.wisc.edu/ STILL UP Bob Barker -- 07/03/06 (in reply to #120130424)

    Well? What are those hackers waiting for?

    Why do people want to mislead the public so much? Anonymous -- 07/03/06

    Really, as I'm sure a lot of people on here have said and perhaps many others already know. This 'hacker' was given a local account on a computer and asked to break in. This is equivalent to having a unlocked car with the keys hidden inside it somewhere and asking someone to be able to start it.

    This example in no way represents true vulnerabilities in OS X. OS X is certainly not invulnerable, but this pretend example that Mac haters love to use is really nothing more than an exercise to mislead the public.

    this article is pure false propaganda and disgracefully bad journalism. Anonymous -- 07/03/06

    all of you need to read this:
    http://test.doit.wisc.edu/

    "... The original article was not fair, because it did not note, or even imply, or hint in any way, that local account access was granted. ... It's unfortunate that the initial coverage was so journalistically poor and sensationalistic on what might otherwise have been an article about an interesting local vulnerability. Instead, it chose to leave people with the impression that a Mac OS X machine can be "hacked" just by doing nothing more that being on the Internet. That is patently false."

    Direct access was given! Anonymous -- 07/03/06

    With Windows, I don't need direct access to penetrate a vulnerability. A real test of a weakness of the Mac vulnerabilities would have tried to show someone gaining access remotely. If they succeeded at doing that, without an internal ssh account, I would be a lot more impressed. With direct access I could have swapped the logicboard in 10 minutes to gain direct access to a machine with firmware password. Of course anyone stupid enough to give the key to their house to a hacker should get hacked. Windows you don't need to give the key to anything. Just be someone downloading e-mail with Outlook, or running an ActiveX plugin in a game or website. No such vulnerability in Mail.

    Gone in 30 minutes Anonymous -- 07/03/06

    Gone in 30 minutes! http://newzofdaworld.blogspot.com/

    Story updated by Author Munir Kotadia -- 07/03/06

    Thank you very much for your feedback.

    To clarify the terms of the hacking competition I have added a paragraph to clarify that participants were given a local account and challenged to take root control of the computer.

    I hope this clears up any confusion.

    BS-1....Integrity Zero Anonymous -- 07/03/06 (in reply to #120130432)

    Well this should keep your advertisers happy. How the hell did you get this job? Your retraction is a post on your article? Not only are you a hack you're also a coward.

    agreed, that's lame man kenneth pelletier -- 07/03/06 (in reply to #120130439)

    what a **** poor job of taking a cut at apple. go settle your platform grudges elsewhere.

    gwerdna Anonymous -- 07/03/06

    This is for ZDnet

    Does gwerdna work for a security firm?
    How did gwerdna learn of the exploit ?
    Find it on his own, briefed at work .

    Was he a user on the system?

    Thanks

    Please reporter... GET FIRED!!! Ian Graham -- 07/03/06

    MY GOD... the writer comes back on and say that he added a paragraph that the hacker was given a user account etc... HOW ABOUT APOLOGIZING AND REMOVING THE ARTICLE!!! IT'S ALL TOTAL BULLS#$T!!! Like other forum posters said... unlocked car with the keys hidden. I will love to see if any one breaks into the univ. of wisconsin website... highly doubt it. Again there mister Kotadia... you need to take down the article and tell the TRUTH! Why do people have such a hatred for Apple... they've totally shown the way to having a FUN safe computer experience. M$ is such a dirty company... do you really want to keep supporting a company that would love to be a monopoly and MAKE you use what ever fud they put out... I seriously think the world is getting stupider by the minute!

    Put your money where your mouth is Anonymous -- 07/03/06

    Here ya go...give it a shot. Maybe the Windows Zealots at ZDNET that keep publishing this FUD could take a crack at it.

    http://test.doit.wisc.edu/

    Come on losers....put up or shut up.

    REALITY Anonymous -- 07/03/06

    To everyone who thinks they know something about security and Apple.

    Fact: OSX is not a secure operating system. This shouldn't come as a surprise to you, seeing as it's a relatively new OS. No amount of fanboyism will change this. If you don't believe me check out some of suresec's work.

    Fact: Security is a fairly underground scene. Those that think it isn't obviously aren't part of it. People actually researching new vulnerabilities and writing exploits know that there are few other people doing the same thing. This makes them a valuable commodity. Making money from the craft is usually the goal. You should be glad that gwerdna took the time to give you a free lesson. Be paranoid. Don't expect another free lesson. Unpublished exploits are worth money and things that are worth money are rarely given away for free.

    To those that are trying to say that the other OSX Security challenge is the true test of OSX security, consider this. There is no prize and little recognition to be had from breaking that system. There is the risk that his exploit could be stolen from that system as it is not a controlled environment.

    Why would any hacker waste a remote exploit on it?

    hmmm... Anonymous -- 07/03/06

    http://2005.recon.cx/en/s/agriffiths.html Any comment, mate?

    Ya have a problem Anonymous -- 07/03/06

    Learn how to spell, you'll be much more convincing after you pass the third grade.

    if you listen close enough, you'll notice the editor's janitorial job at work gt: peyote -- 07/03/06

    lol. clean this up! & get the writer to do something as well.

    SENSATIONALIST BULLCRAP kenneth pelletier -- 07/03/06

    you mislead and slander with articles like this. you also stir up misplaced fears in people. you should be ashamed of your poor journalism tactics.

    "Gone in 30 Minutes" The Mac OSuX story Ron Doe -- 07/03/06

    Told you all Apple sucks and as usual, I was right. That is what Apple gets for using old "borrowed" code.

    "Gone in 30 minutes" Anonymous -- 07/03/06 (in reply to #120130457)

    Yes, gone in 30 minutes ---> http://newzofdaworld.blogspot.com/
    LOL.

    Stop kidding.. anonynous -- 07/03/06

    C'mon the guy has physical access to the computer for god sake, ask him crack any unix based OS over the network.

    ZDNet should stop kissing Bill Gates **** just be real for once.

    Dodgy OS X hack prompts genuine challenge - vnunet.com Gabriel Radic -- 07/03/06

    Read the news article here:
    http://www.vnunet.com/vnunet/news/2151455/false-hacking-report-prompts

    HACKMYMAC.COM will be more realistic! Brad Freeman -- 07/03/06

    Hacked from a LOCAL account with shell access and no firewall! Gimme a break!

    Try hacking into a default setup Mac from the internet and it is a no go!

    HACKMYMAC.COM (also from Sweden) will be online next week with a more realistic challenge for the world! And sponsored by an Internet Security Expert. I challenge you ZDNET to cover this also to prove you are not biased towards Windows!

    Mac OS X hacked under 30 minutes Anonymous -- 07/03/06

    The headline is downright misleading if not a lie.
    Given a local account and remote access is effectively disabling security.

    Without an account how long would it take this 'hacker' to break the ssh key for instance?

    Is MS worried? Cool! So Mac OS X is better! Arimathéia -- 07/03/06

    When you read an article like this you think how small is the writer's capacity of thought. How much is the price of the truth here? Poor slow writers.

    Soo lets get this right Anonymous -- 08/03/06

    The "hacker" had a local ssh account. It took him 30 minutes to break in and all he did was deface the web server..

    "gwerdna" claims to be an expert hacker If so why is the Mac still up and running?

    ZDNET Credibility Ruined - I will no longer read your crap Anonymous -- 08/03/06

    "Participants were given local client access to the target computer and invited to try their luck."

    yeah, thanks for pointing that out at the beginning. I will no longer read ZDNET garbage.

    Typical ZDNet Anonymous -- 08/03/06

    This is why I don't buy any ZDNet products, it's a biased view influenced by anyone who cares to pay them.

    Poor journalism at its best, sensationalism.... Eric Caldwell -- 08/03/06

    Nothing more than the half truth from a ZDNet article. I'm not a Mac zealot and would actually point other Mac users to this article if it were accurate, but it's not. Why not tell the world that the contest owner opened the kimono to OSX by giving hackers SSH access? Because you want to drag something through the mud instead of doing objective reporting.

    well... eeef -- 08/03/06

    as you know the whole story is somehow faked and can NOT be reproduced just by using the internet.

    http://test.doit.wisc.edu/

    Vulnerabilities in OS X are real Jack Noel -- 08/03/06

    Despite arguments to the contrary, a proof of concept for a hacking of OS X has been posted at rixstep.com. This vulnerability is because Apple's "version" of Unix lets arbitrary code execute during the boot sequence.

    No other Unix system offers this open door, Apple purposely 'allowed it' as part of their anxiety over losing the "old maccies" - some of whom still work for Apple and have influence.

    We've been had, ladies and gentlemen.

    Bull Anonymous -- 08/03/06 (in reply to #120130494)

    Oh, yeah, all I have to do is to run up to the machine and reboot it, or something equally "realistic", and run some code on boot. Yup, crystal clear, we should all burn our macs and go back to Micro$it Windronez.

    sensationalistic and misleading! Anonymous -- 08/03/06

    It wasn't until the community at large raised a stink that ZDNET updated the article to include the VERY important statement "...given a local user account..."

    As if that didn't make ALL the difference in the world......

    What is ZDNET's agenda here? Sensationalistic "reporting", with phrases like "Apple comes under fire" for recent vulnerabilities, etc. It's an obvious pattern of misleading and deceptive journalism, rife with FUD and designed to reduce positive perceptions?

    No-one is (or should be) blind to the fact that no operating system is 100% secure. Including OSX. But it is based on one of the most secure among them, *nix, and that in itself is laudable. But we-the-user, and Apple, are actively finding and helping to plug any gaps in OSX's security.

    I've been a mac-user for about 7 years, and have had not one single exploit, intrusion, virus, trojan, worm, or ad-ware install hit my machine. It could happen, but I am not losing sleep over it. Even if ZDNET tries to misrepresent the level of vulnerability, I know otherwise from direct experience...

    I'd like to see that same hacker get root access in 30 minutes, without being given a user account.

    Then I'll sit up and take notice!

    Otherwise, quit "inventing" the news ZDNET, and do something productive with your voice!

    try again ~ Anonymous -- 08/03/06

    http://test.doit.wisc.edu/

    This article has no value Anonymous -- 08/03/06

    This article has no value, as it doesn't respect simple scientific methodology or approach.

    Face the facts you foolish people Bubba Tbone -- 08/03/06

    (1) This is called market Hype. An unknown user uses an unknow method that is unpublished to change a webpage locally when given SSH and local access to machine and user account. No logs, no suporting evidence, no names, just a website, some photos, and Tada! By basing this "journalism" on this smoke and mirrors it has no credibility. I mean look here. I just defaced this ZDNET website by writing here on this webpage. I just hacked it. I mean by typing this I did the same thing right. Yet it didn't take me 29 minutes, it took under 3. OMG WTF OWNED. Im so kewl. Im a hacker! <shaking head> and you people call yourselves experts? I know a 10 year old that tells more believable lies. Where is the proof? If you base all your opinions on what a website says all I can say is your are a complete idiot. Please go kill yourself now and save the oxygen for brains that will actually use it for more than "fictional disbelief".

    (2) Always I hear whining from inexperienced Windows users complaining about OSX. And you wonder why all your bosses are outsourcing your jobs? You probably are the ones that thought war of the worlds is real. Fact: OSX is MORE secure than windows. This has already been proven. I can prove it with 2 simple statements.
    (a) A Mac ships with services off (secure) a Windows machine does not (insecure).
    (b) You are prompted for an admin password (secure) to INSTALL a program on OSX on Windows you do NOT (insecure).

    So look at it like this. No matter how INSECURE OSX is.......WINDOWS IS WORSE. Does that sink in?

    Now lets talk about Viruses. On a Mac running the most CURRENT software you would be prompted before something is installed. So a USER would have to say "OK" and type in an admin password. This is not a virus. This is called a Trojan. You would need social engineering in order to make the user go "oh ok" and type in the password. Windows you DO NOT. ( There are hundreds of IE exploits alone)

    So all those misled idiots out there that claim "Oh its market share is the reason no one writes viruses for macs"
    NO, its because you would have to put forth a greater effort of SOCIAL ENGINEERING to get the Mac User to say "Oh ok" and type in the admin password than to just write something that takes only around 5 minutes for some script kiddie to hack together to infect a Windows box.

    I can prove it.

    Market share Scenario........

    iPOD over 70% market. Connects to BOTH PC and MAC has a small OS and runs applications.

    Now how many iPod viruses are there in the wild?
    Yeah now you're pissed. Put down the starbucks and tell me why with the most widely used MP3 player there is and not 1 virus on it? Oh wait but there are some already on bluetooth cell phones.... Oh watch your coffee..I know you're mad now because your long sought after theory just went the way of the Loch ness Monster and Big foot.

    There goes that theory. Wave bye to it as it floats out the window. That load of BS does not float.

    Ok now it seems funny that most of the people that complain about MACOSX work in a WINTEL/LINUX environment. Seems to me that it would be job security if the Mac did NOT gain marketshare because you might be out of a job. I mean a computer that you don't need an overloaded IT department to support? Is not complex, easy to setup and maintain, better performance, better support. Oh I see the long lines at the unemployment office now. Monster.com is gonna have a field day! Hmmmmmm Sounds like some are scared of their job security.

    The computer industry is so bloated with all these "experts"
    Bah!
    I laugh at you.
    If you get all bent out of shape on a story that has no evidence, no logs, no supporting facts, and is basically just hearsay and FUD I say no wonder corporate america is farming your Jobs out. And all of this comes to light on a website where the ONE big ad is BUY A DELL.

    Moron is not good to describe such a failure.
    If you have any dignity just throw yourself out a window now and save the rest of

    Oh noes Anonymous -- 08/03/06

    So if someone breaks into my house and sits down at my Mac they could gain Admin access. I think the last thing I'd be worried about is someone gaining admin privs if they broke into my house to gain local access to the system. I'd be more worried about them actually stealing my TV and movies and taking the computer itself.

    Bwah-ha! Anonymous -- 08/03/06

    Mac hacked in under 7 mins! Yeah this one might be as funny as your 'article' Munir.
    http://www.mac360.com/index.php/mac360/comments/mac_mini_os_x_hacked_in_under_7_minutes/

    1100 Macs Ready to be hacked Anonymous -- 08/03/06

    These 1100 Macs aren't even running the newest OS X. Why haven't they been hacked? They've been there since before Oct 2004 according to CNET...

    http://news.com.com/Virginia+Tech+beefs+up+Mac+supercomputer/2100-1016_3-5426091.html (news.com.com article)

    If it's so dang easy, why hasn't it been done?

    http://www.tcf.vt.edu/systemX.html

    article correction Anonymous -- 08/03/06

    generally when legitimate online news sources make corrections or additions to already published material they make note of it... yet, this article has been modified without any notation... what does this say about ZDnet reporting ethics?

    Good job Anonymous -- 08/03/06

    Very good job. I have two things to say. 1) The article has achieved its purpose - to misinform the unknowledgeable people and perhaps influence them. This is nothing new (for example MS do it so do apple). 2) I understand the motivation of the experiment (trying to test the system not the third party server software SSH, Apache). However this experiment has little (no) real value. ACCEPT THE FACTS. Just for the record I am one of the experts in the area, so just swallow the FACTS if you are unable to reach the same conclusion.

    DO NOT VISIT ZDNET!! Microshat! -- 08/03/06

    Delete your bookmarks of ZDnet and CNET! They are obviously a front for Microshat. Don't give them the satisfaction of generating traffic.

    Bookmarks > Ctrl + Click > DELETE!

    Guess ZDNet was Wrong... Anonymous -- 08/03/06

    Surprise, surprise... ZDNet continues to spread the FUD. Looks like the guys at the University of Wisconsin showed just how lax your journalistic standards are.

    There's a reason I quit reading ZDNet long ago--this is an excellent example of it.

    NEW CONTEST ( http://test.doit.wisc.edu/ ) CLOSED. RESULTS?? Bob Barker -- 08/03/06

    Sorry for the HTML crap in my pasted text from another forum. The forumware here SUCKS (no line breaks? Gimme a break!) Anyway, the results are:

    Nothing.

    After traffic spiking at 30Mbps...
    After two concentrated DoS attacks where the host remained up...
    After numerous web exploit scripts, ssh dictionary attacks and having its rear probed by scanning tools...
    After OVER FOUR THOUSAND login attempts...

    ALL ATTEMPTS FAILED!
    (unless he's lying)

    Next??

    PS: I LOVE the "Objections to this test" section of the page. It shows perfectly how Mac users truly have the best of both worlds. At its core, Mac OS X enjoys the benefits of using open-source technologies (Apache, OpenSSH). And yet, OS X users also benefit from the concerted effort and vision of ONE COMPANY designing and implementing these and many other technologies, both open and closed-source, making sure (to the best of their abilities) that "it all just works". This is a benefit that neither Linux (fully open source but "headless" in its implementation -- and challenging to implement across the hardware "soup" of the x86 PC platform) nor Windows can offer (totally a closed technology, requiring all that it is to emanate from a single source or brain/talent pool: Microsoft... and ALSO subject to the hazards of doing so in the "soup" of the x86 hardware platform).

    To all of this, I say GO APPLE!!! I GOT FOUR WORDS FOR YA: I... LOVE... THIS COMPANY!!! EEEEEYYYYYEEEAAAAHHHHHHHH!!!!!!

    the 30 Minute Test WAS FALSE Billy -- 09/03/06 (in reply to #120130547)

    I knew someone would find out the truth. I know that 30 Minute to gain root access would have meant that the person made PASSWORD as the password for ROOT. That would have been really easy. Plus you have to enable root on the Apple to have that account active. Not a lot of users know how to do that.

    To be honest Bob Barker -- 09/03/06 (in reply to #120130584)

    we don't know what the password was. It could have been easy or tough. In either case, once any of the participants of the "rm my Mac" contest were logged in VIA ACCOUNTS THEY WERE ALLOWED TO CREATE THEMSELVES (SHEESH!), there are programs out there to try and hack passwords. But, the weight of that contest is rendered inert due to the fact that these strangers were given basic user accounts in the first place!

    What that "contest" shows is that there appears to be a privilege escalation problem with OS X, meaning that someone "on the inside" could wreak some havoc if they wanted to and they knew what they were doing. But this test showed NOTHING regarding the strength of an OS X system that is typically connected to the internet. That is what the second test at the University of Wisconsin was all about, and all attempts to gain access to that computer (analogous to your or my Mac -- or almost all Mac OS X Macs out there) FAILED.

    While no one or no company is safe from "inside jobs" or employees "going postal" (apologies to any sane postal employees out there), it appears that -- to date -- mac users are so far safe from being hacked by total strangers or their evil-coded software minions from gaining access.

    LOL! Hide the beer! The folks are home! Bob Barker -- 09/03/06 (in reply to #120130547)

    WOW! I cannot believe this! While you can if you go to http://test.doit.wisc.edu/ (the big hacker test at University of Wisconsin), you are greeted with this plain text message:

    "Yesterday we discovered the Mac OSX "challenge" was not an activity authorized by the UW-Madison. Once the test came to the attention of our CIO, she ended it. The site, test.doit.wisc.edu, will be removed from the network tonight. Our primary concern is for security and network access for UW services. We are sorry for any inconvenience this has caused to the community."

    So... the guy staged this challenge on the university bandwidth -- and network -- without proper authority! Bad move! Like, what IF someone got through? How much collateral damage could have been done? In the back of my mind I wondered if this was sanctioned by the university, but then I thought the guy couldn't be THAT dumb! Turns out he was! It doesn't negate the results... but it could negate his employment!

    Poor journalism Mike -- 09/03/06

    The sensationalist headline, the poorly explained facts... Sloppy.

    Wake up.. Anonymous -- 09/03/06

    http://test.doit.wisc.edu

    ok now?

    journalistic standards xxxxmaximumxxxx -- 09/03/06

    it seems as though ZDNet Australia has a very low bar for journalistic standards, I also wonder what the real goal of the person who set up the test was. both reporter and tester were dishonest, disingenuous and unethical. as for AndrewG. certain eastern countries "mafia" would pay very big money for his "hack." of course they would also cut his balls off if it failed. maybe that's his reason for remaining quiet.

    I agree, poor journalism. Jay Eorkin -- 09/03/06

    A report like this needs to be done by someone with some technical knowledge.

    Munir hacked by MS Not Buying It -- 09/03/06

    MS so desperate to pay clowns like him to write crap?

    Equal Time! Matt -- 09/03/06

    Okay Munir...you seem to like to run these stories and project the Mac like a scary Dr. Jekyll and Mr. Hyde.

    I want to do my own story. Right here. And I want to quote the experts who talk about Microsoft's security holes. I want to tell people via your website how many times Windows has been hacked in say, the last 6 months, and how long it took. What do you say...can I do a story on the vulnerabilities of Windows for ZD Net Australia?

    Here is a direct question: Did you or your managers or anyone at ZD Net receive a favor in ANY way to start pursuing the line of biased stories about the Mac vulnerabilities? A simple yes or no. Email me please, because I do want equal time and would like to see ZD Net do this story from the other perspective. Thanks.

    Latest Results on Attempted Mac Hacking Matt -- 10/03/06

    This is posted on macintouch.com today:

    10:43 EST We got an update from Dave Schroeder on his Mac OS X Security Challenge, now discontinued (at the behest of his university):

    * The response has been very strong, and the test has illustrated its point.

    * Traffic to the host spiked at over 30 Mbps.

    * Most of the traffic, aside from casual web visitors, was web exploit scripts, ssh dictionary attacks, and scanning tools such as Nessus.

    * The machine was under intermittent DoS attack. During the two brief periods of denial of service, the host remained up.

    * The test machine was a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, had two local accounts, and had ssh and http open with their default configurations.

    * There were no successful access attempts of any kind, including during the 38 hour duration of the test period, nor have there been any claims of success.

    * The site received almost a half a million requests via the web.

    * There were over 4000 login attempts via ssh.

    * The ipfw log grew at 40MB/hour and contains 6 million events logged.

    * Several social engineering attempts were received, including one purporting to be from the government of Sweden, which apparently uses GMail. ;-)

    * More test results and information may be published at a future date.

    See the Dell AD's on the page? Yo Daddy -- 10/03/06

    Gee, let's see. You have ads for Dell computers running Micro$oft Winblows on the "Mac's are insecure" Page?? Go figure! I think this is Znet's way of collecting OUR email addresses to resell! You had to give it to em to post!

    Dear angry mac users Happy Linux User -- 10/03/06

    Wow you mac guys sound really upset, sorry your favorite OS sucks. You should get a Linux machine and just chill out a bit.

    Linux?? Bob Barker -- 11/03/06 (in reply to #120130683)

    Thanks but no thanks, boltneck. We'd rather do work WITH our computer than have to work ON our computer. Mac OS X is the *NIX Linux wishes it was.

    Happy kernel patching!

    the supposed hack was an inside job Anonymous -- 11/03/06

    http://www.macnn.com/articles/06/03/09/mac.mini.weathers.attacks/

    I hacked into mac osx Anonymous -- 11/03/06

    I have managed to hack into Macintosh OSX before - just like I seen Jesus, Elvis and had a conversation with 12 movie stars all in a room back in the 1500's.

    I have no doubts that Mac OSX could be hacked, but providing local access to a computer - well, yea - anyone with half a brain could break in as well with the amount of access given to the hacker.

    Irresponsible ZDNet Reporting Joseph Lang -- 12/03/06

    Posting this article is a demonstration of ZDNet's irresponsible behavior when it comes to Mac news. Antics like this that intentionally mislead the public get you fired in any ETHICAL company. How can ANY operating system be protected from malicious activity when the world is 1) given a user account, with 2) secure shell access? This was not a security test of a real world case. This was a case of opening all your house doors and windows and then advertising to the world to try to steal your stuff. Sorry ZDNet - YOU'RE FIRED.

    OS X remains unhacked Joseph Lang -- 12/03/06

    ZDNet - here is responsible reporting and objective testing of the Mac OS X security. Note that it could not be hacked with SSH and HTTP open - not typical settings. http://www.vnunet.com/vnunet/news/2151531/apple-security-withstands

    Any OS is hackable... Matthew Harlum -- 12/03/06

    Being a Sysadmin for an ISP you sorta get to know how things work.

    While MacOS X is an excellent operating system (I own two Macs :P), there will always be a vulnerability somewhere, just not as bad as all the Windows ones.

    In most Unices you have a root account and a normal user account; on Windows you usually do not, and virii etc. end up sticking themselves into your startup, or seize control of the system.

    MacOSX having Unix cert means something, and the flaws in it are severely different: instead of just executing code you need to find a way to do just that, through the use of exploits.

    For instance, there was an exploit found in OS X regarding the StartupItems folder in /library (which has since been patched with Tiger).

    Any code placed in /Library/StartupItems on a pre-Tiger system is executed as root, and the folder permissions do not prevent this from happening.

    Think your mac is safe from a local attack? - http://www.securemac.com/macosxsingleuser.php

    Although that guy is an idiot suggesting to get rid of single-user...

    The moral of the story is that there is not one secure OS, but there are OSes that are more secure than others ;)

    Mac Hack the usual half-truths... Scave Dott -- 14/03/06

    From a Macworld Article:

    There has been a lot of talk in the press recently about how secure Mac OS X really is and how much Mac users have to be concerned about security. While Apple said they are very serious about security concerns, Mac users, for the most part, have been unaffected.

    “Proof of concepts are out there but end users have not been affected by exploits in the wild the way they typically are with some other platforms,” Bud Tribble, Apple’s vice president of Software Technology, told Macworld. “It’s never good to say don’t be concerned about security, however, the actual effects on users of our platform are minimal.”

    Tribble — who worked for Apple as manager of the original Macintosh Software team where he helped to design the Mac OS — said often times there is more to the story than what is originally reported by the press.

    One such incident happened earlier this month when a Swedish man set up his Mac mini as a server and invited people to try to break into the system and gain root control. Within hours of the challenge going live, it was over, as a hacker gained root control of the Mac mini.

    What was not initially reported, however, was that anyone that wanted to hack the machine was given access to the computer through a local account (which could be accessed via SSH), so the Mac mini wasn’t hacked from outside — root access was actually gained from a local user account.

    “There is certainly a tendency to make news out of every potential exploit on the Mac simply because it is more unusual than on some other platforms,” said Tribble. “A lot of times when you look behind the news, it is a little bit of a stretch.”

    That said, Apple does fix security issues in Mac OS X whenever they arise, but most times, these are before the issues are even known publicly.

    “These updates tend to be more preventative,” said Tribble. “They aren’t exploits in the wild that you are actively trying to prevent. Users should never be complacent about security – we aren’t here. We are extremely proactive in paying attention to these things and eliminating them when we find them.”

    Many Mac users openly boast about the lack of antivirus and security software they use on their computers because the Mac is a safe platform. Apple points out that a lot of security measures are looked after for the users, so even the most inexperienced computer user can feel safe when using a Mac.

    “We actually build a lot of security functionality into Mac OS X including things like download validation, flagging junk mail, making sure the ports are turned off, and we have a firewall there if you need it. There are a lot of things we do,” said Tribble.

    Hoping for good, unbiased criticism kj -- 11/04/06

    I had hoped, on seeing such a vague article, to find some good, unbiased, criticism and research in the responses (somewhat like you would find on say... snopes). Instead, every reply that has picked apart the article, or highlighted that every OS will have some form of security vulnerability, has been hung-drawn-and-quartered by the uneducated (or educated people giving a good impression of being uneducated) ravers who only want to shout "macosxrules" or "windowssucks" or the opposite. And then "validating" their statement with something like "america rules" or "good hacin 4eva" (sorry, can't you spell hacking or forever?).

    How brave of them to post under "Anonymous". How educated of them to use barely comprehensible "netspeak" that most people resort to when they're chatting online at 3am and their fingers are too sore to bother with full words.

    Worse, perhaps, are the smug *nix users who sit back and gloat about just how secure their system is.

    The truth is simple. The most commonly used systems are going to be targeted the most. There's no point putting sharp tacks on the road if no one is using inflatable tyres.

    And the number of hackers is always going to vastly outweigh the number of people working to program security patches for each system. It's far easier to spread the disease than it is to treat it.

    Mac OSX is not the most secure system in the world. Nor is Windows or any of the Unix or Linux based systems. All have their security strengths and weaknesses. Often, it's the user that determines just how strong these systems are with the precautions they take. The most secure system in the world sits in my study, or the study of any other user who can't afford to connect to the internet at this present time. Once connected to the internet, your computer is opened to new attacks every day. And it's not necessarily receiving new patches every day, is it?

    For the record, I am not particularly for or against any of the operating systems. I'm not the most educated in computers (hell, I'm not even 20 yet, I'm humble enough to know that I need a LOT of education), but I know that the best automatic security system, whatever that may be, can easily be made vulnerable by its user, as seems the case in this article, or by an experienced person who knows exactly what to look for.

    Speaking of facts... Anonymous -- 31/05/06

    get yours straight. The Mac user base is AT LEAST 10%, and it's growing by leaps and bounds.

    http://www.lowendmac.com/musings/statistics.shtml

    I've been using PCs daily for over 15 years, and Macs about half that time. Bottom line - PCs suck, even without Apple in the picture.

    lies. MacOS is the most secure OS. Impossible to hack John Jackson -- 13/10/06

    It is lies. Everyone knows that MacOs is impossible to hack and zero viruses exist on a mac. That is why macs are better than PCs and always will be. Apple has been using the intel chips for ages and now the PCs are finally catching up. MacOS rules!

    So give a thief the keys and Anonymous -- 03/01/07

    get surprised that he opens the lock?

    On this basis, even Fort Knox is insecure.

    Try harder with the FUD. It didn't work for ZDNet's Linux reporting (Linux grew like wildfire, remember? and still is). I can't see it working for MacOSX either, but maybe ZDNet's negative reporting is just an indicator that, like Linux, OSX is hurting their master.

    Wow Fanboyism is alive with Mac users Anonymous -- 09/08/07

    Probably true of a lot of users.
    Last word? no.
    I use many operating systems; all have their flaws. For one, Macs can get quite unstable at times but the Fanboys won't tell you that. They don't mention the easily accessible "Force Quit" function. Finder too is a bit poor. (Not that I am promoting any M$ alternative). At the end of the day, Macs can be hacked and so can most other operating systems. I honestly thought most Mac users would be enlightened enough not to just shout their praises and slam all others, real paranoia. (Feeling Vulnerable?) You should be, go read a book on internet security then unplug it when not in use :p Honestly be rational, if you know how, they can all be hacked to some degree, and if you're worried, close off your services and route your internet. That helps. Portscan your own computer.
    Respect...

    _,.-'EA§Y TiG€R'-.,_

    Obviously... Eric Ludzenski -- 26/11/07

    Of the hundreds of Windows vulnerabilities and viruses out there, and of the, what, zero known for OS X, would it not be more glorious for a hacker to hack OS X and be the FIRST at doing so, rather than just be another to have hacked Windows?

    All of this "It's just because Apple has a small market share and isn't worth the time" is utter bollocks.

    I read half the comments on this page Grow The HELL Up -- 30/01/08

    can I get that 5 minutes back? man you guys are childish.

    seeriously Renee -- 06/02/08 (in reply to #320094503)

    i did too, and i agree. chill the **** out. it's an ARTICLE.
    (oh god, i'm not abbreviating!!!!!!!!!!!!!!!!)

    you are wrong Anonymous -- 29/02/08

    the guy made it able to share files with other people... which is a feature that can be turned off VERY SIMPLY. OS X is designed not to allow viruses which really matters.

    thank you

    Mac ****~ mac hater -- 05/03/08

    why even bother using a "Mac"?
    1. can't play games for ****
    2. slow as ****
    3. based off unix
    4. microsoft had to make their office 'cause they're too stupid...
    5. mac just sucks...

    ~~from a guy with a large experience of computing, programming and technician work~~

    shallow minds typical of thick people Anonymous -- 29/06/08 (in reply to #320096826)

    ok ur right mac are useless with games
    slow... well i beg to differ alright its not super light weight like xubuntu but the os runs fairly sweet on a low spec machine. im running os x 10.4.12 on a 500mhz processor 576mb ram and a 8mb graphics card. show me a windows machine run vista at that spec... ur a moron. microsoft made the office package and in my opinion its the slowest piece of crap I've ever run on my mac. using an apple machine is just easy no worries about being screwed over every min by some trojan. i used windows for years and thought mac sucked but after owning one i would never go back.

    So you say Apple have original thoughts. Rolf -- 24/09/08

    If so, how come there are so many copyright infringements? Then how come Stardock among others used "widgets" six years before they were available in Macs?

    I've been handling computers since -79, not to say that I am an expert but I have been around them for a long time. Most people have PCs at home because Macs are PCs too.
    People seem to have forgotten what PC stands for.
    Albeit the Macs are arguably safer than PCs, but there are quite a few reasons for that. The chief reason would be the simple fact that a Mac is a static entity.
    During its lifecycle it stays the same whereas a computer running Windows is an adaptable machine. It's quite simple for anyone to change hardware as they please.

    Also there is a plethora of software available for the PC that Microsoft have nothing to do with or any chance to integrate safely into the OS.

    To make an MTV generation example, the Mac used to be a nice shiny Cadillac. Nothing really exciting about it after it's reached the third year of its life.
    Invite Xzibit and he'll pimp it for you, changing the GUI around a lot, doing some welding here and there, adding random functions, making the car heavier and thirstier for amps and fuel.
    You get something that looks good and may be a bit faster but it's not really what the people over at Cadillac designed or can take responsibility for.

    The key thing that Apple has done is taken away the possibilities for said upgrades thus minimizing chances of a breakdown.

    If it makes a Mac better or not is a personal opinion, not a fact. I use a Mac at work because my boss decided we should have Macs there. I like it fine; at home I use Vista, which I like and don't think is a copy of any Mac OS (again I've used both over lots of years).

    On my laptop I use Ubuntu, mainly because I have been using Linux for a long time and it easily works with both my homeputer and workputer. Also a nice OS.

    In the end, you should get a computer that fits your needs or your style. Some want a Mercedes, a Ferrari, a VW, a Volvo and some even like the Pinto, in my opinion they are all fine as they my **** from point a to point b.

    If I want to dig a ditch however I'll go for a tractor or similar work-oriented machinery. It's all about choosing the right tool and not one single tool can do everything.

    Happy Mac user here! Cherwally -- 04/11/08

    I've seen this is a very old thread but after reading all the comments i felt like telling you my own experience with Macs!
    I am a truly happy user from 10 years ago!
    I could say i used most of the OS from Mac...
    starting with the "antique" OS 7 going to OS 9.2.2 (last version of the OS Classic) and going to the latest OS X today!
    Well, like all the operating systems, at their beginning they had enough problems and i am talking here only about Mac Classic OS's when the computers were freezing so quick...
    Things are totally changed with the arrival of OS X, a brand new architecture, great stability and gorgeous interface!
    Along all these 10 years I have NEVER found any trace of ANY VIRUS on my Macintosh computers ( i had quite a few ;) ) but since i used Windows before i still kept that "fear of viruses" so i was doing periodical virus scans!
    In fact i never traced any virus on any Mac i used or repaired for friends ever!
    I am wondering how many of the Mac users ever had (discovered) any virus!
    As an extra info...i had always browsed "nasty" websites...(porn, warez, crack, hack...)
    Taste & argue with these real facts Windows lovers;)
    PS: Maybe there are a few things which i would love to see extra on Macs as they are so easy to find for Win users (games & more various applications) but believe me, i will NEVER give the beauty, security, stability and simplicity of Macs against the s**t coming from Microsoft!
    Yes!
    NEVER had any virus in 10 years!
    How many of you (Win users) can EVER say you've browsed almost daily unsafe websites like me and never had any virus?
    PS. 2:
    Never kept active firewalls or any special protections!
    My single infection is the Apple "Trojan" :D

    I did not have any viruses on windows either ... :) abpectore -- 31/05/09 (in reply to #320115524)

    I installed windows XP on my dad's machine when XP came out. I configured automatic upgrades, installed the required productivity applications and I set up my dad as a regular user (not the default admin option). That was it. Five years later (today) no viruses, no trojans, no problems whatsoever. For him the PC is just like a TV or a typewriter - on and off and no worries.

    I am proficient in both mac os x and windows. With windows I started with 2.1 (yes there was windows 2.1). I did not like the performance of 95 and in fact back then I combined the graphical system of 95 with the core of 3.1 and it was cool. Since win XP i never had any viruses or any OS malfunction worth mentioning. Today my preferred windows distro is 2008 server configured as a workstation which is fast, slick and useful.

    I looked into Apple after they switched to x86 platform because for me power PC was a showstopper (from performance and compatibility standpoint) and I saw good. Today my personal laptop is 17" macbook pro. I have no viruses, trojans or any other issues whatsoever. In fact today I run all my software on apple hardware (the windows installations also) because I found that macmini is one of the most efficient server choices and as I am getting older I rarely upgrade hardware and I appreciate beauty a little bit more...

    Currently my home server is Mac OS X 10.5.7 (on a mac mini of course). I have full desktop replication LDAP, mail, wiki ... and the full shebang and it works. All that being said however, my personal (I repeat PERSONAL) opinion is that Windows 2008 Ent. Server is way ahead as speed, manageability and usability.

    I constantly use and really like Apple hardware and software and at the same time I really despise Apple marketing and business practices. :)

    Apple fanboys (specifically) irritate me a lot more than linux and windows fans. Perhaps because the majority of linux users are educated and savvy (they have to be in order to consistently use linux) and the majority of windows users are pragmatic "bang for the buck" is their game and I understand them.

    I am not making any points. I am just sharing as an anonymous alcoholic (technoholic) ... so chill out

    interesting... Will van Zyl -- 08/04/09

    ...to note that if there were no big commercial race for market perception of quality, we probably would all simply agree that we have different preferences in OS, aesthetics and UX.
    That said, my productivity and the stability of my machine has increased significantly since moving to the more stable, more considered and less frequently patched OS.
    Play nice, kids. :)

    Exploit Anonymous -- 09/09/09

    The point is he broke into the mac using an exploit which was new. How can mac secure itself against something like that? We all know linux is open source and therefore easier to find bugs so they can be easier fixed.

    Macs are ok Anonymous -- 22/11/09 (in reply to #320277148)

    Macs are ok computers, but they still have some holes here and there. I'm not saying that it's bad, because i have both Macs and Pcs, but still it is only the early 21st century, and computers are not going to be absolutely perfect like in star trek, but at the same time Macs are Waaaaay better than Pcs.

    the 2 major common flaws of an average pc:

    1. Professional software doesn't have dancing paper clips.

    2. microsoft is a pre-internet era os. why bother patching up and covering up security holes and putting them under the hood instead of re-writing the OS like mac did when they introduced Mac OS X 10.0? Windows 7=Windows 1.0 with major theme mods.

    Although i have used Pcs for much longer than macs, it only took me a little while to realize what i was missing. I still use pcs today, but only for stuff like gaming and common apps. Unfortunately, since the most common applications are written for Windows and not Mac OS X, i have to use the crappy twig foundation that microsoft built for me.
