rm the idiots
Regarding the test.doit.wisc.edu site:
Yesterday we discovered the Mac OSX "challenge" was not an activity authorized by the UW-Madison. Once the test came to the attention of our CIO, she ended it. The site, test.doit.wisc.edu, will be removed from the network tonight. Our primary concern is for security and network access for UW services. We are sorry for any inconvenience this has caused to the community.
So, it appears some sysadmin ran a hot headed competition, without authorization by his employers, on their network, their time, and their resources, and further more, may have caused immense collateral damage to the university's network?
Congrats, you're awesome at life.
Update: As you'd expect from this guy's cowboy antics, it's rumoured he was close to being fired, probably rightfully so.
I'm sure there are a few small quirks in the millions of lines of code that make up OS X. I'm sure someone could write an app to take advantage of at least one and do some stuff I wouldn't like.
But for that to happen, I have to enter my password. The point is: OS X can't be compromised by simply visiting a website with some malware that automatically downloads and runs. I know - I've tried. Safari simply tells me: "This is an application. Are you sure you want to download it?"
-- Bryan Jones. (Read this post in all its stupidity and retardedness).
"Mac OS X has quite lousy security, eh?"
Lousy security? Compared to what? Why don't you wipe it then, smart ass!
From the Notes section.
There will be a time when OS X will have virus'. Never say never. But there is a big difference in the security of Windows and OS X. Virus have easy access to the Kernel on windows, not so on OS X.
-- Anonymous
Windows has had what, like 200,000 Virus's in the last year? Apple has had two or three theoretical exploits that either require the user to run code by hand or else target services that most mac users don't turn on. Sounds like Apple is doing its job to me. And honestly this idea that as Apple gets more popular there will be more viruses is largely a load of crap. The notoriety of writing the first real virus for OS X would be vastly more than for writing yet another windows virus. The reason why no one writes viruses for Apple is most likely because people like Apple and want them to succeed. I think if people start writing viruses for Apple it will be because Apple gets lazy and stops innovating, or else stops at least trying to fix the bugs in its software. Because right now both the means and the motive or there, but it's just not really happening.
-- pHatidic
That so called bug was patched several months ago. And the only way it could have been exploited is if someone has physical access to the computer.
-- steve
When someone actually starts exploiting these flaws, then I'll care. That's assuming the flaws aren't fixed before the exploits become popular.
Personally, and I think this goes for a lot of people, I'm not interested in a "flaw", unless it stands at least a small chance in hell of actually affecting me.
For example, this "dsidentity" flaw. The malicious user seems to need to actually have physical accesses to the machine. Shit, IMO that's not not much of a flaw.
-- SignOfZeta
This story seems to get rehashed every few months and the same lines get tossed back and forth. Once Mac OS X gets more of a user base, viruses will exploDE on thE MACS OMG!! Windows still requires no effort to install malicious programs, however, and by comparison Mac OS X at least asks for an admin password.
-- Know-it-all Tards
The reason OS X is secure is not because of market share. It's because you're not logged in as root by default. Why don't these morons get it?
You have to enter the admin password to install software, dummy!
-- Mr_Strat
It's time us Mac users stood up to these irresponsible security practitioners. Exposing vulnerabilities in OSX is just not on guys. For now i've never had any problems with viruses or worms and it's jerks like this Neil guy who are making things bad for all of us. I'm a graphics artist by trade and I don't want to have to worry about this nerd hacker bs.
-- Jim Bobbins
Macs are not virus proof. Note the "Security Updates" when you run software update -- Apple has found a hole is is seeking to fix it before someone writes a virus to take advantage of it. If only Microsoft worked so pro-actively.
-- George Bridges
The whole mac sook asshats. -- You guys are clearly awesome at life, and understand everything.
<@anonymous> "mac owners support group"?
<@anonymous> "hi, my name is neil and i own a mac"
<@anonymous> "hello neil"
<@anonymous> (chorus)
Rediculous story. It wouldn't have hurt to mention OS X has a more advanced permission system, "root" user is disabled by default on all systems, Admin password is required for all system file additions or modifications, and various other security features that Windows Vista is adding and XP could only dream of.
-- Brent Billman
Technically the Mac cannot get a Virus, it's not designed in anyway similar to Windows. In 10 years, Authors will be saying the same thing. "Just wait, Macs will get a Virus sooner or later" Well, it is later, and the Mac cannot get them... Here are the reasons: ...
4) All administrative actions require a password. In other words, for Virus to move from machine to machine, a Virus writer must go into every house/office then figure out the user's password, then hit return. (now you know why there are Zero viruses on Macs)
Finally, many of Mac OS X's security problems are only theoretical and can never materialize, nor propagate in the wild. Apple contracts agencies to find security holes in its operating system before the hackers do. ... In short Apple takes security seriously and if you work with Macs as I do you'd know it.
-- James Jones. Read this twit's post in full here.
According to the good doctor malware writers must have an 'address' to install their applications against. UNIX has none. Windows is totally 'memory addressed' based. So was the original Mac Classic OS. And each installation of the OS is the same as the machine sitting next to it.
Remember, this was developed for DARPA, which had to be extremely secure. Let us also remember that UNIX was designed to be shared from day one. MS-DOS/Windows was never designed to be shared from the get go.
-- Anonymous
Sorry but 99.9% of Macs don't have Root access enabled - and to get root access you have to intentionally grant yourself access to it (and just the sight of Terminal will scare enough of the tinkerer's off!). Apple doesn't recommend it, and almost nobody does because you should never need to, it's not necessary to install software.
Essentially Macs come with three levels of security: Root with disabled access, Admin - the user account for installing software (which can't be used for shell updates/changes) and finally a standard user.
-- Anonymous
The attacker was able to have his way with this system because the end user logged the attacker in as god.
Remember MAC = beautiful AND awesome AND fast.
-- Melony Steggles
so ... an anonymous hacker, by unanounced means, has hacked os x by way of an unpublished and unidentified security hole.
did he also see elvis?
-- anonymous
Any hacker sophisticated enough to hack MacOSX would probably come up with a better handle than his name and last name initial spelled backwards.
-- davin8or
SSH is off by default. Why would he turn it on?
-- aristotles
So the guy who hacked the machine only hacked Apache? I thought the intention was to rm the box. Has anyone hacked anything beyond the Apache pages?
-- From the notes page
The "hacker" had a local ssh account. It took his 30 minutes to break in and all he did was deface the web server..
"gwerdna" claims to be an expert hacker If so why is the Mac still up and running?
-- anonymous
Some of the comments at http://rm-my-mac.wideopenbsd.org/notes say that the weakness is in ping, traceroute and malloc. If true, it's certainly a problem. But not a problem any normal user needs to worry about, since it requires the hacker to have an account to exploit.
If I had my own account on a machine, I think I'd be able to do that in half an hour or so, too, and I wouldn't need to do anything all that fancy. There are several password crackers for OS X and other Unix variants. I've helped people use them a couple times (for perfectly legitimate reasons!). Once you get the admin password, you just call 'sudo rm...' and you're done. Of course, a solid admin password might make that impractical.
The lack of confirmed details makes it hard to say anything for certain. But I'm not worried.
-- Mikuro
I love how hackers call themselves "bug finders". No your not .bug finders., and no, your not providing a valuable community service. You.re a hacker plain and simple. People like this supposed .bug-finder. should be flushed out and prosecuted to the fullest extend of the law, have their computers confiscated from them and have severe economic penalties applied as well.
I'd like to meet this "gwerdna" .. personally, and this "rmm". People like them should be flayed alive... I'll do it for free.