Lies, Damned lies and OS X security lies

March 7th, 2006 · No Comments

The ZDNet Australia article, “Mac OS X hacked under 30 minutes”, has spawned a myriad of factually incorrect blog posts. OS X wasn’t hacked remotely; it was hacked by someone sat in front of the box. If someone has physical access to your computer it is already compromised.

… and now I’m seeing bloggers reposting that “Mac OS X can be hacked in less than 30 minutes” adding to the echo chamber of misinformation. This machine was compromised from the inside with a known user account and password and with a granted attack vector (ssh)!

Dave Schroeder, of the University of Wisconsin, wrote:

The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are “unpublished”. But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.

In response, Dave has placed a Mac mini on the Internet, weakened the default security by enabling SSH and HTTP, and invited it to be hacked. As yet no-one has managed it. OS X is Darwin, a BSD flavoured UNIX, and BSD has one of the best security records of any OS in history. Anyone saying otherwise simply hasn’t done their research.

Another Look at Mac OS X Security - The Unofficial Apple Weblog (TUAW)
