rm-my-Mac – what ZDNet didn’t say….

ZDNet published a very misleading article today announcing that Mac OS X had been hacked in under 30 minutes in response to a “Hack My Mac”-type challenge. It differs to previous “Hack My Mac” challenges however in that the “hackers” were given local access. In other words, they already had SSH access to the machine. … Continue reading “rm-my-Mac – what ZDNet didn’t say….”

ZDNet published a very misleading article today announcing that Mac OS X had been hacked in under 30 minutes in response to a “Hack My Mac”-type challenge. It differs to previous “Hack My Mac” challenges however in that the “hackers” were given local access. In other words, they already had SSH access to the machine. This makes a huge difference, and no, I’m not splitting hairs. To my mind, that’s like daring anyone to rob my house but leaving the windows open. Sure, it’ll deter some people who can’t fit through but it’s still a gross security hole. ZDNet presented the information as if it was as bad as some of the Windows XP remote exploits, where you can take charge of the computer without having your own account on it.

Dave Schroeder, a generally nice guy from the University of Wisconsin, has set up a comparable machine – a G4-based Mac mini running Mac OS X 10.4.5 with Security Update 2006-001. It has two local accounts, neither of which will be left wide open to attackers, and has ssh and http open – a lot more than most Mac OS X machines will ever have open. He invites some enterprising hackers as an education issue.

Is this a big deal? I don’t think so, but it is worthwhile to reiterate some security truths that we may have forgotten.

  1. Don’t give local access accounts (even non-admin) to people you don’t trust.
  2. Never give out your password to anyone. Not even me.
  3. Don’t use a crappy USB ADSL modem. Use a NAT router with a Firewall.
  4. Keep patched and up to date with Software Update
  5. If you experience any odd behaviour (like files deleted mysteriously), do something about it

I’d add that Apple needs to get moving on some of these exploits (though whether they are in the open source underpinnings or in Apple code remains to be seen) and get them patched. We STILL have a long way to go before we’re at the level of Windows. The media, desiring us to remain in a state of Fear, Uncertainty and Doubt, will continue to obfuscate facts, in computers as well as in the recent wars, in order to sell newspapers, drive website hits and make names for journalists.

Related posts:

  2. What Microsoft can teach Apple about software updates
  3. Mobile/Portable Computing Caveats
  4. ADBE: Nearly there

Leave a Reply