
#FF00AA


7 mar. 2006

@apple@

You’re likely to read (over and over again, on each and every tech website) a derivative of the “Mac OS X hacked under 30 minutes” story that was published today. What you may not read, however (depending on whether you read Mac-apologist websites, mostly — well, you do, since you’re reading this blog), is the (semi-)rebuttal, so I thought I should mention it here.

The story, as reported: someone put up a challenge on the net to hack the Mac mini he’d set up as a typical web server; the challenge worked so well (well, they tend to), the machine was actually hacked in thirty minutes. Ooh, OS X is so much crap. One wonders how come three to five percent of the online population (and not necessarily the least interesting, in terms of stealable personal or professional data), and a few servers, too, can actually be running this OS at all, what with the “undisclosed vulnerabilities” that any hacker can exploit.

Well, that’s if you only read the ZDNet story (or the myriad copycats that’ll no doubt be published over the next few days) and don’t try to get more facts. If you do, you’ll find out that the challenge was very much rigged: all it took was filling out a form to create a user account you could ssh to. That is, you could remotely log in to the machine, as a regular user. And that never ever happens in real life: whether you’re using your home computer on the internet or setting up a webserver, outside people don’t have a valid login and password to your computer (unless your password is easily guessed, which is the case of most people but, hey, their loss) — not to mention that your ssh daemon (i.e., the remote-login server) is unlikely to be running at all (unless you decided to enable it for some reason, in which case it’s really, really your fault if your password is too easily guessed).

Not to minimize the vulnerability that was exploited here — it does exist, and it shouldn’t. Well, unless it’s a hoax, but it’s believable enough: not so long ago, if you had an account, you could actually exploit fast user switching to record everything other users viewed or typed on the computer while you had an open session in the background. But privilege escalation is a staple of computing, it’s inevitable, it’s everywhere, and even on Unix systems it’s a race between hackers and coders (which is where OS X gets its vulnerabilities — as I understand it, Apple tends to lag in implementing security patches as they are developed for its parent, BSD). That means you shouldn’t trust any stranger with an account on your machine, whichever operating system is installed.


Geez, and a few days ago I was criticizing how John Gruber was blaming the hypothetical user for opening a downloaded file without double-checking what it was. Well, there’s a difference here — in that case Windows is far from better (historically, I figure it’s been rather worse). Although OS X suffers from being based on a well-documented open-source operating system, the vulnerabilities of which are just as well documented, and not being fixed as quickly as it should because Apple engineers do seem to share a bit of the delusion that they’re safe no matter what. And that, as I said before, is worrisome indeed.


[03/07] As a reply, the more realistic Mac OS X Security Challenge, undefeated so far after 24 hours [via]:

Some have objected to this [new] test as doing nothing more than testing the security of apache or ssh on a PowerPC architecture. That is correct. And that is how most of the world will see Mac OS X externally. […]

The ZDNet article has been updated to include the sentence, “Participants were given local client access to the target computer and invited to try their luck.” [But with no explanation of what that implies.]
