[futurebasic] Re: [FB] Re: ~Vars as parameters (warning: long & somewhat off topic)


From: Derek Smith <dereksmi@...>
Date: Fri, 27 Apr 2001 18:45:08 -1000 (HST)
On Fri, 27 Apr 2001, Michael S Kluskens wrote:

> You definitely don't follow network security.  There is one Unix
> system after another with such-and-such subsystem installed by default
> with a remote root level exploit.  I have several of the more recent
> ones referenced in my notes at work.  Some of the best ones off the
> top of my head, SGI ObjectServer controls part of the user interface
> and allows remote admin, for 2+ years there was a remote exploit to
> add a new user/password pair to the password file, this is 2 years
> where it was not publicly acknowledged by SGI or anyone.  Okay, all
> us smart boys are running TCPWrappers to restrict access to our
> machines, what do I discover, the X-Windows login (which can not be
> wrapped) does not obey its own Xaccess file, so you could pop a new
> account in remotely since ObjectServer can't be wrapped, then access
chop
> waiting for the next version of X-windows because it "is not their
> problem."  Okay, one you can read about was for Sun, subsystem
> installed by default with remote root exploit, pretty new, I think
> less than a month old.

What X-Windows and SGI have to do with OS-X I'd like to know.  The flaws
in the X-Window server do not translate over to Aqua's window server. Even
with the BSD subsystem installed, nearly all server features even remotely
like the services you describe are disabled by default.  So where does the
average user justify his fear of OS-X being hackable?

> Of course you must have missed the big one, what was it four or five
> vulnerabilities in BIND publicly revealed all at once earlier this
> year, since you obviously don't know what BIND is let's make it
> simple, virtually the entire Internet was at risk because of this, it
> was that bad.

I am quite well acquainted with BIND, and if I am not mistaken, it has a) jack
to do with OS X for everyday users, and b) BIND was patched to fix its
various exploits from 8.2.2 and down.  Under the forthcoming OS-X Server,
I would be interested in learning about any exploits I can find out about
before running it, but just about all Macs right now running OS-X are
using it as a workstation and possibly just running AppleTalk for file
sharing.  Nobody using Photoshop and surfing the net will have to worry
about this.

All these exploits you describe deal with services used on industrial
strength servers.  Explain to me why I should worry someone will hack my
Mac when telnet, ftp, and http, dns, etc are all disabled unless I
specifically turn them on in order to act as a server.

> Most of the experienced crackers won't tell you the time of day.  A
> company just got burned by a "well" known bug in Solaris 7 running on
> Intel chips, "well" known means you would not find it written up
> anywhere but to the crackers it is well known.

I do keep up with the cracking scene and while I won't pretend I know
everybody out there, I know enough people to know that there is no magic
key to turn that will break OS-X while I chat on hotline.

Sounds to me like you hate unix servers.  Why not try some of your
exploits on X yourself first before comparing it to Solaris?
