People are way too paranoid these days. Especially mac users. They're going completely insane lately. You've got Symantec claiming that Mac OS X is at risk for malware. Despite the fact that in 4 years since OS X's release (Happy Belated Birthday, Mac OS X!) there hasn't been one virus or "valid" trojan. Downloading an under 200k file off a peer to peer network that claims to be Microsoft Word (one of the most bloated apps on the mac) is not valid. Nor are concepts. Then you've got that silly root kit called John the Ripper. The problem with root kits is that they're only really useful if you already have access to the machine. In the case of John the Ripper/Opener you had to have already had administrator access to install the thing. So chances are the guy that had it installed on his computer had let someone use his computer that he shouldn't have.
Now Symantec has vested interest in making mac users paranoid and scared. The more paranoid or scared their customers are, the happier Symantec is since they sell anti-virus software. The funniest thing about them trying to say that OS X is a malware target is the fact that just a few months ago a vulnerability was found in Symantec's file scanning libraries. So their antivirus software could be used as a vector to spread viruses. Go figure. My point is that even if viruses on the mac increased two thousand percent, that'd still mean zero viruses on the mac.
What's worse is that people always try to claim OS X has nothing because it is such a small target. That claim doesn't work. We have a virus for mobile phones and a virus for a firewall that less than a hundred thousand people use (which I can't seem to find right now). These things are much, much smaller targets than OS X yet they have viruses written for them. Why is it so hard to believe that there are no viruses for OS X just because OS X is better engineered? Most of the things I see nowadays exploit buffer overflows. And you see security fixes for such overflows on OS X all the time. The issue here is it is much harder to run executable code from a buffer overflow on the PowerPC than it is from an x86 chip. On the x86 basically any memory is executable. On the PPC you have to make sure it goes into the two separate caches (data and instruction) in a very specific manner. Depending on the program, such an exploit may only run executable code 16% of the time. The rest of the time, it will just crash. People much smarter than I have explained this much better than I am capable of. See Harvard architecture for more information.
The entire point of my putting together this random assortment of sentences is a recent posting to MacInTouch. This posting has got to be the most paranoid thing I've read in a while. People are assuming that just because a specific command shows results, their computer must be the target of a hacking attempt. Someone is definitely out to get them. It can't possibly be a problem that lies between the keyboard and chair, can it? The command given is:
sudo grep "failed to auth" /var/log/secure.log \
| sed 's/^.*user \(.*\) for.*$/\1/' | sort | uniq -c
And based on the result of this command, people are totally freaking out. News flash: the results mostly mean nothing. /var/log/secure.log logs every failed authentication attempt. This includes when the user types in a bad password or a bad username in an authorization dialog. For example, if I open /System/Library/ in the Finder and try to delete the "Fonts" folder, the Finder will show me an authorization dialog. If I type in "Silly Monkey Banana" and any random password, it gets logged to secure.log. As such:
[aluminum-stability:~] rosyna% sudo grep "failed to auth" /var/log/secure.log | sed 's/^.*user \(.*\) for.*$/\1/' | sort | uniq -c | grep -i monkey
1 Silly Monkey Banana
See, this does not mean someone on the internets was trying to attack my computer. It just means that I'm an idiot and typed a name that couldn't possibly exist on my machine. The same thing goes for the guy that said: "I just tried the tip which suggests this unix command: as a way of checking if someone's trying to break in. I was extremely disturbed to see, in the list, my actual password, in cleartext! Is this a huge security flaw, or what? Please advise!" No, no one is trying to break into his computer. He's just typed his password into the username field of an authorization dialog. Who hasn't at least once?
The only valid output from this is how often root is listed. The majority (if not all) of the others are due to user error. The other accounts listed such as mysql, nobody, whatever don't even have shell accounts. On my G5 root is listed 8358 times, which likely means there is a scanner out there searching for computers with SSH open, root accounts, and weak passwords. Since OS X ships with the root account disabled, there is no reason for me to worry. Furthermore, the root account on OS X should never be enabled. There is no reason for it and there is a huge security risk. I've gone these 4 years without ever enabling root. Being root assumes you know exactly what you're doing, and making typos could mean the death of your computer. It also won't bother to check if a file is in use or not before allowing you to delete it. If you need to do anything as superuser, use sudo. You can even launch individual applications with sudo. And because of the huge security (and accident) risk involved with being root, we've designed APE to not even run under root. And if the root account isn't enabled, dictionary attacks against it can't possibly work.
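To make the reading of secure.log described above concrete, here is an added example (my own code, not part of the original post) that does in one pass what the grep | sed | sort | uniq -c pipeline does, then splits the failed attempts the way the post reads them: root (the only figure worth watching), real local accounts (the owner mistyping a password) and names that do not exist (typos, or a password typed into the username field). It also counts the " authenticated user" lines, which is the "who actually got in" variant a commenter suggests further down. The sample log lines are constructed and their exact layout is assumed; the only thing the parsing relies on is the "... user NAME for ..." shape that the page's sed expression already assumes, and the host name and account names are taken from the post.

```python
import re
from collections import Counter

# Added example (not from the post): one-pass equivalent of
#   grep "failed to auth" /var/log/secure.log | sed 's/^.*user \(.*\) for.*$/\1/' | sort | uniq -c
# plus the " authenticated user" variant. The greedy "user (.*) for" mirrors
# the sed expression exactly.
FAILED_RE = re.compile(r"failed to auth.*user (.*) for")
SUCCESS_RE = re.compile(r" authenticated user (.*) for")

# Constructed sample lines. The exact secure.log layout is assumed here;
# only the "... user NAME for ..." shape the page's sed relies on matters.
SAMPLE_LOG = """\
Mar 27 16:50:02 aluminum-stability sshd[410]: failed to authenticate user root for sshd
Mar 27 16:50:05 aluminum-stability sshd[411]: failed to authenticate user root for sshd
Mar 27 16:50:09 aluminum-stability sshd[412]: failed to authenticate user root for sshd
Mar 27 16:52:14 aluminum-stability sshd[413]: failed to authenticate user admin for sshd
Mar 27 17:01:33 aluminum-stability Finder[220]: failed to authenticate user Silly Monkey Banana for Finder
Mar 27 17:02:10 aluminum-stability Finder[220]: authenticated user rosyna for Finder
Mar 27 17:05:44 aluminum-stability sudo[520]: failed to authenticate user rosyna for sudo
Mar 27 17:05:50 aluminum-stability sudo[521]: authenticated user rosyna for sudo
"""


def count_matches(log_text, pattern):
    """Count the account name captured by `pattern` on each matching line
    (what grep | sed | sort | uniq -c produces, as a Counter)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def classify_failures(log_text, local_accounts):
    """Bucket failed attempts the way the post reads them:
    'root'    - the only figure worth watching (scanners guessing root over ssh)
    'local'   - real accounts, normally the owner mistyping a password
    'unknown' - names that do not exist here: typos, or a password typed
                into the username field (if one of these is a password, it
                now sits in the log in cleartext, so change it)"""
    buckets = {"root": 0, "local": 0, "unknown": 0}
    for name, n in count_matches(log_text, FAILED_RE).items():
        if name == "root":
            buckets["root"] += n
        elif name in local_accounts:
            buckets["local"] += n
        else:
            buckets["unknown"] += n
    return buckets


def successful_logins(log_text):
    """Who actually authenticated: the count that matters if root is enabled."""
    return count_matches(log_text, SUCCESS_RE)


if __name__ == "__main__":
    print("failed:", dict(count_matches(SAMPLE_LOG, FAILED_RE)))
    print("buckets:", classify_failures(SAMPLE_LOG, {"rosyna"}))
    print("succeeded:", dict(successful_logins(SAMPLE_LOG)))
```

Run against the constructed log, the root bucket is 3, the local bucket is 1 and the unknown bucket is 2 (the "admin" guess plus "Silly Monkey Banana"), while the only successful authentications belong to rosyna. The local account set is passed in explicitly so the same check works for a machine with several real users.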
Thank you, Rosyna, for finally setting the record straight. *High five*
Posted by: Joe Kohlmann on March 27, 2005 5:04 PM
so wait.
What you're telling me is that the sky is NOT falling in?!
You've told and proven this to me for years, but this time there is just too much hype, I don't think I can believe you.
See you on the (at least honest) windoze side!
Good bye cruel mac world!
Posted by: Saint on March 27, 2005 5:04 PM
I actually had to enable root once or twice back in the day but since 10.3 I have never had the need.
You know a little more about it than I do (that stuff about caching and whatnot) but I have been meaning to cover this exact topic on either my personal blog or The Apple Blog.
Posted by: Twist on March 27, 2005 5:18 PM
In general I've found that people are way too paranoid about these "advisories". No one says that OS X is perfect, otherwise Apple would have called it final already and stopped throwing money at it. But simply OS X doesn't see the kinds of vulnerabilities that Windows has.
As Rosyna points out, x86 (until very recently, and only with OS support that didn't exist until XP sp2) doesn't differentiate between instruction and data pages, allowing you to scribble code anywhere and execute it. And the fact that all processes by default share a 2GB memory segment just makes it that much easier.
And for YEARS security experts have been saying that security through obscurity is meaningless. It seems that when a virus appears on a platform with
Posted by: Rincewind on March 27, 2005 8:27 PM
Rosyna wanted me to explain the Harvard architecture a bit, so here goes.
The biggest issue in system design is getting stuff to the CPU as fast as possible. This is where caches come in. And the more specialized a cache is, generally the faster it is. Specifically the Harvard architecture specifies separate Instruction and Data caches (technically it specifies separate data/instruction memory systems, but this is usually far too expensive). This is why you often hear and see terms like L1I and L1D cache. The L1I cache is more specialized than a typical cache. Specifically, it doesn't allow you to write to it. This means that if you want to reload code (for example self-modifying code tricks that used to be used back in the 70s/80s) you need to flush the cache line that it belongs to in the L1I cache.
What this means for buffer overflow vulnerabilities is that you need a specific sequence of events in order to get your code into the cache. In addition, Mac OS X supports execute permission tests on each page in system memory, so if you write your carefully crafted code into a data-only page, you will almost certainly not be able to execute it. And if you try to write to an executable page, you will typically cause the program in question to terminate since OS X marks executable code pages as read-only. It is possible for a page to be marked as writable and executable, but this is a rare configuration in practice.
Now, assuming you manage to get your code somewhere that it can execute. The most likely method that you did this was to overwrite some code on a page that was marked writable. You have no idea when your code will be executed. Why? Simple, it goes back to the caches again. Since L1I assumes that instruction memory is not writable, if it is still caching the code that was there previously then your code won't execute. If this is "hot" code (code that executes fairly often) then it may never be removed from the cache. And even after all this, unless the application in question has a vulnerability in it, you only have the permissions level of that application. All that work and you don't even get an escalation for free.
Posted by: Rincewind on March 27, 2005 9:05 PM
Very insightful post mate! These kinds of posts inspire others to blog. http://theflanneleffect.com/?p=28
Posted by: Chris McElligott on March 28, 2005 2:12 AM
How come the icon of this site looks just like the Windows symbol?
Posted by: Bonkers on March 28, 2005 5:39 AM
I was in no hurry to bog down my system with useless Symantec software. Great post.
Posted by: NetworkShadow on March 29, 2005 8:09 AM
So all this means is that I mistyped my password 15 times and once as sudo. Wow, it's great that I can go back and see how many times I've been an idiot and put in the wrong password. Well, time to get back to real work.
Thank you Rosyna. Great article - which is another reason why I believe OS X will never be hacked like Windows. Our user base is more informed, and (dare I say it) more loyal. Nothing personal against Wintel users (some are both Mac and Win users), but we take our platform choice very personally - we've had to - we've put up with years of immature Mac-bashing from uninformed people, friends, Circuit City employees and pseudo-journalists.
I am glad to finally hear real Mac users explain that the reason OS X is more secure is that it's considerably more difficult to hack, while Windows is a playground of exploits. Kudos.
Posted by: Jason on March 29, 2005 11:43 AM
Is there a more detailed document regarding the "do not activate root" statement?
Posted by: redAPPLE on March 29, 2005 12:48 PM
This is very much the voice of reason. While there are few threats to OSX as of now, one still is the worst: the user. When in some near time a true OSX virus shows up, it will likely only be a threat to those that don’t follow proper computer sanitation. Every viral infection at my work was started by some user downloading and/or installing malicious code without intending to. I bet that some inventive person will manage to create an email for OSX users that shows them how to enable Root and delete some sort of important file to “protect” their computer. Social engineering is a much easier way to create damage to a computer system than writing code.
Posted by: Eniregnat on March 29, 2005 1:16 PM
As I said on my DT blog, virus writers and hackers are pretty proud people, and with the amount of bragging from Mac users you would have expected to see a virus or something by now if it was possible to do damage. But as has been shown, the most dangerous thing you can do so far is trick the user into thinking your virus (now classed as a trojan) is something else, and even then the worst you can do is delete files made by that user (i.e. their home folder).
Posted by: Pilky on March 29, 2005 1:32 PM
Just a heads-up: Root is enabled by default on XServe, and I had more than 3,200 failed attempts against it in a little less than 48 hours this week.
The box (primarily a webserver) has two admin accounts, mine and one that has only been used once.
It has been up roughly five weeks.
Posted by: jdwest on March 29, 2005 7:30 PM
Well redApple, basically root is god on that computer. You can do anything, and you are never challenged as to whether you should be able to do it or not. The only thing more dangerous than activating the root account is doing so with a weak password. And let's face it, 90+% of us use relatively weak passwords, simply because it is difficult to remember strong passwords (for most of us at least). A strong password is something like "thI51s@s+r0ng55478pa5sw0rd". Something like "banana22" is not. People who want to break passwords typically have time on their side - they can afford to run a dictionary attack and hope for low hanging fruit. But a dictionary attack is worthless if the login they are attempting to attack doesn't exist (or is disabled).
Posted by: Rincewind on March 29, 2005 9:55 PM
Way more interesting is:
sudo grep " authenticated user" /var/log/secure.log \
| sed 's/^.*user \(.*\) for.*$/\1/' | sort | uniq -c
here you see who actually got in
Posted by: _lars on March 30, 2005 1:17 AM
If you want to have a secure ssh, why don't you add just one account under 'AllowUsers' in your /etc/sshd_config? Only the patterns listed there are allowed to log in. If you don't put root there you should be relatively safe (e.g. root can never log in even if the attacker guessed the right password).
Posted by: _lars on March 30, 2005 1:25 AM
I ran the grep command and I got only 13 root attempts between December 31st and March 30th - and I am ALWAYS on the internet.
I guess the Mac both hardware and software designs are so sexy that they don't attract unhealthy attention :-)
I would never activate root, even though I had that bad habit in my previous Unix (System V, HPUX...) incarnation. sudo works perfectly and covers ALL situations.
Thank you very much for the clarification specially regarding the "Harvard Architecture". Very instructive.
I just wanted to point out that viruses don't require exploits or buffer overflows. The definition of a computer virus is a self-replicating bit of code that spreads.
There's nothing that makes OS X more immune to this sort of code than any other operating system. The only thing keeping the 200k fake Office malware from being a virus is a mail server and a disk image or .sit of itself.
I think the only thing that protects us as Mac users is that we, in general, are not the kind of weenies that Windows users are. The fact that Mac users are in many ways a very self selecting group helps us immensely.
Posted by: Tom on March 31, 2005 6:36 PM
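Two settings decide whether the root noise in secure.log can ever turn into a login over ssh: the post's point that root stays disabled, and _lars's suggestion above of an AllowUsers line in /etc/sshd_config. As an added example (my own code, not from the post or any commenter), here is a small audit of an sshd_config for exactly those two settings, run against a constructed weak configuration and a constructed hardened one. It assumes the OpenSSH behaviour that the first occurrence of a keyword wins and that an absent PermitRootLogin defaulted to "yes" in the OpenSSH releases of the time; the account name is taken from the post.

```python
# Added example (not from the thread): audit an sshd_config text for the two
# settings that make guessed root passwords useless at the ssh layer.
# Both configuration texts are constructed, not copied from any machine.
WEAK_CONFIG = """\
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
AllowUsers rosyna
PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Effective keyword -> value map. Comments and blank lines are ignored,
    keywords are case-insensitive, and sshd honours the first occurrence of a
    keyword, so later duplicates are not allowed to override it."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means both checks pass.
    An absent PermitRootLogin is treated as 'yes' (assumed OpenSSH default
    of the era), so a missing line is reported, not silently accepted."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("permitrootlogin", "yes").lower() != "no":
        findings.append("PermitRootLogin is not 'no': a guessed root password "
                        "would be accepted if root were ever enabled")
    if not s.get("allowusers"):
        findings.append("No AllowUsers line: every account with a shell is a "
                        "valid ssh login name")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit_sshd_config(cfg) or ["ok"])
```

The weak configuration produces two findings (the commented-out PermitRootLogin line counts for nothing, and there is no AllowUsers), while the hardened one produces none. Keeping the parser separate from the checks makes it easy to add further keywords later without touching the first-occurrence logic.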