Another Look at Mac OS X Security

I take security exploits seriously. I'm responsible for many hundreds of Macintosh computers that reside in many different environments, not to mention half-a-dozen X-Serves, several of which are production boxes open to the world. When a security exploit is announced, I look to see if it will impact my workstations and servers and whether I need to take immediate action. And with the exception of the recent Safari exploit that was patched last week by Apple's Security 2006-001 Update, there hasn't yet been a single vulnerability that significantly affects my computers' operations. [Note, reader Brent points to a ZDnet article just published a few hours ago that claims Apple hasn't adequately fixed the Safari exploit in question].

So when an article claiming "Mac OS X hacked in less than 30 minutes" popped up on my news radar last night, I read through it and quickly dismissed it as a non-story, and a journalistically unsound one at that. Neither this article nor any of its copycats (more than six now) has bothered to even attempt to actually explain the "hack" or the "exploit." Plain and simple, folks, these articles are full of hype, empty of facts, and are bunk:

1) the person who set up this "hacking challenge" set up a script that created a non-admin user and password for anyone who wanted to try. SSH was enabled for each of these users. I mean, of course someone was able to get access to the box--he allowed them in! The "hacker" was then able to take advantage of an unpublished exploit to escalate his non-admin account to execute administrative tasks. This violates the very first and most important rule of securing a computer, by giving external access to users who shouldn't have it and don't need it. I certainly don't go around enabling SSH for my Mac users, do you? For the record, SSH (called Remote Access in the File Sharing System Preference) is disabled by default on Mac OS X workstations, and on Mac OS X Tiger Server there's even a GUI for allowing or disabling SSH access for different users. Mac OS X workstation users can modify the sshd_config file in /etc.

2) the built-in firewall in Mac OS X doesn't appear to have been turned on. Nor was this machine reportedly behind any other kind of firewall. Yes, of course some people are going to connect their Macs directly to their broadband lines without any kind of firewall or NAT/router in between, but I bet it's a lower number than you might think. Even a simple layer of NAT is better protection than nothing. Go ahead, Mr. Hacker/Script Kiddie, you can pound on my router all you want, but without port forwarding, you're probably not going to get very far unless you hijack the router itself, and then the security flaw is with the router, not the OS.
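As an added example (not from the original post), here is a small POSIX sh audit of the sshd_config that the first point mentions, run against two constructed sample configs: one mirroring the contest setup, where any local account with a password can log in, and one that restricts SSH to a named group using keys only. The /etc/sshd_config path and the group name sshusers are assumptions.

```shell
#!/bin/sh
# Audit an sshd_config for the exposure described in the post: every local
# account, including throwaway non-admin ones, reachable over SSH with just a
# password. Constructed samples are embedded below; point it at
# /etc/sshd_config (Mac OS X, assumed path) to audit a real host.

# Effective value of a directive: sshd honours the first occurrence of a
# keyword, and anything below a Match block is conditional, so stop there.
sshd_get() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# Print one finding per line; empty output means nothing was flagged.
audit_sshd_config() {
    cfg="$1"
    if [ -z "$(sshd_get "$cfg" AllowUsers)" ] && [ -z "$(sshd_get "$cfg" AllowGroups)" ]; then
        echo "no AllowUsers/AllowGroups: every local account may log in over SSH"
    fi
    if [ "$(sshd_get "$cfg" PasswordAuthentication | tr 'A-Z' 'a-z')" != "no" ]; then
        echo "PasswordAuthentication not 'no': a known password alone grants a shell"
    fi
    if [ "$(sshd_get "$cfg" PermitRootLogin | tr 'A-Z' 'a-z')" != "no" ]; then
        echo "PermitRootLogin not 'no'"
    fi
}

# Number of findings, for use in scripts.
finding_count() { audit_sshd_config "$1" | wc -l | tr -d ' '; }

OPEN_CFG=$(mktemp); HARDENED_CFG=$(mktemp)
trap 'rm -f "$OPEN_CFG" "$HARDENED_CFG"' EXIT

# Constructed sample 1: the contest setup, any account with a password gets in.
cat > "$OPEN_CFG" <<'EOF'
Protocol 2
PasswordAuthentication yes
EOF

# Constructed sample 2: key-only access, limited to one admin-maintained group.
cat > "$HARDENED_CFG" <<'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers
EOF

echo "open config: $(finding_count "$OPEN_CFG") finding(s)"         # 3
audit_sshd_config "$OPEN_CFG"
echo "hardened config: $(finding_count "$HARDENED_CFG") finding(s)" # 0
```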

Look, I'm not even trying to defend Mac OS X here. Yes, there are certainly some security vulnerabilities that Apple (and others) have uncovered and then patched. And there are definitely some that are undisclosed and undiscovered. However, this schmoe's "hacking contest" is ridiculous. It's like someone parked their car in a public lot and then taped keys to the car all over its hood.

I'm also not saying that we Mac users should ignore security measures. Of course we should pay attention to the security incidents that come about in Mac OS X, just as we should pay attention to the inevitable viruses and/or Trojans that will attempt to invade our computing platform. However, these articles are poorly written and laughable jokes, and now I'm seeing bloggers reposting that "Mac OS X can be hacked in less than 30 minutes," adding to the echo chamber of misinformation. This machine was compromised from the inside with a known user account and password and with a granted attack vector (ssh)!

Good sysadmins are paranoid, and we're going to watch the development of our operating system and take measures to protect it as it grows in popularity. But when it comes to evaluating the security of this operating system, I'm going to pay attention to the people who work with it every day, not the PC-oriented technology writers who've likely never even used Mac OS X, let alone configured its excellent built-in security measures. Such people can be found on the Mac Enterprise and Radmind mailing lists, and Apple's Mac OS X Server mailing list, just to name a few. And so far, they're not running around screaming that the sky is falling (unlike some PC magazine "technologists"), so why should we?

In the meantime, Mac sysadmin Dave Schroeder at University of Wisconsin Madison has set up a Mac of his own as an "out-of-the-box" security challenge. You can read more about it here and even take a shot at compromising it. Note that Dave's Mac security challenge does not give you the crutch of a user account and ssh access, which is a much more realistic scenario.
This article was originally published on Tuaw.