MAC OS X SECURITY? OVERHEARD A STUPID.....
jc0481
Jun 2, 2005, 09:48 AM
I recently overheard two techies in my college talking of course about Linux then they talked about Mac OS X which really interested me. First they were talking about how bad Windows security is which I agree with them, then if Linux and Macs only existed and Windows has a small market share the world would be a better place. Then one of the techies said "but in OS X you could log in as root and "reset" the password". I think he was insisting that anybody could just walk on by and change the password and have total control over the Mac. I just would like to know you people's opinion on this. Thanks
jaseone
Jun 2, 2005, 09:55 AM
I can't see how... even if you have automatic logon switched on you would still need to supply your current password to change your password or do anything that needs root privileges.
Although if someone has physical access to your computer then unless you store everything encrypted you are pretty much screwed no matter what with any operating system as they could just pop in something like a Knoppix Live CD, mount your file systems and do whatever they like.
Physical security is something people often overlook when locking down their systems.
Well, yes, on most Macs you can - with an OS X install DVD - boot from the DVD and reset the root password and log on. Assuming no one bothers you while doing that.
If you've locked down your Mac appropriately, then that person would need to open the Mac, change the RAM configuration, then boot from the DVD and change the root password.
It's not like you can just walk over and, ten seconds later, control the machine.
Of course, if they think it's that easy, just have them show you at a local Apple Store.
JeDiBoYTJ
Jun 2, 2005, 10:00 AM
You can do that with Windows too. Booting into Safe Mode activates the hidden "Administrator" user, which is able to reset passwords, and change other user settings. I've done it many times.
dsharits
Jun 2, 2005, 10:04 AM
It's not nearly as easy as it sounds. It's not possible to log in as root and change the password without having the current password. Like it was already mentioned, the only way to change the password is with an install DVD. They make it sound easy, but it's really not possible. FileVault is even more impossible to get past.
James Philp
Jun 2, 2005, 10:15 AM
I guess this is a reason never to keep your Tiger DVD with your computer - dope.
But my computers are either behind lock and key or in my bag (both usually).
Of course, if someone has physical access to your Mac, and they are at all tech savvy, they could do all sorts of things - for one they could simply steal the Mac!
On the other hand, OS X is EXTREMELY difficult to hack remotely, which is the main point these days, and it's what Windows doesn't have.
It is unheard of that someone has hacked a Mac from a remote site without the user giving them (manually) an administrator password as far as I know.
CubaTBird
Jun 2, 2005, 10:15 AM
I think OS X is secure as it is... I mean heck, the irony here is that most of its code is open source and available on Apple's dev page so you would think that if hackers really wanted to hack OS X they could easily do so.. but then I figure because OS X only has 5% of the market... the probability of getting attacked is virtually small.
yellow
Jun 2, 2005, 10:23 AM
It is unheard of that someone has hacked a Mac from a remote site without the user giving them (manually) an administrator password as far as I know.
Not true at all. There are a variety of attack vectors. Unpatched apache, ssh, OS pieces, etc. It's definitely happened. Unfortunately, the ease of setting up OS X and some of its nicer services makes it a rich target for attack. Grandma Jones doesn't know or care about security, but she does want to show those pictures of her grandchildren on her website!
My problem with the whole market share thing is yes, Windows is a riper target. Yes, Mac OS X has a significantly smaller market share. But we're talking about 10s of millions of Mac OS X boxes out there! If a hacker wanted to hit a Mac, there's plenty to choose from. It might take you a little longer to find one, but they are there.
You can follow all sorts of "best practices" to protect yourself, but if malicious dude A has physical access to your computer (no matter what flavor it is), you are in danger. End of story.
As for needing root to change passwords, naah..
Single User Mode -> use niutil to change the password properties. That should work, no?
Good time to use the OF Password!
Single User Mode -> use niutil to change the password properties. That should work, no?
Good time to use the OF Password!
Wow. I'm so used to setting up the OF password that I completely forgot that it isn't something everyone does....
yellow
Jun 2, 2005, 10:43 AM
Wow. I'm so used to setting up the OF password that I completely forgot that it isn't something everyone does....
Same here. I expect because it's 1) not something they think/know about and/or 2) yet another password they fear to forget.
James Philp
Jun 2, 2005, 10:44 AM
Not true at all. There are a variety of attack vectors. Unpatched apache, ssh, OS pieces, etc. It's definitely happened. Unfortunately, the ease of setting up OS X and some of its nicer services makes it a rich target for attack. Grandma Jones doesn't know or care about security, but she does want to show those pictures of her grandchildren on her website!
So surely someone has created a way to infiltrate OS X? I can't believe that if it is possible no-one has done it yet, even out of pure interest?
P.S. Don't you need administrator passwords to change anything in the system folders?
yellow
Jun 2, 2005, 10:55 AM
So surely someone has created a way to infiltrate OS X? I can't believe that if it is possible no-one has done it yet, even out of pure interest?
Beyond proof-of-concept viruses & rootkits? Apparently not. But, I don't run in hacker/cracker circles, so I'm certainly not in the loop on this one. I suspect that there are people working on it. If not a MS-fanboi looking to shut up all the Apple-fanbois, then a serious hacker. But I think it's more subjective than looking for viruses and trojans. All it takes (generally) is a talented individual who took the time and energy. Probe, probe, probe until you find a hole to exploit. Exploit it and you're in. Then leave it alone until you need it. I think there's a low % of Mac OS X users that are serious about their security. They might never notice. I might never notice and I like to think I'm fairly serious about security.
I'm curious about "Switchers". Will people jumping ship because of security problems mean that there will be more Macs with better security because these people are used to doing things that way? Or will there be more Macs with less security because "you don't have to worry about that on a Mac", and people get lazy? Only time will tell. IF Apple gains any marketshare out of this, it'll be years before we see it.
P.S. Don't you need administrator passwords to change anything in the system folders?
Not in Single User Mode. In SUM, you're automatically equivalent to root. Unless you're meaning something else.
Good time to use the OF Password!
Okay, I'll bite. What the hell is the OF Password?
yellow
Jun 2, 2005, 11:12 AM
Okay, I'll bite. What the hell is the OF Password?
Open Firmware Password.
http://www.apple.com/support/downloads/openfirmwarepassword.html
Open Firmware Password.
http://www.apple.com/support/downloads/openfirmwarepassword.html
Sweet. I've downloaded and will be running it here shortly.
yellow
Jun 2, 2005, 11:25 AM
Just don't forget that you've got it installed (and don't forget that password!) and freak when you can't boot from a CD. Which I did shortly after I started using it back in the day. :D Much cursing and sobbing ensued..
csubear
Jun 2, 2005, 11:27 AM
Just about every *nix I know of can be booted into single user mode, and have the root password changed. That is unless you put a password on your bootloader.
Chrispy
Jun 2, 2005, 11:30 AM
This thread just made me remember how dumb the IT department is for the company with whom I am employed. We use all Windows 2000 pro machines at work and one of our graphics designers got a DP G4 system a few years back. He never hooked it up to the network and we went on like that for a few years. Then, when he was let go the new designer wanted to network the mac so he could use our high resolution laser printers for photo sheets and what not. The IT guy actually told us "there is no way I'm putting a MAC on this network! Those things are full of viruses and they have horrible security!" I almost soiled myself right there. It took A YEAR for us to convince him to let us put the mac on the network.... yes, this is what I have to deal with at work..... :(
yellow
Jun 2, 2005, 11:38 AM
That seems to be a pretty common excuse for IT people who know nothing of Macs. Since that excuse always works for Windows, why not apply it to a Mac? :)
IJ Reilly
Jun 2, 2005, 11:54 AM
How many people actually use an open firmware password? Granted it's the ultimate lock-down for the Mac, but outside of a computer lab environment, how useful is it really?
Sweet. I've downloaded and will be running it here shortly.
Note that this is only for pre-Tiger versions. The Tiger version comes on the install disk.
yellow
Jun 2, 2005, 12:05 PM
but outside of a computer lab environment, how useful is it really?
That depends on your level of paranoia, I think.
Note that this is only for pre-Tiger versions. The Tiger version comes on the install disk.
Yup, I'm pre-Tiger on my work box still. At home I'll have to search out the install disk.
That depends on your level of paranoia, I think.
The IT guys at work are out to get me, so it's in my best interest to install this.
tdhurst
Jun 2, 2005, 12:56 PM
I think OS X is secure as it is... I mean heck, the irony here is that most of its code is open source and available on Apple's dev page so you would think that if hackers really wanted to hack OS X they could easily do so.. but then I figure because OS X only has 5% of the market... the probability of getting attacked is virtually small.
Are you kidding? Imagine the acclaim and prestige a hacker would gain by defeating an "impenetrable" system.
There have been a few rewards offered by various companies with cash prizes to those able to hack into Apple computers using only regular security settings. It has not been accomplished yet.
jaseone
Jun 2, 2005, 01:39 PM
Not true at all. There are a variety of attack vectors. Unpatched apache, ssh, OS pieces, etc. It's definitely happened. Unfortunately, the ease of setting up OS X and some of its nicer services makes it a rich target for attack. Grandma Jones doesn't know or care about security, but she does want to show those pictures of her grandchildren on her website!
But Grandma Jones isn't going to run an Apache server on her computer & serve the files up from there and I don't see how using iPhoto to publish photos to .mac poses a security risk for her local computer.
As for needing root to change passwords, naah..
Single User Mode -> use niutil to change the password properties. That should work, no?
Good time to use the OF Password!
So in single user mode you can change the password without knowing the current one? That isn't too smart...
I hadn't even thought of setting up an OF password though as unlike Wintel machines you don't get to see the usual BIOS stuff on Macs that sets off that little reminder in your head that you really should set up BIOS passwords one day.
tdhurst
Jun 2, 2005, 01:42 PM
You CAN create an open firmware password that will require anyone who wants to start up from anything other than the HD to know the password, therefore disabling the ability to even have a chance to guess the user password.
yellow
Jun 2, 2005, 02:01 PM
But Grandma Jones isn't going to run an Apache server on her computer & serve the files up from there and I don't see how using iPhoto to publish photos to .mac poses a security risk for her local computer.
I'm not talking about .Mac. And it's not hard for Grandma to start apache. All she has to do is click on the Personal Web Sharing Start button in the Sharing prefpane. She puts her pictures in her ~/Sites and away she goes. This stuff is all in the Mac Help.
whooleytoo
Jun 2, 2005, 02:58 PM
I'm confused, what do you guys mean when you say OSX "hasn't/can't be hacked"?
Probably the most dangerous security risk (spyware) could be implemented quite easily on OSX, and distributed as a Trojan.
IJ Reilly
Jun 2, 2005, 04:13 PM
That depends on your level of paranoia, I think.
Sure, but I was wondering how often open firmware passwords are actually used. I work in a home-office situation so obviously I'm not worried, unless the cats decide to get creative (the only hacking they ever do... oh, never mind!).
The way I look at it, if anybody really wanted my data that badly they'd just boost my entire computer.
Les Kern
Jun 2, 2005, 04:55 PM
Just don't forget that you've got it installed (and don't forget that password!) and freak when you can't boot from a CD. Which I did shortly after I started using it back in the day. :D Much cursing and sobbing ensued..
I have 300-400 wireless laptops and wanted a way to safeguard them if stolen. I tried a product called MacPhoneHome, but it could be easily deleted with an install CD. I then looked at OF password. Guess what? It can be easily bypassed.
(1) Install or remove a stick of ram.
(2) Zap the Pram 3 times in a row.
(3) you're done.
SO what is the solution? None beside making sure you have insurance and a few spares. When a REAL method for security is invented, get back to us.
tdhurst
Jun 2, 2005, 06:38 PM
Open firmware prevents those who don't know the password from bypassing the option to start up from a different drive or cd. So, even though they had your computer, the password protection wouldn't be bypassed.
IJ Reilly
Jun 2, 2005, 10:19 PM
Open firmware prevents those who don't know the password from bypassing the option to start up from a different drive or cd. So, even though they had your computer, the password protection wouldn't be bypassed.
Not really. They could remove the hard drive and put it in an enclosure or another computer. Not being able to boot off the drive does not secure the data on the drive.
tech4all
Jun 2, 2005, 10:32 PM
What is this root password? Is it the same as the admin account password? :confused:
panphage
Jun 2, 2005, 10:58 PM
I have 300-400 wireless laptops and wanted a way to safeguard them if stolen. I tried a product called MacPhoneHome, but it could be easily deleted with an install CD. I then looked at OF password. Guess what? It can be easily bypassed.
(1) Install or remove a stick of ram.
(2) Zap the Pram 3 times in a row.
(3) you're done.
SO what is the solution? None beside making sure you have insurance and a few spares. When a REAL method for security is invented, get back to us.
An attacker with that kind of time and access can do whatever they want to whatever computer regardless of platform. Computer security (and car security and chaining your bike and locking your front door) isn't based on thwarting all possible attacks in all possible situations, it's designed to either slow someone down enough that they can be caught in the act or to make it so hard that the risk/reward ratio isn't in their favor.
SO what is the solution? None beside making sure you have insurance and a few spares. When a REAL method for security is invented, get back to us.
Well, there's always FileVault (which I personally find a bit too worrisome - everything goes kaput if a bit gets twiddled by accident on the disk) or using encrypted folders, which seems pretty solid.
Yes, you can gain control of any Mac if you have it alone long enough, but that doesn't mean you can get to the data, which is what's important.
What is this root password? Is it the same as the admin account password? :confused:
"root" is the super-user on any *nix platform. That account can do anything, see anything, change anything. It's dangerously powerful. On OS X, it's disabled by default. You need to go into Utilities->NetInfo Manager->Security, Authenticate yourself, and then turn it on. Unless you know what you're doing, there's no reason to use that account or even to allow it to be enabled.
tech4all
Jun 2, 2005, 11:19 PM
"root" is the super-user on any *nix platform. That account can do anything, see anything, change anything. It's dangerously powerful. On OS X, it's disabled by default. You need to go into Utilities->NetInfo Manager->Security, Authenticate yourself, and then turn it on. Unless you know what you're doing, there's no reason to use that account or even to allow it to be enabled.
Thank you.
Is there a separate password for the root though? The way I read this thread it seems as though the root password is different from the normal account password(s)?
yellow
Jun 3, 2005, 08:05 AM
SO what is the solution? None beside making sure you have insurance and a few spares. When a REAL method for security is invented, get back to us.
Heh, this seems like a bit of an attack on me. :) I am well aware of being able to defeat OF passwords.. now... This was before the work-around for OF became so highly publicized. 3 years ago or so.
And to quote myself:
You can follow all sorts of "best practices" to protect yourself, but if malicious dude A has physical access to your computer (no matter what flavor it is), you are in danger. End of story.
yellow
Jun 3, 2005, 08:06 AM
What is this root password? Is it the same as the admin account password?
If you have to ask, I wouldn't worry about it.