this does not look good

[Choppaface]

http://www.theregister.co.uk/content/4/25891.html

considering OS X comes with apache, php, OpenSSH (be sure to check out about the new vulnerbilty), perl, etc etc....won't this mean big do-do?

 

[evildead]

ms IS EVIL

They sertanly are trying to make it hard for anyone else arnt they.

As for the SSH vulnerbilty, the was a fix for it a few days ago that disabled all the effected parts of OppenSSH, and today they came out with OppenSSH3.4. It fixes the problem and a few other little things. I have not compiled it for OS X yet and Im haveing some problems getting it to compile for Solaris8. Some kind of problem with finding some version of the ssl libcrypto. When I get home I will see if I can get it to work with OSX.


and if your not using SSH, then just turn it off. most home ussers dont use sshd. You can block it at your firewall (port 22) or turn off the deamon (sshd)

-evildead

 

[Choppaface]

is it on by default? i didnt see it in top

 

[krossfyter]

hey hey woooh whooh hold on...

can someone lay this down to me in "layman" terms. im sorry but im not a tech guy. just need someone to sum it up in a sentence or two using real worl ananlogies or what not.

 

[evildead]

laymans terms

ssh is a internet protocal for secure ftp and telnet. ftp and telnet are known for secrity problems. ssh is much better. OpenSSH is a open source version of it and very widely used. OS X comes with it built in. When you boot up, you should see it starting up in the window at boot time. I will have to look at home to see how to disable it at boot time in OS X. I think its in the system preffs. In unix, apps that run in the background are called demons. In this case its sshd that is running in the background. If your on a dial up or a frequently changing dinamic IP address, then you probably dont have anything to worie about.

Basicly, if you dont use it and you have a "on-all the time" internet connection, then you should turn it off the be safe or block it at your firewall. If you don't know if you using it or not... your not. There should be a new version of it rolled into what ever the next version of OS X is.

For the other tech talk I was doing... open source software is often distributed as just raw source code. You have to compile the code with a compiler for the particular computer language that it is writin in. Compilers take source code that is easy for humans to understand and write and change it into machine code or binary code (all the ones and zeros) If you installed the developer CD with OSX then you have the gcc C++ compiler all ready installed. Once a new open source app is out for a while, some one will test it and make whats called a package for each UNIX like OS. packages are installers that have all the pre-compiled binary files ready to go for your OS.

if you want to know about compilers, packages, or ssh, let me know... I could go on for hours... and I dont want to bore you if you dont want any more information than that.

-evildead

 

[Gelfin]

If you're worried, all the affected services can be turned off in the "Sharing" Preference Panel.

On the "File & Web" tab, if you see "Web Sharing On" click the Stop button underneath it. If "Allow FTP access" is checked, uncheck it.

On the "Application" tab, if "Allow remote login" is checked, uncheck it.

There you go. Hopefully Apple will roll out a security patch soon on Software Update.

 

[evildead]

Originally posted by Gelfin
If you're worried, all the affected services can be turned off in the "Sharing" Preference Panel.

On the "File & Web" tab, if you see "Web Sharing On" click the Stop button underneath it. If "Allow FTP access" is checked, uncheck it.

On the "Application" tab, if "Allow remote login" is checked, uncheck it.

There you go. Hopefully Apple will roll out a security patch soon on Software Update.

SSH is a separet package. Are you sure that those control panels turn off SSH? ftp has nothing to do with ssh. ssh is the alternative to ftp

 

[Taft]

Off by default

If you look at the Sharing pref pane, you'll see that allowing other computers to access your own is turned off by default.

You can see the effect of this by mucking through files in the /etc directory from the command line. ssh will be blocked by default.

Same goes for apache which has a vulnerability that was discovered a week or two ago. The average mac user has nothing to worry about.

STILL, it would be nice if Apple moved quickly on this. Security holes aren't good no matter how many users they effect.

Taft

 

[evildead]

I hear

I hear that there are some extra packages that Apple adds to ssh before they install it in OS X. That will make compiling the new version more difficult for OS X. I cant even get it to compile for Solaris right now!

-evildead

 

[evildead]

its out

For anyone that didnt know yet. All the SSH security problems have been fixed and Apple has put out a security udate package that will bring us up to date on SSH, and SSL.

Now if only I could get it to compile for my Solaris Servers. I havent seen any one put out a pre-compiled package yet.

-evildead

 

[sparkleytone]

who here has ever thought that m$ may in fact have a team of hackers that work full time trying to hack things like apache, ssh, etc??? i pretty much guarantee it happens...too bad for them those things get fixed faster than greased lightning

 

[FelixDerKater]

OpenSSH

Just download the Security Update Apple put out and the problem is solved...

 

[evildead]

Originally posted by sparkleytone
who here has ever thought that m$ may in fact have a team of hackers that work full time trying to hack things like apache, ssh, etc??? i pretty much guarantee it happens...too bad for them those things get fixed faster than greased lightning

Its a funny thought but it woudnt make a lot of sence to do it. MS has sooo many holes in their stuff that they should be worring about those and not Open source proplems (well... they do need to worrie about the open source code they deny that they use in Windows)

Normaly these secutiry problems found in open source code is found by the open scurce community. Thats the great thing about open source, its self policing. As soon as a problem if found, they jump right on it. MS finds a wecurity hole or some one points it out to them and they put out a gagorder for 30 days to any one that knows about it. They work on it, try to fix it, and then annouce 30 days after the fact, that it even exsists. Many open scurce programmers find MS holes and report them, one letter to MS and one posted for all too see. Its funny when geeks like me hear about the problem, disable the effected apps, then hear a month later that MS posted a security buliton about it.


-evildead