MAC OS X SECURITY? OVERHEARD A STUPID.....

jc0481

macrumors regular
Original poster
Mar 16, 2005
222
0
I recently overheard two techies in my college talking of course about Linux then they talked about Mac OS X which really interested me. First they were talking about how bad windows security is which I agree with them, then if LInux and Macs only existed and Windows has a small market share the world would be a better place. Then one of the techies said "but in OS X you could log in as root and "reset" the password". I think he was insisting that anybody could just walk on by and change the password and have total control over the Mac. I just would like to know your people opinion on this. Thanks
 

jaseone

macrumors 65816
Nov 7, 2004
1,245
57
Houston, USA
I can't see how... even if you have automatic logon switched on you would still need to supply your current password to change your password or do anything that needs root privileges.

Although if someone has physical access to your computer then unless you store everything encrypted you are pretty much screwed no matter what with any operating system as they could just pop in something like a Knoppix Live CD, mount your file systems and do whatever they like.

Physical security is somethign people often overlook when locking down their systems.
 

jsw

Moderator emeritus
Mar 16, 2004
22,819
41
Andover, MA
Well, yes, on most Macs you can - with an OS X install DVD - boot from the DVD and reset the root password and log on. Assuming no one bothers you while doing that.

If you've locked down your Mac appropriately, then that person would need to open the Mac, change the RAM configuration, then boot from the DVD and change the root password.

It's not like you can just walk over and, ten seconds later, control the machine.

Of course, if they think it's that easy, just have them show you at a local Apple Store.
 

JeDiBoYTJ

macrumors 6502a
Jun 22, 2004
859
0
Ft. Lauderdale, FL
you can do that with windows too. booting into Safe Mode activates the hidden "Administrator" user, which is able to reset passwords, and change other user settings. ive done it many times.
 

dsharits

macrumors 68000
Jun 19, 2004
1,639
0
Plant City, FL
It's not nearly as easy as it sounds. It's not posible to log in as root and change the password without having the current password. Like it was already mentioned, the only way to change the password is with an install DVD. They make it sound easy, but it's really not possible. FileVault is even more impossibe to get past.
 

James Philp

macrumors 65816
Mar 5, 2005
1,494
0
Oxford/London
I guess this is a reason never to keep your Tiger DVD with your computer - dope.
But my computers are either behind lock and key or in my bag (both ususally).
Of course, if someone has physical access to your Mac, and they are at all tech savvy, they could do all sorts of things - for one they could simply steal the Mac!
On the other hand, OS X is EXTREMELY difficult to hack remotely, which is the main point these days, and it's what windows doesn't have.

It is unheard of that someone has hacked a Mac from a remote site without the user giving them (manually) an administrator password as far as I know.
 

CubaTBird

macrumors 68020
Apr 18, 2004
2,135
0
i think os x is secure as it is... i mean heck, the irony here is that most of its code is open source and available on apples dev page so you would think that if hackers really wanted to hack os x they could easily do so.. but then i figure because os x only has 5% of the market... there probablity of getting attacked is virtually small.
 

yellow

Moderator emeritus
Oct 21, 2003
15,925
1
Portland, OR
James Philp said:
It is unheard of that someone has hacked a Mac from a remote site without the user giving them (manually) an administrator password as far as I know.
Not true at all. There are a variety of attack vectors. Unpatched apache, ssh, OS pieces, etc. It's definitely happened. Unfortauntely, the easy of setting up OS X and some of it's nicer services makes it a rich target for attack. Grandma Jones doesn't know or care about security, but she does want to show those pictures of her grandchildren on her website!

My problem with the whole market share thing is yes, Windows is a riper target. Yes, Mac OS X has a significantly smaller market share. But we're talking about 10s of millions of Mac OS X boxes out there! If a hacker wanted to hit a Mac, there's plenty to choose from. It might take you a little longer to find one, but they are there.

You can follow all sorts of "best practices" to protect yourself, but if malicious dude A has physical access to your comptuer (no matter what flavor it is), you are in danger. End of story.

As for needing root to change passwords, naah..

Single User Mode -> use niutil to change the password properties. That should work, no?

Good time to use the OF Password!
 

jsw

Moderator emeritus
Mar 16, 2004
22,819
41
Andover, MA
yellow said:
Single User Mode -> use niutil to change the password properties. That should work, no?

Good time to use the OF Password!
Wow. I'm so used to setting up the OF password that I completely forgot that it isn't something everyone does....
 

yellow

Moderator emeritus
Oct 21, 2003
15,925
1
Portland, OR
jsw said:
Wow. I'm so used to setting up the OF password that I completely forgot that it isn't something everyone does....
Same here. I expect because it's 1) not something they think/know about and/or 2) yet another password they fear to forget.
 

James Philp

macrumors 65816
Mar 5, 2005
1,494
0
Oxford/London
yellow said:
Not true at all. There are a variety of attack vectors. Unpatched apache, ssh, OS pieces, etc. It's definitely happened. Unfortauntely, the easy of setting up OS X and some of it's nicer services makes it a rich target for attack. Grandma Jones doesn't know or care about security, but she does want to show those pictures of her grandchildren on her website!
So surely someone has created a way to infiltrate OS X? I can't believe that if it is possible no-one has done it yet, even out of pure interest?

P.S. Don't you need administrator passwords to change anything in the system folders?
 

yellow

Moderator emeritus
Oct 21, 2003
15,925
1
Portland, OR
James Philp said:
So surely someone has created a way to infiltrate OS X? I can't believe that if it is possible no-one has done it yet, even out of pure interest?
Beyond proof-of-concept viruses & rootkits? Apparently not. But, I don't run in hacker/cracker circles, so I'm certainly not in the loop on this one. I suspect that there are people working on it. If not a MS-fanboi looking to shut up all the Apple-fanbois, then a serious hacker. But I think it's more subjective then looking for viruses and trojans. All it takes (generally) is a talented individual who took the time and energy. Probe, probe, probe until you find a hole to exploit. Exploit it and you're in. Then leave it alone until you need it. I think there's a low % of Mac OS X users that are serious about their security. They might never notice. I might never notice and I like to think I'm fairly serious about security.

I'm curious about "Switchers". Will people jumping ship because of security problems mean that there will be more Macs with better security because these people are using to doing things that way? Or will there be more Macs with less security because "you don't have to worry about that on a Mac", and people get lazy? Only time will tell. IF Apple gains any marketshare out of this, it'll be years before we see it.

James Philp said:
P.S. Don't you need administrator passwords to change anything in the system folders?
Not in Single User Mode. In SUM, you're automatically equivalent to root. Unless you're meaning something else.
 

yellow

Moderator emeritus
Oct 21, 2003
15,925
1
Portland, OR
Just don't forget that you've got it installed (and don't forget that password!) and freak when you can't boot from a CD. Which I did shortly after I started using it back in the day. :D Much cursing and sobbing ensued..
 

csubear

macrumors 6502a
Aug 22, 2003
613
0
Just about every *nix I know of can be booted into single user mode, and have the root password changed. That is unless you put a password on your bootloader.
 

Chrispy

macrumors 68020
Dec 27, 2004
2,126
1
Indiana
This thread just made me remember how dumb the IT department is for the company with whom I am employed. We use all Windows 2000 pro machines at work and one of our graphics designers got a DP G4 system a few years back. He never hooked it up to the network and we went on like that for a few years. Then, when he was let go the new designer wanted to network the mac so he could use our high resolution laser printers for photo sheets and what not. The IT guy actually told us "there is no way I'm putting a MAC on this network! Those things are full of viruses and they have horrible security!" I almost soiled myself right there. It took A YEAR for us to convince him to let us put the mac on the network.... yes, this is what I have to deal with at work..... :(
 

yellow

Moderator emeritus
Oct 21, 2003
15,925
1
Portland, OR
That seems to be a pretty common excuse for IT people who know nothing of Macs. Since that excuse always works for Windows, why not apply it to a Mac? :)
 

IJ Reilly

macrumors P6
Jul 16, 2002
17,915
1,466
Palookaville
How many people actually use an open firmware password? Granted it's the ultimate lock-down for the Mac, but outside of a computer lab environment, how useful is it really?
 

emw

macrumors G4
Aug 2, 2004
11,177
0
jsw said:
Note that this is only for pre-Tiger versions. The Tiger version comes on the install disk.
Yup, I'm pre-Tiger on my work box still. At home I'll have to search out the install disk.
 

emw

macrumors G4
Aug 2, 2004
11,177
0
yellow said:
That depends on your level of paranoia, I think.
The IT guys at work are out to get me, so it's in my best interest to install this.
 

tdhurst

macrumors 601
Dec 27, 2003
4,003
101
Phoenix, AZ
Riiight...

CubaTBird said:
i think os x is secure as it is... i mean heck, the irony here is that most of its code is open source and available on apples dev page so you would think that if hackers really wanted to hack os x they could easily do so.. but then i figure because os x only has 5% of the market... there probablity of getting attacked is virtually small.
Are you kidding? Imagine the acclaim and prestige a hacker would gain by defeating an "impenetrable" system.
There have a been a few rewards offered by various companies with cash prizes to those able to hack into Apple computers using only regular security settings. It has not been accomplished yet.