this seriously screwed my os. it went to the loading services screen then got stuck on "waiting for xSan filesystem", went past it, returned, then went to loading login screen and went no further. left it on all last night and no joy. Just finished reinstalling the whole os but haven't got all the updates yet. I'm scared to put this update back on now. Was a bigger pain that i had a dvd in the drive so had to find out how to eject it when the computer wouldn't boot (alu 15" powerbook)
 
SiliconAddict said:
The fact of the matter is out of the box an OS X install doesn't give admin rights to the user. An OS X install doesn't have an ***load of ports open. An OS X install doesn't have Internet Imploder installed. Those three features make OS X inherently more secure out of the box. Note I say out of the box. By spending an hour tweaking any 2K or XP box I can make it pretty dang secure.
I agree with your sentiment, but just want to quibble with two of your points...

First, unless they changed it recently, OS X does give admin rights to the first user... how else would you set up an admin unless somebody already has admin rights? Apple has tried to make the Unix user-based architecture transparent to users still stuck in the Classic world of undifferentiated user/system.

I'd also take issue with the idea of tweaking resulting in good security for Win 2K or XP. I know an MCSE who really knows his stuff and who spent weeks locking down a Win2K web server (he read all the MS whitepapers, followed all the procedures, ran all the supplemental analyzers and updaters, applied third-party extra measures, updated and secured all of those, etc.). His server got smacked the moment he went live with it... turns out a new, lethal virus (which specifically targeted a newly-found exploit in his intrusion-detection system) had come out just as he was flipping the switch. Took down his whole ISP for the day, and ruined the entire OS on his weeks-of-effort server. 😡
 
keep things in context

Rower_CPU said:
Here's a recent study that I believe tends to lend credence to the concept that OS X is inherently more secure:

Unprotected PCs can be hijacked in minutes

The main points I took away were that unprotected (no firewall) Macs are attacked about evenly with unprotected XP SP1 machines but suffer far fewer compromises (0, in this case) than PCs. This is mostly attributed to the fact that automated attacks target PCs primarily, but it shows the fallacy in thinking that Macs aren't attacked as often.


Or, you can figure that making a "honeypot" of an XP.sp1 system which is deliberately missing over 2 years of security patches and putting it on the net will get some good hits from the hackers who know exactly how to exploit those well-publicized holes!

Note further in the story:

"There were no successful compromises of the Macintosh, the Linspire or the two Windows XPs using firewalls. [SP2 and SP1 with ZoneAlarm] That pattern was not surprising, as Windows PCs make up 90% of the computers connected to the Internet, and the vast majority of automated attacks are designed to locate and exploit widely known Windows security weaknesses."

Unfortunately, the setup for the OSX system is not described, but in order to be fair I would hope that they used a completely unpatched version of OSX from August 2002, not a more recent build.

So, the article says both "XP SP1 compromised in minutes" and "XP SP2 stayed clean". Funny that only the first message is being emphasized on Mac boards, not the second....

What I'd take away from the article is that firewalls work...and that SP2 has fixed both security holes and some structural security problems in Windows.
 
Good idea... I installed the Bluetooth update in my iMac 1.8 and it froze during the update and I had no mouse or keyboard control. I used my other mouse and restarted and all was fine but the update did not install successfully, and I am not doing it again.

asif786 said:
hmm..this isn't showing up for me in software update..?

The only outstanding updates on my imac are the bluetooth one (didn't wanna install in case it screws up my mouse/kb) and iSight update.

It's odd that this security update isn't showing. Maybe I'll have to run the BT update first. 🙄
 
AidenShaw said:
"Backups" ????
He was migrating from an NT4 box to a new 2K box, so he still had all the databases, etc. in the NT box, but the configuration of the new box was totally compromised. From what I understand (I don't do much in Windows), it is not exactly easy to back up and restore the complete system in Windows. He was able to restore some of his work from backup, but I think a lot of the low-level stuff had to be re-done.
 
Try it again, if the problem happens, shut down and start up.

dstorey said:
this seriously screwed my os. it went to the loading services screen then got stuck on "waiting for xSan filesystem", went past it, returned, then went to loading login screen and went no further. left it on all last night and no joy...

Honestly, I think if you shut down and restarted you would have been fine without the reinstall. I run X-Grid on my system which is similar to Xsan in some respects. It seems that we ran into the same issue. However a simple restart after shutting down manually resolved it.
 
i KNOW what you mean...(i think it's funny that if i buy os x i can hijack a school machine) but it is STILL amusing to hear "As long as someone can get their hands on your Mac he can hack it."

protect your comp. apple is presupposing that you WON'T LET somebody get on to your comp PHYSICALLY who shouldn't be on it.

i know a house can have more than one person..but if you don't trust the people there you wouldn't let them touch your comp anyway...and so on and so forth.
 
The Red Wolf said:
Honestly, I think if you shut down and restarted you would have been fine without the reinstall. I run X-Grid on my system which is similar to Xsan in some respects. It seems that we ran into the same issue. However a simple restart after shutting down manually resolved it.

My wife installed the update on her 15" PowerBook last evening. No problems incurred. It didn't even require a restart.
 
The Red Wolf said:
Honestly, I think if you shut down and restarted you would have been fine without the reinstall. I run X-Grid on my system which is similar to Xsan in some respects. It seems that we ran into the same issue. However a simple restart after shutting down manually resolved it.

tried that a number of times and did the same thing. I even tried the cmd option r p on start up to get the two chimes and it did the same.
 
Surreal said:
protect your comp. apple is presupposing that you WON'T LET somebody get on to your comp PHYSICALLY who shouldn't be on it.
My PowerBook is usually at home, but it never lets anyone in without a password. I need a password to log in, to wake it, and to pass the screensaver. For a laptop, I think that's a no-brainer. I don't mind the extra 5-10 seconds of wait time to know that my laptop's not just sittin' there spread-eagled.

And before the next time I travel, I'm going to turn on FileVault and encrypt my entire hard drive. Taken together, those measures make for pretty good security. Probably not 100% locked down, but strong enough to keep most people out completely.

I would encourage any Mac user, and particularly any laptop user, to have a look at the Security panel in System Preferences.

If you want to go one step further... set up another Admin user on your computer, then take away Admin privileges from yourself. That way if someone gets into your account for any reason, they still can't get to anything good (not that they can get to much without some sort of Admin password).
 
Toe said:
First, unless they changed it recently, OS X does give admin rights to the first user... how else would you set up an admin unless somebody already has admin rights? Apple has tried to make the Unix user-based architecture transparent to users still stuck in the Classic world of undifferentiated user/system.

This is not true. Even when the "first user" has admin rights, he does not have 100% "root" access. Root is way more powerful and dangerous in the wrong/nubile hands. Every action that requires root access requires a password to be entered by the "first user", and only access to that function is allowed. So if you want to install software that is all you can do. (if you use the terminal, you are still protected, but much less so.) try "cd /; sudo rm -R *" on an OSX machine, won't work. Try it on Linux and you better hide from the administrator because you will be hunted down and flogged.
 
msconvert said:
This is not true. Even when the "first user" has admin rights, he does not have 100% "root" access. Root is way more powerful and dangerous in the wrong/nubile hands.

Let's tie down some definitions here, guys.

Apple's "admin" users are not "root" users, it's true, but they do have pretty much godlike powers over the system. (I wrote a FAQ on this at the Apple Discussions site here:

http://discussions.info.apple.com/webx?50@191.clVya70pDyS.0@.68953bc9
http://discussions.info.apple.com/webx?50@191.clVya70pDyS.0@.68953bcd
)

For a one-person or household system, there's not much between the two. One person will (generally) be in charge of setting up users, (re-)installing software, and looking after the nuts and bolts of the system. And it's questionable here whether root is actually more important than your user account - which is more important to you, losing your OS installation, or losing all your user files? I suspect for most people, they'd be happier having to re-install OS X than re-create all their documents. And for this type of system, it's relatively easy to get physical access to the machine and, unless you have Open Firmware password turned on (and even then, there's a way around it), any interloper can re-install the system with themselves as admin, and lock you out completely.

For a corporate system, of course, physical access to the server is much more tightly controlled, and the only other way into the system - "logical" security - makes much more sense.

Matt
 
AidenShaw said:
Or, you can figure that making a "honeypot" of an XP.sp1 system which is deliberately missing over 2 years of security patches and putting it on the net will get some good hits from the hackers who know exactly how to exploit those well-publicized holes!

Note further in the story:

"There were no successful compromises of the Macintosh, the Linspire or the two Windows XPs using firewalls. [SP2 and SP1 with ZoneAlarm] That pattern was not surprising, as Windows PCs make up 90% of the computers connected to the Internet, and the vast majority of automated attacks are designed to locate and exploit widely known Windows security weaknesses."

Unfortunately, the setup for the OSX system is not described, but in order to be fair I would hope that they used a completely unpatched version of OSX from August 2002, not a more recent build.

So, the article says both "XP SP1 compromised in minutes" and "XP SP2 stayed clean". Funny that only the first message is being emphasized on Mac boards, not the second....

What I'd take away from the article is that firewalls work...and that SP2 has fixed both security holes and some structural security problems in Windows.

My post was getting at the argument that Macs aren't attacked as often as PCs - this study shows that isn't the case and destroys the "security through obscurity" myth perpetuated by both sides. I also acknowledged that section you quoted ("This is mostly attributed to the fact that automated attacks target PCs primarily[...]").

I, too, would be interested in seeing the config of the OS X system and comparing an XP SP1 install with a peer OS X build as well as an SP2/10.3.x runoff.
 
slightly said:
And it's questionable here whether root is actually more important than your user account - which is more important to you, losing your OS installation, or losing all your user files? I suspect for most people, they'd be happier having to re-install OS X than re-create all their documents.
Yeah, it would be a real pain in the butt to re-create all 9,000 of my photos, pixel-by-pixel....

😛
 
AidenShaw said:
So, the article says both "XP SP1 compromised in minutes" and "XP SP2 stayed clean". Funny that only the first message is being emphasized on Mac boards, not the second....

What I'd take away from the article is ... that SP2 has fixed both security holes and some structural security problems in Windows.

I agree Mac users have a tendency to gloat: <gloat>Have a look at Symantec's "danger" list - 60 new viruses reported on XP... in the last MONTH 🙂</gloat>

However, what I note with the whole XP vs XP sp2 battle is that

(1) XP sp2 hosed a LOT of machines. I know, I did a lot of installs. I know OS X has been getting bad press lately, but of the 30 odd XP machines we sp2'd within a week of it getting into the wild, ONE of them went off without a hitch. Let's not get into the whole "Apple's updates are just as bad" thing - Apple releases more often, but frankly nobody I know directly has ever had a problem with an OS X update - I have to come on to the geeky mac sites to hear the problems. Not saying they don't exist, but they're not 29/30 🙂

(2) XP sp2 has only been in the wild for a little while. Sure, it stayed clean, but is it possible that it's only because a lot of the new exploits in sp2 simply aren't as widely known? Firewalls are good, yes, but one of the main issues I had when installing XP sp2 was that the firewall lockdown broke a large number of apps that relied on that security hole. OS X is built from the ground up to understand that a firewall is an integral part of the system. XP has been "locked down" and doesn't get it in a lot of cases. It's like trying to train your dog NOT to run after the stick when he's 7 years old - "Hunh? But I USED to be able to do that? Why are you hitting me?"

The point is that I suspect a lot of users will find themselves being advised to "open port X" to get App Y running again. And then where are you?

And forget the firewall - that's only part of it. Bear in mind that the browser is one of the weakest links in any network security system... it's always on and it lets stuff in. And what does XP use to manage its files?

Anyway, this is a ramble. What I'm trying to say is that OS X and other Unix flavours have security built in by keeping various crucial things separate. You crack our mysql root password? Oh crap, but at least that doesn't automatically give you access to my finances and porn 😉
 
Toe said:
From what I understand (I don't do much in Windows), it is not exactly easy to back up and restore the complete system in Windows. He was able to restore some of his work from backup, but I think a lot of the low-level stuff had to be re-done.

Did he buy his MCSE or earn it? 🙄

NT/2K/XP/2003 include a Veritas-developed backup utility that can do the backups just fine.

The only wrinkle is that you can't restore the boot block from the standard backup utility, so you need to do a quick Windows install (which will create the low-level boot files), then restore your backup into another partition. Fix up "boot.ini" to point to the restored partition, and you're back...

I usually create a small (128 MB) partition as the first partition on the disk, then install Windows into a large second partition. This puts the funky boot files in the first partition, and Windows without the boot stuff into the second.
 
Apache update is different to one stated in kb article.

http://docs.info.apple.com/article.html?artnum=300422

My last section from httpd.conf is below:

<DirectoryMatch ".*\.\.namedfork">
Order allow,deny
Deny from all
Satisfy All
</DirectoryMatch>

Apple say it should be:

<DirectoryMatch ".*..namedfork">
Order allow,deny
Deny from all
Satisfy All
</DirectoryMatch>

Note the difference:
<DirectoryMatch ".*..namedfork">
<DirectoryMatch ".*\.\.namedfork">

Does that make a difference?

The rest is as they state.
 
but none of your maneuvering matters if i can reboot your comp with a cd in. that is the point being made earlier.

your examples were right though...you don't trust random people not to use your comp...so stop them 🙂 it's a simple concept that should be taken for granted.


Toe said:
My PowerBook is usually at home, but it never lets anyone in without a password. I need a password to log in, to wake it, and to pass the screensaver. For a laptop, I think that's a no-brainer. I don't mind the extra 5-10 seconds of wait time to know that my laptop's not just sittin' there spread-eagled.

And before the next time I travel, I'm going to turn on FileVault and encrypt my entire hard drive. Taken together, those measures make for pretty good security. Probably not 100% locked down, but strong enough to keep most people out completely.

I would encourage any Mac user, and particularly any laptop user, to have a look at the Security panel in System Preferences.

If you want to go one step further... set up another Admin user on your computer, then take away Admin privileges from yourself. That way if someone gets into your account for any reason, they still can't get to anything good (not that they can get to much without some sort of Admin password).
 
Surreal said:
but none of your maneuvering matters if i can reboot your comp with a cd in. that is the point being made earlier.

your examples were right though...you don't trust random people not to use your comp...so stop them 🙂 it's a simple concept that should be taken for granted.
FileVault would protect you to a certain degree from people rebooting with a cd and similar.
 
Surreal said:
but none of your maneuvering matters if i can reboot your comp with a cd in. that is the point being made earlier.
I thought that was the whole point of FileVault. Once my data is encrypted, you can't read any of it without the encryption password. Period.

Otherwise... someone could just boot my PowerBook in target mode and mount it as a hard drive on their Mac. Though this raises the question of whether common thieves use Macs. 🙂
 
mrzippy said:
Note the difference:
<DirectoryMatch ".*..namedfork">
<DirectoryMatch ".*\.\.namedfork">

Not really. The second one blocks "..namedfork", and in the first, the periods are interpreted by the regexp parser as "any character"...so "unnamedfork" would be blocked, etc. It looks like the first just forgot how regexp worked, but who knows...
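
An added example (not part of the thread or of Apple's update) that runs both DirectoryMatch patterns quoted above over constructed paths to show what each one denies. It assumes the pattern is applied as an unanchored match against the path string, and uses Python's `re` module, which treats these two simple patterns the same way; the helper names and sample paths are made up for illustration.

```python
import re

# The two DirectoryMatch arguments compared in the thread.
KB_PATTERN = r".*..namedfork"           # as printed in the KB article
INSTALLED_PATTERN = r".*\.\.namedfork"  # as found in the updated httpd.conf

# Constructed sample paths (not taken from the thread).
SAMPLE_PATHS = [
    "/Library/WebServer/Documents/index.php/..namedfork/data",
    "/Library/WebServer/Documents/index.php/..namedfork/rsrc",
    "/Library/WebServer/Documents/index.php",
    "/Library/WebServer/Documents/unnamedfork/readme.html",
    "/Library/WebServer/Documents/docs/renamedfork.html",
    "/Library/WebServer/Documents/namedfork",
]


def denied(pattern, path):
    """True if the 'Deny from all' section would apply to this path.

    Assumption: the pattern is matched unanchored against the path,
    which is what re.search() does here.
    """
    return re.search(pattern, path) is not None


def compare(paths):
    """Return (path, denied_by_kb_pattern, denied_by_installed_pattern)."""
    return [(p, denied(KB_PATTERN, p), denied(INSTALLED_PATTERN, p))
            for p in paths]


def overblocked(paths):
    """Paths only the unescaped pattern denies (collateral blocking)."""
    return [p for p, kb, inst in compare(paths) if kb and not inst]


def missed_by_kb(paths):
    """Paths the escaped pattern denies but the unescaped one lets through.

    An unescaped '.' matches any character, including a literal '.', so
    the unescaped pattern matches everything the escaped one does and
    this list stays empty.
    """
    return [p for p, kb, inst in compare(paths) if inst and not kb]


if __name__ == "__main__":
    for path, kb, inst in compare(SAMPLE_PATHS):
        print(f"kb={kb!s:5} installed={inst!s:5} {path}")
    print("over-blocked by unescaped pattern:", overblocked(SAMPLE_PATHS))
```

Both patterns deny the `..namedfork` paths; the unescaped one additionally denies any path with at least two characters before the string `namedfork`, including a directory named plain `namedfork`.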
 
slightly said:
And it's questionable here whether root is actually more important than your user account - which is more important to you, losing your OS installation, or losing all your user files? I suspect for most people, they'd be happier having to re-install OS X than re-create all their documents. And for this type of system, it's relatively easy to get physical access to the machine and, unless you have Open Firmware password turned on (and even then, there's a way around it), any interloper can re-install the system with themselves as admin, and lock you out completely.
Matt

I completely agree but just wanted to add a few thoughts. What harm could be done when somebody breaks into your computer (via a direct attack, worm, virus, trojan, etc.)?

a) Your system or parts of it could get hosed with or without the intention of the intruder:
You are left with a non-working computer, which can be disastrous for people who need the computer for their job. You need time to reinstall everything, clean your back-ups etc. and may also lose data.

b) You lose data. Needs time to restore them from back-up assuming you have current (daily) ones.

c) Personal information is stolen (credit cards).

Non-admin user accounts in principle only protect you from a) but they might make b) and c) more difficult for the intruder, and therefore less likely, and also easier to detect. Any intruder who can modify the system can more easily prevent detection.

However, if e.g. a worm manages to install a keylogger with only non-admin account privileges, I would guess, the next time you're entering an admin password to accomplish a certain task your system is lost as well.

Security is never absolute, it relies on the hope that the holes in the software are found by the good guys first and on making the life for the intruder as difficult and unrewarding as possible.
 