Major security hole in X
Mac Enthusiast
Join Date: Jun 2003
Location: Kalifornia
PIXAR Animation Studios
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Big deal. Yes, Apple will fix this, and they should, but anyone using just the built-in password protection on the screen saver as the "only" way to "protect" their Mac would not have a very secure machine.
It's certainly not something that would compromise the machine over the internet. Someone would need physical access to the machine, and as we all know, once someone has physical access, all bets are off.
I'd hardly call this "major."
Grizzled Veteran
Join Date: Sep 2000
Location: Netherlands
Originally posted by Person Man:
Big deal. Yes, Apple will fix this, and they should, but anyone using just the built-in password protection on the screen saver as the "only" way to "protect" their Mac would not have a very secure machine.
It's certainly not something that would compromise the machine over the internet. Someone would need physical access to the machine, and as we all know, once someone has physical access, all bets are off.
I'd hardly call this "major."
What interests me is why the hell someone decides to hold a key for 5 minutes.
Derk-Jan Hartman, Student of the University Twente (NL), developer of VLC media player
Mac Elite
Join Date: Apr 2003
Location: The City Of Diamonds
Originally posted by The DJ:
What interests me is why the hell someone decides to hold a key for 5 minutes.
I was wondering the same thing. How the hell do you discover that, using that method? Maybe after falling asleep on your keyboard?
Senior User
Join Date: Sep 2000
Location: Torrance, CA
I think that's the second security "bug" related to the Screensaver. The other involved remotely logging in and killing the Screensaver process. Sounds like it's best to just not use it until we see what the Panther lock screen function is like. LOL
Professional Poster
Join Date: Sep 2002
Location: New York, NY
Originally posted by derekn:
The other involved remotely logging in and killing the Screensaver process.
How is that a security bug?
Vandelay Industries
Addicted to MacNN
Join Date: Oct 2001
Location: Yokohama, Japan
Originally posted by Art Vandelay:
How is that a security bug?
Indeed, one would need the user's password to log in remotely anyway.
I can't say this concerns me.
Dedicated MacNNer
Join Date: Aug 2001
Location: California, USA
Yup. If you have physical command of the machine, just boot off the Installer CD, reset the password, and there ya go. I believe someone left a book or something on the keyboard, and that kept the key depressed for so long, and then hit return, screen saver crashed, voila.
Moderator Emeritus 
Join Date: Mar 2001
Location: Austin, MN, USA
I agree with the majority here. It is a bug that should get fixed, but if it doesn't come out before Panther, I won't be too upset. It's not like every OS X machine out there is any more subject to hack attacks. All it does is let Joe's little brother access his stuff if Joe doesn't log out. Sorry Joe, you should log out anyway if it's a multi-user machine.
Speaking of multi-user machines, wouldn't it be cool if the screen saver password prompt in Panther had the ability to switch to another user? Right now, I believe you can only switch if you have control of the current desktop. That way, if you leave your screen saver running and someone sits down, they don't have to interrupt whatever is going on, or even see what's going on, in the background.
Mac Elite
Join Date: Aug 2001
Location: Australia
Originally posted by Powaqqatsi:
I was wondering the same thing, how the hell do you discover that, using that method ? maybe after falling a sleep on your keyboard ?
Other screensavers have had this problem, it's not new; he probably tried it just to see. I tried doing it once, but I got bored after 28 seconds.
Posting Junkie
Join Date: Feb 2000
Location: Washington, DC
I wouldn't call this "Major". Like many have said, you need to be in the same room as the computer. I could just take out the hard drive and walk away... (it only takes a few seconds)
Mac Enthusiast
Join Date: Jun 2003
Location: Kalifornia
Originally posted by mitchell_pgh:
I wouldn't call this "Major"
I know, I jumped the gun on that one.
PIXAR Animation Studios
Senior User
Join Date: Nov 2002
Location: US
At least for me it has no effect - tried using ctrl-a, ctrl-k, and ctrl-y to dump tons of characters in Screensaver, got lots of beachball thingies but this thing didn't crash and burn...
10.2.6 on 1 GHz PB with 1 GB RAM. Weird...
Mac Elite
Join Date: Feb 2002
Location: USA
If someone has already gained physical access to your computer, it is already too late to be worried about a screensaver.
Mac Enthusiast
Join Date: Jun 2003
Location: Kalifornia
Come to think of it though, what about work colleagues snooping in on your email when you're out to lunch? Not sure how big a problem that'd be, but again, maybe for some.
PIXAR Animation Studios
Forum Regular
Join Date: Jul 2003
You guys would be pounding this security hole into the ground. Yes it is a big hole.. and yes it is a big deal.. and yes Apple effed up. I am not a MS zealot, I much prefer Macs.. but c'mon.. this is a big deal when MANY MANY companies rely on ss locks to make sure users don't leave their machines unattended and logged in. Now we know it doesn't matter. You can't train a company of 500 users to log out for 5 mins to go to the water cooler. Point is.. if this was MS, you guys would be dissing hard... so at least be objective.. a security hole is a security hole. They need to get this patched asap.
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Originally posted by h00ligan:
you guys would be pounding this security hole into teh ground. yes it is a big hole.. and yes it is a big deal.. and yes apple effed up.
It is still not a "major" hole. If you look at my original post, I said it should be fixed, but that type of problem is not "major." I mean, who is going to sit there and hold a key down for 5 minutes, just to get into someone's computer???
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Originally posted by h00ligan:
this is a big deal when MANY MANY companies rely on ss locks to make sure users don't leave their machines unattended and logged in.
Yes, but those "MANY MANY" companies are probably using Microsoft Windows, in which case somebody breaking into a system through the Screen Saver password would be the LEAST of their worries.
I would expect someone using a Macintosh to not rely solely on the screen saver password for protection... but I could be wrong there, too.
Professional Poster
Join Date: Nov 2000
Location: Tasmania, Australia
Originally posted by Person Man:
Yes, but those "MANY MANY" companies are probably using Microsoft Windows, in which case somebody breaking into a system through the Screen Saver password would be the LEAST of their worries.
I would expect someone using a Macintosh to not rely solely on the screen saver password for protection... but I could be wrong there, too.
Most computer users (Mac or otherwise) don't know much about security, and they do trust the screen effects to keep people out and to secure their system. Most people do not want to have to log out all the time, or even overnight, if it means taking extra time to log in again and restart all their applications.
And yes, there would not be many people who would sit there for 5 minutes with their finger on someone else's keyboard, but there would be some who would lean a book on someone else's keyboard and come back and hit ENTER. Then they can sit down and do whatever they want. All without looking the slightest bit suspicious. This is such an easily exploited hole.
I think it is a "major" hole. Not so much because of the severity of the access it allows, but because of the ease with which it can be exploited. In fact, in many cases, it would grant full admin permissions, and therefore with sudo, full root permissions. So actually, yes, it is also a major hole due to the access it allows, because in many cases it would allow root access. (Many users are admin users on their own machines.)
The other point that people have been raising is the issue of physical access. Well, yes, in a locked server room if someone has physical access, all bets are off. But in an office it's not quite the same. If somebody comes in and opens a machine and removes a hard drive, or even if they come in and reboot from another CD, that looks at least a little bit suspicious. But if somebody leans a book on the keyboard then comes back a few minutes later, and just sits down and apparently just "logs in" and starts work, that doesn't look terribly suspicious at all.
Yes, I'd say this is a "major" flaw, but keep in mind that "major" is a relative term. It's certainly not as major as allowing root access via the network.
Senior User
Join Date: Feb 2003
Location: Atlanta
This is NOT a major security hole. Nothing is going to stop a thief from getting your data if they have physical access to your computer. Reset the password with an install disc, Firewire TD mode, single user mode, etc. all already get you full access without any passwords.
Mac Elite
Join Date: Apr 2002
Location: Illinois
Originally posted by Brass:
I think it is a "major" hole. Not so much because of the severity of the access it allows, but because of the ease of which it can be exploited. In fact, in many cases, it would grant full admin permissions, and therefore with sudo, full root permissions. So actually, yes, it is also a major hole due to the access it allows, because in many cases it would allow root access. (many users are admin users on their own machines).
You STILL have to know the password to get super user (AKA root) privileges. Yes this method is sneaky but Apple just has to set a limit on how many letters can appear in the input box (Have it match the top limit that passwords are allowed.)
Professional Poster
Join Date: Nov 2000
Location: Tasmania, Australia
Originally posted by King Bob On The Cob:
You STILL have to know the password to get super user (AKA root) privileges. Yes this method is sneaky but Apple just has to set a limit on how many letters can appear in the input box (Have it match the top limit that passwords are allowed.)
That's true, I was jumping the gun a bit there. But they still get admin privileges, and easy access to the logged in user's data.
I wouldn't think that putting an upper limit on the password input would be the best fix (although it would work). It should simply handle whatever is entered without crashing (probably a buffer overflow problem?)
Dedicated MacNNer
Join Date: May 2002
Just out of total curiosity, has anyone actually tried it to see if it works? Just to be repetitive, once someone can touch your computer you can say goodbye to any security measures you have. But in terms of privacy it is a little different.
Professional Poster
Join Date: Nov 2000
Location: Tasmania, Australia
Originally posted by coolmacdude:
This is NOT a major security hole. Nothing is going to stop a thief from getting your data if they have physical access to your computer. Reset the password with an install disc, Firewire TD mode, single user mode, etc. all already get you full access without any passwords.
All the methods you mention require somewhat obviously suspicious behaviour. If I walked out of my office, and someone else walked in and tried any of the things you mentioned, they would be questioned by my colleagues. However, if someone walked in, and apparently just sat down and logged in, they would be less likely to be questioned. I'm hopeful that the common sense of my colleagues is what will stop people with physical access to my desktops from breaking into them. However, this is less likely with this method than with the methods you mentioned.
Of course the difference is even more greatly exaggerated in the (admittedly rare) occasions where people are netbooting their machines, or have them physically locked in a cupboard (except keyboard/mouse/screen) or access is via VNC/Timbuktu/Remote Desktop. Also none of your methods would work if the startup disk is password locked, which it probably should be on any machine with security implications that is not in a locked server room.
As I said before, "major" is a relative term. I consider this major, others may not. It doesn't mean I'm wrong, or that you are. I don't think anyone here has mentioned a scale by which we are measuring major or not, or some way of defining major. So to get all hung up on whether or not it actually is major is a tad useless.
(Last edited by Brass; Jul 6, 2003 at 08:38 PM.)
Senior User
Join Date: Feb 2003
Location: Atlanta
Originally posted by theory:
Just out of total curiosity has any one actualy tired it to see if it works?
It worked for me. Tibook 800 10.2.6, here is the crash log:
2003-07-05 23:25:41.258 ScreenSaverEngine[9993] Exception raised during posting of notification. Ignored. exception: *** -[NSCFArray objectAtIndex:]: index (0) beyond bounds (0)
Jul 6 00:10:42 localhost crashdump: Crash report written to: /Users/jonathan/Library/Logs/CrashReporter/ScreenSaverEngine.crash.log
Professional Poster
Join Date: Nov 2000
Location: Tasmania, Australia
Originally posted by theory:
once some can touch your computer you can say good buy to any security maesures you have.
What about the security measure of password protected NVRAM and password protected startup disk?
This whole idea that once someone has physical access they can do anything is nonsense. It's true for most servers, which are locked away in a server room, but for personal computers it should not be so. And with password protected firmware it is not so.
Mac Elite
Join Date: Jan 2001
Location: Somewhere in the land surrounding Fenway Park
Originally posted by Brass:
What about the security measure of password protected NVRAM and password protected startup disk?
This whole idea of once someone has physical access they can do anything is nonsense. It's true for most servers which are locked away in a server room, but for personal computers is should not be so. And with password protected firmware it is not so.
You could just take the hard drive, and boot off a CD or HD on a separate computer. If somebody has physical access to your computer, they can pretty much get the data on your HD without question.
Professional Poster
Join Date: Nov 2000
Location: Tasmania, Australia
Originally posted by foobars:
You could just take the hard drive, and boot off a CD or HD on a seperate computer. If somebody is has physical access to your computer, they can pretty much get the data on your HD without question.
If somebody walked into my office and attempted to take a hard drive out of one of the computers, they would definitely be questioned!
Besides, they'd have to break open the case first. At least with a screwdriver, if not a seam splitter! If anyone is that worried about security, their machine's case is going to be locked, and the machine will be attached to a security cable (as is the case in most computer labs and many offices).
Junior Member
Join Date: Jan 2003
There are COMPLETELY legitimate reasons for expecting a screensaver password to be a secure method of locking the machine. When I am carrying my laptop around (asleep and logged in) my keychain is unlocked and I have ssh-agent running with a couple decrypted ssh keys. These are by far the most important things on my laptop with regards to security, and if an attacker is forced to reboot the machine to gain access, poof, they are only available in an encrypted form. I know someone is going to say "just lock your keychain when you leave your computer" but is there any difference between locking my keychain and using the built in screen locking aside from the added bonus of protecting my ssh-agent process?
Just because it doesn't apply to you doesn't mean a bug isn't potentially very harmful.