Briefly: AAPL history; Macs in botnets

This is the first I've ever heard of any OS X systems hacked with malware. If this is true (that they were used as bots, then why haven't we heard of this before? Methinks something is bogus.

Unfortunately, it's not at all bogus. Some of the vulnerabilities common to all Unix-based systems are also present in the Mac. The attacks are mostly done by script kiddies though. A number of them rely on trivial passwords, some rely on existing security holes (haven't seen many of these, though) and others rely on holes in 3rd party software (i.e. phpBB). One of my friends with an iMac had his machine botnetted because a friend of his with an account on it was an idiot and used a trivial password. It's definitely not bogus.

In what way was your friend's imac turned into a member of a botnet? Just curious.

Here is a claim that Mac can be owned in 30 mins http://www.zdnet.com.au/news/security/soa/Mac_OS_X_hacked_in_less_than_30_minutes/0,2000061744,39241748,00.htm

but what it doesn't tell you is this link

http://macdailynews.com/index.php/weblog/comments/bona_fide_mac_os_x_security_challenge/

and this is what finally happened http://www.informationweek.com/security/showArticle.jhtml?articleID=181502434

So get the fact straight.. Mac is still one of the most secure OS in the WORLD!!!

:)

Mac OS is one of the most secure OSs available, but nothing will protect you from stupid passwords.

It took me about 8 hours to clean up after one of my clients got a server hit by a paypal phisher. They came in through an account with a VERY weak password (account "pc" password "pc") that was used for a windows machine to connect. I had been saying to them for months that they had inadequate passwords, they didn't want to hassle with good ones.

The hacker came in through ssh - which actually needed to be on, since it's a server that has to be remotely managed. And ssh login attempts are CONSTANT these days.

And of course the client's passwords are better now, and ssh is significantly more locked down. So, while the Mac is better than most, you shouldn't take that as an excuse to get careless.

Oh, and after an incident, you REALLY need to back up all your data, reformat & reinstall, and restore ONLY the data, NOT the apps. Unless you're 100% certain that an attacker didn't get root, anything less is asking for trouble.

I agree..

If they get your password then it's over..

I think that goes for every single OS out there.. Until we have some kind of widely used biometric identity for a password, we'll have this problem..

Here are the straight facts. The follow-up article (http://blog.washingtonpost.com/securityfix/) explains the exploit used. The botnet was created using a known security hole in something that runs on top of the operating system. This is PHP, a development programming language built specifically for Web sites. By leveraging this PHP flaw, the attackers were able to seed the Mac systems with several tools designed to turn them into drones for distributed denial of service attacks.

So, despite the fact that the Mac OS is relatively secure, a false sense of invulerability is dangerous. As is a false sense of smugness.