Army Dumps NT as Web Server, Moves to Mac 189
kootch writes "This sounded too funny to believe, but I think it's true. The US Army, after being the victim of a script baby and having their web pages vandalized, has moved their site from an NT box to a Mac box running WebStar as their server software. Don't believe me? Go here!"
Security Through Impossibility (Score:5)
Ah, yes. There's nothing like a brick wall to prevent someone from breaking the lock.
MacOS actually gets some bonuses from its, uh, quaintly anachronistic operating system tendancies. (This is not a flame. I think it's cute to tell an application how much memory it gets. See disclaimer. Tweak. Tweak.) For example, the fact that the entire OS is really built to communicate over Appletalk instead of TCP/IP means there's absolutely *nothing* open by default for abuse on the general Internet.
Those who remember these kind of things will note that *the* definitive, original WinNuke was a bug in the TCP handling of an "Out Of Band" packet sent to port 139 on a Windows box. Open door. Boom.
As much as I love Linux, there are more open ports in your standard issue distribution than you're likely to find in an average brothel. Unix in general is hooked into TCP/IP addiction on a practically native level.
The speed on the mac might not be great. The stability probably won't be perfect, but who knows. With much less embedded functionality, there's Just Less To Break.
"We here at the US Army know that the most secure computer is the one that isn't plugged in. We use the next best thing."
Yours Truly,
Dan "Must Never Post When He's This Tired" Kaminsky
DoxPara "Will Have No Memory Of This Post" Research
http://haveasenseofhumor.www.doxpara.com
Once you pull the pin, Mr. Grenade is no longer your friend.
Re:Wow! (Score:1)
The price they pay for the security is that they may need to reboot the Macs a few times a week or month
Re:Not exactly sure why this is funny.. (Score:1)
open source software, on the other hand, allows you to check the source yourself (eg, grep strcpy *.c) and quickly fix known bugs.
using mac os stuff and saying it's more secure cuz there's no logins is false. saying it's more secure cuz less crackers try to crack mac os apps or cuz there's less spoilt scripts out there for mac os apps is security though obscurity.
'Zorb (was:Re:Better yet... ugh...) (Score:1)
as a mac webmaster.. (Score:4)
the article says:
yes, the macOS has no 'root' or shell-type access, and, by itself, is arguably one of the most secure platforms available, if only for the same reason that is is one of the most virus-immune - very few hackers, crackers, or virus writers use macs (despite all the movies like 'hackers' and 'the net')
and, by that same token, any web server just serving up http and ftp is fairly secure. adding on all the other services, and opening up ports to who-knows-what is asking for trouble. simpler is better. and a mac as a webserver is a very simple solution.
since when has the w3c been in the business of security surveys? oh well.. they're right on a few accounts, but may not be totally up to speed on the software they're talking about. the mailing lists are/have been alive with reports and fixes for security holes in open transport, os8, webstar, and all the various plugins that come along with it.
if i were choosing the most secure server for the mac, however, would have gone with webten, an apache-based port by tenon, over webstar (if one were to go with a commercial package). it's fast, reliable, and simple - no fluff. the latest issue of webstar folds in all kinds of services that are unnecessary, and have proven to be security risks in the past. my sites are running on webstar 3, but that's because of how easy it is to add new domains and administer/monitor.
the press-release tells us the mac 'does not allow remote logins'. well, if you open it up via appleshare or install timbuktu it does. even if you don't, and you stick entirely to the webstar package, you get lasso (database), a pop/smtp mail server, proxy server, ftp server, and remote admin tools by default.
i expect the army has disabled lasso - as it has been shown to be a gaping hole in previous, standalone releases - and probably use a dedicated mail server, proxy, etc., but the main webstar server cannot be administered without either a separate admin tool (which can be run locally or remotely via tcp/ip) or web-based admin, whose security is, in my experience, pretty easy to get around.
all that aside, the mac makes an excellent web server. pare down the software to the essentials, give it plenty of RAM and a steady power supply, and it should be happy and stay that way for a good while.
as for apple's PR picking this up, i think they would prefer it if the army had chosen osX server with apache, since os8.x is not really a server product.
Re:Maybe this is a pretty good choice... (Score:1)
I have to disagree with this statement. I have a 7200/90 sitting next to the k6-2 system I'm working on right now and I used to run Apache on it under LinuxPPC R4. For static content it does great. I never load-tested it, but it would have no problem serving a low-volume site.
joeRe: Really the same? (Score:1)
Lord (Score:3)
OPEN YOUR SMURFING MINDS!!!!!!
All this "haha, web server on a Mac" crap is really getting to me. This place is so Linux-bigoted that it simply amazes me. You don't bother to find any facts or think about the situation at all. If you did, you would realize that Macs are the most secure mainstream web server available for this sort of task. Sure, they may not perform nearly as well as Apache et al, but how are you going to hack a box that has no facilities, no conception, of remote administration or control?
Sure it'll be slow, but good luck breaking in without actually sitting down in front of the thing.
Kneejerk response (Score:1)
Spoilsport that she is, she seems to think that a system with no real security measures, memory protection or multitasking is a pretty poor choice for a server platform.
Of course, being a design company, macs are the perfect client machine, since they are painfully easy to use, and fairly easy to untrash. However, as a server? The expression "dumber than a box of rocks" springs to mind...
Re:Great! (Score:1)
Their page loaded very quickly for me.
Maybe the Mac webserver is doing a good job :-)
New host, new problems. (Score:1)
No Root == Everybody is Root (Score:4)
Yeah, you don't have to worry about someone getting root, because once they're on the box, they *are* root. They can delete the system folder, install software, anything. I bet there's not sandbox for CGI either - one buffer overrun and you can trash the operating system.
Olive Drab (Score:1)
Chuck
Re: The Army can't be using OS X (Score:1)
BTW, I think your characterization of the CGI bug is exaggerated. But that's okay; it's fair game.
Smarter than your average script kiddie! (Score:1)
But not by much. He still got caught!
Wouldn't it be cool if he went to jail and his # was 31337?
imac there for i am (Score:1)
but this is the military so i cant say what is right in there case. but rara ra for the switch from nt , i never realy liked nt it kept blue screening me , i have had my linux box up for a month or more now. which comeing form windows for 10 years i have to saythat is one heck of a good thing.
A small step for the Army (Score:1)
I must say that any step away from Microsoft is a good one. Although BSD/Apache would probably handle the load better than the Apple (as would Linux) the Apple is a valid choice when looking for a webserver to serve static pages.
I also see a little bit of the 'security through obscurity' showing here; Not too many people run Apples of this caliber, therefore less people will try to hack them, therefore fewer exploits will be discovered, therefore the server is more secure.
static content easier (Score:3)
Now the problems you're likely to see are when a server gets
It looks like www.army.mil is learning about
What does it matter? (Score:1)
Makes sense (Score:2)
Wow! (Score:1)
-awc
Re:mac != mac os (Score:1)
mac os (and mac firmware) do have good plug and play support (much better than windows and x86 bios). the only time i ever had to worry about irqs and other stuff in linux was on an x86 machine which had a pnp 3com nic that i couldn't seem to get working until i disabled pnp on it.
as for "a cold heartless box", is that opposed to a warm and caring mac os box?
one thing mac os definetly doesn't have, is configurability. you can't override irqs, you can't rewrite things (closed source), and most apps hide advanced options from the user (that's if they even allow you to change them at all). my biggest gripe about mac os is that apps always seem dumbed down to the lowest common denominator, and hidden options to protect users from themselves.
(btw, i used mac os for years on a 68k; then i got a 7100 and stuck mklinux on it. i've been using linux ever since then.)
First the commercial, now this.... (Score:1)
Still, this is pretty damn cool, especially after seeing the G4 commercial. I hope Apple doesn't blow this marketing opportunity as they have blown many others in the past.
Re:BSOD -> Bomb (Score:2)
So much for people having a sense of humor. ;)
(For the sarcasm-impaired moderators: that last smiley was a wink. To show I'm being sarcastic and silly. Don't get riled up because I'm indirectly flaming moderators. I've been a moderator on many occasions. And I can take a joke. I see the 'flamebait' moderation of my previous post as a joke. So there. :)
---
"'Is not a quine' is not a quine" is a quine.
Re:absurd (Score:1)
Most people break into systems with the intent of using that system as a gateway into the other machines on the network.
So people can hack into a unix box, hide the traces of their break in, install a nice packet sniffer and such, and otherwise, use the machine to scope out the network, figure out the topology etc. etc.
A mac isn't so great at TCP/ip. In fact, the mac doesn't have a means of running a program remotely, so therefore, the worst that a scriptkiddie cracker can do is dump the harddrive. (Which can easily be remedied by backups, disk images and such) Of course, you could give me a counterargument by saying the said cracker could construct a buffer overflow such that he can write a sniffer program into the buffer, but such a cracker would have to know the inards of the MacOS inside and out, and write really, really compact code, which is pretty hard with Risc Cpu's.
Steve Jobs (Score:1)
Re:Wow! (Score:1)
Of course, if they were really smart, they would probably use something like Apache on Linux or FreeBSD, but I suppose Macs are better than Windows at least
The new G4 commercial (Score:3)
-Vel
Re:Great! (Score:1)
Its funny though.. (Score:1)
Re:Not MacOS X, no CLI (was: BSOD -> Bomb) (Score:1)
Mac OS X is a weirded up BSD system with a bag on the side^w^w^w^w MacOS on the top.
Regards,
Sascha
You'd be surprised... (Score:2)
I know of Mac boxes that have had over a year of uptime (this was a while back, and as a consequence they were still running System 7.6, one of releases which wasn't exactly known for stability). It's all a matter of taking care of the thing.
Admittedly, though, I'm dumbfounded as to why they didn't use Apache (which does have a Mac port; a company called Tenon maintains it under the name WebTen, though I think they might have closed off their branch of the code). WebStar does have its own advantages, though.
I wonder if they'll switch to Apache/OSX when it comes out (hell, why didn't they do it now? OSX Server comes with it; even Darwin comes with it, and yes the CGI bug has been fixed).
Re:mac != mac os (Score:1)
Performance doesnt matter anyway (Score:1)
Re:Security Through Impossibility (Score:1)
apple's tcp/ip stacks have been vulnerable to the same bugs as MS, linux, and *bsd stacks have been; eg, ping o' death (oversize ping packet).
Re:Not exactly sure why this is funny.. (Score:1)
It's not that simple to erase a disk on a Mac. You have to have pretty good knowledge of the machine's configuration (including I think the HD name and a few other things that would be hard to get remotely) and it's not like the Toolbox has a single "format c:" command. Also, remember that nobody won the Crack-a-Mac contest.
Re:absurd (Score:2)
Re:BSOD -> Bomb (Score:1)
Re:Wow! (Score:1)
As possibly stated elsewhere:
If you have to reboot a mac server every week or so, then you should probably find someone who actually knows how to set up a mac. I have a mac server up right now used for AFP-TCP/SMB/FTP file sharing and it has been up for over a month with no problems (besides some idiots putting it on a bad cable).
Summary: Anyone who says that Macs are unstable doesn't know how to set them up.
- jsitz
Of herfs, g4s, and tanks (was: something else) (Score:2)
it might, but I know for sure those tanks wouldn't. Oh the joys of anachronistic paradox.
How to make the MacOS unassailable... (Score:3)
To kick it to the next level, every directory or file can have its own password. Once you are in on a Unix box as root, you have the keys to the candy store.
So if a wily cracker were able to take advantage of a mythical overflow, and by some miracle managed to upload executeable code, when it tries to modify the read-only files, the system it will prompt for a password. Recieving none, it trips all sorts of alarms.
Some of these security programs can also encrypt/decrypt on the fly.
So, the MacOS, alone, is more secure than all but the most carefully audited Unix box. Add something like folderbolt, and security is no longer an issue...even for the Army.
SoupIsGood Food
Dosent running a web server make it a server? (Score:1)
eof
Netcraft result (Score:1)
Mac is the best choice for them, let them live! (Score:2)
If they choose NT in the first place, it's probably because the webmaster have little knowledge about Linux or *BSD. They wanted to have a web server that is easily administered.
Linux/Apache does not offer a platform that is easily administered and it is not secure out of the box. You have to tweak the system configuration to disable some services and install several patches to make it really secure. Even with some graphics tools for Apache, this is a combo that is far less easy to maintain than IIS or WebStar.
Because there where too many security issues with NT/IIS, they choose the most secure platform that is easy to administer wich is MacOS/WebStar.
This is the best option for them, Linux/Apache will be the best option for somebody else.
Stop thinking that Linux/* is the best solution for everybody. This is not a perfect platform nor any other platform is perfect. You want people to be able to choose their OS, then stop commenting theyre choice with "they should use Linux", "Linux is the best", "Linux/Apache can be made as secure as MacOS/WebStar", "Linux all the way",
I'm running Linux on my latop, I have two Win98 box at home, at work I use a NT box and a Solaris box... Diversity is great!!!
I'm probably wrong (Score:1)
I really haven't followed that sort of thing, but I could swear I read something about a list of prducts that are OK'd for use by them.
This is security through obscurity. (Score:1)
Re:Maybe this is a pretty good choice... (Score:1)
I mean, the army needs the net to display certain types if data. IMHO, 95% of that data will be static(i.e. not generated on the fly from a db like
[Note 1]
Now, let's say that there's a conflict going on that the army is involved in.
--Would it make more sense to be trying to display troop movements online, or to use their radios instead?
--What would be the point of telnet access durring an armed conflict?
--Do tank repair schedules really need to be dynamically generated?
[/Note 1]
Therefore, switching to a single-user OS on really fast hardware with a small server running a limited amount of processes seems to be that way for them to go.
Just my $0.02...
Re:Garfinkel says... (Score:3)
That's a heck of a weird theory. On a single-user system, *everything* runs as root.
I've used WebStar and Pictorius before on a Mac (prefer the latter, myself), and it's not half bad as a web server, but I wouldn't put anything stressful on 'em, as I'd be afraid of stability problems.
Remember, Apple was the last big OS vendor to fix the ping-o-death problem (took 'em until MacOS 8).
--
Interested in XFMail? New XFMail home page [slappy.org]
Re:Not exactly sure why this is funny.. (Score:3)
Um, it's the unknown bugs that are the problem. Making source available does not always result in fewer bugs. At all. There are plenty of rock solid closed applications, and plenty of flakey open source applications*. People who want stability go with stable software, wherever it is from.
The fact that there are fewer crackers or scripts targetting Mac OS does not make Mac OS more secure - but it makes it much less likely to be compromised.
In real life (i.e. the time spend earning your rent/mortgage), running a web site that is unlikely to be hacked is often more useful than running a theoritically more secure one that is likely to be hacked.
*If you really don't believe this, email me for a list
but.. um.. (Score:1)
_________________________________________________
I could be way off my rocker on this one, but I'm just wondering...
Re:Better yet... ugh... (Score:2)
It is true from what I recall that the major radar-evading mechanism of the f-117a is the physical structure which causes the radar energy to be reflected by flat surfaces, rather than by rounded surfaces on traditional aircraft that provide the tell-tale signatures that radar systems key on.
But, in addition, radar absorbing materials are used in the construction that reduce the energy returned from critical areas like bomb-bay doors and the canopy.
Don't agree? Check out howstuffworks.com [howstuffworks.com]
Re:Solaris and Netscape (Score:1)
Haven't really seen this ad (Score:1)
Re:Security Through Impossibility (Score:3)
On a related note: when I was in college, a friend of mine and I found an easy way to crash Macintoshes. Just send a couple of pingfloods from different hosts. MacOS locks HARD (even the mouse stops responding). We had to do this to take care of some joker who kept changing his IP address to be the same as the Macs we were trying to use (all of the Linux boxes in the lab were full at the time, leaving just Macs - yuck).
---
"'Is not a quine' is not a quine" is a quine.
Re:yes, this is a pretty good choice... (Score:2)
Custom OS for security? (Score:1)
Of course the down side.. it'd be a major pain to work with. I work with Windows & Macs daily, they make me want to commit suicide, so it's about the same situation. Also is it really that important to keep your web site from being hacked? I mean keeping people from hacking in and jumping to other computers in your network is important but what the @$%*# do I care if they change a few web pages? I keep backups for exactly that reason, just restore and start looking for the security hole. The MOST I'd do is reformat and install again to make sure they didn't leave any trapdoors. Last time I had to restart Linux I had all my data files in a sepperate partition so that was simple, the entire install took less then 15 minutes and about another 15 minutes to restore my settings and all user information. If you're really concerned about the security you can always recompile with all the security on, better optimization, etc and save it to a cd-r.
Re:BSOD -> Bomb (Score:2)
---
"'Is not a quine' is not a quine" is a quine.
Better yet... (Score:1)
A stealth Mac.
Tres-cool, IMHO.
OSX (Score:1)
Re:Security Through Impossibility (Score:2)
(I like the italicizing method.)
Hurm. That's right. They're all the same TCP/IP stack, barely rewritten. How ironic! The ultimate interoperable protocol only existed not just because of open specifications but literal *open source*...and *every* OS player agrees, if not in their words, then in their actions.
Fascinating.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Once you pull the pin, Mr. Grenade is no longer your friend.
Mac is a great secure Web server (Score:5)
As for security. Most of the apple web servers use Apples fairly old ACL per directory for file shareing. The Permission are secure and have stood up to time. As far as connecting to the files system from remote if you use another Mac it does indeed encrypt the passwd.
The Mac has very limited functionality for networking built in on MacOS, this makes it more secure. Apple fixed the TCP/IP large packet bug back in 1995. The current IP stack is fairly fast and based on the System V steam type TCP/IP stack.
Most of the Apple web site security issues have been from Filemaker integration. Filemaker is a GUI DB for MacOS (it has issues).
One of the other advantages to not having any cosole based applications, no concept of standard in and standard out, is if you do run an application on the Mac it doesn't do anything usefull. Also MacOS doesn't have any sensible kind of IPC or RPC support so even if you can compromise a single application it is extremly difficult to get to the operating system or another application.
If you did use Perl, your perl scripts need to be safe. But again on a Mac, there is no plain text file that you could grab security information.
Open BSD could be made equally secure, but it would take lots of customization and intelligence about it, the Mac is VERY high security for default configuration. Though flexibility is an issue with Macs.
Re:heh a mac (Score:1)
We've run mac servers for various things. Guess what- they all work well, and they all handle a load just fine. Just because the OS doesn't support pre-emptive multitasking, it doesn't mean that the applications can't be multithreaded. If you only have one process running on the machine, which is a well written multithreaded server application, your machine should be solid. The application can handle all preemptiveness itself between its own threads. Sure, this makes programming a little bit trickier, but it can be done. The only thing that you may end up taking a hit on are the creation and destruction of threads, and I/O if the theads are requesting I/O at the same time.
Oh, and one more thing MacOS's TCP/IP stack is multithreaded as well- something that Linux is currently lacking (not to mention a main performance roadblock).
Re:Mac is the best choice for them, let them live! (Score:1)
try going to
http://www.army.mil/
i dont know about other people, but for me it won't load completly, and sometimes when i try again the server drops the connection. I'm on a T3 here, so dont even try to tell me my end is the problem.
of course i doubt that this server is ever going to be under this much load again.
slashdotting is harsh shit.
that server is choking
Um... (Score:1)
Re:Great! (Score:1)
-awc
Re:A Mac better choice than Linux/Unix/*BSD? (Score:5)
Re:Why not linux? (Score:1)
An OpenBSD box would probably be nice and secure though with "only httpd".
Re:Maybe this is a pretty good choice... (Score:1)
That's funny. I do just that. A 7200 running LinuxPPC r4. Granted, it only has an ISDN line it can saturate, so that's not too hard...but if people tout 486s running Linux for a web server...well, a 7200 has quite a bit more muscle than that.
Re:Maybe this is a pretty good choice... (Score:1)
Server [131.227.180.82]
There's nothing there now though, all the real content has been moved but the server still exists
I also have some friends that run a pretty huge commerce site using Macs running Webstar and Filemaker Pro AV-Store [av-store.co.uk] as their main set-up very happy with it although they will probably move to OS X Server with Apache and Web Objects soon......
Troc
Macs (Score:1)
NT maroons Navy "Smart Ship" (Score:2)
I found the 'divide by zero' excuse really amusing, and the response that a $2.95 calculator cannot be crashed in this manner is priceless!
======
"Cyberspace scared me so bad I downloaded in my pants." --- Buddy Jellison
Re:heh a mac (Score:1)
remy
http://www.mklinux.org
Re:A Mac better choice than Linux/Unix/*BSD? (Score:4)
In the June 1999 issue of MacTech Magazine there was an interview with Chuck Shotton. He is the guy who created, in 93, the first Mac http server MacHTTP, which later became Webstar.
In the interview he explains how they made Webstar into a high-performance web server. To summarize:
a) use of caching to avoid hitting on the dog slow MacOS filesystem
b) optimizations to have the right balance between I/O time and calculation/processing time
c) taking advantage of the MacOS thread manager and the fact the MacOS 8.x is NOT a premptive multitasked OS.
c) will sounds odd to most; what they do is that since the app has control over the premption (rather than the OS) they use that advantage to minimize the number of context switches, etc. i.e. they have their own highly tuned and specific scheduler rather than relying on the generic scheduler of the OS.
This is pretty cool on a dedicated MacOS box that do just web server.
As for MacOS crashing, my router is running MacOS 8.6, it has been up & running nicely since I last booted it, one month ago; it has never crashed so far.
Note: I'm not saying MacOS is the best, fatest and most stable OS out there; just that for some applications a Mac can be stable and fast plenty.
As far as security go, since you can't remotely login on a Mac and since there is no shell, you don't have any risk of someone exploiting some buffer overflow bug or remotely using the box. (Note tho that you could add softwares to control you Mac remotely, like Timbuktu or VNC, but then you are taking risks, as on any other OS with such means.)
Just my $0.02
Janus
Well, lets see... (Score:1)
Makes sense, right? That's what you said...
MacOS isn't a server OS, so you can't run a web server on it...server OS's are either Unix or Variants thereof, or have the word "Network" or "Server" in the title.
So you can't share files with a ton of networked users reliably, let alone run say, a website that's been online for years, serving like, what close to a million hits a day, with virtually no downtime or successful intrusions.
It just can't be done
-K
Re:A Mac better choice than Linux/Unix/*BSD? (Score:1)
This is a very ignorant comment. If you don't want to run any daemon on Unix it is very easy: just strip everything in /etc/inetd.conf and everything useless in /etc/init.d/* ; should take about 2 minutes. Reboot and do a "ps -awux" to double check.
Netcraft says Solaris (Score:1)
www.hqda.army.mil is running Netscape-Enterprise/3.5.1 on Solaris
I know Netcraft say that they are not 100% though.
Mac stability, secure network setup, and more (Score:2)
What you need is the Mac, and a second NIC. Running non-MacOS X set up the web server. Set the first NIC in OpenTransport to use TCP/IP and set it up appropriately. Now run a cable from the _second_ NIC to the backup/storage(EMC?) server that should be behind the firewall. Have this NIC run AppleTalk though the AppleTalk control Panel. THIS IS SECURE vecause without 3rd party extensions or AppleShareIP Server a Mac CANNOT communicate TCP/IP over 2 NIC's or Appletalk over 2 NIC's. Thus you have the webserver using TCP/IP and the backups and updates coming in through File Sharing using Appletalk. It's very easy to set up and it works very well.
Since the Mac has no command line by nature it is very hard to breech security, and any breech would come through the web server itself or directly through memeory manipulation of the TCP stack (ha!). The only way to get into the other network qould be to have GUI access to the SErver, which can only be done with more 3rd party extensions.
my login may not be working, but i am chainsaw1 (chainsaw1@hotmail.com)
Need Better Linux Dist (Score:2)
Linux on the other hand can be very secure, but only after it has been properly set up, by someone who knows security and Linux well.
Which brings up the question, "Why has no one offered a distribution of Linux specifically geared towards web serving" . Such a distribution would be great. One that leaves off all the unneccessary protocols, daemons, and such. One that forces you on initial configuration to set up all the neccessary security blocks. And finally, one that makes it easy to begin webserving, by supplying Apache already with SSL, PHP, and mod_perl; MySQL; Perl with DBI and a CPAN that works, etc... Such a distribution would firmly seat Linux as the best webserver platform.
But as it is, its tough getting a webserver up securely and with all the bells and whistles under Linux. I wish it were easier.
Rikkers
Re:Single user systems ARE more secure (Score:1)
More mundanely, you can restrict root login to the console, then using a combination of encrypted connections (such as SSL), proper security management of running services (um, Webmasters, read the WWW Security FAQ...and other info at: http://www.w3.org/Security/), and such tools as IPchains you CAN make UNIXen secure...
Kernel hackers can put together very secure UNIXen when needed. In fact, there are UNIXen which have been made C2 secure, but I am unaware of Mac or Win systems that have done this.
Yes, if you use a less feature-rich OS like the MacOS you need to do less work to make it secure (to the levels it can be)... just like it's easier to repair a Volkswagen than a Ferrari...
Re:Garfinkel says... (Score:2)
While I respect the opinions of the author, I'm not entirely sure I agree with everything he has to say.
Re:Garfinkel says... (Score:2)
remy
http://www.mklinux.org
Re:Hacking AppleTalk (was: Its funny though..) (Score:1)
Never seen a hack to start AppleTalk on a machine where it was off.
Regards,
Sascha
Sensible thing to do (Score:1)
One of the key things in security is not putting doors where you don't need them. MacOS doesn't have any doors by default. You can laugh at this or you can judge it by it's merits as the U.S.Army did.
Message on our company Intranet:
"You have a sticker in your private area"
What?!?! (Score:1)
They got smart and dropped NT?!?!
Does this mean we have to take Army Intelligence off the Official Oxymoron List :-)
Re:Why is this so suprising? (Score:1)
Perhaps if you were to offer supporting arguments/historical examples then your statement might be a tad more believable...
Note: I am not a *bigot. I fully expect that any existing operating system/hardware currently in use will be fully replaces by some revolutionary new concept within 20 years. Thus I try not to get attached to any of the current systems.
Re:Wow! (Score:1)
The comment isn't redundant (as it's currently been moderated)It's an observation.
I'm not sure moderation and meta-moderation are working.
In the meantime I'd like to point out I've been running a MacOS based server (Webstar as well) for 4 years and I've found it to be rock solid and increadibly secure.
Bet this post gets an 'offtopic' flag
John
Why All the Ignorance? (Score:3)
I've been reading the replies to this article and I have to say I am simply *astounded* by the ignorance towards the Mac and MacOS that I have read.
I logged onto the Army site and it came up really fast. It was not Slashdotted as many other sites get after being listed on Slashdot. One ignorant reader even jumped to blame the MacOS because he was not able to get onto the site. I've got news for that person, there are many reasons *you* can't reach site, the most likely is that the problem is the connection between your client machine and the server. Also, does that same reader blame Linux when Slashdot had all the frequent downtime not too long ago?
Another reader mentioned that the server probably cost "1000s" of times what their (certainly hypothetical) presumably Linux server would cost. When is the last time he/she shopped for a Mac? I've got news for you, Macs use all the same compenents as PCs these days and cost about the same for a *comparable quality* PC. Apple simply chooses higher quality parts than the crappy machines one can buy at CompUSA and, worse, Circuit City. Oh let me guess, that person is going to "put together" their own hand built machine. Good for you, I just wouldn't want to be the poor sap who has to maintain your little computer project when it has a hardware problem. I mean who would I call for customer support? You? Give me a break. You just want an excuse to bill your client.
Then there's the *cost* of maintanence. The Mac server will be configure and forget. Configuration will take about 15 minutes. Let's use a 14 year boy who can do it at minumum wage, that's about $1 for his time. Now a Linux server is going to take, what, all day, to configure with security. At $100+/hr that's about $800 setup fee. Oh and what happens when your Linux server gets cracked because you didn't hire the supreme Linux security gurus (for much more $/hr) - or the latest security flaw of the month in Unix is discovered? That costs money to fix too.
And then there's the people who think the Mac needs to be re-booted once a week. That was about 5 years ago with MacOS 7.6. Today's Macs with MacOS 8.6 will probably need to be re-booted only when replacing the hard drive or an extended power failure. No, the memory is not protected, but at least the web page is from crackers.
It's not like the Mac does not have protected memory. Apple makes a server OS called MacOS X Server and it does. But it also has the underlying security issues because it is based on Unix. The (wise) managers don't want to have to deal with crackers - Get it?
To all you Linux bigots, I hope you don't break your arms patting yourselves on the back for putting down the Mac server. The Army's Mac is running great and makes a great web server. To Roblimo I have to say that the only thing that is funny is the attitude that Linux is superior to all OSes for everything. Some of us just want the job done and don't need to show our "superior" computer skills because we understand a CLI and our manager does not. Enjoy yourselves in your hacking, I've got work to do!
mac != mac os (Score:3)
Maybe this is a pretty good choice... (Score:2)
One of the things a Mac has going for it, as a web server platform, is that it is not multiuser. Neither is NT, really, but Microsoft has added enough multiuser features to it to make it exploitable (install IIS and you get a dozen services by default, like echo, time, chargen, and other services). With a Mac, there is none of that. Run a web server without CGI access (put a few CGI scripts on another machine running a Mac-native scripting language/environment like Frontier) and you have a near unexploitable machine. One that is of limited functionality, but why should a web server do dozens of things? Most sites are not like slashdot, and use 99+% static content.
With the new G3 and G4 (I haven't used a G4 but the G3's are very fast) processors, Macs are becoming fast machines. Would I run a web server on a 7200? No thank you. Not even on one running NetBSD or Linux, the machine just doesn't have the capacity. But MacOS 8.6 (or whatever) on a G3 or G4, running a dedicated web server program could potentially be a great idea.
darren
Re:Better yet... (Score:2)
absurd (Score:3)
If you exploit a buffer overflow in Apache on a multiuser system you end up with access restricted to whatever user the daemon is running as. But if there is a buffer overflow in Webstar or any scripts it calls on the Mac, then exploiting it gives you root-level access to the entire system. Sure, you have to do something more clever than just spawning a
MacOS 9 and MacOSX are multi-user... (Score:2)
Re:Wow! (Score:3)
that is, if you rely on the intruders' ignorance as your primary line of defense, you are completely screwed the moment you encounter an intruder whose knowledge includes information about the holes in your system.
much better to have a system whose exploitabilities are known and repairable than to have a system whose holes are unknown and unrepairable.
Remember to advocate Linux when it Makes Sense (Score:3)
Keep in mind what these army folks were looking for: a secure, virtually administration-free, relatively stable webserver that is resistent to remote attacks. For that application, a Mac server makes sense.
Why didn't they choose *nix? The admins probably aren't big tech heads, and the fact that several flavors of UNIX are free probably scared off their superiors anyway. But for this application (remeber, they're concerned with remote attacks) I'd say MacOS is definately more secure for a couple of reasons:
- No shell, thus no root shell (duh!)
- The lack of publicly known kernel knowledge (has anyone even tried hacking a Mac?)
- Not multi-user
- No remote access
My point is, thinking Linux is the correct OS for every application (and advocating it that way) is just plain naive.
--Mid
Re:No Root == Everybody is Root (Score:2)
You can not delete the active System folder in MacOS. The worst you can do is remove key files from it which whould cause it not to boot up properly (or at all).
--
Garfinkel says... (Score:3)
A Mac better choice than Linux/Unix/*BSD? (Score:3)
So any knowledgable hackers want to enlighten the ignorant among us as to the virtues of Mac web servers? I'd be really interested how they stack up to the favorite Slashdot choices such as Linux, OpenBSD (I mention it over other *BSDs because of its emphasis on security, but obviously hearing about {Free,Net,*}BSD would be cool too), and even commercial Unices like Solaris. Any takers?
----------
Wow.... (Score:3)
www.army.mil is running WebSTAR/4.0 ID/70636 on MacOS
And it's not a G4.... the headlines on www.army.mil [army.mil] tell us that it is a G3...
Re:Actually (Score:3)
The heavily trafficked MacIntouch [macintouch.com] uses Webstar. So, I would say that MacOS is a stable platform for a webserver, but no barn burner by any means.
remy
http://www.mklinux.org
Re:Wow! (Score:2)
With *nix, even if you deleted telnetd, ftpd and what have you from the system altogether, there are still too many potential holes.
The abscence of a command shell of any kind in Mac OS makes it harder to trick a network service into executing commands or code.
The OS is not readily available to hackers and not widely used in any case. Likewise the web server.
Of course in functionality terms its a mess, and in reliability terms it's not great. But if I was asked to create a secure web server for flat files, I'd get a Mac with a http server and nothing else. Transfer data to it via floppy or CD-Rom. Access it via direct keyboard/monitor only. Run nothing except ping and http. NOTHING except those.