Articles tagged in slashdot

  1. Mac OS X Root Escalation with AppleScript

    Read this story on Slashdot.

    "Half the Mac OS X boxes in the world (confirmed on Mac OS X 10.4 Tiger and 10.5 Leopard) can be rooted through AppleScript:

    osascript -e 'tell app "ARDAgent" to do shell script "whoami"';

    Works for normal users and admins, provided the normal user wasn't switched to via fast user switching. Secure? I think not." On the other hand, since this exploit seems to require physical access to the machine to be rooted, you might have some other security concerns to deal with at that point, like keeping the intruder from raiding your fridge on his way out.

    In the comment section it has been confirmed that

    1. It only works if the user is logged into the Mac, but not via fast user switching.
    2. Disable Apple Remote Desktop does not work.
    3. It works over ssh if the same user also happens to be logged in.

    Saying "physical access is required" is simply irresponsible. People might click on strange attachments or weird files downloaded from the net, which might run commands to get root privilege. Or maybe there are other exploits in Mac OS X that can get remote hackers local user privilege, and then use this to gain root.

    Actually it is not hard to get physical access either. Sydney Apple Store opens tonight. Watch out for those pimple-faced teens typing vigorously in from the tonight!

  2. Slashdot going CSS

    Slashdot, ones of the grand-daddies of the weblog, is finally throwing away the aging HTML 3.2 with massive table-based layouts, and replacing it with more compliant HTML + cascading stylesheet. It is currently beta testing on Slashcode, the Perl-based CMS that powers Slashdot.

    It almost validates to... Oh wait?! To HTML 4.01 with ISO-8859-1, W3C's recommendation back in 1999, when the whole world is moving onto XHTML 1.0 and UTF-8?! Wow. Slashdot has finally adapted to the technology of the last millennium!!

    Try harder, Taco! Maybe until next time...

    At least it got rid of all these HTML tables, replacing with DIV's and proper fluid layout. Interestingly there was a workshop article on Australian Personal Computer in September's issue, titled "Turning the Table", authored by David Emberton, whom should be remembered for writing against web standard and accessibility. How time (and acknowledgement of reality) will change!

    Update 22 September 2005: Apparently Slashdot in CSS is now live on their website. Still HTML4 strict. But it feels so much faster...

    Slashdot's own news item on their conversion.