Can an old Mac actually ignore network security?
August 5, 2004 10:41 AM Subscribe
MacCruftFilter: a guy i know told me yesterday that he discovered he had the ability to wander around the network using an old macintosh SE (linked through a newer one, as it's too old to connect directly). the funny thing was that in browsing appletalk he realized he could look at and open files - not just specifically shared files, but any files - on any networked mac on campus (he didn't say if he meant OS X too, or only OS 9 or older). he figures the new macs don't recognize the old one as even existing, and the old one is too old to recognize the security setup on the new ones - so they ignore each other and he's free to open someone else's files. he didn't try creating or deleting anything, though. so here's the question: can any mac people tell me if is he right about why this works, and, if not, is this just a fluke? am i potentially opening a can of mac-security worms by even asking this?
You definitely should set up some experiments to test this. if need be recruit some mac geek on the network who would love the opportunity to play with an SE. That is, of course, assuming that your interest is purely academic and not exploitative.
You may be able to see files, even create/delete, but what are you going to be able to open on an SE? I'd say text files are probably the only thing you might be able to open from any modern mac. If you can copy/duplicate the files and/or move them to other machines, then you might have found something interesting...
posted by rorycberger at 12:24 PM on August 5, 2004
You may be able to see files, even create/delete, but what are you going to be able to open on an SE? I'd say text files are probably the only thing you might be able to open from any modern mac. If you can copy/duplicate the files and/or move them to other machines, then you might have found something interesting...
posted by rorycberger at 12:24 PM on August 5, 2004
Response by poster: well, the guy who discovered this is trustworthy - he does network and website admin for some of the departments on campus. although i'm pretty sure he trusts me not to do anything malicious (i also do some computer maintenance + web admin for my dept.) i don't think he'll let me borrow his SE to learn more about this, although i might be able to get him to give me more details. he keeps the old mac around mostly just because it still works. don't know anything more about the system itself; we were just talking about old computers. i mentioned that my friend occasionally pulled his mac classic out to mess around with, then he pointed at the SE and said it was older, that it also still worked, then pointed out the network thing in passing. he didn't have it plugged in at the time (it was just sitting on a shelf) so he didn't show me how he did it.
good point on the ability to open files though - didn't think to ask him what he was actually opening. i imagine copying onto local disk or deleting files from a networked computer would be the biggest damage he could do. although networking through a second computer (i imagine it's something like localtalk to the newer mac, then appletalk on the ethernet from there) would mean he can possibly copy files from a random mac on the network to the system he uses as a go-between pretty easily, and open things from there. then again i mostly do windows, and don't know a whole lot about macs. haven't used one regularly since the above-mentioned mac classic my buddy and i used freshman year, way back in '92-93, so i don't know if this scenario would realistically work.
as far as the SE goes my guess is that it runs whatever OS it originally came with. this guy is not at all fond of upgrading software or OS unless he absolutely has to... and he does like to keep his cruft as authentic as he can. he applies windows patches grudgingly, and generally waits months to actually apply them lest they break something else (these are desktop machines with standard MS office programs, not mission-critical servers with proprietary software here - yet he's very reluctant to change them anyway). he keeps his very first DOS motherboard in a shadowbox frame above his desk.
posted by caution live frogs at 12:52 PM on August 5, 2004
good point on the ability to open files though - didn't think to ask him what he was actually opening. i imagine copying onto local disk or deleting files from a networked computer would be the biggest damage he could do. although networking through a second computer (i imagine it's something like localtalk to the newer mac, then appletalk on the ethernet from there) would mean he can possibly copy files from a random mac on the network to the system he uses as a go-between pretty easily, and open things from there. then again i mostly do windows, and don't know a whole lot about macs. haven't used one regularly since the above-mentioned mac classic my buddy and i used freshman year, way back in '92-93, so i don't know if this scenario would realistically work.
as far as the SE goes my guess is that it runs whatever OS it originally came with. this guy is not at all fond of upgrading software or OS unless he absolutely has to... and he does like to keep his cruft as authentic as he can. he applies windows patches grudgingly, and generally waits months to actually apply them lest they break something else (these are desktop machines with standard MS office programs, not mission-critical servers with proprietary software here - yet he's very reluctant to change them anyway). he keeps his very first DOS motherboard in a shadowbox frame above his desk.
posted by caution live frogs at 12:52 PM on August 5, 2004
The SE did not have Ethernet built in. It had LocalTalk. Your friend must have been going through some sort of LocalTalk-Ethernet router to connect to the campus network. (Many campuses built huge LocalTalk networks in the '80s and early '90s). Perhaps the modern Macs give that router's Ethernet MAC address special permissions for some reason?
If your friend is reluctant to let you borrow his SE, you can borrow your other friend's Mac Plus--it's actually older, but it should run the same system software versions as the SE.
posted by profwhat at 2:13 PM on August 5, 2004
If your friend is reluctant to let you borrow his SE, you can borrow your other friend's Mac Plus--it's actually older, but it should run the same system software versions as the SE.
posted by profwhat at 2:13 PM on August 5, 2004
I don't believe he was accessing files which weren't purposefully shared. I don't believe he could access just any files he wanted. If he's right, then even in the best days of OS 9 this same trick should have been possible. I had every hack and crack in the universe and never found one to do such a thing. There were some nice Chooser replacements which would show if Guest access was turned on in a shared device listed in the Chooser right next to its icon (which saved from having to double-click on the thing), but it didn't give any extra access. There also was JChooser which provided its own back-door sharing between computers, but it had to be installed first on any Mac you wanted to access.
To believe your friend, I'd need to see a screen shot of all the zones in the Chooser, a screen shot of the list of all the Macs listed in at least a few of those zones, screen shots of *all* of the login screens of *all* the Macs in at least one of those zones. If your friend is right, the login screens would show "Guest" access turned on for all of them, or would accept any user/password combo. If Guest access is off or and they do not accept any login, then your friend is wrong. Passing that, then I'd need to see screen shots of all the partition-choice screens for *all* the available partitions (which appear after logging in) for *all* the Macs in that same zone. If any of those partitions are greyed out, then he's wrong. Passing that, then I'd need to see screen shots of all the drives (root level is fine) in Icon view. If any of them have a "locked" icon, then your friend is wrong.
I might settle for a screen shot of the contents of the System Folder for every OS 9 computer in a single zone, in Icon view.
That's a hell of a lot of screen shots, but if you get them, let me know and I'll send you FTP instructions for uploading them. Then we'll see.
In my opinion, either you misunderstood your friend, or he's full of shit.
posted by Mo Nickels at 3:02 PM on August 5, 2004
To believe your friend, I'd need to see a screen shot of all the zones in the Chooser, a screen shot of the list of all the Macs listed in at least a few of those zones, screen shots of *all* of the login screens of *all* the Macs in at least one of those zones. If your friend is right, the login screens would show "Guest" access turned on for all of them, or would accept any user/password combo. If Guest access is off or and they do not accept any login, then your friend is wrong. Passing that, then I'd need to see screen shots of all the partition-choice screens for *all* the available partitions (which appear after logging in) for *all* the Macs in that same zone. If any of those partitions are greyed out, then he's wrong. Passing that, then I'd need to see screen shots of all the drives (root level is fine) in Icon view. If any of them have a "locked" icon, then your friend is wrong.
I might settle for a screen shot of the contents of the System Folder for every OS 9 computer in a single zone, in Icon view.
That's a hell of a lot of screen shots, but if you get them, let me know and I'll send you FTP instructions for uploading them. Then we'll see.
In my opinion, either you misunderstood your friend, or he's full of shit.
posted by Mo Nickels at 3:02 PM on August 5, 2004
I've heard of this somewhere. Evidently, your guess is correct, the SE is too old and OSX is built on a unix platform so the SE just ignores the permissions. The SE doesn't know it isn't allowed free reign through the network. On the dual-boot machines, one could boot into OS9 and have control of all the files. I read about this in one of the after market computers for stupid-heads manuals. I'll try to see if I can find a direct reference that is more informed than I am.
mo makes me doubt. I'm thumbing right now.
posted by elwoodwiles at 3:07 PM on August 5, 2004
mo makes me doubt. I'm thumbing right now.
posted by elwoodwiles at 3:07 PM on August 5, 2004
Crap. I can't find the reference I was refering to. Its mentioned in the MacOSX Missing Manual by David Pogue. I gotta get some work done.
posted by elwoodwiles at 3:13 PM on August 5, 2004
posted by elwoodwiles at 3:13 PM on August 5, 2004
SE "just ignoring the permissions" doesn't make sense to me. Permissions aren't just a matter of telling a remote system what it should and shouldn't do, and then trusting it to be good. Security doesn't work that way--unless something's gone very, very wrong. I'm with Mo on this.
posted by Acetylene at 3:17 PM on August 5, 2004
posted by Acetylene at 3:17 PM on August 5, 2004
I don't think it's completely inconceivable that there could be a minor bug in the AFP server on OS X that misreports the permissions when talking to such an ancient client. I wrote an AFP server, many years ago, and even back then Apple had released several different versions of the protocol. I think 2.1 was current when I was working with it, and there were a handful of weirdnesses you had to account for if you wanted to let machines using AFP 1.1 or 1.0 connect to your server. I think it is possible that there is some code in there that only applies to really old Macs, and that it's somehow misbehaving.
A quick scan of Apple's developer site shows that they're up to AFP 3.1 by now; unhelpfully, they don't seem to have any documentation for the older versions, so I can't see what's changed. Still, it's not hard to imagine that the command for requesting file parameters might have changed, and that some obscure piece of emulation code for the old version of the command might be converting the data improperly.
But this would just fool the SE's Finder into thinking you had access to those files; if you tried to open one of them, you'd get an error. A bug deep enough to let you actually get at the contents of any old file would be a big deal indeed, and seems very unlikely.
Most likely, I think, is that your friend misunderstood what he saw; failing that, I suspect a minor bug in the AFP server's handler for whatever the Jurassic equivalent of FPGetFileDirParms was.
On the dual-boot machines, one could boot into OS9 and have control of all the files.
That's different. OS X inherits the unix system of file ownership. You log in under some particular user account, and your account may or may not have access to all the files on the disk. OS 9 has no such system and lets anyone with physical access to the machine look at any file. Rebooting an OS X machine to OS 9 thus gives you access to files you might not otherwise have been able to use.
This has nothing to do with files living on some other machine. You can only get data if the server will give it to you, and unless there's a bug in the server it won't care which operating system you use.
posted by Mars Saxman at 5:49 PM on August 5, 2004
A quick scan of Apple's developer site shows that they're up to AFP 3.1 by now; unhelpfully, they don't seem to have any documentation for the older versions, so I can't see what's changed. Still, it's not hard to imagine that the command for requesting file parameters might have changed, and that some obscure piece of emulation code for the old version of the command might be converting the data improperly.
But this would just fool the SE's Finder into thinking you had access to those files; if you tried to open one of them, you'd get an error. A bug deep enough to let you actually get at the contents of any old file would be a big deal indeed, and seems very unlikely.
Most likely, I think, is that your friend misunderstood what he saw; failing that, I suspect a minor bug in the AFP server's handler for whatever the Jurassic equivalent of FPGetFileDirParms was.
On the dual-boot machines, one could boot into OS9 and have control of all the files.
That's different. OS X inherits the unix system of file ownership. You log in under some particular user account, and your account may or may not have access to all the files on the disk. OS 9 has no such system and lets anyone with physical access to the machine look at any file. Rebooting an OS X machine to OS 9 thus gives you access to files you might not otherwise have been able to use.
This has nothing to do with files living on some other machine. You can only get data if the server will give it to you, and unless there's a bug in the server it won't care which operating system you use.
posted by Mars Saxman at 5:49 PM on August 5, 2004
whatever the Jurassic equivalent of FPGetFileDirParms was
"Miss Jones, get me the Whitley contracts!"
posted by mwhybark at 8:55 PM on August 5, 2004
"Miss Jones, get me the Whitley contracts!"
posted by mwhybark at 8:55 PM on August 5, 2004
« Older Help me identify this software- is it spyware? | Can anyone suggest a site that has good... Newer »
This thread is closed to new comments.
1. What version of the OS is on the SE?
2. What networking protocol was used to connect the SE to the other Mac? (Since it's an SE, some pretty old and obscure networking methods might be available)
3. Is your buddy certain that the files he was seeing weren't deliberately shared? Can you provide an example, ideally of a file to be found on every one of the machines?
I do have a vague recollection of non-congruent networking permissions observed in early-version releases of Mac OSX, but nothing I can nail down. I may be recalling the well-known differences between OS9 and OSX. Since OS9 does not have user-level perms, it was common in the early transition era to reboot into 9 to deal with knotty local perms issues by deleteing or moving stubborn files in 9.
My recollection (hallucination?) is that the networking issues were resolved in later releases of OS X and I don't recall that the problems were noted to have been retained in earlier system releases.
I guess, on balance, I'm skeptical, but freely admit that I could be totally wrong.
posted by mwhybark at 11:45 AM on August 5, 2004