Security Breach In Sector 7 (7/8/03)
Heads up, security mavens! If you're always feeling left out because your Windows-using buddies are off having oodles of fun trying to keep up with incessant patches and holes in Microsoft's Big Stinkin' Ball O' Code, you can now take solace in the fact that the Mac has a hole, too. (Finally, Windows users have no excuse not to switch!) The one that everyone's talking about right now is the buffer overflow in Screen Effects. Faithful viewer Anthony tipped us off to this doozy over the weekend: as described by SecuriTeam, if you're running Mac OS X 10.2.6 and leave your system "locked" by turning on Screen Effects and requiring a password, all anyone needs to do to access your Mac is wedge an eraser in your keyboard and come back five minutes later. D'oh!

See, it seems that Screen Effects is expecting people to enter a password that's maybe ten or twelve characters long; cram an extra thousand or so down its throat and it chokes something fierce. SecuriTeam claims that the overflow is triggered by entering "between 1280 and 1380 characters" into the password field and then pressing return, but we take that to mean at a minimum, and not that, say, 1400 characters is just fine and dandy. Although if it's the latter, that's pretty keen.
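For anyone who wants to see the bug class behind the symptom rather than just the eraser trick, here is an added C illustration. It is not Apple's code and not anything from the SecuriTeam write-up: a password check that copies the typed string into a fixed-size stack buffer with no length check, next to one that refuses anything longer than a declared maximum before the input ever touches fixed-size storage and then compares in constant time. The 64-character limit, the function names and the sample secret and inputs are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed policy for this example: passwords are at most PW_MAX bytes. */
#define PW_MAX 64

enum pw_result { PW_ACCEPT = 0, PW_REJECT = 1, PW_TOO_LONG = 2 };

/* The bug class described above, reduced to its essence: the typed string is
 * copied into a 64-byte stack buffer with no bound, so an entry of a thousand
 * or so characters writes past the end of buf. Shown for contrast only;
 * nothing below calls it. */
int unsafe_check(const char *entered, const char *expected)
{
    char buf[PW_MAX];
    strcpy(buf, entered);               /* overflows when strlen(entered) >= PW_MAX */
    return strcmp(buf, expected) == 0;
}

/* Length of s, but never looks further than cap bytes. A return value equal
 * to cap means "cap or more characters". */
static size_t bounded_len(const char *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != '\0')
        n++;
    return n;
}

/* Hardened form: reject oversized input before it reaches fixed-size storage,
 * then compare over the whole buffer in constant time so the reject path does
 * not leak how many leading characters matched. */
enum pw_result safe_check(const char *entered, const char *expected)
{
    size_t len = bounded_len(entered, PW_MAX + 1);
    if (len > PW_MAX)
        return PW_TOO_LONG;             /* a 1300-character entry ends here, harmlessly */

    size_t elen = bounded_len(expected, PW_MAX + 1);
    if (elen > PW_MAX)
        return PW_REJECT;               /* stored secret violates the policy; never accept */

    unsigned char a[PW_MAX + 1] = {0};
    unsigned char b[PW_MAX + 1] = {0};
    memcpy(a, entered, len);
    memcpy(b, expected, elen);

    unsigned diff = (unsigned)(len ^ elen);
    for (size_t i = 0; i < PW_MAX + 1; i++)
        diff |= (unsigned)(a[i] ^ b[i]);
    return diff == 0 ? PW_ACCEPT : PW_REJECT;
}

/* Feeds safe_check a constructed entry of n repeated 'A' characters, the
 * shape of the oversized input the write-up describes. */
enum pw_result overlong_entry_result(size_t n)
{
    static char entry[4096];            /* constructed sample input buffer */
    if (n >= sizeof entry)
        n = sizeof entry - 1;
    memset(entry, 'A', n);
    entry[n] = '\0';
    return safe_check(entry, "correct horse battery");
}

int main(void)
{
    const char *secret = "correct horse battery";   /* constructed sample secret */
    printf("right password : %d\n", safe_check("correct horse battery", secret));
    printf("wrong password : %d\n", safe_check("open sesame", secret));
    printf("1300 chars     : %d\n", overlong_entry_result(1300));
    return 0;
}
```

The length check has to come first: once the oversized string has been copied into a fixed buffer, no amount of careful comparison afterwards undoes the write that already happened, which is why the bounded version sizes its copy from the checked length rather than from the caller's string.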

Now, it turns out that this could have been a real inconvenience here at the AtAT compound, since, paranoid dweebs that we are, our passwords tend to be sorta long. Like, for example, Act I, Scene iv of Hamlet. (We've always felt that the extra two or three hours we spend typing in lengthy passwords each day is more than offset by the feeling of security such a precaution imparts.) We don't actually use Screen Effects to lock our Macs, and now that we know it'd be less than thrilled with our impression of an infinite number of monkeys, we're not about to start. But what about the security implications for folks with sane passwords?

Well, basically, what this exploit means is that someone who has physical access to your Mac for five minutes can crash your screensaver and get at your stuff. Of course, if they only had three minutes, instead of dorking around with overflowing your screensaver they could always just restart your Mac in single-user mode-- and get at your stuff. And even if you set an Open Firmware password, with physical access to your Mac they could just remove some RAM and reset it-- to get at your stuff. Sensing a pattern, here, people? We're pretty sure that this all means that-- brace yourselves, folks-- if someone has physical access to your Mac, they can get at your stuff. (Dadadadummmmmmm!)

"Ah, but what if I set an Open Firmware password and physically locked the enclosure of my Power Mac to prevent the removal of RAM?" Well, then, genius, you're obviously not the type of person who would be relying on a frickin' screensaver for security in the first place, so the point's sort of moot. That said, the moral of the story is, physical access equals, well, access. If you're really worried about people getting at your private stuff, don't let them get near your Mac, especially if they're carrying erasers and five-minute egg timers.

SceneLink (4061)

The above scene was taken from the 7/8/03 episode:

July 8, 2003: Horror of horrors-- the G5 is 64-bit, but Panther's only 32! Meanwhile, somebody discovers a nifty way to crash the Mac OS X screensaver and bypass the password prompt, and the iTunes Music Store seems to be making some bigger waves in the music industry than we originally anticipated...

Everything you see here that isn't attributed to other parties is copyright ©,1997-2024 J. Miller and may not be reproduced or rebroadcast without his explicit consent (or possibly the express written consent of Major League Baseball, but we doubt it).