Slashdot is powered by your submissions, so send in your scoop


Forgot your password?

Mac OS X Security Competition Ends in 30 Minutes 388

ninja_assault_kitten writes "ZDnet is running an article on how a Swedish Mac OS X enthusiast held a competition to prove how good security was on his new fully patched Mac Mini was. Unfortunately, 30 minutes after the competition began, a hacker known as 'gwerdna' had broken in and defaced the website, thus winning the contest. According to gwerdna, 'Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders.'." It's also worth noting a piece that says all the security news is much ado about nothing, in practical terms. The security contest also allowed people to have local access via SSH, so that had a lot to do with the crack.
This discussion has been archived. No new comments can be posted.

Mac OS X Security Competition Ends in 30 Minutes

Comments Filter:
  • by good soldier svejk ( 571730 ) on Monday March 06, 2006 @12:00PM (#14858298)
    Or at least restrict by host at the firewall. On OS X, remember to turn on ipfw's statefulness. []
  • by leonmergen ( 807379 ) <(lmergen) (at) (> on Monday March 06, 2006 @12:03PM (#14858318) Homepage

    That's one of the first things you turn off to protect the machine.

    Because the goal was to test the mac mini's security, not the ability of the system administrator to secure the box...

  • by AKAImBatman ( 238306 ) * <akaimbatman&gmail,com> on Monday March 06, 2006 @12:04PM (#14858331) Homepage Journal
    What was this fool trying to prove? He allowed direct SSH access to the machine! Of course someone is going to hack it! Once you're inside the system, it becomes incredibly easy to find configuration mistakes, and exploit holes in priviledged programs. Remember, this system runs much of the same software as Linux and FreeBSD. Much of that software hasn't been properly audited and locked down. Why? Because this is a desktop machine.

    Mac OS X security primarily stems from not doing anything stupid by default. Which means that there are no remote services enabled, the system tries to be intelligent about handling executable files (like most Unixes), and super-user functionality is handled by Sudo. But that's not a bullet-proof vest. There's nothing in the system that makes it automagically secure against all attacks. So if you want security, don't turn on those remote services, and don't give out SSH accounts!
  • by falkryn ( 715775 ) on Monday March 06, 2006 @12:05PM (#14858346)
    it was setup as a typical server. without ssh, how exactly would you propose enabling access to it? telnet?? unless you actually like having to console in to 100+ servers via a serial cable...
  • by RichDiesal ( 655968 ) on Monday March 06, 2006 @12:09PM (#14858383)
    I'm not really sure why this competition happened in the first place. If you were a Mac OS X enthusiast wanting to show the "amazing" security of your OS, why would you leave the first major door wide open?

    And who gains from this publicity? It would seem like sponsoring a hacking competition that took MORE than 30 minutes (seemingly the goal of such an event) would be good for Apple, but then why leave the system more vulnerable at the start of the contest? And if it was really sponsored by an anti-Apple group posing as an pro-Apple group, why have the hacker claim that Macs are essentially "small pickin's"?

    It just doesn't make sense...
  • by tpgp ( 48001 ) on Monday March 06, 2006 @12:09PM (#14858389) Homepage
    Yes, there are local privilege escalation vulnerabilities; likely some that are "unpublished". But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.

    Whilst I agree that this is not the same as a remote exploit, do not underestimate the seriousness of local privilege escalation.

    For instance, an unpatched local privilege escalation, used in conjuction with the vulnerability discussed in this article [] could result in a rooted machine - simply from visiting a hostile website (or even a website you visit regularly, that runs IIS and has been hacked itself)

    I don't believe (as some pundits seem to) that Mac OS is a Microsoft style security disaster only awaiting the attention of hackers to happen - but I do believe that Mac owners are going to have to start paying a little more attention to security matters then they currently are.
  • Re:The only way.. (Score:2, Insightful)

    by ArcherB ( 796902 ) on Monday March 06, 2006 @12:13PM (#14858438) Journal
    To fully protect a Windows/Linux/BSD/OS X box, is to plug out the network-cable

    You forgot to lock the door and remove the keyboard, mouse and monitor.
  • by shotfeel ( 235240 ) on Monday March 06, 2006 @12:13PM (#14858439)
    Or in this case, the ability of the system administrator to open up the box...

    SSH is off by default, the admin had to turn it on.

    Hackers don't generally have shell accounts -the admin had to set them up.

    So if you take steps to make the Mac Mini less secure, then advertise you've done so, it gets hacked. Expect all major tech outlets to cover this new and amazing Mac vulnerability (you think I'm joking?).
  • by falkryn ( 715775 ) on Monday March 06, 2006 @12:14PM (#14858451)
    true, though a timeshare box on a college campus is somewhere you would easily see such a setup. remember though, this is (supposed to be) a *nix we're talking about. local user accounts should not be able to inflict such damage due to better seperation of priviliedges that exist in this world.
  • by Hrothgar The Great ( 36761 ) on Monday March 06, 2006 @12:15PM (#14858453) Journal
    I think you are missing the really obvious point here - the fact that granting shell access over SSH leads to a non-administrative user gaining root access in 30 MINUTES makes the OS entirely unsuitable in a server environment.

    True, a Mac Mini isn't typically going to be used as a server, but if Apple decides to make some kind of Intel based server, this kind of thing is a HUGE problem.
  • by Golias ( 176380 ) on Monday March 06, 2006 @12:17PM (#14858478)
    Why does the word "astroturf" slowly creep into my waking mind as I read more and more about this bogus contest.
  • by jd142 ( 129673 ) on Monday March 06, 2006 @12:18PM (#14858485) Homepage
    without ssh, how exactly would you propose enabling access to it?

    Restrict the ip addresses of the computers that can access the ssh connection. Ah, you'll say, then all the attacker has to do is get access to the computer that is on the allowed ip address list. True, but let's say you are a company with the web server That's a nice public target running apache, mysql, php, etc. All the things a good lamp server should run. That's going to be the public target.

    If I want to ssh in, I first have to connect to a different box. The thing here is that this ssh box (I'll just call it that to save typing) doesn't have to run anything but the os and ssh, thus lowering the number of software packages that can open a vulnerability. Remember, every daemon you run, every piece of software you install, every service that's enabled is another potential whole. The second part to this is that the ssh box is not a big target. It's dns name may be something like or ideally its name isn't even registered in dns. Either way, the bullseye is going to be on for the casual cracker. Only someone who is specifically interested in my company is going to try to find a way in. The script kiddies will just see that ssh doesn't respond and go on to the next webserver.
  • by AKAImBatman ( 238306 ) * <akaimbatman&gmail,com> on Monday March 06, 2006 @12:26PM (#14858563) Homepage Journal
    remember though, this is (supposed to be) a *nix we're talking about. local user accounts should not be able to inflict such damage due to better seperation of priviliedges that exist in this world.

    But you need to remember that OS X is not designed for remote, multi-user usage. The features are there, but mostly for adminstrative purposes. The machine is first and foremost a Desktop machine that is intended to keep good guys in and bad guys out.

    Also keep in mind that it is incredibly difficult to properly configure a Unix system to be completely secure against users with shell accounts. Such security requires a complete system lockdown, complex partitioning, reassignment of services to non-root accounts, jailing of priviledged services (or equivalent), and several other procedures that I sincerely doubt that this guy performed. (In fact, the article confirmed that he could have locked the system down further, but didn't.)

    By handing out shell accounts, he might as well have been handing out the root password to his system.
  • by Bogtha ( 906264 ) on Monday March 06, 2006 @12:26PM (#14858569)

    Mac OS X security primarily stems from not doing anything stupid by default.

    And, apparently, the assumption that you trust all of your local users. So what if most people use Macs for desktops? Plenty of people use them for servers as well, and apparently OS X isn't secure by default for them.

    Even in the desktop case alone, you can't seriously consider denying local access to be enough as far as security is concerned. Decent security has multiple levels, and this is a case where one of those levels has failed in a very public way. Spinning it as "oh, but he shouldn't have done that" ignores that failure.

  • by JustASlashDotGuy ( 905444 ) on Monday March 06, 2006 @12:29PM (#14858592)

    What to have some fun? Count how many post show up that try to make excuses
    for the Mac. Man, if this were a windows box, I assure you that 99% of the
    the post would be slamming MS w/o a second thought.

    Although people want to point out that they shouldn't have allowed people to
    have a SSH connection, you need to keep in mind that an SSH connection was
    allowed because they thought the config was secure enough to handle it.

    I do give them kodos for allowing the hack contest to take place. The best
    way to test your software is to allow others to try and break it. Hopefully
    they will fix the exploit and run the contest again.
  • by Chemisor ( 97276 ) on Monday March 06, 2006 @12:29PM (#14858598)
    Excuse me, but if your OS can be rooted in 30 minutes from a local account, you have no business calling it secure. UNIX is supposed to have multiple local accounts and still be secure with them all running. If you close down every network port on a machine and say "come get me now", that's really not saying much. I, for one, would really like to know how he managed to get root from a local account, so I can verify I don't have the same problem on my server, which really does have ssh access to more than one person.
  • by adolfojp ( 730818 ) on Monday March 06, 2006 @12:30PM (#14858604)
    The safest computer that you can get is one that is not connected to the wall. Then again, it will not be very usefull.

    Turning off functionality because of security is not acceptable. It the OS offers certain features, they should be secure, otherwise, they are flawed. Stop apologizing for Apple computer and its defects.

  • by Jack Johnson ( 836341 ) on Monday March 06, 2006 @12:32PM (#14858626)
    This is hardly irrelevant.

    I'm disturbed by the attitude that anything but a remote exploit against an ideally (not typically or justifiably) configured box is meaningless or misleading.

    What good is a door if it's welded shut? Wouldn't a proper lock be more useful?

    Security should be about maximizing functionality securely, not limiting it.

  • by shotfeel ( 235240 ) on Monday March 06, 2006 @12:34PM (#14858636)
    Yep, cuz' we know stupid Mac users are always going around enabling SSH and giving shell accounts to total strangers.

    Oh, wait, 99.9% of Mac users are blissfully ignorant of what security defaults to change to make their system more hacker-friendly.
  • by Phanatic1a ( 413374 ) on Monday March 06, 2006 @12:40PM (#14858703)
    So SSH was on and accessible?

    My ISP, Panix, will gladly sell you a shell account. You can SSH into it, or telnet, if you don't care. And yet, they're not rooted every 30 minutes. Or, ever.

    If giving someone SSH access is 30 minutes away from giving them root, that's not secure.
  • by Bert64 ( 520050 ) <bert&slashdot,firenzee,com> on Monday March 06, 2006 @12:43PM (#14858741) Homepage
    Yes, local security holes are an issue...
    But a much worse issue, would be simply running as a privileged user already (no privilege escalation necessary). So no matter how many local privilege escalation holes OSX has, it's still not as bad for an end user as default installs of windows are.
  • by AKAImBatman ( 238306 ) * <akaimbatman&gmail,com> on Monday March 06, 2006 @12:46PM (#14858776) Homepage Journal
    Like all systems, tradeoffs have to be made. I'm sitting next to a Sun Solaris system with JDS on it right now. To get the system running like I want it, I constantly have to resort to the root account to install the simplest of software. (Replace root access with sudo as you prefer.) I have to do this because it is a locked down machine intended to run software packages approved by management. Under this configuration, it's pretty hard to gain root access even with a local account.

    This configuration absolutely sucks for a home user.

    A home user can't install new software without providing a root (or sudo) password everytime they want to try a software package, they can't update the system configuration from the GUI, they can't start and stop their personal webserver, they can't look at the drive space remaining without having to decode a complex partitioning scheme, they can't do a lot of things that Mac OS X lets them do without interfereing. If Mac OS X *did* restrict these activities, users would balk at the user-unfriendliness and go back to Windows.

    So it comes back to a matter of design. It's easy to say, "that should have been secure!", but the costs of making that secure would have been too high for the average home user. Mac OS X's security has been proven to date to be sufficient for what it was designed to do, and has been shown to be at least as secure (perhaps moreso) than your average FreeBSD or Linux desktop. Show me the beef of the problem (i.e. everyday machines being compromised on a scale similar to Windows) and I'll agree with you that Mac OS X is insecure for its intended purpose. Until then, however, I'm going to go with the fact that this guy wasn't thinking straight.

    Plenty of people use them for servers as well

    Which is why Apple produces OS X Sever Edition.

    and apparently OS X isn't secure by default for them.

    You show me a server situation that involves hundreds of anonymous, remote logins to a system without any lockdown of the services to move it from a home server to a full-blown webserver, and I'll agree with you. I, personally, can't think of such a situation. Some webhosts provide SSH access, but they certainly don't run a default Linux or FreeBSD installation unless that distribution has been preconfigured for the security they need.
  • by gowen ( 141411 ) <> on Monday March 06, 2006 @12:46PM (#14858777) Homepage Journal
    But you need to remember that OS X is not designed for remote, multi-user usage
    That excuse was bullshit when it was used to defend Windows boxes, and, amazingly, it remains bullshit when applied to fashionable platforms, too.
  • Re:RTFM guys... (Score:3, Insightful)

    by MBCook ( 132727 ) <> on Monday March 06, 2006 @12:54PM (#14858869) Homepage
    The rm-my-mac challenge was setup similar to how you would have a Mac acting as a server[...]

    Wrong. He was using OS X, not OS X Server. Running a little website behind a firewall is probably safe with OS X. Handing out shell accounts on a desktop os?

    From his site: It runs a default install of Mac OS X Tiger, plus fink and some decent versions of Apache, MySQL and PHP. Software Update recently updated it to Mac OS X 10.4.5 and fixed some security issues.

    Default install of Mac OS X Tiger.

    Apple has a server operating system. If you want to run your Mac as a server out on the internet, you should be running the server operating system, not one that is optimized for being a desktop.

    Think he could have done this as easily with a computer running a proper server OS? Ask MS about how easy it is to hack your internet server running XP Pro and they would probably tell you that you should be running 2003.

    Go ask Rackspace, CI Host, DreamHost, or anyone else if they would put up shared servers running XP Pro or OS X. My guess is they would all laugh at you. They would run 2003 or OS X Server.

    Macs aren't perfect. But in perspective, this guy had to hand out accounts to the computer. Compare that to Windows vulnerability that we have all seen where the computer can be hijacked while it is still booting. I'd say I still have the more secure OS, of the two.

  • by AKAImBatman ( 238306 ) * <akaimbatman&gmail,com> on Monday March 06, 2006 @01:02PM (#14858956) Homepage Journal
    That excuse was bullshit when it was used to defend Windows boxes

    That excuse would work for Windows if Windows didn't ship with remote vulnerabilities built-in. Unfortunately, it does. Regularly. Without fail.

    When someone can prove that OS X has the same problems (which is pretty difficult with zero open ports, and 2 degrees of separation between attachments and executable code) then I'll jump on the "OS X isn't secure" bandwagon. But for now, it remains far more secure than Windows which can be so easily exploited thanks to the number of services it exposes to the Internet by default, and the ease with which executable files can be disguised as legitimate documents.
  • by Anonymous Coward on Monday March 06, 2006 @01:08PM (#14859012)
    If my Linux box was exploitet in 30 minutes I would admit there was a bug and try to fix it. It's serious if you can't even trust basic unix security. It shouldn't be able to be rooted no matter what desktop programs where sitting on it.
  • by ChrisA90278 ( 905188 ) on Monday March 06, 2006 @01:17PM (#14859106)
    That's one of the first things you turn off to protect the machine. No, you don't have to turn it off. Just don't give out user accounts to other people. These guys who broke in where gien accounts with passwords. SSH is very secure as long as you closely control what accounts may be accessed via ssh and varify that these accounts use strong passwords. But if you machine has an account with username "bob" and uses "bob" as the password your sytem is wide open, or at least Bob's account is.
  • not good test (Score:1, Insightful)

    by jonathanduty ( 541508 ) on Monday March 06, 2006 @01:23PM (#14859180) Homepage
    The security contest also allowed people to have local access via SSH, so that had a lot to do with the crack." Thats like giving someone the keys to your house and seeing if they can steal something.
  • by Anonymous Coward on Monday March 06, 2006 @01:34PM (#14859305)
    There are two lessons to learn here.

    First, if you're running services from your Mini-Mac workstation connected directly to the internet, don't enable ssh without a strong upstream firewall.

    Secondly, don't hand out local accounts to someone named 'gwerdna'.
  • by adolfojp ( 730818 ) on Monday March 06, 2006 @01:52PM (#14859487)
    SSH was designed to be a secure comunications protocol.

    It is not an open door or window like your analogy suggests. It is a door with a lock. Locks can be picked, but the solution is not to build houses without doors, but to improve and fix the locks on them.

    SSH will be insecure only if it is implemented wrongly. Disabling it should not be the solution, just an ugly patch. What should be the alternative if you needed to use SSH on your system?

  • by k2r ( 255754 ) on Monday March 06, 2006 @02:00PM (#14859576)
    Then he should put his gpg public key at [] and sign and publish on slashdot an invitation to hack this machine to prove that he's the owner of this machine.

  • Grammar facism (Score:3, Insightful)

    by nasch ( 598556 ) on Monday March 06, 2006 @02:03PM (#14859608)
    "Would HAVE", not "would OF".
  • by Coryoth ( 254751 ) on Monday March 06, 2006 @02:24PM (#14859797) Homepage Journal
    So SSH was on and accessible? Dumb move. Like saying "I dare you to steal my jewelry from my bedroom -- oh, and my house is unlocked with the windows open."

    There have been SELinux security competitions that gave out SSH access as root and the boxes remained quite safe. There do exist standards of security which make your standards look remarkable poor and forgiving. Good security does exist, and pretending that it doesn't does not make you any more secure.

  • by Kadin2048 ( 468275 ) <> on Monday March 06, 2006 @02:37PM (#14859936) Homepage Journal
    I believe that Mac OS X Server has sshd running by default -- if you think of how it's intended to be used, this is not just a feature, but possibly quite necessary. Setting up a rack of headless servers could be quite a PITA if they didn't have ssh running by default -- you'd have to connect to them over the serial port and turn it on for each machine (or create a custom HD image where it was enabled and load it to each machine).

    I think there are probably some also remote-administration services running by default on Server, but don't quote me on that. I know for sure that ssh is not running on regular, consumer MacOS, however. (I just set up a new G5 a few days ago and I had to turn it on manually.)

    I think it's also worth pointing out that based on my understanding of the article in question here (the second link in the summary doesn't point to what I think it originally did), ssh wasn't just running on the machine, attackers were allowed to log-in as a non-root user. So really what happened wasn't a cracking in the strict sense, but privilege escalation. Still bad -- and I'm rather annoyed that "gwerdna" or whatever his name was didn't tell us what this great "unpublished and unreported vulnerability" was that he used, but I don't think that it means that any box is compromisable simply by virtue of running sshd.
  • by Vernalex ( 565965 ) <> on Monday March 06, 2006 @02:38PM (#14859949) Homepage
    No, it's not like leaving your doors open. No, it's not like leaving your windows open. No, it's not like leaving both open. It's not a house, it is a computer. And they are not doors or windows; it is a daemon that is extremely popular. If you're going to use metaphors then at least come up with a better comparison. Such as, it's like letting someone walk into a bank and giving them a bank account. But, metaphors suck and people just use them to muddle the topic they're arguing so their side of the argument sounds better.

    Mac fanboys are always screaming about how their OS is so much better. It used to be that their computers were easier to use, and then Apple tossed out their easy OS. It used to be that SCSI was better, and Apple threw that out. It used to be that G3s, then G4s, and then G5s were better than Intel equivalent, and Apple switched to Intel. And next we're going to find out what we already know, that their computers aren't much, if any, more secure.

    And this guy proved that this OS was just as insecure as Windows, Linux, or any other network aware OS. And you can't say it wasn't a remote vulnerability, because it was accomplished through a network and the person was able to do what they shouldn't have been able to do, thus a remote vulnerability. It's an OS, written by imperfect people with imperfect tools. If this were a Windows box that was hacked through TS or RDP then you'd be all over calling Windows so easy to hack.

    And yes, this wasn't an anonymous crack but that is no excuse. A password could be guessed through many means and you're saying if that someone guesses a user password then it doesn't matter that they can elevate tasks, and that's a bunch of crap. All computers are firewalled now out the box, but a server is only as good as the services it provides which means you need to open it up. This means that a computer is only as secure as it is when it's doing things.
  • by Anonymous Coward on Monday March 06, 2006 @03:04PM (#14860213)

    If my Linux box was exploitet in 30 minutes I would admit there was a bug and try to fix it. It's serious if you can't even trust basic unix security. It shouldn't be able to be rooted no matter what desktop programs where sitting on it.

    Unless you're running one of the super locked down Linux distros, if you give anyone who wants it a shell account it will be rooted in 30 minutes too. This is not news. Mac OS X and most Linux desktop distros are in the middle of the security spectrum. They are hard to break in remotely unless you're really good. They are non-trivial to compromise locally, but a middling competent security guy or cracker can do it. This means they are both pretty robust against script kiddies and worms from the outside and are "good enough" for the average university campus. The bright students will be able to hack them from their (or another user's) account. A really good cracker will probably be able to get in remotely.

    If your data is likely to be the subject of attack by experts you have no business storing it on most Linux distros or OS X. You want OpenBSD or SELinux, or the like. Anyone who follows security already knows all this though.

    Is the local escalation a bug? Yes it is. Should it be fixed? Yes it should. Is this news? No this is over-hyped nonsense. Local escalation exploits are always appearing and always being fixed. Any security guy will tell you if someone is on the box and has a clue, they will find one, unless you're running jails or some other high security setup. Once you give them a valid account and password you've bypassed all of the main defenses and a smart guy will find a hole. OS X is a casual desktop environment, not a ultra-secure server. If this is news to anyone, then they are not a security person.

    P.S. I work on a ultra-secure device, used by security experts in the government and other large organizations. We have some really good security guys who review it. Even so we had a trivial local privilege escalation in one version. It was no big deal because once someone has access, it is expected that they will find some hole. Very few OS's would claim to provide real security at that point and most of them do so by providing either a specialized interface (not general purpose computing) or using a virtual machine strategy.

  • by Kadin2048 ( 468275 ) <> on Monday March 06, 2006 @03:12PM (#14860300) Homepage Journal
    It was six hours, thirty minutes, not thirty minutes absolute. The linked article is full of vague claims and a few outright mistakes, that being one of them.

    I would like to know the guy's methods also, but apparently he's not revealing how he accomplished the escalation (although he does make some rather ridiculous-seeming claims that it would still work against a locked-down machine, which implies remote root-ability).

    I agree that local priv escalation exploits are a problem, but they're a different sort of problem than a 30-minute remote-root exploit, which is what the article suggests is the case on first glance.

    Personally I would really like to see similar competitions against default-installs of some other OSes: a "workstation" install of Ubuntu perhaps, maybe Red Hat Enterprise Desktop, and Windows XP. I think you'd find that there are quite a few ways to escalate privileges on these systems also, once you have a user account.
  • by RetiredMidn ( 441788 ) * on Monday March 06, 2006 @04:52PM (#14861467) Homepage
    I don't know what this guy was trying to prove, but his blind faith in Apple got him burned.

    Considering that the picture of the machine posted on the web site (which now seems to be unavailable) showed it sitting on a shelf next to Windows programming books, I'm guessing that his "blind faith" is in something other than Apple, and his motiviation was to generate the misleading buzz that ZDNet and Cnet are facilitating.

  • by Thrudheim ( 910314 ) on Monday March 06, 2006 @05:01PM (#14861550)
    "Man, if this were a windows box, I assure you that 99% of the the post would be slamming MS w/o a second thought."

    If it were a Windows box that were hacked by someone who was given an ssh account on the machine, nobody would be surprised, for one thing. The Windows defenders would be arguing, just like Mac users here, that such a setup does not represent anything like what the average person will use, and they would be right.

  • by kimble3 ( 736268 ) on Monday March 06, 2006 @06:19PM (#14862252)
    While the implications of this "test" are debateable, what I would really like know is how the hack was done. Is there some flaw in OS X that was exploited? Or did the admin do something else silly like make the root password something simple like "hello" and it was guessed/dictionary attacked. Is this a Mac OS X specific hack? Or did they use a vulnerabilty that is common to other UNIX flavors as well?
  • by IdahoEv ( 195056 ) on Monday March 06, 2006 @09:01PM (#14863283) Homepage

    You're describing an OS that hasn't been sold in 4-5 years, will not run on any currently-produced hardware, and because it is closed-source and nonstandard, cannot be easily used with the vast majority of modern server applications, languages, and tools being used these days.

    I have faithfully used the mac for 15 years and I agree there were some strong security benefits to the classic OS. At the same time, when I am working as an admin and/or developer these days I want recent versions of MySQL and PHP, and I want to be able to shell into my server remotely to be able to administrate it.

    If I just happened to have an ultra-security-required web application that didn't need much throughput or capability I might run it on OS 9 on an old G3. But that's definitely a tiny niche. Everything else I'll do with a modern mix of OS X and LAMP, thank you very much.

"The eleventh commandment was `Thou Shalt Compute' or `Thou Shalt Not Compute' -- I forget which." -- Epigrams in Programming, ACM SIGPLAN Sept. 1982