Mac OS X ‘unhacked’ over 24 hours and counting in genuine security challenge

In response to the woefully misleading ZDNet article, “Mac OS X hacked under 30 minutes,” by Munir Kotadia, the academic Mac OS X Security Challenge was launched yesterday morning by The University of Wisconsin’s Dave Schroeder. The ZDNet FUD piece failed to mention that local access was granted to the Mac OS X system and left some readers with the false impression that any Mac OS X machine connected to the Internet can be taken over in just 30 minutes. As Schroeder notes, the Mac OS X “machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.”

So, with a real Mac OS X challenge sitting online, 30 minutes came and went, folks. Long ago. The Mac OS X remains “unhacked” more than 24 hours later.

More info here.



29 Comments

  1. Hacked or not, this sort of challenge is good for Mac OS X. No hack means good press. A hack while someone is watching is good, too. A hole the community knows about can be addressed. Apple has a good track record along these lines. It’s a win/win.

  2. Ipod? We don’t need no steenking iPod! All I need is the OSX install CD so I can enable root user. Then it’s MINE.

    But yeah, an iPod, FW drive, hell, a USB drive would do it too.

    I saw that article on ZDNet yesterday, I couldn’t believe how lame it was, it had all the marks of Ballmer’s sweaty hands all over it…

  3. I agree with one of your claimed fixes.
    Please try this and post a reply Mr trains4m.
    Boot from a FireWire drive and then Get Info on the internal hard drive and select “Ignore permissions on this volume” and then copy whatever you want including the /private/var directory. You can also use DiskEditorX from Norton Utilities to find the hash or even over-write the hash.

    By looking at a 10.2.8 Samba hash next to the new 10.3 hash it suddenly makes perfect sense if you claim to be a Mac expert.
    I anxiously await your results.

  4. C|net, Zdnet, et al are lapdogs for the Windows and IT industry economic ecosystem.

    The advertisers of C|net, Zdnet, et al don’t pay good money to have them report the truth and expose the scam that is the windows and IT industrial complex.

    When the sham that is Longhorn (a.k.a. Vista) is revealed in a few months, expect the FUD about Macintosh to step up a notch.

    If the reported 30 min hack was true, why don’t they turn that UW box into their bitch? Bastards!


  5. It’s great that Mac OS is as secure as it is, but it isn’t perfect. What the test with on computer accounts (the 30 min thing) shows is that a Mac could be hacked behind a firewall in a shared use environment (multiple user accounts).

    That is a common condition in business, government and education. It is a legit concern for IT people, and anybody with an interest in security. Go ahead, grin if you want, but ask anybody with real world IT responsibility if they care that someone can hack from one user account into the rest of a client or system.

    Is the ’30 minute hack’ a legit concern for any personal Mac user? Not really.
    Is it a concern for anybody whose job, business or clients depend on data security? YES. That’s not FUD– it’s a reminder to not be cavalier about security.

  6. murka, synthmeister:

    Not if I have set a firmware password, you won’t.

    From Apple’s web site:

    Open Firmware Password

    About this update

    The Open Firmware Password application allows you to enable security features in Open Firmware. You can use it to prevent others from starting your computer using a CD or other disk with an operating system on it. You can use Firmware password protection to enhance access security to your computer.

    When you set a Firmware password, it prevents others from starting up the computer from a volume other than the one you have chosen as the startup disk (chosen in the Startup Disk preference panel within the System Preferences.) Once security is enabled, you cannot startup from other devices such as an external FireWire disk, a CD-ROM drive, or another partition or disk inside the computer.

  7. What I found interesting about the story is that even with the total, artificial conditions under which it was done, it took 30 minutes even with local access.

    Didn’t I read somewhere that the average unprotected XP box takes only 20 minutes to compromise from the net?

    The 30-minute crack is professionally biased, but the numbers show that it’s still better than the run of the mill windoze box. ZDNet themselves inadvertently “proved” that OS X has better security, even with local access granted.

  8. This challenge is faulty. To be fair, they need to set up two other servers as a control. In other words, set up Windows and Linux servers with the latest patches and have everyone try to break into those servers too. Then we will know which server gets broken into first. They can even give the Windows and Linux servers a handicap.

  9. s:

    What you describe would not be a “controlled” experiment. It would be a diluted one. You are proposing a race.

    A person can only hack one machine at a time.

    A company/user only has one kind of machine/OS. So the challenge, logically, should only have one machine/OS.

    A race is not “fair.” It would be completely unrealistic.

  10. Not really surprised now are we? 30 days will go by and it will still be the same result. It’s amazing that when you do a real test, with real facts, how different the results are.
    Uh…. hello, where is that smart hacker who did it in under 30 minutes now? FUD!

  11. Don’t Miss Something –

    You do have a point about the importance of security in the profession / IT world. Agreed there is a security risk if an approved user can hack his or her way to sysadmin.

    I really am curious. Do you have any data on hacking one’s way to sysadmin on a Windows platform starting from a “trusted” user account? If it is possible on a Mac, it surely must be possible using Windows. And yet, corporations still stick with the Windows platform.

    Peace.

  12. some of you guys are mixing up “local access” with “physical access”. the original rm-my-mac challenge didn’t give the hackers physical access, but instead local “limited” account.

    in a server environment, a regular user should have no way of escalating his privilege to root and therefore, gain control of the box. the fact that it happened pointed to some undiscovered flaw in the OS and it should be reported to Apple for a future patch.

    granted, most of us aren’t going to go around handing out shell accounts (limited or not) to other people, so we’re still safe. =)

  13. “We must FLAME ZDnet. This kinda crappy, misleading reporting (with an obvious agenda) must stop.”

    Well sure, it’s pretty lame what they’re doing, and I agree that it should stop, but listen to yourself, man. We *must* “flame” ZDnet? How is that going to change anything?

    ZDnet Editor: “Well, we’ve seen an astonishing increase in trolling by Mac fans. I guess we better stop what we’re doing.”

    “Shot-from-the-hip” comments like yours only harm our position, CandTsmac, and make people less willing to take us seriously.
