University of Wisconsin launches Mac OS X Security Challenge

“In response to the woefully misleading ZDnet article, Mac OS X hacked under 30 minutes, the academic Mac OS X Security Challenge has been launched,” Dave Schroeder writes for The University of Wisconsin. “The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are ‘unpublished.’ But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.”

Almost all consumer Mac OS X machines will:
• Not give any external entities local account access
• Not even have any ports open
• In addition to the above, most consumer machines will also be behind personal router/firewall devices, further reducing exposure

Schroeder writes, “The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac Mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open – a lot more than most Mac OS X machines will ever have open. Email das@doit.wisc.edu if you feel you have met the requirements, along with the mechanism used. The mechanism will then be reported to Apple and/or the entities responsible for the component(s). There is no prize but recognition (if desired). This is an academic effort.”

More info here.

[Thanks to MacDailyNews Reader “Rory” for the heads up.]


Related MacDailyNews articles:
Mac OS X ‘hacked in under 30 minutes?’ Why Mac OS X security is all the rage recently – March 06, 2006

59 Comments

  1. This is just a silly little PR stunt.

    The damage is done: a well documented article on the revered technology information news site ZDnet has rocked the Apple Kool-Aid drinkers' party. Multiple viruses and now a proof of concept hack on OS X that allows a remote user root access in less than 30 minutes… wow, the party is over for Apple.

    We in the “real IT world” never had much interest in the unproven and insecure Apple platform and with the soon to be released IE 7 and Vista OS the final nail will be driven into the Apple coffin.

    Maybe the new Intel based Apple hardware will have a future running Vista but the dream of enterprise level workstations running OS X has vanished into thin air…


  2. Interesting that it takes 30 minutes to supposedly hack a Mac that is set up as a webserver with a lot of things enabled that usually are not, but I have read that it takes as little as 10 minutes for a DEFAULT WINDOWS XP installed machine to get hacked.

    MDN Magic word: “Known” as in sputnik is a known cross dresser and idiot.

  3. Thank you U of W for putting it out there in a common sense application. I look forward to seeing the results. The real question is, will ZDNET do an article about this, since it doesn’t support their “Microsoft Superiority” platform?

  4. sputnik says:
    We in the “real IT world” never had much interest in the unproven and insecure Apple platform……….

    Well, of course you wouldn’t – you’d probably be unemployed otherwise. The one thing you can count on is Microsoft’s high maintenance requirements that will keep your job perfectly safe for years to come.

  5. sputnik is hilarious….. seriously, anybody that is THAT delusional that he is convinced Windows is a better platform, it’s kinda like watching a train-wreck every time he posts. simply hilarious….. in a weird sick kinda way… lol

  6. I’ve always been fascinated by corporations and IT departments especially that will go out and get 3 bids on whatever and just simply rely on and pay whatever price is charged for their OS system.

    Doesn’t make good business sense to rely on 1 vendor for anything.

    Choice makes for better products.

    Although it probably makes life easier for IT people to only be educated enough to operate in a Windows environment, it would make sense to be well versed in both. Besides, the entire world doesn’t speak one language. There are many, and as Americans we better wake up and smell that coffee before all we can drink is Kool-Aid.

  7. Well, the U-of-W Hack-A-Mac challenge has been up for 6 hours now, and it certainly has gleaned a lot of attention.

    6 hours…. and counting.

    I expect we’ll finally see U-of-W take down the challenge after a couple of weeks, since they probably want to use that Mac Mini for something more useful than sticking it to ZDNet’s reporters.

    If by chance that Mini is compromised you can bet ZDNet will be all over it.

    If it stays secure you can bet your life that ZDNet won’t ever mention it.

  8. So let me see if I understand…

    I’m no expert, but it seems that the only way this “hacker” was able to do anything to the machine was by being granted a local user account on the machine.

    Do I understand correctly that this is like creating a new user account and giving it to someone locally (just not making it an admin account)?

    If that’s the case, I’ll be sure not to invite any “hackers” over to my house and give them an account and all the time they need to wreck my iMac.

    Unless I don’t get what happened here, this doesn’t really make me nervous.

    I mean, I already knew I could get something bad as long as I found it, downloaded it and gave my password to install and run it. This seems very similar.

    If I am missing something important about this, let me know. Otherwise, call me when some Mac user gets a real virus just by being hooked to the internet (like my Dad’s HP).

    ~M

  9. The mechanism will then be reported to Apple and/or the entities responsible for the component(s)

    That ain’t going to work, you’ve got to go on a Linux site and troll hard, say you like to screw penguins and buttfscked Linus Torvalds or something.

    Then you’ll see something happen, believe me, I know.

    By the way penguins bite.

  10. I’m no Apple fanatic, but Sputnik may have a point, even though he didn’t mean to make it.

    The problem is people read just the headlines, and guys like Sputnik don’t read the actual article and instead spread bile.

    The “hacker” was given an account on the computer he hacked.

    This “break-in” proves absolutely nothing.

    Sputnik, next time spend a minute reading the article so you don’t look so stupid.
