“In response to the woefully misleading ZDnet article, Mac OS X hacked under 30 minutes, the academic Mac OS X Security Challenge has been launched,” Dave Schroeder writes for The University of Wisconsin. “The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are ‘unpublished.’ But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.”
Almost all consumer Mac OS X machines will:
• Not give any external entities local account access
• Not even have any ports open
In addition to the above, most consumer machines will also be behind personal router/firewall devices, further reducing exposure.
Schroeder writes, “The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac Mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open – a lot more than most Mac OS X machines will ever have open. Email email@example.com if you feel you have met the requirements, along with the mechanism used. The mechanism will then be reported to Apple and/or the entities responsible for the component(s). There is no prize but recognition (if desired). This is an academic effort.”
More info here.
[Thanks to MacDailyNews Reader “Rory” for the heads up.]