University of Wisconsin launches Mac OS X Security Challenge

“In response to the woefully misleading ZDnet article, Mac OS X hacked under 30 minutes, the academic Mac OS X Security Challenge has been launched,” Dave Schroeder writes for The University of Wisconsin. “The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are ‘unpublished.’ But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.”

Almost all consumer Mac OS X machines will:
• Not give any external entities local account access
• Not even have any ports open
• In addition to the above, most consumer machines will also be behind personal router/firewall devices, further reducing exposure
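The list above is the check a defender actually wants to run on a machine: which listening sockets are reachable from the network at all? The following shell function is an added example, not part of the article or of the Wisconsin challenge; it parses `netstat -an`-style output and reports only the ports bound to a wildcard address, which is what "ports open" means in the sense used here. The netstat text embedded in the script is constructed sample output (one box with ssh and http open, as in the challenge, and one consumer-style box with only a loopback listener); on a live Mac OS X host you would feed it the real output of `netstat -an -p tcp` instead.

```shell
#!/bin/sh
# Added example: audit network-reachable TCP listeners from netstat output.
# Not from the article. The two samples below are constructed, not captured.

# Constructed sample: a host configured like the challenge machine
# (ssh and http listening on all interfaces, CUPS on loopback only).
SAMPLE_CHALLENGE_HOST='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  192.168.1.5.52341      17.250.1.1.443         ESTABLISHED'

# Constructed sample: a consumer-style host with nothing listening on a
# network-facing address (only a loopback service).
SAMPLE_CONSUMER_HOST='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  192.168.1.7.49160      17.250.1.1.443         ESTABLISHED'

# list_exposed_ports NETSTAT_TEXT
# Prints, space-separated and sorted, the TCP ports in LISTEN state whose local
# address is a wildcard (*, 0.0.0.0 or ::). Loopback-only listeners are skipped
# because they are not reachable from the network. The BSD netstat format
# joins host and port with a dot, so the port is the last dot-separated field.
list_exposed_ports() {
    printf '%s\n' "$1" | awk '$NF == "LISTEN" {
        n = split($4, a, ".")
        port = a[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        if (host == "*" || host == "0.0.0.0" || host == "::") print port
    }' | sort -n | paste -sd ' ' -
}

# count_exposed_ports NETSTAT_TEXT
# Number of network-reachable listeners; 0 matches the "not even have any
# ports open" posture described for consumer machines.
count_exposed_ports() {
    list_exposed_ports "$1" | awk '{ n += NF } END { print n + 0 }'
}

# Stand-alone run: report both constructed hosts.
for label in CHALLENGE CONSUMER; do
    eval "sample=\$SAMPLE_${label}_HOST"
    echo "$label host: $(count_exposed_ports "$sample") exposed port(s): $(list_exposed_ports "$sample")"
done
```

Run it as-is to see the two constructed reports, or replace the sample text with `netstat -an -p tcp` output from the machine you are auditing. A result of zero exposed ports is the baseline the article describes for a default consumer install; anything listed is a service that an attacker on the network can reach without first holding a local account, which is exactly the distinction the challenge is trying to make.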

Schroeder writes, “The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac Mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open – a lot more than most Mac OS X machines will ever have open. Email das@doit.wisc.edu if you feel you have met the requirements, along with the mechanism used. The mechanism will then be reported to Apple and/or the entities responsible for the component(s). There is no prize but recognition (if desired). This is an academic effort.”

More info here.

[Thanks to MacDailyNews Reader “Rory” for the heads up.]


Related MacDailyNews articles:
Mac OS X ‘hacked in under 30 minutes?’ Why Mac OS X security is all the rage recently – March 06, 2006

59 Comments

  1. This is just a silly little PR stunt.

    The damage is done: a well-documented article on the revered technology information news site ZDnet has rocked the Apple Kool-Aid drinkers' party. Multiple viruses and now a proof-of-concept hack on OS X that allows a remote user root access in less than 30 minutes… wow, the party is over for Apple.

    We in the “real IT world” never had much interest in the unproven and insecure Apple platform, and with the soon-to-be-released IE 7 and Vista OS the final nail will be driven into the Apple coffin.

    Maybe the new Intel-based Apple hardware will have a future running Vista, but the dream of enterprise-level workstations running OS X has vanished into thin air…


  2. Interesting that it takes 30 minutes to supposedly hack a Mac that is set up as a webserver with a lot of things enabled that usually are not, but I have read that it takes as little as 10 minutes for a DEFAULT WINDOWS XP installed machine to get hacked.

    MDN Magic word: “Known” as in sputnik is a known cross dresser and idiot.

  3. Thank you U of W for putting it out there in a common sense application. I look forward to seeing the results. The real question is, will ZDNET do an article about this, since it doesn’t support their “Microsoft Superiority” platform?

  4. sputnik says:
    We in the “real IT world” never had much interest in the unproven and insecure Apple platform……….

    Well, of course you wouldn’t – you’d probably be unemployed otherwise. The one thing you can count on is Microsoft’s high maintenance requirements that will keep your job perfectly safe for years to come.
