“In response to the woefully misleading ZDnet article, Mac OS X hacked under 30 minutes, the academic Mac OS X Security Challenge has been launched,” Dave Schroeder writes for The University of Wisconsin. “The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are ‘unpublished.’ But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.”
Almost all consumer Mac OS X machines will:
• Not give any external entities local account access
• Not even have any ports open
• In addition to the above, most consumer machines will also be behind personal router/firewall devices, further reducing exposure
Schroeder writes, “The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac Mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open – a lot more than most Mac OS X machines will ever have open. Email das@doit.wisc.edu if you feel you have met the requirements, along with the mechanism used. The mechanism will then be reported to Apple and/or the entities responsible for the component(s). There is no prize but recognition (if desired). This is an academic effort.”
More info here.
[Thanks to MacDailyNews Reader “Rory” for the heads up.]
Advertisements:
• Apple’s brand new iPod Hi-Fi speaker system. Home stereo. Reinvented. Available now for $349 with free shipping.
• Apple’s new Mac mini. Intel Core, up to 4 times faster. Starting at just $599. Free shipping.
• MacBook Pro. The first Mac notebook built upon Intel Core Duo with iLife ’06, Front Row and built-in iSight. Starting at $1999. Free shipping.
• iMac. Twice as amazing — Intel Core Duo, iLife ’06, Front Row media experience, Apple Remote, built-in iSight. Starting at $1299. Free shipping.
• iPod Radio Remote. Listen to FM radio on your iPod and control everything with a convenient wired remote. Just $49.
• iPod. 15,000 songs. 25,000 photos. 150 hours of video. The new iPod. 30GB and 60GB models start at just $299. Free shipping.
• Connect iPod to your television set with the iPod AV Cable. Just $19.
Related MacDailyNews articles:
Mac OS X ‘hacked in under 30 minutes?’ Why Mac OS X security is all the rage recently – March 06, 2006
It’s always interesting to attempt to understand the reasoning behind posters like Sputnik who is clearly not a professional in any sense of the word.
IT Professionals NORMALLY have little time to post on message boards and especially IT professionals herding a bunch of Windows machines. They actually have to spend their time keeping those systems running. I currently maintain over 35 macs, all running OS X in various locations. Hence my ability to post here, take long lunches, and spend my time actually enjoying my work. Things don’t break. They just keep running. When I DO have to act in my capacity as the head of IT it is invariably a user knowledge problem. Oh I run Disk Warrior, and keep an eye on things but these machines are otherwise so incredibly stable that my job is easy.
MDN word “How” as in “how can people using Windows even face the day knowing they have to use such backward computer?”
Almost all consumer Mac OS X machines will:
• Not give any external entities local account access
Ok, but the OS should be secure from escalation exploits regardless.
• Not even have any ports open
There is over 65,000 ports on computers and scanning software only does the first 1500 or so, what about the rest?
• In addition to the above, most consumer machines will also be behind personal router/firewall devices, further reducing exposure
Well that’s not fair, the computer should stand on it’s own, it’s a test of the operating system, if it has a chaperone how can a full test be done?
And then your going to snitch if someone does get in, so hackers are just going to give up their secrets?
Dave, your a fscking idiot and this is nothing but a publicity stunt, you’ll only get a few white hats cooperating
That gay cowboy movie not winning the oscar proves my point, Macs suck!
Ummm, folks? Sputnik is being funny. For some time now, whoever posts under the name Sputnik (I’m not sure it’s always the same person) will post the most ridiculous anti-Mac rhetoric conceivable as satire – a way of showing how moronic the Windows fanboys really are. I find it humorous but it’s also disappointing because then the rest of the thread consists of rebuttal from people who don’t recognize the satire.
MacDude, on the other hand, appears to be a real idiot.
Fanatics are generally buttheads. Mac or windows, it doesn’t matter.
Carry on.
MDN magic word: “death”
Read into it what you will.
University of Wisconsin-Madison
Computer Systems Lab
1210 W Dayton St Rm 2350
Madison, WI 53706 USA
Step One Completed
muhahahahahaalalalalalala
to sputnik – missed you! glad to you pop up again.
to MacDude – hee hee.
to all idiots – .|..
to all morons – if you can’t figure out the above, turn the card over (other side – “if you can’t figure out the above, turn the card over”)
and my magic word – girl. seriously. use girl in a sentence everyone.
Let ’em spread the FUD.
I for one like the obscurity of using Macs
More people using Macs won’t drive the price of them down anyhow.
Mac & iPods only get cheap when they are EOL
If you refuse to acknowledge Macs are better then you are SOL
Phooey!!!
No surprise here — more macs sold, more security problems found. Considering that OSX is the swiss cheese of operating systems when it comes to security I was surprised that it actually took 30 minutes to crack it. Wait until all the automatic virus writing software comes out for OSX and the only thing mac users will be doing is formatting their hard drives and reloading the OS.
This is the end of Apple as a computer company. They may be good at making MP3 players and overpriced stereo systems, but their computers are 400% slower than the competition (thanks to Rosetta), $1000 more expensive, and are impossible to buy because of Apple manufacturing screw ups. Apple has so many problems I’m not sure how long they are going to be able to stay in business as a computer company. Maybe if they buy Disney they can at least sell movies?
Lets all watch Apple stock crash as viruses come out of the woodwork and there are no patches or fixes. Time to purchase that PC with XP on it now and Vista at the end of the year to get a fast, efficient, and secure computing environment.
I’ve been checking back all day. Couldn’t this guy have done in the mini during his/her lunch break and made everyone’s chin drop? Get your arse in gear hacker dood and show us how it’s done. I want to see this happen. Back up your claims by being able to redo it on another box. I don’t see any reason why someone with this knowledge would give it up though. If they had found a system to own with some bank account access it would be profitable to keep it quiet. I only know a few people with Macs and they didn’t have any worries about affording the box. I’ve always quipped that Mac users generally have more money than not. I’m one of the exceptions to this rule. I’m a Windows admin.
” width=”19″ height=”19″ alt=”wink” style=”border:0;” />
Port scanning 128.104.16.150
Been 20 minutes and no response.
ssh open my asse, lying sack of %$@#$^
40 minutes and no response.
1: Either it’s a publicity trick or
2: Our dear friend Dave has gone home for the night.
I CRY FOUL!!!
Time to take drastic action, set the alarm on the computer lab Dave?
Dave? Can you hear me Dave?
I’m feeling much better now Dave.
Dave?
Hack an online Mac so that it runs Windows XP without an Admin account. This is from outside, no insider help. I’ll buy you a friggin Dell.
BTW
From: macromancer
sputnik, let me guess, you have neon lights under your car.
That’s the funniest thing I have seen all day. Very Good.
Hey, Mac “Realist” . . .
If you’re so fscking smart (= as financially intuitive as you PROFESS to be), let’s see you put your money where your gargantuan mouth is!
I DARE you to follow through with your dire predictions and buy 1000 shares of AAPL short in tomorrow’s market. You’ll have to put up only a miniscule amount of that as earnest money, so you’re not really risking much capital at all TO PROVE HOW BRILLIANT YOU REALLY ARE!
If you’re not already in bed, respond. Let’s get this party started and see if you have any cojones at all!
Arnold
“40 minutes and no response.
1: Either it’s a publicity trick or
2: Our dear friend Dave has gone home for the night.
I CRY FOUL!!!”
Scan port 22 and port 80 exclusively… you will see them, otherwise it takes forever doing a full scan. They are open though.
The Dude abides
Damn! I just had my car stolen. I was doing this challenge and I gave this guy the keys to my car to see if he could steal it. And he did it under 5 minutes! Chrysler cars are so insecure, or unsecure or something…
Sputnik was abused as a child, only now he likes it!
It never ceases to amaze me when Windows users get “holier than thou” when ANY negative press concerning MAC OS security hits sites like this.
Hey, Microsuckers . . .
In your floating point math minds does 100,000+ really equal 0 real world (not theoretical) exploits/corruptions of your personal computer? Does it REALLY?
If so, George Orwell was absolutely right: Double-think CAN and DOES exist in weak minds like yours!
I thought the ZDNET article was full of it and now this proves it. Let see if Mr. smarty pants who did it in under thirty minutes has any luck this time.
” width=”19″ height=”19″ alt=”rolleyes” style=”border:0;” />
I really doubt it.
Hacking a machine with an account setup for you is not hacking at all and I don’t see how anyone could write a story like ZDNET did. Total FUD! Hacking is when you break in through a firewall which in many cases will be two firewalls. The one on a users router and OSX. Good luck. Then somehow you have to get logged in with a username you don’t have and password. Good luck. Then get admin rights to do anything with it. Really, good luck. I’m sure the 30 minute deadline has come and gone long ago already. Maybe in 30 days, 30 months, 30 years….
flappo –
“sputnik , stfu”
Rude, flappo, very rude. I don’t know if Sputnik’s rants are tongue-in-cheak or genuinely ignorant, and I’m not shy about inviting particularly offensive trolls to leave, but there’s no excuse for hostile vulgarity on this forum. Keep the language civil, please.
Sputnik has a point because the damage is already done, however, MacOSX is inherently a much more secure operating system than anything i have ever used on Windows and while people say because hackers have turned a blind eye to MacOSX, well then that’s a good thing. However, if hackers did try to attack my Mac, me being an informed consumer would just retaliate by putting more internal safeguards on and being more consious about what I download and how I navigate the internet.
I personally think the economy built around Windows flaws and computer security companies are looking for new revenues because of Apples new found popularity.
Point blank, when your on top / the rising star, you’ve got a cross hair on your back and everyone wants a piece of you. Apple may just add some interesting features in the next security update but overall, I don’t see MacOSX even in the near future (1 year from Today, March 7th, 2006) being hacked or attached by any viruses, spyware, trojans, etc that floatt around Windows PC’s. The only way that crap will get on my Mac is if I am dumb enough to allow it access!
some damage is done because news outlets will take the story and publish it without question. Yahoo has already done this.
R said: “S– you’re back! Let me introduce you to MacDude…”
Imagine if the two of them actually have sex one day and (Heaven help us all) produce offspring?
” width=”19″ height=”19″ alt=”shut eye” style=”border:0;” />
If Sputnik is intended to be funny, he does a lousy job if it. If he wants to be satirical, he should be satirical. As it is, he sounds like a cheap troll.
“Sputnik.” Sounds like a commie bastard to me. Deceitful, sneaky, propoganda spewing commie bastard. Hate commies. Can’t trust ’em. Good cigars, but lousy cars. And they want to take your money. Are you a commie bastard, “Sputnik?” Didn’t you know you lost? Spewing more commie nonsense here won’t help your case. I say you’re fired. And I can do it. You know why?
Name on the door.
You’re fired.
-Denny Crane