“In response to the woefully misleading ZDnet article, Mac OS X hacked under 30 minutes, the academic Mac OS X Security Challenge has been launched,” Dave Schroeder writes for The University of Wisconsin. “The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are ‘unpublished.’ But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.”
Almost all consumer Mac OS X machines will:
• Not give any external entities local account access
• Not even have any ports open
• In addition to the above, most consumer machines will also be behind personal router/firewall devices, further reducing exposure
Schroeder writes, “The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac Mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open – a lot more than most Mac OS X machines will ever have open. Email das@doit.wisc.edu if you feel you have met the requirements, along with the mechanism used. The mechanism will then be reported to Apple and/or the entities responsible for the component(s). There is no prize but recognition (if desired). This is an academic effort.”
More info here.
[Thanks to MacDailyNews Reader “Rory” for the heads up.]
Advertisements:
• Apple’s brand new iPod Hi-Fi speaker system. Home stereo. Reinvented. Available now for $349 with free shipping.
• Apple’s new Mac mini. Intel Core, up to 4 times faster. Starting at just $599. Free shipping.
• MacBook Pro. The first Mac notebook built upon Intel Core Duo with iLife ’06, Front Row and built-in iSight. Starting at $1999. Free shipping.
• iMac. Twice as amazing — Intel Core Duo, iLife ’06, Front Row media experience, Apple Remote, built-in iSight. Starting at $1299. Free shipping.
• iPod Radio Remote. Listen to FM radio on your iPod and control everything with a convenient wired remote. Just $49.
• iPod. 15,000 songs. 25,000 photos. 150 hours of video. The new iPod. 30GB and 60GB models start at just $299. Free shipping.
• Connect iPod to your television set with the iPod AV Cable. Just $19.
Related MacDailyNews articles:
Mac OS X ‘hacked in under 30 minutes?’ Why Mac OS X security is all the rage recently – March 06, 2006
Sputnik is really Steve Ballmer – f U
Through a lucky guess (or just looking at clues above), one of the two local user accounts is das
This is a valid page from the computer:
http://test.doit.wisc.edu/~das/
Does this help anyone?
Please upgrade if you are not running Tiger. Or harden your boxes.
http://www.rixstep.com/1/20060306,00.shtml
One of the unusual things about the “hacked” machine was that Fink was installed. This most likely means that the developer tools were installed (although Fink can install precompiled binaries).
Fink lists a catalog of 6359 open source projects that can be installed, many of which are tools that could help a hacker exploit a machine or that are exploitable in themselves.
what is up with ZDnet?
they really are the worst tech journos you could find.
well i suppose someones got to dislike the mac, and it might as well be scum like zdnet.
Majikthize – stfu 2
For what it is worth, here is a repost of a note I posted elsewhere about this questionable event:
To understand what has happened in this spurious story it is important to read the exact challenge that was made:
http://rm-my-mac.wideopenbsd.org/
And to read the page that reveals the fallacy of the original report as well as provides a REAL – ACTUAL challenge:
http://test.doit.wisc.edu/
My observations:
(1) The original challenge was, as the URL itself points out, to ‘rm-my-mac’. ‘Rm’ specifically means erasing the hard drive. This never happened. The challenge was not exactly met, and I am wondering why this obvious point has been ignored in the press reports. Nonetheless, according to the hacker ‘gwerdna’, he did work his way up from a provided ssh accessible user account up to root access and make changes to the machine.
(2) Gwerdna is NOT actually a ‘hacker’ by definition. Note that I am sticking to the traditional and honorable definition of ‘hacker’, not the abused and stupid definitions floating around the net these days. A real hacker provides the specific method they used to break into a system. Gwerdna never did this. Instead he keeps his methodology a secret. This means that (A) gwerdna is a ‘cracker’, that being someone who breaks into a system for no other purpose that to perpetrate damage. Crackers have no interest in improving the system the ‘crack’. Yes, gwerdna chatters on about related information, but never provides any useful knowledge to prevent similar cracks in the future. (B) Since gwerdna’s methods remain unknown they are, from a scientist’s perspective, unreproducible and therefore unprovable. Apparently gwerdna was on the machine with a level of access that allowed him to change aspects of the machine. That is ALL we actually KNOW about what happened. Talking about some undocumented method of cracking a Mac does NOT at all PROVE that the crack even exists. For all we know this entire event is a perpetrated joke and anyone believing it is being laughed at. That is how very poorly this event has been documented and understood. Let gwerdna prove how he cracked the Mac. Then he will gain credibility and will rise to the level of the much more worthwhile role of hacker.
3) The challenge being given in the second URL above is true-to-life versus the goofy original challenge that actually gives hackers inside access to the machine.
4) Like many thousands of Mac OS X Server users, I have had a machine running full time on the Internet for years without a single incidence of being hacked or cracked. In my case the machine has been running since August 2001. I frequently get people and bots attempting to crack in, most commonly by faking an ID and password. All attacks have been repelled. And this machine only runs lowly old Mac OS X Server 10.1.3.
So does this report of cracking of a Mac Mini make me worry? Nope! Nonetheless I am a fan of security and see nothing wrong in overdoing it: I run a frequently updated virus scanner, Paranoid Android (recently updated and still better than MOSX built-in security), and if folks have the money to buy it I also recommend using Little Snitch which provides inside firewall security not yet available in MOSX.
The guys homepage just in case…
http://das.doit.wisc.edu/
I guess without a user account on the system, it is just too hard for the mighty “hacker” to do anything.
Maybe Wisconsin could give him an Admin account and let him take the Mac and a Peach Pit Press book home for the weekend.
Would that help you “Andrew”?
~M