Mac OS X ‘unhacked’ over 24 hours and counting in genuine security challenge

In response to the woefully misleading ZDnet article, Mac OS X hacked under 30 minutes, by Munir Kotadia () the academic Mac OS X Security Challenge was launched yesterday morning by The University of Wisconsin’s Dave Schroeder. The ZDNet FUD piece failed to mention that local access was granted to the Mac OS X system and left some readers with the false impression that any Mac OS X machine connected to the Internet can be taken over in just 30 minutes. As Schroeder notes, the Mac OS X “machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.”

So, with a real Mac OS X challenge sitting online, 30 minutes came and went, folks. Long ago. The Mac OS X remains “unhacked” more than 24 hours later.

More info here.

Advertisements:
Apple’s brand new iPod Hi-Fi speaker system. Home stereo. Reinvented. Available now for $349 with free shipping.
Apple’s new Mac mini. Intel Core, up to 4 times faster. Starting at just $599. Free shipping.
MacBook Pro. The first Mac notebook built upon Intel Core Duo with iLife ’06, Front Row and built-in iSight. Starting at $1999. Free shipping.
iMac. Twice as amazing — Intel Core Duo, iLife ’06, Front Row media experience, Apple Remote, built-in iSight. Starting at $1299. Free shipping.
iPod Radio Remote. Listen to FM radio on your iPod and control everything with a convenient wired remote. Just $49.
iPod. 15,000 songs. 25,000 photos. 150 hours of video. The new iPod. 30GB and 60GB models start at just $299. Free shipping.
Connect iPod to your television set with the iPod AV Cable. Just $19.

Related MacDailyNews articles:
University of Wisconsin launches bona fide Mac OS X Security Challenge – March 06, 2006
Mac OS X ‘hacked in under 30 minutes?’ Why Mac OS X security is all the rage recently – March 06, 2006
Spate of recent Mac security stories signal that Microsoft, others getting nervous – March 06, 2006
Apple Mac OS X clearly offers superior security over Microsoft Windows – March 02, 2006
Apple Mac OS X has a lot more vulnerabilities than Windows XP? – February 28, 2006
Enderle: Security vendors see Apple as next big opportunity – February 28, 2006
As Apple Mac grows in popularity, will security issues increase? – February 27, 2006
The Idiot’s Guide to Mac Viruses For Dummies 101 – February 24, 2006
Wired News: ‘Mac attack a load of crap’ – February 22, 2006
Report: Apple developing fix for automatic execution of shell scripts – February 21, 2006
Ars Technica: Fears over new Mac OS X ‘Leap-A’ trojan pointless – February 20, 2006
Atlanta Journal-Constitution asks: Is ‘Mac virus’ all just propaganda from Mac haters? – February 20, 2006
Mafiasoft: Microsoft to charge $50 per year for security service to protect Windows – February 07, 2006
ZDNet Australia publishes latest Mac OS X security FUD article – January 26, 2006 (Kotadia)
IDC: Apple Mac 2005 U.S. market share 4% on 32% growth year over year – January 20, 2006
Analysts: Apple Mac’s 5% market share glass ceiling set to shatter in 2006 – January 09, 2006
ZDNet Australia publishes latest Mac OS X security FUD article – September 09, 2005 (Kotadia)
Joke of the month: Gartner warns of Mac OS X ‘spyware infestation’ potential – March 30, 2005 (Kotadia)
Symantec warns about Mac OS X security threat – March 21, 2005 (Kotadia)

29 Comments

  1. Hacked or not, this sort of challenge good for Mac OS X. No hack means good press. A hack while someone is watching is good, too. A hole the community knows about can be addressed. Apple has a good track record along these lines. It’s a win/win.

  2. Ipod? We don’t need no steenking iPod! All I need is the OSX install CD so I can enable root user. Then it’s MINE.

    But yeah, an iPod, FW drive, hell, a USB drive would do it too.

    I saw that article on ZDNet yesterday, I couldn’t believe how lame it was, it had all the marks of Ballmer’s sweaty hands all over it…

  3. I agree with one of your claimed fixes.
    Please try this and post a reply Mr trains4m.
    Boot from a FireWire drive and then Get Info on the internal hard drive and select “Ignore permissions on this volume” and then copy whatever you want including the /private/var directory. You can also use DiskEditorX from Norton Utilities to find the hash or even over-write the hash

    By looking at a 10.2.8 Samba hash next to the new 10.3 hash it suddenly makes perfect sense if you claim to be a Mac expert.
    I anxiously await your results.

  4. C|net, Zdnet, et al are lapdogs for the Windows and IT industry economic ecosystem.

    The advertisers of C|net, Zdnet, et al don’t pay good money to have them report the truth and expose the scam that is the windows and IT industrial complex.

    When the sham that is Longhorn (a.k.a. Vista) is reveal in a few months, expect the FUD about Macintosh to step up a notch.

    If the reported 30 min hack was true, why don’t they turn that UW box into their bitch? Bastards!

    ” width=”19″ height=”19″ alt=”cool mad” style=”border:0;” />

  5. It’s great that Mac OS is as secure as it is, but it isn’t perfect. What the test with on computer accounts (the 30 min thing) shows is that a Mac could be hacked behind a firewall in a shared use environment (multiple user accounts).

    That is a common condition in business, government and education. It is a legit concern for IT people, and anybody with an interest in security. Go ahead, grin if you want, but ask anybody with real world IT responsibility if they care that someone can hack from one user account into the rest of a client or system.

    Is the ’30 minute hack’ a legit concern for any personal Mac user? Not really.
    Is it a concern for anybody whose job, business or clients depend on data security? YES. That’s not FUD– it’s a reminder to not be cavalier about security.

  6. murka, synthmeister:

    Not if I have set a firmware password, you won’t.

    From Apple’s web site:

    Open Firmware Password

    About this update

    The Open Firmware Password application allows you to enable security features in Open Firmware. You can use it to prevent others from starting your computer using a CD or other disk with an operating system on it. You can use Firmware password protection to enhance access security to your computer.

    When you set a Firmware password, it prevents others from starting up the computer from a volume other than the one you have chosen as the startup disk (chosen in the Startup Disk preference panel within the System Preferences.) Once security is enabled, you cannot startup from other devices such as an external FireWire disk, a CD-ROM drive, or another partition or disk inside the computer.

  7. What I found interesting about the story is that even with the total, artificial conditions under which it was done, it took 30 minutes even with local access.

    Didn’t I read somewhere that the average unprotected XP box takes only 20 minutes to compromise from the net?

    The 30-minute crack is professionally biased, but the numbers show that it’s still better than the run of the mill windoze box. ZDNet themselves inadvertantly “proved” that OS X has better security, even with local access granted.

  8. This challenge is faulty. To be fair, they need to setup two other servers as control. In another words, setup a Windows and a Linux servers with latest patch and have everyone try to break into those servers too. Then we will know which server gets broken into first. They can even give Windows and Linux servers, handicap.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.