A recent challenge from a Mac owner prompted hackers to come in and take control of his system. While the debate continues over the validity of that contest, the University of Wisconsin put out a challenge to see if, under standard, protected conditions, someone could get into the vaunted Mac.
|Macs Being Badgered In Wisconsin|
Badger Mac dude Dave Schroeder put this competition together to see where the holes are so to speak. He said in the challenge statement, “Mac OS X is not invulnerable. It, like any other operating system, has security deficiencies in various aspects of the software. Some are technical in nature, and others lend themselves to social engineering trickery.”
With the article originally posted in ZDNet about the 30 minute hack, the initial stories weren’t clear and didn’t specify that it was an inside hack because users just asked the contest sponsor to open an account and the users were granted access.
He also said there had been some objections, “Some have objected to this test as doing nothing more than testing the security of apache or ssh on a PowerPC architecture. That is correct. And that is how most of the world will see Mac OS X externally. The original article was not fair, because it did not note, or even imply, or hint in any way, that local account access was granted.
“The whole point of Apple using proven open source services like OpenSSH and apache on Mac OS X is exactly because of their secure nature as a result of years of scrutiny by the community. Most users of Mac OS X in a consumer or desktop setting will never even enable any of these services at all. It’s unfortunate that the initial coverage was so journalistically poor and sensationalistic on what might otherwise have been an article about an interesting local vulnerability. Instead, it chose to leave people with the impression that a Mac OS X machine can be “hacked” just by doing nothing more that being on the Internet. That is patently false.”
The basic challenge is this:
Simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open – a lot more than most Mac OS X machines will ever have open. Email email@example.com if you feel you have met the requirements, along with the mechanism used. The mechanism will then be reported to Apple and/or the entities responsible for the component(s). Going after other hosts/devices on the network is out of bounds.
So, for hackers who say there are lots of exploits out there that are usable on the Mac, now is the time to rip them apart if you can. While Mac has enjoyed much security through obscurity, a scientific opportunity is available to see just how good or bad the Mac system really is.