Comments on: Another Mac OS X hack challenge launched

A university systems engineer invites attacks on his Mac after an earlier challenge was criticized for being too easy.

[ssidiouss]

Message has been deleted.

[Thomas, David]

This is Response to the previous "Story"

... So you should not be irked by this current contest. It is far more legitimate than the first "contest". Giving someone nearly complete access to your system is not a measure of security. In this instance, we will see well documented data collected, and be able to review it.

I look forward to the results of this competition. By the way, for those of you with fractioned grey matter, a denial of service attack is not hacking a computer.

[ssidiouss]

Message has been deleted.

[techguy83]

not non news, this is legit

http://test.doit.wisc.edu/

Is his link. He's taking it down earlier than what he posted: (tonight) according to his site.

[Joe Blow]

Finally, A Reasonable Test, but Still Not a Typical Desktop ...

configuration. It's reasonable because it doesn't rely on an insider (e.g., a user allowed to create a "local" account via SSH as the "Gwerdna" attack used on the previous "test", which allows them to upload cracking tools). However, it's still not a typical out-of-the-box configuration, as SSH and HTTP access have been enabled, and a typical desktop user wouldn't immediately know how to do it, much less go to the trouble to accomplish it (including navigating a number of dialog boxes, acknowledging clear security warnings in enabling SSH and HTTP).

Of note, the "30 Minute Man" apparently hasn't managed to use his allegedly publicly-unknown exploit to break into this machine, so if it exists, it requires inside access to a system (the weakest part of any system is the "loose nut behind the keyboard"). It does suggest that there is a user-to-root escalation vulnerability that would need to be fixed.

We still need to hear what the bottom line is with Apple's latest security update vs. the recently-publicized vulnerabilities, but if history is any guide, they will be addressed within a week or so (if not already), and not the months it can take for some manufacturers to respond - if ever.

It would be interesting to hear what Apple uses to test the vulnerability of their code before it ships, and I'll ask my contacts in the OS X group to find out, so we can gauge how effective their internal testing should be.

All the Best,
Joe Blow

[System Tyrant]

Reasonable?

I'm not sure this is reasonable either. If this were a business using a Mac as a web server is this how they would set it up? If this were a home user who wished to use a Mac Mini as a private home page is this a reasonable setup? If this were a business using a Mac as a file server is this a reasonable setup? Maybe it is I don't know, but the only way any Mac Hack is going to carry any weight is if it not setup to be hacked. In other words the target Mac system will have to be setup in a normal secure way that doesn't leave known doors open.

[ssidiouss]

bah

its a NON-STORY.

His mac isnt set up like an out of the box setup. Its total fraud.

Let someone hack an out of the box mac set up on the net..
thats something.. all this open stuff is ridiculous and means
nothing.

[wysiwyg22]

A legit test

You're right. . . most out of the box mac mini's wouldn't be configured to allow HTTPD connections (hosting webpages) nor to allow SSH (to allow remote user login). . .

So, he's made it slightly less secure than a typical desktop mac. . . but it looks like the typical webhost configuration for OSX. Right out of the box.

[wysiwyg22]

Truer Test

Agreed. . . the previous contest was a joke when I found out they gave user access. . . the system is half crippled that way.

I'm anxious to see the results here, knowing this configuration is a bit more typical.

[prothe113]

The interesting thing

The interesting thing is that most of the elevation-of-privilege attacks on the Windows platform (most, not all) require either physical or logon access as well. But you never hear outcries about this being an "unfair" testing methodology; it's simply assumed that the system should be secure. Period. This is fair; but why isn't the Mac being held to the same standard?

If I had a day to lock down a Windows XP box (you know, firewalls, closing known exploits, shutting off unneeded or risky services, etc.) I could achieve similar results.

I dunno. I'm not holding my breath; if the Mac is hacked, I'm sure we'll hear some huge outcry about how the test wasn't fair and how it was all a conspiracy by someone to do something. If the Mac ISN'T hacked right away, there'll be a lot of smug back-patting as Apple enthusiasts congratulate themselves on being the only operating system in history without E.O.P. bugs.

I see this as a PR stunt, not any kind of valid test. I'd love to see a comparative study with hardened Windows, hardened Mac, and hardened raw Unix. I'm sure the Unix platforms (and yes, I know OS X is just a thin shell over Unix, but the point is that it's NOT Unix; not exactly...) would win, but I'd be curious to see by how MUCH...

[wysiwyg22]

Umm. . . What?

Quoting "The interesting thing is that most of the elevation-of-privilege attacks on the Windows platform (most, not all) require either physical or logon access as well."

Umm. . . what? I personally can think of dozens of readily available windows attacks that can root out the box without the need of an established remote account or physical logon.

If you grant local access, a windows box is pretty much toast.

It's not even in the same catagory of protection. And they're not spending an hour hardening their systems, these are basic Mac OS configurations out of the box. . . the only difference is a basic configuration for hosting, (by default, the OSX firewall prevents this).

This is more like the Unix / Linux world. People take a wack at it from the outside and see if they can get in. You don't hand them the user access first then see what they can do.

[pariank]

Funny...

"If I had a day to lock down a Windows XP box (you know,
firewalls, closing known exploits, shutting off unneeded or risky
services, etc.) I could achieve similar results."

This guy didn't spend a day locking down his Mac Mini. It
probably took him like 5 mins to connect to the ethernet
(internet), turn it on and go to System Preferences and click on
firewall.

I know that Mac's are vulnerable too somewhere and no one has
found that little pin hole yet. Let's be realistic though. I bet you
90% of Windows users don't even know what processes are. Let
alone throw them a box and tell them to seal it up for a mass
attack that this guys Mac Mini got.

[Mendz]

The point is...

... Macs are vulnerable as well. Maybe not as easy or as common as with Windows, but the threat is there and present.

PERIOD.

:-p

[j3st3r]

A reasonable analogy?

As a non Apple user I'm taking a stab here in regards to the reduced security of the sacrificial mac mini.

Would it be fair to compare the mini's state to a home that still has the windows and doors locked but the steel bars have been removed? The security is reduced, but there's still a requirement to get a brick through the glass or kick the door down to gain access.

[Deelron]

Yes...

The brick to the glass window would do it fair justice to the first
"hacking."

[MacDuff]

CONTEST CLOSED. RESULTS??

Nothing.

After traffic spiking at 30Mbps...
After two concentrated DoS attacks where the host remained
up...
After numerous web exploit scripts, ssh dictionary attacks and
having its rear probed by scanning tools...
After OVER FOUR THOUSAND login attempts...

ALL ATTEMPTS FAILED!
(unless he's lying)

Next??

PS: I LOVE the "Objections to this test" section of the page. It
shows perfectly how Mac users truly have the best of both
worlds. At its core, Mac OS X enjoys the benefits of using open-
source technologies (Apache, OpenSSH). And yet, OS X users
also benefit from the concerted effort and vision of ONE
COMPANY designing and implementing these and many other
technologies, both open and closed-source. This is a benefit
that neither Linux (fully open source but "headless" in it's
implementation -- and challenging to implement across the
hardware "soup" of the x86 PC platform) nor Windows can offer
(totally a closed technology, requiring all that it is to emanate
from a single source or brain/talent pool: Microsoft... and ALSO
subject to the hazards of doing so in the "soup" of the x86
hardware platform).

To all of this, I say GO APPLE!!! I GOT FOUR WORDS FOR YA: I...
LOVE... THIS COMPANY!!! EEEEEYYYYYEEEAAAAHHHHHHHH!!!!!!

[Seaspray0]

A more reasonable test

I agree the conditions set forth this time were more reasonable. I don't think the time allowed was. I would have liked to see the computer up for a month verus hours. It gives the test more credibility. If it doesn't get hacked in that time, it would dispell the claim there wasn't enough time to find an exploit. After all, many computers are online for weeks at a time.

I doubt it would get hacked but I still would have liked to see more time than a day. By the time I found out about it, the test was over. To me, this makes it about as bogus as the first test.

Ballmer??

Is that you?

[MacDuff]

LMAO! :D

I was wondering if somebody'd pick up on that ;)

[Andrew J Glina]

Interesting

I have learnt a lot about security lately.

1. Privledge escalation is not a big deal.
2. If there are no attacks in the wild it does not count.
3. Attacks on a unpatch OS are unfair.
4. It is not a fault of the OS if an expliot involves user interaction.
5. Adding a warning is a good solution to a core OS fault.

Think Different.

[keyboard55]

English lesson time

"Learnt" is not a word.

"Irregardless" (from a previous post of yours) is also NOT a word.

What grade are you in?

[MacDuff]

Not all wrong -- but wrong enough

1. Privledge escalation is not a big deal.

Actually, privilege escalation is a big deal. But does it mean that
widespread raping and pillaging can take place on a typically
configured Mac by a stranger? Like say, my Mac and the Mac of
most every OS X user? No. So far, no one has proven beyond
Trojan programs propagated via social engineering that Macs
can be CONTACTED and infected with impunity across the
internet. And unfortunately, NO OS can prevent social
engineering (i.e.: stupid end-users putting in their admin
password).

2. If there are no attacks in the wild it does not count.

No. They do indeed count. And there are weaknesses in OS X.
But how bad (a Bluetooth exploit?? Gimme a break), but how
many and how bad? Who knows? And in reality given Apple's
market-share? Who cares? Apple will cover them off and will
always try to maintain security, but THIS is not the embattled,
beleaguered OS platform of the world, my friend. No, the war is
elsewhere; somewhere over the horizon.

3. Attacks on a unpatch OS are unfair.

Given how fast Windows systems can be detected and exploited,
unpatched systems seem to be fair game.

4. It is not a fault of the OS if an exploit involves user
interaction.

Unfortunately, it's not. And that goes for any OS at the hands of
a stupid or careless end-user.

5. Adding a warning is a good solution to a core OS fault.

No matter what an OS does, an end-user can still command the
system to fry itself. It's just the way it is. (in fact, be very scared
if this changes ;) )

[dragonbite]

ugh...

Best stop using the internet until after the Mac-heads are done patting themselves on the back after this test.

Might want to stop using it anyway

If you're on Windows. Less than 1 minute being hacked on a Windows machine just being on the internet. This proves that an OS X machine with very, very basic setup is damn near impervious.

Us "Macheads" know something you don't: Your f*****.

[Xiaxua]

New Article Mocks C|Net "Journalistic" "Standards"

What is this article supposed to do, redeem c|net's woefully inadequate reporting of the earlier "test"?

And I'm in total shock: Mr Gwerdna or Gondwanaland or whatever, from the first test, didn't win in this one?

Hmm. Didn't the updated C|Net article of the earlier test have him boasting about how easy it was to crack into an OS X machine, and that it didn't matter if more strengthening was made to the target Mac? Why didn't he prove that conclusively by breaking into this system then?

More importantly: why has C|Net - rather, ZDnet Australia (same thing) - not done a follow-up interview with Mr Anonymous Hacker to challenge his assertion?

[Wingsy]

Makes One Suspicious

I agree Irma. If guano, or whatever his name is, really did what
he said he did, I'd like to see some proof. And the guy who
initiated the first test is almost as suspicious, since all those
Windows programming books on his bookshelf (in the
background of his picture of the Mini) strongly suggest a certain
amount of affiliation with a certain company having a dubious
reputation for playing fairly in business. Why couldn't he have
provided some proof of the attack? All we have is his word that
his web page was altered.

Which brings up another point. I thought the first "contest" was
to see if anyone could delete enough files to render his system
useless (that's what he was preparing for anyway). You know, it
was an "rm my mac" contest. He never said any files were
removed, only that his web page was altered. So doesn't that
mean that guano never did get root access?

[Wingsy]

Attn: English Majors

OK, all you English majors out there, kindly disregard my misuse of
the word "suspicious" in the 1st paragraph. Supposed to have been
"suspect".

[nightveil]

It's okay

That usage of "suspicious" is okay as far as I can see. It gets the
point across. "Suspect" might have been a better choice, but
"Suspicious" does work.

[MacDuff]

LOL! Hide the beer! The folks are home!

WOW! I cannot believe this! While you can if you go to http://
test.doit.wisc.edu/ (the big hacker test at University of
Wisconsin), you are greeted with this plain text message:

"Yesterday we discovered the Mac OSX "challenge" was not an
activity authorized by the UW-Madison. Once the test came to
the attention of our CIO, she ended it. The site,
test.doit.wisc.edu, will be removed from the network tonight.
Our primary concern is for security and network access for UW
services. We are sorry for any inconvenience this has caused to
the community."

So... the guy staged this challenge on the university bandwidth
-- and network -- without proper authority! Bad move! Like,
what IF someone got through? How much collateral damage
could have been done? In the back of my mind I wondered if this
was sanctioned by the university, but then I thought the guy
couldn't be THAT dumb! Turns out he was! It doesn't negate the
results... but it could negate his employment!

[rleon]

Annie is the winner!

She took down the system, and I think she did not make much of
an effort to do it, she found some vulnerabilities in Dave
Schroeder`s contract and took the Mac Mini in few minutes.

Anyway, Annie has no blame for doing her job, Dave was the one
who should have ask for authorization on his test.

But if all of you send me one dollar each, I would buy a MacMini
and do the test my self ;)

[MacDuff]

ROFLMAO!

"Annie is the winner".

Good one :D

(took her MORE than 30 minutes, though ;) )

[thebignoticeboard.com]

thebignoticeboard.com

still the best os around. i didn't buy it because it didnt have viruses,
that was just a bonus. i bought it because it is the most stable os
i've ever used.

[rockstarstatus]

Have any of you guys been to the...

Web address for the test?
http://test.doit.wisc.edu/

[techguy83]

i have

He's closing the test tonight and has put up some information for the media to use to contact the university.