March 8, 2006 5:23 PM PST

University nixes Mac hacker contest

A Mac OS X hacker challenge apparently got a systems engineer at the University of Wisconsin-Madison into trouble with university administrators.

Dave Schroeder on Monday invited hackers to break into a Mac Mini he attached to the university network. The challenge would last until Friday, he announced. The contest was in response to an earlier challenge, which Schroeder criticized as too easy.

But the event ended early--Tuesday night. On Wednesday, information emerged that the contest had drawn the scrutiny of the university's chief information officer, Annie Stunden.

"The Mac OS X 'challenge' was not an activity authorized by the UW-Madison," Brian Rust, a university spokesman, said in an e-mailed statement. "Once the test came to the attention of our CIO, she ended it...Our primary concern is for security and network access for UW services."

The same statement also appeared on Schroeder's challenge Web site Wednesday afternoon. (His site, http://test.doit.wisc.edu, was down as of Thursday morning.)

"Dave was well-meaning, but he did the test pretty much on his own," Rust said in a phone interview.

Universities are often the target of cyberattacks. The academic institutions face the challenge of balancing the need to share information on large networks with the need to secure data.

The Mac OS X contest ended without a negative impact on the University of Wisconsin-Madison's network, Rust said. "We were able to handle the traffic, and there were no compromises to university systems," he said. The university apologized for any inconvenience its action caused to the Mac community.

The university is distancing itself from the challenge. "If Dave wants to continue this test, he has to do that privately, not using university systems," Rust said.

Schroeder had said he wants to publish some details on the attempts that were made to hack his Mac. The computer was connected to the Net for more than 30 hours, apparently without being compromised. In the earlier challenge, an anonymous hacker claimed he was able to compromise OS X within 30 minutes using an undisclosed vulnerability. However, attackers in that case had been given user-level access to the system rather than being shut out completely.

These hacker challenges came after weeks of scrutiny of the safety of OS X, prompted by the discovery of two worms, and the disclosure of a serious vulnerability. Security experts are also questioning the effectiveness of Apple's latest patch.


31 comments

Annie, Annie, Annie
Lighten up. Unless, of course, you're running Windows servers.
Posted by ppgreat (1128 comments )
you lighten up
As the CIO, she has the right to shut down the test, because her job is to make sure all data at that university is secure, no matter what. He also did it without permission, so she was well within her authority to shut it down.
Posted by techguy83 (295 comments )
Makes sense
The University definitely had the right to shut this down. I'm sure it
was causing unnecessary load on their servers. It's still impressive
that this Mac made it so long w/o compromise, however ;)
Posted by iKenny (98 comments )
A real test
I want to see a real test, boxes behind firewalls, private routers, etc. don't count to me. The average user is lucky to have a router that has NAT. I want to see out of the box, connected to a cable modem, on the net, test.

The Windows people and the Mac people should only accept these types of tests, no other 3rd party interference. No firewalls (outside built in OS ones and to use these they must be at default settings) or anything else, this tests the OS security which is what would settle this once and for all. Every 3rd party router, firewall, A/V etc only proves that if you know how to configure your box it is safe. That is not the question being raised here.
Posted by schubb (202 comments )
C/Net could host challenge
Hopefully, a tech site that can dedicate an isolated server to the
purpose will host the challenge. Hmmm. How about C/Net?
Posted by J.G. (837 comments )
Windows box is up . . .
Visit 71.56.240.67 to see another challenge, this time it's a
Windows box.
Posted by rbannon (96 comments )
Windows box is up . . .
Visit 71.56.240.67 to see another challenge, this time it's a
Windows box.

Email ron <dot> bannon <at> gmail <dot> com if you need more
information.
Posted by rbannon (96 comments )
There's something wrong . . . .
This guy only has port 80 open!

Here's my port scan:
Port Scan has started ...

Port Scanning host: 71.56.240.67

Open TCP Port: 80 http
Port Scan has completed ...
Posted by rbannon (96 comments )
Did you publicly challenge hackers worldwide?
If not, that's not much of a comparison.
Posted by open-mind (1027 comments )
...that was in response to Catch23. Oops. NT
NT
Posted by open-mind (1027 comments )
Provide Annie some feedback
Annie is an idiot. If you agree, let her know:
http://www.doit.wisc.edu/feedback.asp?path=annieblog
Posted by stenar (29 comments )
Annie the coward...
Professor Schroeder makes a bold and potentially historic move
- an in-your-face challenge to the best of the best. And Mac
wins again, much to the dismay of those who champion or who
are locked into inferior systems. Make me king for three days,
and I'll add a $5000.00 prize to the successful hacker and, after
the contest, when the miniMac keeps humming along, cowards
like Annie can take their safe, careful, prudent, and backward
vision and shove off with the other bean-counters in the
accounting and internal auditing departments.

It's a mean world out there. It's time for Mac. We win. They lose.
End of line.
Posted by tofino--2008 (3 comments )
you know
Calling someone doing her job a coward is kinda dumb.

She is in charge of data security and making sure the bandwidth at the university is used properly.

He DID NOT ask for permission. Thus most of the university's bandwidth was going into this test. Bandwidth students may have needed for research purposes.


Why call the woman a coward for doing HER job?

What is it that you do? Are you an employer or employee? Would you want an employee doing something without permission? Yes? No?

Is your blind loyalty to Steve Jobs and Apple so great that you have to stoop to childish levels to make someone just doing her job look bad?

Hey, at least my friend doesn't have a c-net id. He considers Mac zealots idiots and calls MAC OSX a second rate OS.

ME? I say windows and macs both have good and bad parts. It's all in what you use it for.
Posted by techguy83 (295 comments )
Reality Check
Um... here's the scenario:

1. Support technician in the (non-academic) IT division of a major University sets up hacker challenge.
2. Without getting permission from anyone.
3. He refers to it on major IT sites as "academic" and plasters an official university logo on it, implying that he's a professor or academic (which he isn't... see http://das.doit.wisc.edu/), and has the University's blessing (which he obviously didn't).
4. Every script-kiddie on the planet heads for the UW's network.
5. The CIO finds out.
6. The CIO shuts it down before the UW's lawyers have her head on a pike. A wise move.
7. The CIO apologizes to the community for shutting it down.
8. Arm-chair analysts post poorly thought-out responses on teh intarweb.

That about the size of it?
Posted by nerdler (2 comments )
Shouldn't Windows Vista be subjected to the same test?
When Longhorn comes out I think some hackers should try the
same contest and see if it does any better than OS X.

Now that would be a newsworthy story. Any CNET Editors ready for
that juicy bone of a story?
Posted by ServedUp (413 comments )
71.56.240.67
71.56.240.67
Posted by rbannon (96 comments )
No
It will fail miserably. Since it is based on old, unsecure code, any fixes and those workarounds will be compromised in short order.

Sure you can secure a windows box. Castrate many functions, install several third party apps and of course a firewall. A default setting + solid firewall on OSX and Linux is far more secure than any castrated, bloated windows box.

Always has been, always will. Unless MS pulls its head out and starts from scratch with security as the #1 priority rather than the afterthought it has always been at Redmond.
Posted by Bill Dautrive (1179 comments )
 
