Forgot your password?
typodupeerror

U of Wisconsin's Mac OS X Security Challenge 401

Posted by Zonk
from the they-really-don't-have-anything-better-to-do-over-there dept.
digitalsurgeon writes "The University of Wisconsin [ed: Go Badgers] has launched a Mac OS X Security challenge, in response to a 'woefully misleading ZDnet article'. From the site: 'The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open.' Are you up to the task? Can you prove ZDNet wrong, or can you show that Mac OS X can really be hacked in less then 30 minutes? More information about the challenge is at http://test.doit.wisc.edu/ The challenge ends Fri 10 March 2006 10:00 AM CST." Update: 03/07 14:32 GMT by Z : Commentary on the contest and original claim is available at VNUNet
This discussion has been archived. No new comments can be posted.

U of Wisconsin's Mac OS X Security Challenge

Comments Filter:
  • Prove it! (Score:5, Funny)

    by Bromskloss (750445) <auxiliary.addres ... NosPAm.gmail.com> on Tuesday March 07, 2006 @10:11AM (#14865906)
    Can you prove ZDNet wrong, or can you show that Mac OS X can really be hacked in less then 30 minutes?

    So guys, what do you say? Should we all mabye prove ZDNet wrong by not breaking into that computer?
    • by CheeseburgerBlue (553720) on Tuesday March 07, 2006 @10:20AM (#14865964) Homepage Journal
      The poster then promptly disappeared in a puff of logic.
    • by Ford Prefect (8777) on Tuesday March 07, 2006 @10:25AM (#14865997) Homepage
      I was appalled that someone might have hacked into this machine and thus given the impression that MacOS X was somehow ... insecure, so I hacked into it myself and patched it up with some new security features.

      So to anyone wanting to compete in this challenge: sorry. :-(
    • Easy, To Do (Score:5, Funny)

      by LifesABeach (234436) on Tuesday March 07, 2006 @10:58AM (#14866233)
      The process is pretty simple, "It's too expensive to compromise the Hardware, but the Humanware; That's cheap, and easy. First your dog/pet/loved is shoot, dead, in front of you. The next comes easier. The gun is pointed at you, and you are given 2 minutes to change the web page to some off topic theme. If you are given an extra 5 minutes, you'll learn Photoshop so that you can put an image of you doing it to a male Shetland pony in front of the members of the supreme court, all looking down on you and smiling in that knowing fashion." The D.O.D. Security Instructor that said this to me didn't even bat an eye; That's the chilling part.
    • by mblase (200735) on Tuesday March 07, 2006 @11:21AM (#14866406)
      So guys, what do you say? Should we all mabye prove ZDNet wrong by not breaking into that computer?

      Why don't we just do what Slashdot does best, and DDoS the thing instead? The way I see it, that's the best way to protect it from being hacked in the first place.
  • A Different Test (Score:5, Informative)

    by Paradise Pete (33184) on Tuesday March 07, 2006 @10:11AM (#14865907) Journal
    While I appreciate this test, and expect it to not be breached, it is simply not the same test. The original test was to see if a regular local user could elevate its privileges to admin. The fact that the "proof" was to be done by changing a web page is a red herring. The real story was that someone was (apparently) able to do that.

    This test is of the web server, and of remote cracking without local access. Also, the explanation page says that the original article did not mention that local access was given. Well, perhaps they've updated the article, but it certainly says so now:

    "Participants were given local client access to the target computer and invited to try their luck."
    As I said, I appreciate this test, but I am also concerned about the apparent ability of an ordinary local user to gain admin status.
    • the point of the original test was supposedly to test OS X in 'server' mode rather than 'home desktop' mode, hence the ridiculous number of open doors. yet even that does not justify a local user account on ssh.
      • Re:A Different Test (Score:5, Informative)

        by Tim C (15259) on Tuesday March 07, 2006 @10:27AM (#14866019)
        Lots of hosting companies offer ssh access, not to mention that if an account exists on the machine with ssh access, it may be only a matter of time before someone manages to gain access to it.
        • This is quite true. I had a hosting account that did NOT provide SSH access, so I installed cgi-shell and was able to chsh my account to get ssh. Mainly I wanted it to use scp / rsync instead of ftp. Ftp blows.
        • by massysett (910130) on Tuesday March 07, 2006 @12:11PM (#14866775) Homepage
          Lots of hosting companies offer ssh access, not to mention that if an account exists on the machine with ssh access, it may be only a matter of time before someone manages to gain access to it.

          True, but this test still does not compare to what hosting companies are doing. Web hosting companies are (hopefully) run by professionals who secure the boxes. Web hosting companies run operating systems like RHEL that were designed for server use--Mac OS X on a Mac Mini was designed for home use.

          Most importantly though, hosting companies are not giving ssh to any anonymous joe off the street, which is exactly what happened in this contest. At a minimum, web hosting companies have your credit card number before they offer you ssh. Some will demand additional information, such as a faxed copy of a driver's license. Of course a crook can get a drivers' license and a stolen credit card, but these are additional hoops to jump through that make the process of cracking the machine that much more trouble. Plus, if someone does crack the machine despite his lack of anonymity, the hosting company might be able to track him down.

          This contest as reported on ZDNet was a joke. The guy gave ssh accounts to anyone who asked for them, without demanding any proof of identification. He ran it on an OS that was not designed to be run with untrusted users logged in. Furthermore, the crack was done by an anonymous person using an "undocumented" security hole, which to me calls the credibility of the whole episode into question. In what real-world situtation does anyone allow ssh login to any random, anonymous Joe?

          • by kaffiene (38781) on Tuesday March 07, 2006 @08:34PM (#14871394)
            The reality is that a user was able to elevate their permissions to root - that's a security concern and ought to be pointed out as a weakness. It would be a weakness if it happened on Windows or Linux, it doesn't become a non-issue because fan boys think that only web security is important.

            The fact is *all* security gaps are important. If there's a network hack that can only get you a non-priviledged account, but you can then jack that up to root access using this local hole, then that hole was mighty significant. This whole "Mac has no security faults" meme is dangerously delusional. It's significantly more secure than Win32, but at least own up to faults (small as they may be) and get them fixed, don't bury your heads in the sand.
            • by guet (525509)
              The fact is *all* security gaps are important. If there's a network hack that can only get you a non-priviledged account, but you can then jack that up to root access using this local hole, then that hole was mighty significant. This whole "Mac has no security faults" meme is dangerously delusional. It's significantly more secure than Win32, but at least own up to faults (small as they may be) and get them fixed, don't bury your heads in the sand.

              Have you read the page at http://test.doit.wisc.edu/ [wisc.edu] ?

              He does
    • by mekkab (133181) on Tuesday March 07, 2006 @10:20AM (#14865963) Homepage Journal
      I think you can't "see the forest for the trees."

      The original test was equivalent to saying "I'll let a thief into my house. Let's see if he can steal anything!" Most houses don't have everything bolted down to the floor.

      But how often do you allow someone into your machine? For A desktop, not often, perhaps never.

      The biggest risk to most computers is a network based attack; this is the real meat and potatoes and a better test of the security of a machine.
      • by Paradise Pete (33184) on Tuesday March 07, 2006 @10:31AM (#14866043) Journal
        The original test was equivalent to saying "I'll let a thief into my house. Let's see if he can steal anything!"

        I don't think that analogy is quite apt. It's more like locking someone in your basement and they figure out how to gain access to your whole house.

        When I run a third party program I am essentially letting them inside, but as a non-priviledged user I'm confining them to a specific area. But if this ability to elevate privileges turn out to be a fact, then any program I run can have full access.

        Right now we have only this one supposed demonstration of it. What I'd really appreciate seeing is that *original* test repeated. If we can look at this as if it were an experiment, then when someone publishes a result others try to repeat it under the same conditions. They don't conduct a different test with different conditions in order to disprove the original.

        • by Stalyn (662) on Tuesday March 07, 2006 @11:17AM (#14866362) Homepage Journal
          If we can look at this as if it were an experiment, then when someone publishes a result others try to repeat it under the same conditions. They don't conduct a different test with different conditions in order to disprove the original.

          Science never enters the picture here, this is a religious debate.

        • Much better analogy! (Score:5, Interesting)

          by mekkab (133181) on Tuesday March 07, 2006 @11:20AM (#14866398) Homepage Journal
          I don't think that analogy is quite apt. It's more like locking someone in your basement and they figure out how to gain access to your whole house.

          Okay- I like that analogy better. I've got deep deadbolts on my outside doors; the door between my basement and house has a cheap handle lock that can be popped with a long, thin screw driver.

          Not to get lost in the analogy details, but I think you'll find most security skews the same way.


          When I run a third party program I am essentially letting them inside, but as a non-priviledged user I'm confining them to a specific area. But if this ability to elevate privileges turn out to be a fact, then any program I run can have full access.


          I think this ability to elevate privs should be analyzed on a case by case basis for all programs; as such if you are concerned about what applications a user can and can't run, remove the ability to run those applications from the machine.

          However with most desktop machines your biggest worry isn't normally* an attack from within; its usually from without.

          *)people on slashdot aren't normal and typically have needs that extended beyond normal users. Feel free to contribute some examples that counter this assertion.
        • Right now we have only this one supposed demonstration of it. What I'd really appreciate seeing is that *original* test repeated. If we can look at this as if it were an experiment, then when someone publishes a result others try to repeat it under the same conditions. They don't conduct a different test with different conditions in order to disprove the original.

          What I'd like to see is that same test repeated for Windows, and maybe even Linux and Solaris... and OpenBSD. Now *that* would be interesting.

      • Re:A Different Test (Score:3, Interesting)

        by Anonymous Coward
        "But how often do you allow someone into your machine? For A desktop, not often, perhaps never."

        But for a server, all the time. If you're considering a timesharing system, there may be thousands of users. The central ITS computers at every university I've been to (the ones you SSH to, and run Pine to check your email) have thousands of user accounts. Everyone at the school has one. (An older book, but still a good read about the important of priviledge escalation bugs - look for "The Cukoo's Egg")

        Now y
    • Re:A Different Test (Score:5, Informative)

      by daveschroeder (516195) * on Tuesday March 07, 2006 @10:23AM (#14865980)
      Yes, they updated the article.

      And the whole point isn't that the test "isn't the same". This is how most Mac OS X machines will appear to outside entities on the internet. The original article - and definitely before it was updated - left people with the impression that a Mac OS X machine could be owned in 30 minutes just by being connected to the internet, without the user "doing" anything, and the subsequent coverage of this in most press proves it. None speak to the fact that a local account was given, or even explore the implications. What could have been a useful article was useless, vague sensationalism. I updated the bottom of the page this morning:

      Update

      The ZDnet article has been updated to include the sentence, "Participants were given local client access to the target computer and invited to try their luck." But might it not have been interesting to explore:

      - What are the implications of local account access, and under what conditions might a computer be used in that way?

      - How can such access normally be obtained? Do home users behind firewalls and with no ports open need to worry?
      How can a vendor fix the claimed local privilege escalation vulnerabilities when they are not informed of the issue?

      - What are the moral and ethical implications of knowing about allegedly severe vulnerabilities in products, like the "hacker" they interviewed, and actively choosing to NOT give the vendor an opportunity to fix the problem(s)?

      - How might a Linux or BSD distribution, other commercial UNIXes, or Windows stand up to a similar challenge, where anyone who wishes is given local account access?

      - A discussion about how since much of OS X is closed, this might make it more difficult for the community to discover - and report and fix - potential vulnerabilities in the closed pieces

      ...and things of that nature, instead of leaving people with the impression that any Mac OS X machine connected to the Internet can be taken over in 30 minutes?

      • by jav1231 (539129) on Tuesday March 07, 2006 @10:35AM (#14866066)
        Exactly. If you wanted to truly compare OS X to Windows in this scenerio, put a PC on the Net with TS opened and give out the user account information.
        • Exactly. If you wanted to truly compare OS X to Windows in this scenerio, put a PC on the Net with TS opened and give out the user account information

          Not to be an ass, but there are 100s of open accounts all of the internet with TS enabled and client and guest logins allowed for companies to showcase their software.

          This is one of the things people actually do with TS is use it for software demonstration purposes, and people are 'encouraged' and 'allowed' to sign into Windows 2003 servers to test software or
      • Re:A Different Test (Score:3, Interesting)

        by Total_Wimp (564548)
        How can such access normally be obtained? Do home users behind firewalls and with no ports open need to worry?
        How can a vendor fix the claimed local privilege escalation vulnerabilities when they are not informed of the issue?


        The answer to the first question is pretty easy. Local access can be gained by the cleaning crew in most buildings, by students in others, and don't forget your friendly neighborhood coworkders. The answer to the second question is just as easy. Spouse, kids, kids friends.

        I don't hav
      • Re:A Different Test (Score:3, Interesting)

        by tpgp (48001)
        For the curious, you can read the article as it originally appeared here [64.233.179.104]

        Whilst I agree with you that the original article was a typical zdnet troll attempting to stir the angry mac masses into page views, your statement: left people with the impression that a Mac OS X machine could be owned in 30 minutes just by being connected to the internet, without the user "doing" anything, is not really true if you read the whole article.

        For instance, the original article contained the line:

        Mac acting as a server --

        • Re:A Different Test (Score:5, Interesting)

          by daveschroeder (516195) * on Tuesday March 07, 2006 @11:16AM (#14866359)
          I say that on the actual site itself:

          Mac OS X is not invulnerable. It, like any other operating system, has security deficiencies in various aspects of the software. Some are technical in nature, and others lend themselves to social engineering trickery. However, the general architecture and design philosophy of Mac OS X, in addition to usage of open source components for most network-accessible services that receive intense peer scrutiny from the community, make Mac OS X a very secure operating system. There have been serious vulnerabilities in Mac OS X that could be taken advantage of; however, most Mac OS X "vulnerabilities" to date have relied on typical trojan social engineering tactics, not genuine vulnerabilities. The recent Safari vulnerability was promptly addressed by Apple, as are any exploits reported to Apple. Apple does a fairly good job with regard to security, and has greatly improved its reporting processes after pressure from institutional Mac OS X users: Apple is responsive to security concerns with Mac OS X, which is one of the most important pieces of the security picture.

          The "Mac OS X hacked under 30 minutes" story doesn't mention that local access was granted to the system. While local privilege escalation exploits can certainly be dangerous - and used in conjunction with things like the above Safari exploit - this isn't very informative with regard to the general security of a Mac OS X machine sitting on the Internet.


          Of course, I'd have no problem with this if the original article had actually talked about it meaningfully in the context of a local privilege escalation and explored the implications; instead, they just made it sound like you could throw a patched OS X box onto the internet and it'd get owned. The average reader would leave with that *distinct* impression, and most of the subsequent coverage of it talked about it exactly in that fashion.

          Mac OS X has had several local privilege escalation vulnerabilities, just as other OSes have had. Apple fixes them when they become known. (Also, and this is another discussion, but what can Apple do if the "hacker's" claims are correct, i.e., that the vulnerability is unknown to Apple? It doesn't prove that Mac OS X is "insecure"; all it "proves" is that open scrutiny is difficult with closed source pieces, and that some people intentionally and knowingly refuse to give vendors a chance to fix problems.)
      • by AKAImBatman (238306) *
        This is how most Mac OS X machines will appear to outside entities on the internet.

        Let me just say, thank you. All these trolls seem to think it's perfectly natural that you'd let hundreds of anonymous users into your system, who's only purpose in life is to compromise one of the hundreds of software packages installed in an attempt to gain higher priviledges. That's just ridiculous. Mac OS X is a desktop system. It is configured as such, and is bound to have problems that could be exploited by a sharp hum
      • by adam1101 (805240) on Tuesday March 07, 2006 @11:36AM (#14866520)
        Actually, I think the original test was more interesting than this one. For years we've read countless +5 Insightful posts that OS X is more secure than Windows because normal users run in restricted accounts by default. That trojans can't do anything to the system unless you're "stupid enough to type in your password". If the original hack was indeed an exploit of an undisclosed buffer overflow, it means that this argument is pretty much moot. There have already been lots of posts in this and the previous article that amounted to saying "a local exploit is no big deal, everybody has them, if you have local (restricted) access you should be expected to be compromised anyway". Are these posters saying that the supposed advantages of restricted user accounts on OS X are very overrated? Are they saying it's no big deal if the next social engineering attack is combined with a buffer overflow exploit, meaning no popups asking for your password?

        If the original hacker Gwerdna (Andrew G?) was right that there are many undisclosed priviledge escalation bugs, that is a case for concern, not something to be dismissed as a mere "local" vulnerability. BSD, Linux and even Windows already have patches for NX [wikipedia.org] to contain buffer offerflows, where is Apple on this?

        I think that, especially if you're an Apple user, it is very important to test the claim that the OS is rifle with local priviledge escalation issues. And that's why I think the first test was much better than this one. I don't expect this U of W box to be hacked anytime soon. But this proves very little. You can even setup a Windows SP2 ISS+Remote Desktop box like this, and I don't think it will be hacked anytime soon either. But if you redo something like the original box (give normal user ssh accounts to anyone) and get hacked very quickly again, it proofs a lot. Namely that the local security measures of OS X that many have come to thrust amount to very little.
        • BSD, Linux and even Windows already have patches for NX to contain buffer offerflows, where is Apple on this?

          According to what I've been able to glean from Apple's developer resources (available at developer.apple.com), and from various articles about the new Intel-based Macs, the Macs with x86 processors all have chips that support the NX bit, and the NX bit is turned on by default. There is supposedly a work-around to allow you to compile a specific application without the NX bit set, so that the app can

      • Re:A Different Test (Score:5, Interesting)

        by ScriptedReplay (908196) on Tuesday March 07, 2006 @12:33PM (#14866961)
        *sigh* are you guys hopeless? The point of the original test was not to hack the machine from outside, but from inside. All the noise about Windows getting hacked 4 minutes after it was connected to the net was due to lack of firewalling and vulnerable services - turn on firewalling and the vulnerable services are no longer accessible. What does that prove? nothing - they didn't magically become secure. OSX probably has fewer vulnerable services (active or not) but that was not the point.

        The point is even with proper design of user separation, local security is hard to get right. Every OS has this problem, to various degrees. And if you want a sample of what this type of problems mean, here is one: malware will not be required to ask you for a password to elevate privileges - see? all those 'this is not a virus, it asks for your password and that should set your alarm bells going' argument goes puff! in smoke. This is the same type of issue that plagued non-administrator users in Windows for a long time now. So let me put it this way:
        1. Local privilege escalation is bad - and hard to prevent (see all the attempts done by other OSes - NX, canaries against stack smashing, grsecurity, PAX, load address randomization and so on)
        2. Local privilege escalation to root is really bad. There are precious few places where one should have to look for things that run as root. Most of them are in the default install. And the worst that can happen is a kernel-level exploit, as that would be likely to affect OSX Server as well, which is far more likely to be used in a multiuser setup.


        So, to come back - your test is utterly irrelevant for the type of people that would be interested in the original one. What you are trying to test is the security of the OpenSSH and Apache installs + your setup (yeah, and password strength - expect to be hit by automated dictionary attacks from scripts that couldn't care less about your test). If I had an XServe machine with several users having ssh access I would really want to know whether any of those users really can get root on the machine or not (if they can, XServe has no place in such enviroment). And I would be really worried. As it stands, I still have worries, but at least I know that I have a certain amount of protections in place against such problems (this not being OSX though - no OS names since I'm not interested in 'my OS is more secure than your OS' flames) But this is a real security concern and yet you turn around and say 'but these other things are secure.' Yeah, the article could have sounded misleading for anyone not willing to check the site and see the conditions (but few people would do that anyway) but how are you any better? All this is countering journalistic sensationalism with more of the same, since your box is neither set up as a home user's nor your setting is pertinent to the original multiuser problem.

        To toss in my 2c of an analogy - the original test was to check whether a bank's employees (with access to the bank building) can empty the main safe to which they do not have the combination[*] while yours is to check whether a customer can; all this on a Sunday when the bank is closed.

        And now mods feel free to mod me down - although a more rational answer would be welcome.

        [*] to all those saying 'by dfault root is not even enabled in OSX': bah! 'enabled' pertains to login and privilege escalation couldn't care less about login restrictions; the account is still there. And in fact, the thing that 'get root' means is 'get uid=0 access'
        • The point of the original test was not to hack the machine from outside, but from inside.

          True and it confirmed what most everyone already knew, a mediocre cracker can find a local escalation. There is no problem with the original test. There is a problem with the way the media misleadingly depicted the original test. This second test is designed to help debunk some of the FUD generated by the poor media coverage, by replicating the situation they misleading led readers to believe were the conditions of

      • It's certainly true that the original ZDNet article was sensationalist and overly alarmist about the implications for Mac security. But by implying that the original contest is irrelevent for a typical Mac user and that his test will prove that Macs are secure, Dave Schroeder is being equally, if not more, misleading.

        The original test showed that Macs are vulnernable to local privlege escalation. It is true that most Mac desktops users are not offering accounts to external users. But a great many of the a

    • by Fahrvergnuugen (700293) on Tuesday March 07, 2006 @10:28AM (#14866020) Homepage

      The problem is that the media presents the original test as though Mac OSX is insecure out of the box. It's very misleading.

      An acquaintance of mine runs a small web hosting company. His original service plan offered SSH accounts to every hosting account. Despite his best efforts to secure the box, it was still rooted by a script kiddie.

      His customer's PC was compromised and the ssh password for his account on the linux server was found by the script kiddie. The shell account had access to GCC. The script kiddie logged in as the non privileged user and used gcc to compile a rootkit. The rest was a walk in the park.

      The OS was Slackware linux. All of the accounts were jailed, and all of the "best practice" measures were taken to harden the box (I can't comment on every detail as I am not a linux system admin).

      My point is that when a malicious user gains shell access to any *nix system, you're in deep trouble.

      My friend has since stopped offering SSH access to his customers.
      • by xiphoris (839465) on Tuesday March 07, 2006 @11:02AM (#14866254) Homepage
        The real problem is that tests like this are garbage in the first place.

        In fact, Bruce Schneier [schneier.com] (a respected cryptographer, responsible for Blowfish) addressed the topic thoroughly almost 8 years ago in his column Crypto-Gram. Here's a relevant snippet:

        You see them all the time: "Company X offers $1,000,000 to anyone who can break through their firewall/crack their algorithm/make a fraudulent transaction using their protocol/do whatever." These are cracking contests, and they're supposed to show how strong and secure the target of the contests are. The logic goes something like this: We offered a prize to break the target, and no one did. This means that the target is secure.

        It doesn't.

        Contests are a terrible way to demonstrate security. A product/system/protocol/algorithm that has survived a contest unbroken is not obviously more trustworthy than one that has not been the subject of a contest. The best products/systems/protocols/algorithms available today have not been the subjects of any contests, and probably never will be. Contests generally don't produce useful data. There are three basic reasons why this is so.


        You can read the original here [schneier.com].
        • Hmmm, just had this thought. If you really knew how to break into the system that was the focus of the $1,000,000 challenge, your best bet would be:

          1) Confirm that your hack/exploit really works, but DON'T CHANGE ANYTHING
          2) Wait until the contest ends and the system is declared "uhackable"
          3) Wait a bit longer until the "unhackable" sytem is adopted by a bunch of big businesses
          4) Make a lot more than the original prize fee by pillaging the "unhackable" systems.

          oh.... I suppose it should have read

          4) Profit!
      • I host on a company called Pair (www.pair.com), as do many others including major sites like Tom's Hardware. It's all UNIX hosting, FreeBSD specificly, and you get SSH with all but their most basic accounts. Somehow, they are able to do that, and not get their shit rooted all the time, or indeed ever that I'm aware of.
      • The OS was Slackware linux. All of the accounts were jailed, and all of the "best practice" measures were taken to harden the box (I can't comment on every detail as I am not a linux system admin).

        Well no, obviously he missed something. It was a walk in the park because he left some well-known vulnerability on his system, possibly in the kernel. I don't think Slackware blows off local vulnerabilities and doesn't bother releasing fixes.

        My point is that when a malicious user gains shell access to any *nix sys

      • Re:A Different Test (Score:5, Interesting)

        by Just Some Guy (3352) <kirk+slashdot@strauser.com> on Tuesday March 07, 2006 @04:02PM (#14869186) Homepage Journal
        all of the "best practice" measures were taken to harden the box

        No, they weren't. If all the filesystems that customers have write access to are mounted "noexec", then self-compiled binaries don't present a lot of exposure.

        I'm not saying that it's not a good idea to remove GCC, just that its presence isn't an automatic compromise.

    • Re:A Different Test (Score:3, Interesting)

      by utlemming (654269)
      Well it is a "different test" the results could be remoteley generated. But you would have to have a web browser on their end running to get it to work. You simply write a Java program that runs locally on the client machine. When the client machine connects, they download your Java program. This java program then launches SSH (which, BTW, Java can do), compromises the root account, and then downloads a native Mac OS X malware/spyware program. Sure this is a different test, but it does demonstrate that the
    • by shippo (166521)
      The original machine had had various extra bits of software installed via the Fink project, such as MySQL. The Fink project is very lax at getting updates in place, and there appears to be no specific security policy, particularly if installed from the so-called 'stable' release.

      It is entirely possible that one of the pieces of software installed by fink had a root exploit, perhaps using SETUID.

      Fink should not be installed on production systems.
  • Hackorama Windows (Score:3, Insightful)

    by CDMA_Demo (841347) on Tuesday March 07, 2006 @10:12AM (#14865913) Homepage
    I wish someone running windows 2003 professional could start a competition like this.
    • "I wish someone running windows 2003 professional could start a competition like this."



      A competition to crack a win 2k3pro server isn't a competition, that's a free-for-all.

    • Re:Hackorama Windows (Score:3, Informative)

      by rabbit994 (686936)
      I'm sure Microsoft has held competion to do so as well. Windows 2003 is pretty secure out of the box as well considering almost no services are in the ON state and it comes with a GUI firewall in SP1. Microsoft has a long way to go but you can't fault them for not trying.
    • Re:Hackorama Windows (Score:3, Informative)

      by IflyRC (956454)
      Windows 2003 Professional doesn't exist.

      1) Windows XP Home

      2) Windows XP Professional

      3) Windows Server 2003
    • Re:Hackorama Windows (Score:3, Interesting)

      by evil_tandem (767932)
      i actually saw one. and i've tested it myself. i just installed win2k3 on a machine, hooked it up to a t1 and left it for a week (monitoring the traffic). lots of people found it but no one i saw ever got in.

      win2k was a completely different story. i did this test with that and people were in by the end of the day.

  • Logs (Score:5, Insightful)

    by Bromskloss (750445) <auxiliary.addres ... NosPAm.gmail.com> on Tuesday March 07, 2006 @10:13AM (#14865918)
    Mabye logs could be published (in real-time) so that we all can see some of what possible challengers are up to. That would be interesting.
    • In effect, that would turn into a DDOS quite quickly once the logs grow and site traffic increases exponentially. Still, the idea would be cool to see...perhaps if hosted on one of Sun's 8-core Niagara chips instead of a Mac Mini.

      A hybrid solution would be a summary of the logs and perhaps a popularity percentage and other "smart" metrics.
      • Re:Logs (Score:3, Interesting)

        by tolan-b (230077)
        The logs could be served from another box.

        Or perhaps just published after the challenge.
  • Wouldn't the people that can do it, assuming they're out there, most certainly not do it on a machine that can be used to identify their methods? After all, if they were doing it for security research legitimately, they would've already told Apple...or the entire Internet if they felt Apple wasn't being responsive enough.
  • * yawn * (Score:5, Insightful)

    by Noryungi (70322) on Tuesday March 07, 2006 @10:17AM (#14865942) Homepage Journal
    I am sorry, but what exactly does this prove? That ZDNet is wrong? That Mac OS X is secure?

    It proves neither: every operating system on the face of this earth has been hacked, cracked, and 0wned. Numerous times. Get over it.

    Instead of inane, immature competitions such as this one, I'd rather have a nice manual (RTNM -- Read The Nice Manual) on how to improve/lock down an OS X machine. Even better, make that two manuals: one for the average joe, with nice color screenshots for every step that has to be taken, and another for people like me, who manage systems for a living. THAT would be a valuable contribution to the field of computer security, instead of this stupid challenge.

  • Possible Danger (Score:5, Insightful)

    by zaguar (881743) on Tuesday March 07, 2006 @10:19AM (#14865955)
    Email das@doit.wisc.edu if you feel you have met the requirements, along with the mechanism used. The mechanism will then be reported to Apple and/or the entities responsible for the component(s).

    With virus/spyware becoming a multimillion dollar business, do you really think that the real hackers (sorry for the use of the term) will stay away from this, due to the this very condition. Do you think that the dangerous exploits and cracks that are, for the moment, unknown by Apple, and are hence, very valuable. They will not be willingly sent to Apple for some minor publicity and no material, no, they will be auctioned off in some sleazy IRC channel in Russia.

  • the original post (Score:3, Insightful)

    by rayde (738949) on Tuesday March 07, 2006 @10:19AM (#14865957) Homepage
    here is the original comment [slashdot.org] posted by Dave Schroeder about this challenge pretty much posted right after the 30-minute hack article was posted here. I'm actually quite curious whether the University of Wisconsin has approved this whole thing, as I'm not so sure they really wish to have a machine on their networks in the crosshairs.
    • Re:the original post (Score:5, Informative)

      by daveschroeder (516195) * on Tuesday March 07, 2006 @10:29AM (#14866031)
      Yes, this is approved. But it's getting moved to its own /29 today...unfortunately, that didn't happen before slashdot got to it. ;-)

      There is an identical clone of that Mac mini waiting to go on the new network, and our DNS TTL is currently set to 5 minutes, so when the cutover happens, it should be pretty transparent.
  • by CupBeEmpty (720791) on Tuesday March 07, 2006 @10:23AM (#14865984) Homepage
    ...if the little Mac Mini melts from a good /.'ing?
  • by catwh0re (540371) on Tuesday March 07, 2006 @10:24AM (#14865991)
    I've noticed a significant rise in anti-macosx articles recently. To the point where I'm beginning to believe that it is staged. Each article usually has 3 points to make: Mac OSX is not *nix, Max OSX is insecure and "easy" to hack (and not a target due to small install base.) and that Apple are slow with patches to security faults.

    So far each article has been based on unique situations that lack credibility to begin with, give little detail, and take focus away from the fact that it's basically a machine running a collective of industry proven software (such as apache and openssh.)

    Also of note is that Mac OSX currently has an a user base of over 10 million machines. So the argument that it's too small a target is ridiculous. In fact it's a bigger target as it's untouched territory with a bonus of headline making news.

    • CNet (Score:3, Insightful)

      by aclarke (307017)
      I think much of the fault lies at the feet of ZDNet/CNet. They'll write anything to get page views. It doesn't matter if a piece on their site is entirely non- or anti-factual as long as it inflames enough people to read it out of pure disgust.

      I'm still subscribed to some of their newsletters, where they email me about what this or that person has "blogged" on their site recently. I guess if you call it blogging then you don't have to do any journalism, but they'll have two people playing off both sid
  • by digitaldc (879047) * on Tuesday March 07, 2006 @10:24AM (#14865994)
    I hacked in, and in 22 minutes changed one of the pixels from #FFFFFF to #F0F8FF, but it is very hard to tell.
    In fact, nobody even noticed.
  • Because we know that ANY OS is insecure if it is not properly hardened. What may be of value is for someone to figure out how to harden OS X and then toss that computer on the net and see if it gets hacked. If it doesn't get hacked, feed the method for hardening the computer back to Jobs and company and see if it ends up as part of a future OS update.

  • by ikejam (821818)
    and noone calls dupe?

    http://apple.slashdot.org/article.pl?sid=06/03/06/ 1446207 [slashdot.org]

    That.. must be a record.

    incidentally the original post seems to reflect a more updated view :-s
  • The IP (Score:4, Informative)

    by zaguar (881743) on Tuesday March 07, 2006 @10:30AM (#14866036)
    The IP of the server under the test. Saves you a ping of the site.

    128.104.16.150

  • Hint (Score:5, Informative)

    by spike2131 (468840) on Tuesday March 07, 2006 @10:31AM (#14866045) Homepage
    One of the user names is "das".... as in http://test.doit.wisc.edu/~das/ [wisc.edu]

    So run that against a dictionary and see if you can get in....
    • by xxxJonBoyxxx (565205) on Tuesday March 07, 2006 @11:18AM (#14866379)
      The server appears to be Apache 1.3.3.3, one version behind the current release. The 1.3.3.4 release has a fix for this item, which would be my favorite vector, but I doubt that this server has an application that uses chunked encoding (often used for file uploads).

          *) SECURITY: core: If a request contains both Transfer-Encoding and
                Content-Length headers, remove the Content-Length, mitigating some
                HTTP Request Splitting/Spoofing attacks. This has no impact on
                mod_proxy_http, yet affects any module which supports chunked
                encoding yet fails to prefer T-E: chunked over the Content-Length
                purported value. [Paul Querna, Joe Orton]
    • Doubtful... (Score:4, Funny)

      by TCQuad (537187) on Tuesday March 07, 2006 @11:23AM (#14866421)
      While you're right on the "das", it's doubtful that a dictionary crack would fix it. Since "das" is also his U of Wisc NetID (ref. the e-mail address at the bottom of the page [wisc.edu]), it's more likely that the password is the same as his U of Wisc password [wisc.edu].

      So... Anyone up for breaking into the U of Wisc password database?
      • Re:Doubtful... (Score:4, Informative)

        by daveschroeder (516195) * on Tuesday March 07, 2006 @02:43PM (#14868397)
        For the record, no, the passwords are not the same.

        (And for those wondering, the NetID/username is the non-private part of our NetID credential.)

        Also, I'd hope that one would also understand that going after other machines in that way is bad form, and doesn't speak to Mac OS X's security (or insecurity), but rather to the practice of having strong/different passwords across multiple secure systems.
      • by MirrororriM (801308) on Tuesday March 07, 2006 @03:02PM (#14868596) Homepage Journal
        So... Anyone up for breaking into the U of Wisc password database?

        Why try brute force when you can pull a social engineering attempt:

        Daer DAvid Schroeoedir,

        I am A NIGERIAN PRINCE WHO HACE RECENTLY MOVED TO WISCONCIIN And AM Vary INTERISTED IN OBtaining AN ACCOUINT ON TEST.DOIT.WISC.EDU...i CUULD WIRE YUO 1 MILLION DOLLARS...

  • In this age of silly, vapid Challenges to prove the resilience of OS X, it's good to know that there is one formidable Challenge out there...

    Come on, I dare you, come on I say and try to hack my G4 desktop running OS X 10.4.5 with Security Update 2006-001. It has FTP, SSH, Finger, Apache, PHP, VB running under WINE, and the extremely vulnerable Robots game running.

    Oh! Had enough, eh? Come back and take what's coming to you, you yellow bastards! Come back here and take what's coming to you! I'll bite your le
  • This is the sort of test that the previous one purported to be. The other test had the system configured to allow anyone to create shell accounts by remote connections, thus quickly becoming a local security test rather than a test of srver robustness. It probably got forkbbombed or something similar. Not many systems can hold up against a serious attack from the inside. This time around the machine seems to be in a more typical web server configuration. This is still fairly close to default setup rath
  • Any reason why The Fallacy of Cracking Contests [schneier.com] doesn't apply to this one?
  • by TheSkepticalOptimist (898384) on Tuesday March 07, 2006 @10:47AM (#14866158)
    So Mac OSX security only works for 3 days, while someone is closely monitoring all web traffic?

    If this was a legit challenge, then don't close the challenge. Leave it open, so that when you least suspect it, someone has hacked your site.

    But is this challenge stating the security of OSX? Defacing a website is the same as having a Trojan virus installed that wipes out your applications or formats your system? Why not offer a challenge to find out if someone can write a virus that will adversely affect OSX. The delivery is unimportant, as long as there are people happily downloading apps from P2P, opening email attachments, and downloading security updates from email warnings. No OS is truly secure from human ignorance.

    I guarantee that some hacker will deface the website, but I question the legitimacy of imposing a time limit on the challenge. Certainly hackers don't have a time limit when they corrupt Linux or Windows based website servers, so why impose one for Mac. I think someone is closely monitoring the challenge website, ready to counter any possibility of it being hacked in order to solidify the OSX security myth.
  • How unfair! (Score:4, Funny)

    by Linux_ho (205887) on Tuesday March 07, 2006 @11:03AM (#14866264) Homepage
    They've removed the biggest security hole in an OS X system: The Mac User. The Mac User will set "fluffy" as their password, and attempt to install any interesting-looking screensaver that gets e-mailed to them. Not that any other OS would do much better in the face of such adversity. But it's funny that they would use a test like this to "demonstrate the security" of a desktop OS.
  • by Been on TV (886187) on Tuesday March 07, 2006 @11:15AM (#14866357) Homepage

    One of the unusual things about the "hacked" machine was that Fink was installed. This most likely means that the Apple developer tools were installed (although Fink can install precompiled binaries), making it possible for the hacker to bring his own code and compile on the system. Although Apple ships the developer tools on the OS X client install DVD, it is not installed by default, nor is X11.

    Fink lists a catalog of 6359 open source projects [finkproject.org]that can be installed, many of which are tools that could help a hacker exploit a machine or that are exploitable in themselves. Fink is a Debian style package manager for Mac OS X.

  • by redmoss (108579) on Tuesday March 07, 2006 @11:50AM (#14866634) Homepage
    It seems to me that tests like "remote break-in using ssh" are not as good of a fit to today's common home computing environment. For something like OS X, most home machines probably are not running any services, so it is rather pointless to try to break into them using standard ssh/http attacks.

    I would prefer to see test break-in attempts set up like this:

    an unprivileged "test account" is created on OS X and set up with email, web browser, and other common desktop programs

    the "test account" is set up with several common methods of communicating with the outside world: email, IM, commonly-browsed web sites, webmail, banking sites, etc

    the test account's email address and IM account are made public to the would-be attackers

    someone regularly checks the test account's email and acts like a "gullible user" would, eg click on spam and phishing links, go to hostile web sites, follow dubious instructions received via IM from supposed friends

    the challenge: attacker must be able to do something "bad": control box resources (think spyware), steal critical system information (think remote root), get bank account information (think phishing), whatever

    A few years ago, this was trivial on Windows. I hear they've cleaned up their act to some extent. How well would OS X hold up? How about a standard desktop version of Linux?
  • by Greyfox (87712) on Tuesday March 07, 2006 @11:57AM (#14866672) Homepage Journal
    That their B2 secure version of UNIX was so secure that you could safely post the root password on the Internet. I always thought that was rather disingenuous seeing as how pretty much every UNIX I've worked with required additional configuration to enable remote root logins, but root never had much power on those systems even if someone did find a third party server (or telnetd *cough*) with a possible exploit.

    Then IBM bought Data General and that was the last we heard of DG/UX B2 Secure. Pity really. They should have ditched AIX instead. But I digress...

    OSX is pretty damn secure right out of the box, but Apple could do more to make it tighter by default. They've already managed the security versus usability balance far better than Microsoft has managed so far. I think Apple could push a little more over to the security side of the thing without noticably affecting usability. I also think that Apple users would accept slightly less user friendly systems in order to continue to walk around with that air of I-can't-get-spyware-or-virusses smugness that no Windows user will ever understand until they've seriously used an Apple machine for a few days. Apple's selling more than a machine. They're selling the ability to not have to live in fear every time you connect that machine to the Internet. They're selling the ability to not have to run so many third party security applications that the shiny new machine runs like a shiny new machine from 5 years ago. I think that is worth any percieved price premium.

  • by Anonymous Coward on Tuesday March 07, 2006 @12:40PM (#14867030)
    I love how the mac mini is surviving the slashdotting no probs. Sure its mostly text, but I've seen similar sites crumble in no time.

    http://test.doit.wisc.edu/ [wisc.edu]

    Chris
  • by podperson (592944) on Tuesday March 07, 2006 @01:30PM (#14867560) Homepage
    It appears that the original article has been changed since originally posted. It currently reads:

    "On February 22, a Sweden-based Mac enthusiast set his Mac Mini as a server and invited hackers to break through the computer's security and gain root control, which would allow the attacker to take charge of the computer and delete files and folders or install applications.

    "Participants were given local client access to the target computer and invited to try their luck."


    Other related blog entries have noted the update.

    Even so, the article fails to mention that this vulnerability relies on extra work on the part of the system administrator to create the accounts and open ssh.
  • MiniSlashdotting (Score:3, Interesting)

    by EigenHombre (684799) * on Tuesday March 07, 2006 @08:38PM (#14871418) Homepage Journal
    Am I the only one who is impressed that a single PowerPC (not multi-core Intel) Mac Mini can survive a slashdotting? (Not to mention the additional DoS attacks -- and with rather zippy response time to boot.)

    - Former Badger, glad I ordered one of those new MacBooks

  • Test Now Closed (Score:3, Interesting)

    by themadplasterer (931983) on Wednesday March 08, 2006 @01:07PM (#14876273)
    The test is now closed and there were no sucsessful security breaches. This proves what most of us already knew about Mac OS X .This is take directly from the site http://test.doit.wisc.edu/ [wisc.edu] Mac OS X Security Test Tue 7 March 2006 11:59 PM CST (8 March 2006 0559 GMT) The testing period is now closed. The response has been very strong, and the test has illustrated its point. Traffic to the host spiked at over 30 Mbps. Most of the traffic, aside from casual web visitors, was web exploit scripts, ssh dictionary attacks, and scanning tools such as Nessus. The machine was under intermittent DoS attack. During the two brief periods of denial of service, the host remained up. The test machine was a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, had two local accounts, and had ssh and http open with their default configurations. There were no successful access attempts of any kind, including during the 38 hour duration of the test period, nor have their been any claims of success. The host is still the same host and configuration used for the test. Some snippets from 7 March 2006: The site received almost a half a million requests via the web. There were over 4000 login attempts via ssh. The ipfw log grew at 40MB/hour and contains 6 million events logged. Several social engineering attempts were received, including one purporting to be from the government of Sweden, which apparently uses GMail. ;-) More test results and information will be published here at a future date.
  • by bugnuts (94678) on Wednesday March 08, 2006 @06:53PM (#14879260) Journal
    Yesterday we discovered the Mac OSX "challenge" was not an activity authorized by the UW-Madison. Once the test came to the attention of our CIO, she ended it. The site, test.doit.wisc.edu, will be removed from the network tonight. Our primary concern is for security and network access for UW services. We are sorry for any inconvenience this has caused to the community.


    The CIO of UW-Madison has managed to get test.doit.wisc.edu website defaced.
  • by EvilStein (414640) <spam@pbRASPp.net minus berry> on Saturday March 11, 2006 @03:48AM (#14897049) Homepage
    Just in case and of you dumb fuck "Macs suck" knuckle draggers are wondering, It's over. U of Wi pulled the plug.

    38 hours and not one successful crack.

    Mr "Mac OS X is so insecure" didn't even manage to get in.

    http://www.technewsworld.com/story/49296.html [technewsworld.com]

Faith may be defined briefly as an illogical belief in the occurence of the improbable. - H. L. Mencken

Working...