/v3-uk/news/1975306/dodgy-os-x-hack-prompts-genuine-challenge
07 Mar 2006, Tom Sanders in California, V3
The University of Wisconsin has launched a competition in which hackers are challenged to break into an OS X system connected to the internet.
"Mac OS X is not invulnerable. Like any other operating system, it has security deficiencies in various aspects of the software," claimed Dave Schroeder, the competition's organiser.
"However, the general architecture and design philosophy of Mac OS X, in addition to the use of open source components for most network-accessible services that receive intense peer scrutiny from the community, make Mac OS X a very secure operating system."
Schroeder is a systems administrator at the University of Wisconsin where he manages both OS X and Unix systems.
His challenge was launched in response to a similar competition last month in which a blogger created user accounts for contestants on a Mac Mini and challenged them to hack into the system by defacing a website.
A hacker by the name of 'Gwerdna' claimed to ZDNet Australia that he won the competition, boasting that the operating system was "easy pickings" and that it took him no more than 30 minutes.
The story made the headlines on Monday, but incorrectly presented the penetration as a 'genuine hack' when it should have been described as a 'privilege escalation for a legitimate user'.
A privilege escalation is similar to breaking into a different user account while sitting behind a computer and is considered significantly easier than hacking into a fully protected system over the internet.
The failure to make this distinction prompted Schroeder to describe the ZDNet Australia report as "woefully misleading".
A spokesman for Apple did not return vnunet.com's phone calls seeking comment.
The University of Wisconsin's challenge provides contestants with a URL for the system that they need to hack.
The system is a Mac Mini running the latest version of OS X as well as all the latest security updates. It has been configured with two local user accounts and has SSH and HTTP open. The latter are not typical settings for an average user, according to Schroeder.
Contestants who claim to have succeeded in hacking the system must provide details about how they breached the security walls, which will be provided to Apple. The winner gets a claim to fame, but no material prize.
Do you agree?
What a load of crap
These guys seriously think someone is going to enter their stupid competition? They have only set up Apache and OpenSSH. As if someone is going to waste a valuable Apache or SSH bug just to silence some whinging mac fanboys.
How about you get a little more realistic and enable some more services like mdnsresponder (which happens to be default on osx), and afs which many users enable.
I mean it shouldn't be a problem if you have so much faith in osx security. Otherwise this challenge is about as pointless as setting up any operating system running apache+ssh. You will get zero serious punters.
Posted by John Smith, 07 Mar 2006
Mac OS X "challenge" not sanctioned
We discovered yesterday that the Mac OSX "challenge" was not an activity authorized by the UW-Madison. Once the test came to the attention of our CIO, she ended it.
Our primary concern is for security and network access for UW services. We are sorry for any inconvenience this has caused to the community.
Division of Information Technology
UW-Madison
Posted by Brian Rust, 08 Mar 2006
Riiiiight
So the person who breaks in has to reveal exactly how and gets nothing for it? I'm sure that will encourage everyone with 0-Day exploits to come jumping out of the woodwork for a chance at this. When this doesn't occur no doubt it will be trumpeted from the highest mount as proof that OSX is the wunderOS.
Cluephone *rings* Exploits are worth MONEY although OSX exploits aren't worth much of it (yet). Giving them away to prove a point in a silly contest like this would be pretty stupid. I'll be pretty surprised if anyone gives up anything too Earth shattering. Then again maybe someone is sick of the fanboyz claiming this OS is invincible and will make a point of trashing it :-)
Posted by BLK, 09 Mar 2006
The challenge is now over, no breach
The challenge is now over with no successful breaches, despite being inundated by hack attempts of all types, including unsuccessful DoS and social engineering attacks. Details on his site:
http://test.doit.wisc.edu/
So the lesson is, don't give a local account with SSH access to people you don't trust, practice safe computing (put on that Firewall and you won't get rooted!) with some common sense regarding downloaded/emailed files, and you should be safe. Unless you're on Windows ;)
Posted by msandersen, 08 Mar 2006
Let the games begin!
....shouldn't take more than an hour or so though
Posted by A55cl0wn, 08 Mar 2006
Not sponsored by the University of Wisconsin.
This challenge was NOT sponsored by the University of Wisconsin. It is the individual actions of a single UW-Madison IT employee, acting without direction, using the auspices of the UW to give his challenge more credibility and thus more publicity.
Posted by John Smith, 07 Mar 2006
NOT an official Uni. Project
From the website (http://test.doit.wisc.edu/):
"This is an academic effort, but not an official university project."
To start the article with "The University of Wisconsin has launched a competition..." is blatantly false.
Posted by Albert Hartland, 08 Mar 2006
Let the Games begin!
Let the Games begin!
Posted by Nathan Heritage, 07 Mar 2006
They should publish these two names
http://www.zone-h.org/en/defacements/filter/filter_domain=doit.wisc.edu/page=1/
Already been done, twice!
LMAO
Posted by blahblah, 07 Mar 2006
What's the fun?
Every system has its vulnerabilities. It was just a stunt event sponsored by the University. Steve should know that better (from his old days ;-) )
Posted by Ishaan Prasad, 07 Mar 2006