All the latest UK technology news, reviews and analysis
|
|
|
07 Mar 2006
The University of Wisconsin has launched a competition in which hackers are challenged to break into an OS X system connected to the internet.
"Mac OS X is not invulnerable. Like any other operating system, it has security deficiencies in various aspects of the software," claimed Dave Schroeder, the competition's organiser.
"However, the general architecture and design philosophy of Mac OS X, in addition to the use of open source components for most network-accessible services that receive intense peer scrutiny from the community, make Mac OS X a very secure operating system."
Schroeder is a systems administrator at the University of Wisconsin where he manages both OS X and Unix systems.
His challenge was launched in response to a similar competition last month in which a blogger created user accounts for contestants on a Mac Mini and challenged them to hack into the system by defacing a website.
A hacker by the name of 'Gwerdna' claimed to ZDNet Australia that he won the competition, boasting that the operating system was "easy pickings" and that it took him no more than 30 minutes.
The story made the headlines on Monday, but incorrectly presented the penetration as a 'genuine hack' when it should have been described as a 'privilege escalation for a legitimate user'.
A privilege escalation is similar to breaking into a different user account while sitting behind a computer and is considered significantly easier then hacking into a fully protected system over the internet.
The failure to make this difference prompted Schroeder to describe the ZDNet Australia report as "woefully misleading".
A spokesman for Apple did not return vnunet.com's phone calls seeking comment.
The University of Wisconsin's challenge provides contestants with a URL for the system that they need to hack.
The system is a Mac Mini running the latest version of OS X as well as all the latest security updates. It has been configured with two local user accounts and has SSH and HTTP open. The latter are not typical settings for an average user, according to Schroeder.
Contestants who claim to have succeeded in hacking the system must provide details about how they breached the security walls, which will be provided to Apple. The winner gets a claim to fame, but no material price.
Latest stories from Security
Related articles
Related jobs
Poll
What is the most important IT priority for your company this year?
Connect with V3.co.uk
This paper focuses on a series of best practices and techniques for development teams looking to improve their software development processes
Why good data management at all levels is essential in the modern business (video, 6mins)
UK Based Channel Sales Executive - Security and Service...
Graduate Developer - Manchester. My client has an opening...
.Net Graduate Developer - Manchester. My client is looking...
Accounting Business Analyst/Systems Accountant (Back...
Keep up to date with the latest products, services and technologies from the world's leading IT companies. IThound.com brings you over 2,000 white papers, case studies and analyst reports.
Do you agree?
Riiiiight
So the person who breaks in has to reveal exactly how and gets nothing for it? I'm sure that will encourage everyone with 0-Day exploits to come jumping out of the woodwork for a chance at this. When this doesn't occur no doubt it will be trumpeted from the highest mount as proof that OSX is the wunderOS. Cluephone *rings* Exploits are worth MONEY although OSX exploits aren't worth much of it (yet). Giving them away to prove a point in a silly contest like this would bcontest like this would be pretty stupid. I'll be pretty surprised if anyone gives up anything too Earth shattering. Then again maybe someone is sick of the fanboyz claiming this OS is invincible and will make a point of trashing it :-)
Posted by: BLK 09 Mar 2006
Mac OS X "challenge" not sanctioned
We discovered yesterday that the Mac OSX "challenge" was not an activity authorized by the UW-Madison. Once the test came to the attention of our CIO, she ended it. Our primary concern is for security and network access for UW services. We are sorry for any inconvenience this has caused to the community. Division of Information Technology UW-Madison
Posted by: Brian Rust 08 Mar 2006
The challenge is now over, no breach
The challenge is now over with no successful breaches, despite being inundated by hack attempts of all types, including unsuccessful DoS and social engineering attacks. Details on his site: http://test.doit.wisc.edu/ So the lesson is, don't give a local account with SSH access to people you don't trust, practice safe computing (put on that Firewall and you won't get rooted!) with some common sense regarding downloaded/emailed files, and you should be safe. Unless you're on Windows ;)
Posted by: msandersen 08 Mar 2006
Let the games begin!
....shouldn't take more than an hour or so though
Posted by: A55cl0wn 08 Mar 2006
NOT and official Uni. Project
From the website (http://test.doit.wisc.edu/): "This is an academic effort, but not an official university project." To start the article with "The University of Wisconsin has launched a competition..." is blatantly false.
Posted by: Albert Hartland 08 Mar 2006
What a load of crap
These guys seriously think someone is going to enter their stupid competition? They have only setup Apache and OpenSSH. As if someone is going to waste a valuable Apache or SSH bug just to silence some whinging mac fanboys. How about you get a little more realistic and enable some more services like mdnsresponder (which happens to be default on osx), and afs which many users enable. I mean it shouldn't be a problem if you have so much faith in osx security. Otherwise this challenge is about as pointless as setting up any operating system running apache+ssh. You will get zero serious punters.
Posted by: John Smith 07 Mar 2006
Not sponsored by the University of Wisconsin.
This challenge was NOT sponsored by the University of Wisconsin. It is the individual actions of a single UW-Madison IT employee, acting without direction, using the auspices of the UW to give his challenge more credibility and thus more publicity.
Posted by: John Smith 07 Mar 2006
Let the Games begin!
Let the Games begin!
Posted by: Nathan Heritage 07 Mar 2006
They should publish these two names
http://www.zone-h.org/en/defacements/filter/filter_domain=doit.wisc.edu/page=1/ Already been done, twice! LMAO
Posted by: blahblah 07 Mar 2006
Whats the fun ?
Every system has its vulnerabilities . It was just a stunt event sponsored by the University. Steve should know that better (from his old days ;-) )
Posted by: Ishaan Prasad 07 Mar 2006