Slashdot Mirror


Mac OS X Security Competition Ends in 30 Minutes

ninja_assault_kitten writes "ZDNet is running an article on how a Swedish Mac OS X enthusiast held a competition to prove how good security was on his new fully patched Mac Mini. Unfortunately, 30 minutes after the competition began, a hacker known as 'gwerdna' had broken in and defaced the website, thus winning the contest. According to gwerdna, 'Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders.'" It's also worth noting a piece that says all the security news is much ado about nothing, in practical terms. The security contest also allowed people to have local access via SSH, so that had a lot to do with the crack.

3 of 388 comments

  1. Re:Mac OS X Security Challenge by tpgp · Score: 5, Insightful

    Yes, there are local privilege escalation vulnerabilities; likely some that are "unpublished". But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.

    Whilst I agree that this is not the same as a remote exploit, do not underestimate the seriousness of local privilege escalation.

    For instance, an unpatched local privilege escalation, used in conjunction with the vulnerability discussed in this article could result in a rooted machine - simply from visiting a hostile website (or even a website you visit regularly, that runs IIS and has been hacked itself).

    I don't believe (as some pundits seem to) that Mac OS is a Microsoft-style security disaster only awaiting the attention of hackers to happen - but I do believe that Mac owners are going to have to start paying a little more attention to security matters than they currently are.

    --
    My pics.
  2. Local access IS important! by Chemisor · Score: 5, Insightful

    Excuse me, but if your OS can be rooted in 30 minutes from a local account, you have no business calling it secure. UNIX is supposed to have multiple local accounts and still be secure with them all running. If you close down every network port on a machine and say "come get me now", that's really not saying much. I, for one, would really like to know how he managed to get root from a local account, so I can verify I don't have the same problem on my server, which really does have ssh access to more than one person.

  3. Re:Why keep SSH on? by gowen · Score: 5, Insightful
    But you need to remember that OS X is not designed for remote, multi-user usage
    That excuse was bullshit when it was used to defend Windows boxes, and, amazingly, it remains bullshit when applied to fashionable platforms, too.
    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.