Mac OS X Security Competition Ends in 30 Minutes
ninja_assault_kitten writes "ZDnet is running an article on how a Swedish Mac OS X enthusiast held a competition to prove how good security was on his new fully patched Mac Mini. Unfortunately, 30 minutes after the competition began, a hacker known as 'gwerdna' had broken in and defaced the website, thus winning the contest.
According to gwerdna, 'Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders.'." It's also worth noting a piece that says all the security news is much ado about nothing, in practical terms. The security contest also allowed people to have local access via SSH, so that had a lot to do with the crack.
I wonder if the hacker's name is Andrew G. by any chance?
PublicProfile?gid=gwerdna
What kind of hacker do you suppose he is? gwerdna is a pretty poor anagram of Andrew G.
If that's not his name, it's fairly random.
He's been using it since the end of 2004 at least. http://p212.ezboard.com/bnendowingsmirai.showUser
Mac OS X Security Challenge
In response to the woefully misleading ZDnet article, Mac OS X hacked under 30 minutes, I have decided to launch a Mac OS X Security Challenge.
The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are "unpublished". But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.
Almost all consumer Mac OS X machines will:
- Not give any external entities access
- Not even have any ports open
The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu (128.104.16.150). The machine is a Mac Mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open. Email das@doit.wisc.edu if you feel you have met the requirements.