U of Wisconsin's Mac OS X Security Challenge
digitalsurgeon writes "The University of Wisconsin [ed: Go Badgers] has launched a Mac OS X Security challenge, in response to a 'woefully misleading ZDnet article'. From the site: 'The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open.' Are you up to the task? Can you prove ZDNet wrong, or can you show that Mac OS X can really be hacked in less than 30 minutes? More information about the challenge is at http://test.doit.wisc.edu/ The challenge ends Fri 10 March 2006 10:00 AM CST." Update: 03/07 14:32 GMT by Z : Commentary on the contest and original claim is available at VNUNet
Can you prove ZDNet wrong, or can you show that Mac OS X can really be hacked in less than 30 minutes?
So guys, what do you say? Should we all maybe prove ZDNet wrong by not breaking into that computer?
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
This test is of the web server, and of remote cracking without local access. Also, the explanation page says that the original article did not mention that local access was given. Well, perhaps they've updated the article, but it certainly says so now:
As I said, I appreciate this test, but I am also concerned about the apparent ability of an ordinary local user to gain admin status. I think that this will probably turn into a DDOS rather than an outright hack...
I wish someone running windows 2003 professional could start a competition like this.
Maybe logs could be published (in real-time) so that we all can see some of what possible challengers are up to. That would be interesting.
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
Wouldn't the people that can do it, assuming they're out there, most certainly not do it on a machine that can be used to identify their methods? After all, if they were doing it for security research legitimately, they would've already told Apple...or the entire Internet if they felt Apple wasn't being responsive enough.
"It is a miracle that curiosity survives formal education." -Albert Einstein
I am sorry, but what exactly does this prove? That ZDNet is wrong? That Mac OS X is secure?
It proves neither: every operating system on the face of this earth has been hacked, cracked, and 0wned. Numerous times. Get over it.
Instead of inane, immature competitions such as this one, I'd rather have a nice manual (RTNM -- Read The Nice Manual) on how to improve/lock down an OS X machine. Even better, make that two manuals: one for the average joe, with nice color screenshots for every step that has to be taken, and another for people like me, who manage systems for a living. THAT would be a valuable contribution to the field of computer security, instead of this stupid challenge.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
With virus/spyware becoming a multimillion dollar business, do you really think that the real hackers (sorry for the use of the term) will stay away from this, due to this very condition? Do you think that the dangerous exploits and cracks that are, for the moment, unknown to Apple, and are hence very valuable, will be willingly sent to Apple for some minor publicity and nothing material? No, they will be auctioned off in some sleazy IRC channel in Russia.
"Sure there's porn and piracy on the Web but there's probably a downside too."
here is the original comment posted by Dave Schroeder about this challenge pretty much posted right after the 30-minute hack article was posted here. I'm actually quite curious whether the University of Wisconsin has approved this whole thing, as I'm not so sure they really wish to have a machine on their networks in the crosshairs.
...if the little Mac Mini melts from a good /.'ing?
So far each article has been based on unique situations that lack credibility to begin with, give little detail, and take focus away from the fact that it's basically a machine running a collective of industry proven software (such as apache and openssh.)
Also of note is that Mac OSX currently has a user base of over 10 million machines. So the argument that it's too small a target is ridiculous. In fact it's a bigger target as it's untouched territory with a bonus of headline making news.
I hacked in, and in 22 minutes changed one of the pixels from #FFFFFF to #F0F8FF, but it is very hard to tell.
In fact, nobody even noticed.
He who knows best knows how little he knows. - Thomas Jefferson
This story was a comment a few days ago
I don't think Dave understood the point of the original challenge however - local privilege escalation - or maybe he was just taking issue with the way it was reported on zdnet.
My pics.
If I recall correctly, isn't there some security hole in 1.3.33 that was fixed in 1.3.34?
Because we know that ANY OS is insecure if it is not properly hardened. What may be of value is for someone to figure out how to harden OS X and then toss that computer on the net and see if it gets hacked. If it doesn't get hacked, feed the method for hardening the computer back to Jobs and company and see if it ends up as part of a future OS update.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
and no one calls dupe? :-s
http://apple.slashdot.org/article.pl?sid=06/03/06/1446207
That.. must be a record.
incidentally the original post seems to reflect a more updated view
128.104.16.150
"Sure there's porn and piracy on the Web but there's probably a downside too."
One of the user names is "das".... as in http://test.doit.wisc.edu/~das/
So run that against a dictionary and see if you can get in....
SpyDock: Scientific Python in a Docker container
In this age of silly, vapid Challenges to prove the resilience of OS X, it's good to know that there is one formidable Challenge out there...
Come on, I dare you, come on I say and try to hack my G4 desktop running OS X 10.4.5 with Security Update 2006-001. It has FTP, SSH, Finger, Apache, PHP, VB running under WINE, and the extremely vulnerable Robots game running.
Oh! Had enough, eh? Come back and take what's coming to you, you yellow bastards! Come back here and take what's coming to you! I'll bite your legs off!
Rich And Stupid is not so bad as Working For Rich And Stupid.
This is the sort of test that the previous one purported to be. The other test had the system configured to allow anyone to create shell accounts by remote connections, thus quickly becoming a local security test rather than a test of server robustness. It probably got forkbombed or something similar. Not many systems can hold up against a serious attack from the inside. This time around the machine seems to be in a more typical web server configuration. This is still fairly close to default setup rather than a specifically hardened one. Let us see.
Corsaire - Securing Mac OS X Tiger
NSA - Mac OS X Security Configuration Guide (not yet updated for Mac OS X 10.4)
Apple - Common Criteria configuration guide
And for the "average joe"?
- Keep your machine patched
- Don't randomly open ports for services you don't use
- Have a personal firewall/router
- Don't run software you don't trust
And this doesn't "prove" anything, except that the initial ZDnet article was totally vague and sensationalistic, making it seem to an average person reading that article that a Mac OS X box could just be "hacked" by being on the internet. That is wrong, and I'm showing that. Simple. It's all explained on http://test.doit.wisc.edu/
Any reason why The Fallacy of Cracking Contests doesn't apply to this one?
I also find it impressive that a little mac mini can withstand a slashdotting (granted, the page is just plain text with one graphic). How's the load on that little guy?
This little contest is organized by one employee who works at the University of Wisconsin internal IT department (DoIT).
It is NOT sponsored by the University of Wisconsin. In fact it has nothing to do with academia or UW's top-10 Computer Science department.
I've noticed a significant rise in anti-macosx articles recently. To the point where I'm beginning to believe that it is staged.
So either (a) there is a secret conspiracy out to overthrow Apple or (b) Slashdot likes controversial articles that generate a large comment count.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
From the original article; "On February 22, a Sweden-based Mac enthusiast set his Mac Mini as a server and invited hackers to break through the computer's security and gain root control, which would allow the attacker to take charge of the computer and delete files and folders or install applications. Participants were given local client access to the target computer and invited to try their luck. Within hours of going live, the "rm-my-mac" competition was over. The challenger posted this message on his Web site: "This sucks. Six hours later this poor little Mac was owned and this page got defaced". The hacker that won the challenge, who asked ZDNet Australia to identify him only as "gwerdna", said he gained root control of the Mac in less than 30 minutes." Right in there it says that local access was given. I don't understand how they missed it.
I have mod points and I am not afraid to use them.
Does it count if everyone from slashdot tries to hack at the same box at the same time?
If a singular Mac Mini could handle that, I would buy 100 of them and start a supercomputing center somewhere in the Nevada desert.
how sweet that you have only ssh and http .. how about cutting the cable and becoming even more secure ?
your challenge sounds like "hack my pc that is ISP NAT, my local router NAT, and it's my desktop actually and I don't have any services running" /*
and has ssh and http open - a lot more than most Mac OS X machines will ever have open.
*/
and you are telling me that this piece of junk can be only desktop ?
get real
So Mac OSX security only works for 3 days, while someone is closely monitoring all web traffic?
If this was a legit challenge, then don't close the challenge. Leave it open, so that when you least suspect it, someone has hacked your site.
But is this challenge stating the security of OSX? Defacing a website is the same as having a Trojan virus installed that wipes out your applications or formats your system? Why not offer a challenge to find out if someone can write a virus that will adversely affect OSX. The delivery is unimportant, as long as there are people happily downloading apps from P2P, opening email attachments, and downloading security updates from email warnings. No OS is truly secure from human ignorance.
I guarantee that some hacker will deface the website, but I question the legitimacy of imposing a time limit on the challenge. Certainly hackers don't have a time limit when they corrupt Linux or Windows based website servers, so why impose one for Mac. I think someone is closely monitoring the challenge website, ready to counter any possibility of it being hacked in order to solidify the OSX security myth.
I haven't thought of anything clever to put here, but then again most of you haven't either.
Instead of inane, immature competitions such as this one, I'd rather have a nice manual (RTNM -- Read The Nice Manual) on how to improve/lock down an OS X machine.
This has been done already, TNM can be found here. Two caveats:
1) The manual is for OS.X Panther although it should be mostly just as valid for OS.X Tiger.
2) The publisher has a dubious reputation with the tinfoil-hat crowd.
I found it to be interesting to read and it should be fairly easy for moderately computer-literate users to understand.
Only to idiots, are orders laws.
-- Henning von Tresckow
You have a good point in that the data transfer may become too much for it (if not handled by a separate computer), I didn't think of that. However, I'm not sure that "exponentially" is the right growth rate. Read on.
In effect, that would turn into a DDOS quite quickly once the logs grow and site traffic increases exponentially.
I'm not sure how you got to that growth rate. Let's suppose there are a fixed number of log readers accessing a log with a fixed frequency. Let's also for the moment suppose that the accessing of the log isn't logged.
If challengers' activities are resulting in a constant flow of events to log, then the size of log file will be proportional to time. The log readers will then generate a data speed (information per time unit (bits per second, for example)) that is also proportional to time. I.e. it's linear, not exponential. The total amount of transferred data is the time integral of the data speed, and will thus grow quadratically with time.
Now, suppose that each time someone downloads the log, a log entry is inserted in the log. The additional information in the log, compared to the former case, will also grow linearly with time, since there are a fixed rate of log accesses (number of readers (fixed) times their accessing frequency (fixed)). That means that the log size and data speed will still grow linearly with time, and the total amount of transferred data will still grow quadratically.
Finally, suppose that each packet (or something equivalent) is logged in the file, so that its contribution to the log size is proportional to the data speed. Now the challengers will still generate log entries that will contribute to the log size in a time-proportional manner. The log readers, however, will make a contribution that is proportional to the log size. Write down the simple first order linear differential equation if you want, or just realise that the time derivative of the log size is proportional to the log size itself, and that this behaviour will actually produce an exponentially growing log file. Remembering that the log readers' data speed was indeed proportional to the log size, we arrive at a data speed that grows exponentially.
Maybe this was what you thought about? In that case I have nothing to add, except that when setting up this kind of real-time logs, one might want to avoid the latter case.
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
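The three cases argued in the post above, carried through as an added derivation (not part of the original comment). The symbols are assumed here for illustration: $S(t)$ is the log size, $c$ the constant rate at which challengers' activity adds to the log, $N$ the number of log readers, $f$ the fetch frequency of each reader, $\ell$ the size of one "log was accessed" entry, and $k$ the log bytes written per byte transferred to readers. The readers' data speed is $R(t) = N f S(t)$ in every case, and the total transferred is $D(t) = \int_0^t R(\tau)\,d\tau$.

Case 1 (log accesses are not logged):
$$\frac{dS}{dt} = c \;\Rightarrow\; S(t) = c\,t, \qquad R(t) = N f c\, t, \qquad D(t) = \tfrac{1}{2} N f c\, t^2 .$$

Case 2 (each access adds one fixed-size entry):
$$\frac{dS}{dt} = c + N f \ell \;\Rightarrow\; S(t) = (c + N f \ell)\, t,$$
so $R(t)$ is still linear and $D(t)$ still quadratic; only the constants change.

Case 3 (logging is proportional to traffic, i.e. to the readers' data speed):
$$\frac{dS}{dt} = c + k R(t) = c + k N f\, S(t), \quad S(0) = 0 \;\Rightarrow\; S(t) = \frac{c}{k N f}\left(e^{k N f\, t} - 1\right),$$
and since $R(t) = N f S(t)$, the data speed grows exponentially with rate constant $k N f$. Substituting back confirms the solution: $\frac{dS}{dt} = c\,e^{kNf\,t} = c + kNf \cdot \frac{c}{kNf}\left(e^{kNf\,t} - 1\right)$. The practical reading is the one the post ends on: a real-time log feed must not log its own transfer volume, or the feed itself becomes the load.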
The process is pretty simple, "It's too expensive to compromise the Hardware, but the Humanware; That's cheap, and easy. First your dog/pet/loved one is shot, dead, in front of you. The next comes easier. The gun is pointed at you, and you are given 2 minutes to change the web page to some off topic theme. If you are given an extra 5 minutes, you'll learn Photoshop so that you can put an image of you doing it to a male Shetland pony in front of the members of the supreme court, all looking down on you and smiling in that knowing fashion." The D.O.D. Security Instructor that said this to me didn't even bat an eye; That's the chilling part.
The real problem is that tests like this are garbage in the first place.
In fact, Bruce Schneier (a respected cryptographer, responsible for Blowfish) addressed the topic thoroughly almost 8 years ago in his column Crypto-Gram. Here's a relevant snippet:
You see them all the time: "Company X offers $1,000,000 to anyone who can break through their firewall/crack their algorithm/make a fraudulent transaction using their protocol/do whatever." These are cracking contests, and they're supposed to show how strong and secure the target of the contests are. The logic goes something like this: We offered a prize to break the target, and no one did. This means that the target is secure.
It doesn't.
Contests are a terrible way to demonstrate security. A product/system/protocol/algorithm that has survived a contest unbroken is not obviously more trustworthy than one that has not been the subject of a contest. The best products/systems/protocols/algorithms available today have not been the subjects of any contests, and probably never will be. Contests generally don't produce useful data. There are three basic reasons why this is so.
You can read the original here.
They've removed the biggest security hole in an OS X system: The Mac User. The Mac User will set "fluffy" as their password, and attempt to install any interesting-looking screensaver that gets e-mailed to them. Not that any other OS would do much better in the face of such adversity. But it's funny that they would use a test like this to "demonstrate the security" of a desktop OS.
include $sig;
1;
I know its a very simple page, with only one image, but it seems to be doing well under the /. load
I don't understand the point... Basically all you're saying is "Is the version of SSH vulnerable to a remote exploit? Is the version of Apache vulnerable to a remote exploit?"
Why is it that the world only considers remote vulnerabilities to be of consequence? Somehow local vulns are now irrelevant.
It's pretty sad that we've come to this.
I think it's done, It now says "Welcome Slashdot" with a link to this page.
sudo mod me up
You can put any modern OS on the net, with Apache and SSHD the only available services, and it will be secure. This includes XP, Win2k3, Linux, Solaris etc etc etc.. This test proves nothing...
One of the unusual things about the "hacked" machine was that Fink was installed. This most likely means that the Apple developer tools were installed (although Fink can install precompiled binaries), making it possible for the hacker to bring his own code and compile on the system. Although Apple ships the developer tools on the OS X client install DVD, it is not installed by default, nor is X11.
Fink lists a catalog of 6359 open source projects that can be installed, many of which are tools that could help a hacker exploit a machine or that are exploitable in themselves. Fink is a Debian style package manager for Mac OS X.
The future is in beta
The server appears to be Apache 1.3.3.3, one version behind the current release. The 1.3.3.4 release has a fix for this item, which would be my favorite vector, but I doubt that this server has an application that uses chunked encoding (often used for file uploads).
*) SECURITY: core: If a request contains both Transfer-Encoding and Content-Length headers, remove the Content-Length, mitigating some HTTP Request Splitting/Spoofing attacks. This has no impact on mod_proxy_http, yet affects any module which supports chunked encoding yet fails to prefer T-E: chunked over the Content-Length purported value. [Paul Querna, Joe Orton]
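The header rule in the CHANGES entry quoted above, worked as an added Python example (this is not Apache's code and not from the original comment): when a request carries both Transfer-Encoding and Content-Length, the body is framed by the chunked encoding and the Content-Length value is discarded. For contrast, a second function frames the same bytes the way a parser that honoured Content-Length first would, which is exactly the disagreement between two parsers that the entry says the fix mitigates. The request bytes and the host name are constructed for illustration.

```python
# Added example: body framing per the Apache 1.3.34 CHANGES rule quoted above.
# Not Apache's code; the request at the bottom is constructed for illustration.

def parse_headers(raw: bytes):
    """Split a raw HTTP request into (request line, headers, remaining bytes).

    Header names are lower-cased; repeated headers are comma-joined as
    RFC 2616 allows, so a duplicated Content-Length cannot shadow another.
    """
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return lines[0], headers, rest


def choose_framing(headers: dict) -> str:
    """Decide which header governs the body length.

    Transfer-Encoding takes precedence whenever it is present, so a
    conflicting Content-Length is simply discarded (the CHANGES rule).
    """
    te = headers.get("transfer-encoding", "").lower()
    if te:
        codings = [c.strip() for c in te.split(",")]
        if codings[-1] != "chunked":
            raise ValueError("Transfer-Encoding must end with 'chunked'")
        return "chunked"
    if "content-length" in headers:
        return "content-length"
    return "none"


def decode_chunked(data: bytes):
    """Decode a chunked body; return (decoded body, bytes left after it)."""
    out = bytearray()
    pos = 0
    while True:
        end = data.index(b"\r\n", pos)
        # Chunk size is hex; anything after ';' is a chunk extension we ignore.
        size = int(data[pos:end].split(b";")[0].strip().decode("ascii"), 16)
        pos = end + 2
        if size == 0:
            # Skip optional trailer headers up to the terminating empty line.
            while True:
                end = data.index(b"\r\n", pos)
                line, pos = data[pos:end], end + 2
                if not line:
                    return bytes(out), data[pos:]
        out += data[pos:pos + size]
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError("malformed chunk terminator")
        pos += 2


def request_body(raw: bytes):
    """Frame the body the safe way; returns (body, leftover bytes)."""
    _, headers, rest = parse_headers(raw)
    mode = choose_framing(headers)
    if mode == "chunked":
        return decode_chunked(rest)
    if mode == "content-length":
        n = int(headers["content-length"])
        return rest[:n], rest[n:]
    return b"", rest


def content_length_first_body(raw: bytes):
    """The behaviour the CHANGES entry warns against: Content-Length is
    honoured even when Transfer-Encoding is present. Included only to make
    the disagreement between the two framings visible."""
    _, headers, rest = parse_headers(raw)
    if "content-length" in headers:
        n = int(headers["content-length"])
        return rest[:n], rest[n:]
    return request_body(raw)


# Constructed request carrying both headers (host name is a placeholder).
CONFLICTING_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"b\r\nhello world\r\n"
    b"0\r\n\r\n"
)

if __name__ == "__main__":
    safe, safe_rest = request_body(CONFLICTING_REQUEST)
    naive, naive_rest = content_length_first_body(CONFLICTING_REQUEST)
    print("Transfer-Encoding wins:", safe, "leftover:", safe_rest)
    print("Content-Length first  :", naive, "leftover:", naive_rest)
```

Run as a script, the two lines it prints show the point of the fix: the chunked framing consumes the whole body and leaves nothing behind, whereas the Content-Length-first framing stops after four bytes and treats the rest of the same TCP stream as the start of a second request. A module that prefers Transfer-Encoding never sees that second, attacker-controlled "request".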
I don't think that analogy is quite apt. It's more like locking someone in your basement and they figure out how to gain access to your whole house.
Okay- I like that analogy better. I've got deep deadbolts on my outside doors; the door between my basement and house has a cheap handle lock that can be popped with a long, thin screw driver.
Not to get lost in the analogy details, but I think you'll find most security skews the same way.
When I run a third party program I am essentially letting them inside, but as a non-privileged user I'm confining them to a specific area. But if this ability to elevate privileges turns out to be a fact, then any program I run can have full access.
I think this ability to elevate privs should be analyzed on a case by case basis for all programs; as such if you are concerned about what applications a user can and can't run, remove the ability to run those applications from the machine.
However with most desktop machines your biggest worry isn't normally* an attack from within; its usually from without.
*)people on slashdot aren't normal and typically have needs that extended beyond normal users. Feel free to contribute some examples that counter this assertion.
In the future, I would want to not be isolated from my friends in the Space Station.
While you're right on the "das", it's doubtful that a dictionary crack would fix it. Since "das" is also his U of Wisc NetID (ref. the e-mail address at the bottom of the page), it's more likely that the password is the same as his U of Wisc password.
So... Anyone up for breaking into the U of Wisc password database?
First, let me say that if a user can exploit an OS X vulnerability from a true user account (not admin) to gain root, then that is very bad. However, that has not been proven. Neither the supposed hack nor the claim of unpublished vulnerabilities (of which the hacker said there were many) has been proven.
The real problem for the majority of OS X users and security is the decision Apple made in the interest of convenience. When you first set up a computer, the first user is an Admin user. This is the account that the majority of home and small business users will use daily for their work. Apple does nothing to educate or guide users in setting up a daily work non-admin account and a separate admin account for maintaining the computer. Very many people fall into the realm of only running from the original admin account. This is simply not a good practice.
A better solution would be to give people the option of taking the more convenient but less secure set up or the more secure set up from the very beginning. And even after people have chosen the less secure one, give people an easy option to change the configuration without having to think about it much.
that professional hackers always ignore challenges like these. First of all, the last thing they want is lots of publicity. Secondly, the last thing they want is for their exploits to be found.
But to get to your comment, the point of this is to expose security holes in a very public way so that they can be patched.
http://das.doit.wisc.edu/
http://test.doit.wisc.edu/~das
If it helps...
...a brilliant web load test that is.
Actually, I think the original test was more interesting than this one. For years we've read countless +5 Insightful posts that OS X is more secure than Windows because normal users run in restricted accounts by default. That trojans can't do anything to the system unless you're "stupid enough to type in your password". If the original hack was indeed an exploit of an undisclosed buffer overflow, it means that this argument is pretty much moot. There have already been lots of posts in this and the previous article that amounted to saying "a local exploit is no big deal, everybody has them, if you have local (restricted) access you should be expected to be compromised anyway". Are these posters saying that the supposed advantages of restricted user accounts on OS X are very overrated? Are they saying it's no big deal if the next social engineering attack is combined with a buffer overflow exploit, meaning no popups asking for your password?
If the original hacker Gwerdna (Andrew G?) was right that there are many undisclosed privilege escalation bugs, that is a case for concern, not something to be dismissed as a mere "local" vulnerability. BSD, Linux and even Windows already have patches for NX to contain buffer overflows, where is Apple on this?
I think that, especially if you're an Apple user, it is very important to test the claim that the OS is rife with local privilege escalation issues. And that's why I think the first test was much better than this one. I don't expect this U of W box to be hacked anytime soon. But this proves very little. You can even set up a Windows SP2 IIS+Remote Desktop box like this, and I don't think it will be hacked anytime soon either. But if you redo something like the original box (give normal user ssh accounts to anyone) and get hacked very quickly again, it proves a lot. Namely that the local security measures of OS X that many have come to trust amount to very little.
No, my position is not funded or "rewarded" by Apple.
Also, I can't say I've *ever* gotten a "freebie" anything from Apple in 22 years other than a couple of T-shirts. Oh, and a nice pen once. I've also never heard of anyone in enterprise or education getting free flat panels and iPods from Apple (except for the free iPod promotions they've had when people buy certain laptops).
Also, since Mac OS X is used *heavily* in education, particularly at large research universities, and diversity of computing platforms is important to avail faculty, staff, and students of the best resources to do their jobs, I'm sure many are interested in the general security of a typical Mac OS X machine with a couple of typical services running on the internet, especially in the wake of such misleading press coverage of the same. The only interests I represent are those of the University of Wisconsin - Madison.
And yes, this challenge is sanctioned. I'm glad that the University of Wisconsin supports the genuine interests of its faculty, staff, and students, and encourages individual thought, research, discovery, and exploration. That's why it's a great place to be!
Don't play this down, this is a serious flaw. UNIX security is all about user accounts; if a UNIX based system can't enforce user accounts its entire security model is useless.
Just because a vulnerability is 'local' doesn't mean you have to be sitting at the computer. Take the U of Wisconsin's honey pot box running Apache and ssh. Both Apache and ssh run in a lower privileged user account whenever they can, so that if there's a flaw in code which runs in the lower user account it can only do damage within that lower user account.
Right now if you found a hole in low privilege context code you could use it to get admin access in OS X; this is a serious problem and it makes the UNIX security model, which Apple gives as the reason for OS X's great security, useless.
This doesn't mean OS X is insecure and everything else is, but it is a very serious flaw (especially being unreleased) and I don't understand why everyone is downplaying it.
// MD_Update(&m,buf,j);
It seems to me that tests like "remote break-in using ssh" are not as good of a fit to today's common home computing environment. For something like OS X, most home machines probably are not running any services, so it is rather pointless to try to break into them using standard ssh/http attacks.
I would prefer to see test break-in attempts set up like this:
an unprivileged "test account" is created on OS X and set up with email, web browser, and other common desktop programs
the "test account" is set up with several common methods of communicating with the outside world: email, IM, commonly-browsed web sites, webmail, banking sites, etc
the test account's email address and IM account are made public to the would-be attackers
someone regularly checks the test account's email and acts like a "gullible user" would, eg click on spam and phishing links, go to hostile web sites, follow dubious instructions received via IM from supposed friends
the challenge: attacker must be able to do something "bad": control box resources (think spyware), steal critical system information (think remote root), get bank account information (think phishing), whatever
A few years ago, this was trivial on Windows. I hear they've cleaned up their act to some extent. How well would OS X hold up? How about a standard desktop version of Linux?
Damn it, there goes fluffy. Hmm, how bout something similar, puffy maybe hmm.
Oh, nice screensaver, gotta run.
Then IBM bought Data General and that was the last we heard of DG/UX B2 Secure. Pity really. They should have ditched AIX instead. But I digress...
OSX is pretty damn secure right out of the box, but Apple could do more to make it tighter by default. They've already managed the security versus usability balance far better than Microsoft has managed so far. I think Apple could push a little more over to the security side of the thing without noticeably affecting usability. I also think that Apple users would accept slightly less user friendly systems in order to continue to walk around with that air of I-can't-get-spyware-or-viruses smugness that no Windows user will ever understand until they've seriously used an Apple machine for a few days. Apple's selling more than a machine. They're selling the ability to not have to live in fear every time you connect that machine to the Internet. They're selling the ability to not have to run so many third party security applications that the shiny new machine runs like a shiny new machine from 5 years ago. I think that is worth any perceived price premium.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
See this: http://apple.slashdot.org/comments.pl?sid=179501&threshold=1&commentsort=0&mode=thread&pid=14866045#14866379
I host on a company called Pair (www.pair.com), as do many others including major sites like Tom's Hardware. It's all UNIX hosting, FreeBSD specifically, and you get SSH with all but their most basic accounts. Somehow, they are able to do that, and not get their shit rooted all the time, or indeed ever that I'm aware of.
True, but this test still does not compare to what hosting companies are doing. Web hosting companies are (hopefully) run by professionals who secure the boxes. Web hosting companies run operating systems like RHEL that were designed for server use--Mac OS X on a Mac Mini was designed for home use.
Most importantly though, hosting companies are not giving ssh to any anonymous joe off the street, which is exactly what happened in this contest. At a minimum, web hosting companies have your credit card number before they offer you ssh. Some will demand additional information, such as a faxed copy of a driver's license. Of course a crook can get a drivers' license and a stolen credit card, but these are additional hoops to jump through that make the process of cracking the machine that much more trouble. Plus, if someone does crack the machine despite his lack of anonymity, the hosting company might be able to track him down.
This contest as reported on ZDNet was a joke. The guy gave ssh accounts to anyone who asked for them, without demanding any proof of identification. He ran it on an OS that was not designed to be run with untrusted users logged in. Furthermore, the crack was done by an anonymous person using an "undocumented" security hole, which to me calls the credibility of the whole episode into question. In what real-world situation does anyone allow ssh login to any random, anonymous Joe?
Penny - plain text accounting
I'm curious why you think all these applications, all of which run as the user, would somehow let you escalate privileges?
The University isn't running this, it's being run by a guy in our technology department.
He has a Slashdot ID here.
Hope he succeeds in proving that Mac OS is bulletproof.
-Kurt
"We can categorically state we have not released man-eating badgers into the area." - UK military spokesman, July 2007
I dunno, but I'm pretty sure it's been slashdotted:
Mon 7 March 2006 8:45 AM CST
Welcome, slashdot.
Can anyone verify if they've changed the webpage to support the load?
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
[ed: Go Badgers]
mushroom! mushroom!
It's true no man is an island, but if you take a bunch of dead guys and tie 'em together, they make a good raft.
I am just down the street from there.
Someone want to pay me to whack it with a bat?
Does "down" count as "modify a web page"?
I could easily modify their site if they were only using a wiki.
You are incorrect--the release version of OS X for Intel does support the "NX" (no execute page protection mode, and by implication, PAE) feature, and has stack pages marked NX by default. Get your facts right before bloviating, troll. I believe, but am not sure, that the G5 equivalent is supported as well, but given the architecture+ABI differences, it's somewhat less vulnerable than x86 to stack smash style vulnerabilities.
"The slave who knows his master's will and does not get ready...will be beaten with many blows." Luke 12:47-48
I think much of the fault lies at the feet of ZDNet/CNet. They'll write anything to get page views. It doesn't matter if a piece on their site is entirely non- or anti-factual as long as it inflames enough people to read it out of pure disgust.
I'm still subscribed to some of their newsletters, where they email me about what this or that person has "blogged" on their site recently. I guess if you call it blogging then you don't have to do any journalism, but they'll have two people playing off both sides of an argument so we'll keep clicking and ringing their page count up.
I think the best solution is to ignore them so they'll go away, or otherwise to make sure you make judicious use of Adblock.
www.clarke.ca
I think, depending on the types of attacks you try, you may get in trouble with your own ISP (wtf is all this weird traffic). Also not sure of what the laws say.
.. did they?
U of W should have stated something
I love how the mac mini is surviving the slashdotting no probs. Sure it's mostly text, but I've seen similar sites crumble in no time.
http://test.doit.wisc.edu/
Chris
Lots of hosting companies offer ssh access, not to mention that if an account exists on the machine with ssh access, it may be only a matter of time before someone manages to gain access to it.
Yes but how many of those ssh accounts are to virtual servers? It's basically like compromising a box only you are on at that point...
And it's going to be a very long time indeed before someone unwanted can get into a system via ssh if the password is well chosen.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I have to agree that there are a lot of stories, and many of them look eerily similar. I'm not really one to buy into conspiracy theories but it would be interesting to track down the sources behind some of these things...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
that Mac users get their panties in a bunch for *anything*. Face it, this isn't academia or science - this is pure religion.
With virus/spyware becoming a multimillion dollar business, do you really think that the real hackers (sorry for the use of the term) will stay away from this, due to this very condition? Do you think that the dangerous exploits and cracks that are, for the moment, unknown to Apple, and are hence very valuable, will be willingly sent to Apple for some minor publicity and no material? No, they will be auctioned off in some sleazy IRC channel in Russia.
Well the person that cracked the other OS X box used an unpublished exploit on a computer that could have been logging out the wazoo, so there's at least one person willing to do so...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Such competitions certainly don't "prove" a system is secure.
But they do help in some situations. For instance, one of the things MS supporters constantly use as a defense is that the other OSes are only "safe" because nobody bothers to try and hack them.
Contests focus attention and effort on these systems. If they survive, it does undermine the original claim, which is merely an opinion to begin with, although often treated as cold, hard, fact.
Yeah, because everyone knows there is no legitimate interest about computer security in academia. You should probably send a message to the Regents of the University of California at Berkeley -- I hear some of their people have been wasting time on computer stuff over there, too! A blatant waste...
Recursive: Adj. See Recursive.
At least at 9:28 AM on Tuesday March 7th.
"The slave who knows his master's will and does not get ready...will be beaten with many blows." Luke 12:47-48
It appears that the original article has been changed since originally posted. It currently reads:
"On February 22, a Sweden-based Mac enthusiast set his Mac Mini as a server and invited hackers to break through the computer's security and gain root control, which would allow the attacker to take charge of the computer and delete files and folders or install applications.
"Participants were given local client access to the target computer and invited to try their luck."
Other related blog entries have noted the update.
Even so, the article fails to mention that this vulnerability relies on extra work on the part of the system administrator to create the accounts and open ssh.
And here are the response headers:
Also, I have the feeling it's running PHP, because it says "Welcome, slashdot!". So it's using scripting alright. It's not JUST a simple text page, it's scripted.
OK that ought to be a start
I'm not a Mac fan but why encourage people to hack Macs? This is almost like someone wants to destroy the smug "unhackable" world that Mac users live in.
People start hacking Macs and the next thing you know Mac viruses and worms are commonplace. Even if I don't hang out with my Mac neighbours, I don't wish them any harm.
This challenge is moot.
If noone cracks the server it is no proof that the server is secure -- it could as well be that those that could do it save their knowledge for more rewarding targets.
...to have a boss that'll let you fuck around with stupid "challenges" and post on slashdot all day at work, and have the Universi-frickin'-ty of Wisconsin "sponsor" it. Sheesh.
"I think you can't "see the forest for the trees."
The original test was equivalent to saying "I'll let a thief into my house. Let's see if he can steal anything!" Most houses don't have everything bolted down to the floor.
But how often do you allow someone into your machine? For A desktop, not often, perhaps never."
Bad analogy. Unix is supposed to support multiple users.
A better analogy. I let someone move into my apartment complex and give him the keys to his apartment. He shouldn't be able to break into anyone elses apartment. And he shouldn't be able to break into the office and get the master key.
Vote for Pedro
by daveschroeder (516195) on Tuesday March 07, @10:44AM (#14866581)
No +1 Informative for you.
[Fuck Beta]
o0t!
What I'd like to see is that same test repeated for Windows, and maybe even Linux and Solaris... and OpenBSD. Now *that* would be interesting.
Guess what? I'm going to wager that all of those systems are prone to some sort of privilege escalation attack. ( actually, I don't have to guess, just check out CERT on this one. )
Are you trying to say WindowsXP or Linux is more secure when it comes to privilege escalation attacks than OS X ? Somehow, I'm tempted to think all of these systems have issues in that area. I'm not saying it's good, and I definitely won't defend Apple's somewhat lax approach in this area ( especially regarding the holes they've put in their security via LaunchServices and SystemStartup ), but uh... you should be fair, I think. It's not like a WindowsXP box, or even a Linux box, would last much longer if you just *gave* everyone user accounts on them, or ran software of questionable origin. That's just not something safe to do, regardless of what system you're on.
Now, if your intention is simply to point out that Apple's systems aren't any more secure than anyone else's in terms of this kind of attack, then you have a good point, one that Apple and their users both need to listen to and act upon.
funny that just moments after I go to the test server, my logs indicate a hack attempt on my webserver, from 69.76.121.90. That address just happens to be a former sysadmin from the university.. wtf?!?
There's no point in providing a hacking challenge with no reward. All you've proven if it isn't hacked is you didn't interest anyone enough to bother. If you offered $1,000,000, as an opposite extreme, and no one hacked it, then you can say that even for a million dollars no one was able to hack the machine. It's hard to imagine no one bothered with a large reward.
Vote for Pedro
Dude. The fact is, news sites around the world are saying "Mac OS X system hacked by some guy on the net", when they should be saying something more like "Mac OS X user locally escalated privileges using unpublished exploit".
It's a very well accepted fact that there's nearly no way to protect from local privilege escalation. It happens all the time, and new exploits are constantly found. The kind of access you need to use a machine to a reasonable extent (locally, at the console) means you'll always be able to find ways to escalate your privileges.
"The original test was to see if a regular local user could elevate its privileges to admin."
Actually, the original "test" was something along the lines of "See if you can get into my machine and erase everything, over the network connection. Oh yeah here's an SSH login if you want." Read the FAQ.
malware will not be required to ask you for a password to elevate privileges - see? all those 'this is not a virus, it asks for your password and that should set your alarm bells going' argument goes puff! in smoke.
It's one thing to say it took someone 30 minutes to gain root access from a local account; it's a very different thing to say that a piece of malware will *automatically* do this in a matter of seconds/minutes. Yes, it's a step towards an automated solution, but since the approach wasn't made public it's unclear whether it's universally exploitable, or only under certain conditions, etc.
-Stu
It's not responding to pings or anything. Does anyone know what's going on with the machine?
How could you infer that from what I wrote? I never once mentioned any other OS. I have little doubt that XP is less secure, but that's not the issue. Up until a few days ago, no one was claiming to be able to escalate user privileges under OS X. Now someone is claiming that. And if it's true, it's a problem not to be taken lightly. And if it can be done programmatically, then it's a very serious issue.
For what it's worth, I don't run XP. I don't run Linux. I run OS X, and I've done so since it first came out. And I ran Mac OS 9, and 8, and 7, and 6, and even had an original Mac with only a floppy drive. So I'm not looking to bash Macs. In fact, my friends who I drive nuts with my "Mac talk" would laugh at the idea.
But that still doesn't mean this is a trivial issue. And it doesn't really matter that it's "less bad" than XP. I take that to be a given.
It's certainly true that the original ZDNet article was sensationalist and overly alarmist about the implications for Mac security. But by implying that the original contest is irrelevant for a typical Mac user and that his test will prove that Macs are secure, Dave Schroeder is being equally, if not more, misleading.
The original test showed that Macs are vulnerable to local privilege escalation. It is true that most Mac desktop users are not offering accounts to external users. But a great many of the attacks out in the real world today are luring attacks, where a local user is tricked into running an executable with his local user permissions. The original test shows that such an executable can successfully elevate its privileges and own the machine. This is very relevant to the typical Mac desktop user.
Dave's new test doesn't have a user on the machine randomly surfing the internet and clicking on any link that says "get yer naked pics here"! Instead, as he freely admits, he is really just testing apache and ssh security, which are rarely turned on in a typical Mac desktop configuration. Of course, were a hacker to exploit a vulnerability in one of those services, he could presumably use the same privilege escalation attack that was used in the original test to own the machine.
One of the more interesting ideas about how to deal with luring attacks has actually come out of the Microsoft .NET Framework. In its security model, the permissions of an application don't depend just on the user that's running it, but also on the origin of the application, as defined by a signed certificate. This system has the potential to greatly improve security, but sadly most Windows applications are not yet managed, and most Windows machines are not yet configured to strictly limit which managed applications are allowed to do what.
I propose a CLIENT side internet security challenge. I cannot script MacOS, but I'm led to believe it is easy to do. So, script two applications as semi-gullible users: Mail and Safari.
For Mail, publish an email address that the Mail client on the target system receives and hackers can spam. Script the mail client to open (view) messages, and to open links in messages. Finally, you perhaps can open (view) attachments to messages. This mimics social engineering techniques which are here for good. Your computer should offer some protection against this.
For Safari, publish a web form for hackers to submit URLs to. Perhaps they can submit a series of them. Script Safari to visit these URLs as if the user had typed them in, or clicked a link.
Run both scripts in the normal MacOS Finder shell with normal user rights (not admin)*.
In both scripts, if an authentication dialog (or any warning dialog) is prompted, cancel it. The user is gullible, but not dumb.
Success would be if no hacker acquired a shell or launched a process.
Utter failure would be if a hacker acquired a root shell and launched a process with root authority.
Mild failure would be a hacker acquiring a shell, or launching a process, but without gaining root authority. I doubt this would happen.
* MacOS does have one of the same big flaws that MS Windows does. If a home user gets a system and sets it up, the OS only leads them to create a second (other than root) administrator account. It doesn't lead them to create a non-admin account for everyday computing. So most home users are running on the internet with administrator rights. Granted, the MacOS second administrator is not as powerful as the WinXP second administrator (which might as well be root), but is privileged.
If the first client security challenge succeeds, repeat but have the Finder and apps run with administrator rights, as a normal home user will do.
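The footnote above makes a point a practitioner can actually check on their own box: is the account you use every day a member of the admin group? The following is an added example (not part of the comment, and not Apple's tooling): it parses the output of the real `dscl . -read /Groups/admin GroupMembership` command, which lists the group's members on one line, and reports whether a given user is in it. The sample output and the user names in it are constructed.

```python
"""Check whether a macOS account is in the admin group (added example)."""
import getpass
import shutil
import subprocess

# Constructed sample of what `dscl . -read /Groups/admin GroupMembership`
# prints on Mac OS X: one line, the group name and its members space-separated.
SAMPLE_DSCL_OUTPUT = "GroupMembership: root alice\n"


def parse_group_membership(dscl_output):
    """Return the set of user names on the GroupMembership line(s)."""
    members = set()
    for line in dscl_output.splitlines():
        if line.startswith("GroupMembership:"):
            members.update(line.split(":", 1)[1].split())
    return members


def is_admin(user, dscl_output):
    """True when `user` appears in the admin group's membership listing."""
    return user in parse_group_membership(dscl_output)


def current_user_is_admin():
    """Query the live directory service; returns None where dscl is not installed
    (i.e. anywhere that is not macOS), so the function is safe to call on any host."""
    if shutil.which("dscl") is None:
        return None
    result = subprocess.run(
        ["dscl", ".", "-read", "/Groups/admin", "GroupMembership"],
        capture_output=True, text=True, check=False,
    )
    return is_admin(getpass.getuser(), result.stdout)


if __name__ == "__main__":
    verdict = current_user_is_admin()
    if verdict is None:
        print("dscl not found: not a macOS host (sample parse: alice is admin =",
              is_admin("alice", SAMPLE_DSCL_OUTPUT), ")")
    else:
        print("current user is admin:", verdict)
```

If the answer is yes for the account you browse and read mail with, the footnote's concern applies to you; the fix is a second, non-admin account for everyday use, with the admin account kept for installs.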
I do not know which is worse; a test that was poorly done and basically rigged, or your flawed logic.
By letting somebody on the system, it is only a matter of time before somebody is through the system. There is no system going that will be able to confine 100% of all users if they make it on. At that point, all LOC are in play and any OS that was not mathematically proven will fail (which would be all).
Now, you read the report, but I am guessing that you have no real background to judge it for being a good enough test. Yet, you comment on it as though the test was valid.
All it proved is that you are once again, an idiot who lies.
Sad, really. You are a waste of space and reading.
Paradise Pete: How could you infer that from what I wrote? I never once mentioned any other OS.
Precisely, you never mentioned any other OS with regards to privilege escalation attacks... and you'll notice I was really just _asking_ if you were trying to imply something about another OS, so actually, I didn't infer it as much as I wondered if you meant to infer it.
I have little doubt that XP is less secure, but that's not the issue. Up until a few days ago, no one was claiming to be able to escalate user privileges under OS X. Now someone is claiming that. And if it's true, it's a problem not to be taken lightly. And if it can be done programmatically, then it's a very serious issue.
Um. Ok. Here's the thing: just about every form of *nix under the sun has had a history of problems with privilege escalation. Go to this CERT document and search for "elevated privileges"... as just one example of how widespread and ( fairly ) well-known this type of problem is. While you're there, note that OpenSSH is what OS X uses. I'm sorry that you ( and apparently a lot of other people ) weren't aware of this as a problem, and usually such attacks are fairly difficult and too obscure for most people to do, but... they are a real problem, and always have been.
For what it's worth, I don't run XP. I don't run Linux. I run OS X, and I've done so since it first came out. And I ran Mac OS 9, and 8, and 7, and 6, and even had an original Mac with only a floppy drive. So I'm not looking to bash Macs. In fact, my friends who I drive nuts with my "Mac talk" would laugh at the idea.
Well, consider for a minute then that OS 9 has pretty much *no* such concept as privileged and unprivileged users... it does have some user restrictions, but they never worked terribly well in part because they weren't implemented by much more than the Finder and system services. Would you have given someone an account on your OS 9 machine if you didn't know who they were? I doubt it.
But that still doesn't mean this is a trivial issue. And it doesn't really matter that it's "less bad" than XP. I take that to be a given.
Yup... definitely not a trivial issue. Definitely an issue that Apple ( and, clearly, developers and system designers in general ) would like to ignore... because it's complicated and restricts what you can do. Apple needs to step up and treat privilege escalation as a more serious threat than it seems they have in the past. Hackers need to step up and do the right thing by reporting these problems when they find them. But most importantly, users like you and me need to remember that there is no such thing as giving someone "safe" access to your machine... if you're going to open up SSH or any other avenue that could be used for attack, do it carefully, check out OpenSSH CERT reports, and remember that you're not invulnerable, no matter what operating system you're using. They have not built an unsinkable ship, nor have they built an operating system that you can give someone "some" ability to directly execute arbitrary code on. You might think OS 9 did that, but it didn't - it made it really, really hard to execute arbitrary code from anything but the console, but once you were a user, it was easy to do whatever you wanted. OS X is an improvement on that, really... even *if* you give anyone who wants one a login account and ask them to own your machine. And it's definitely an improvement on WindowsXP, though I do wonder if OpenBSD or something might be more safe.
It really is like locking someone in the garage or basement and daring them to get into the rest of the house. If you actually *want* to be safe, you'll lock them out at the gate outside your house, and not let them in where they can start to attack through the drywall.
I'll just walk to the doit office. Depending on which office it's in, I could be there in as little as 2 minutes, or if it's across campus, it'll take me roughly 20 minutes. I suppose I could figure out where it is by finding out what its IP address is....
as the first person to try to draw an analogy between computers and houses or cars, you have automatically lost.
better luck next time.
my password really is 'stinkypants'
I can't dial in. Busy signal all the time. Damnit Nikki.
"The testing period will be closed at 11:59 PM CST on 7 March 2006 (0559 GMT 8 March 2006). Test results will be published." - Mac OS X Security Test
Prove it.
You are a blathering idiot, and a good excuse for retroactive birth control. Sucks to be you.
- Former Badger, glad I ordered one of those new MacBooks
EOT
You really think this Mac Zealot guy has a legitimate interest in security? Har. Since when is arguing with ZDNET about Macs legitimate academic anything?
Whenever I hear the word 'Innovation', I reach for my pistol.
Sorry, Fink is not part of the ADC OS X Developer Tools. Try Again. Show me on ADC where I can download Fink?
I wouldn't touch Fink with a 10ft. pole. I build myself from source if I need something.
Cheers
In an Apple forum I had been visiting, a Windows fanboy had started a thread referencing the ZDNet article to show how Mac OS X can EASILY be hacked by simply being connected to the Internet. Of course this is a clueless fanboy who didn't realize the hacker was given local access. So yeah, fanboys like him will use the misleading article to spread FUD.
You are correct sir, but:
Lighten up, Francis.
Bravo. You managed to prove that your Mac can stay online in a hostile environment for 38 hours. - sorta impressive.
I am sure I won't be rushing off and buying them for homeland defense.
Changing the time was Bull.
Next time you're in fear of being proven wrong,
Don't take your ball and bat and go home, play through.
I see you forget to mention that you changed the ending time on the final page.
Your experiment proved nothing. And your pulling out said volumes.
If you really want it hacked, challenge blackhat.com or put the challenge up to www.zone-h.org. However, since it is a Macintosh, no one is really paying attention.
Gee, I wonder if Yahoo! and other online news websites are going to give as much coverage to this story as they did the original ZNet article?
The only people with brains and with the knowledge to hack a Mac only do it for money. There is no fame or reputation involved. There is no academic interest. There is no proving all the Mac fan-boys wrong motivation. This is a world of pure money.
The test is now closed and there were no successful security breaches. This proves what most of us already knew about Mac OS X. This is taken directly from the site http://test.doit.wisc.edu/
Mac OS X Security Test
Tue 7 March 2006 11:59 PM CST (8 March 2006 0559 GMT)
The testing period is now closed.
The response has been very strong, and the test has illustrated its point.
Traffic to the host spiked at over 30 Mbps.
Most of the traffic, aside from casual web visitors, was web exploit scripts, ssh dictionary attacks, and scanning tools such as Nessus.
The machine was under intermittent DoS attack. During the two brief periods of denial of service, the host remained up.
The test machine was a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, had two local accounts, and had ssh and http open with their default configurations.
There were no successful access attempts of any kind, including during the 38 hour duration of the test period, nor have there been any claims of success. The host is still the same host and configuration used for the test.
Some snippets from 7 March 2006:
The site received almost a half a million requests via the web.
There were over 4000 login attempts via ssh.
The ipfw log grew at 40MB/hour and contains 6 million events logged.
Several social engineering attempts were received, including one purporting to be from the government of Sweden, which apparently uses GMail. ;-)
More test results and information will be published here at a future date.
So, nobody COULD break in in 38 hours, let alone 30 minutes, and now what do our Mac haters say? Well, if it would have been for MONEY, then they could have broken in. Yeah, right. I am surprised, though, that they cut the test short and nobody complained. It was supposed to last until Friday. I suppose the bandwidth and the attempted DDos attacks might have made the network people a bit edgy.
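The test results quoted above count "over 4000 login attempts via ssh" and describe most of the traffic as ssh dictionary attacks, and an earlier comment points out that such attempts only matter when a password is weak enough to be guessed. The following is an added example, not from the test site or from any of the commenters: a small Python script that reads sshd log lines in the syslog layout sshd writes (Mac OS X 10.4 puts them in /var/log/secure.log), separates a dictionary attack (many failures from one source spread over several account names) from an ordinary user mistyping a password, and flags the case a defender most needs to see: a source that failed repeatedly and then got an "Accepted" line, meaning a password was guessed. The log lines, host name, account names and addresses are constructed (RFC 5737 documentation ranges); the thresholds are assumptions.

```python
"""Flag ssh dictionary attacks in sshd log lines (added example, constructed data)."""
import re
from collections import defaultdict

# Constructed sample in the layout sshd logs via syslog:
# "Mon DD HH:MM:SS host sshd[pid]: message". Not real traffic.
SAMPLE_LOG = """\
Mar  7 09:01:02 testbox sshd[401]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
Mar  7 09:01:03 testbox sshd[403]: Failed password for invalid user test from 198.51.100.7 port 40113 ssh2
Mar  7 09:01:04 testbox sshd[405]: Failed password for root from 198.51.100.7 port 40114 ssh2
Mar  7 09:01:05 testbox sshd[407]: Failed password for invalid user oracle from 198.51.100.7 port 40115 ssh2
Mar  7 09:01:06 testbox sshd[409]: Failed password for invalid user guest from 198.51.100.7 port 40116 ssh2
Mar  7 09:15:30 testbox sshd[520]: Failed password for alice from 203.0.113.9 port 51000 ssh2
Mar  7 09:15:41 testbox sshd[522]: Accepted password for alice from 203.0.113.9 port 51001 ssh2
Mar  7 09:20:00 testbox sshd[530]: Invalid user ftp from 198.51.100.7
"""

# "invalid user" is present when the account does not exist at all; the
# optional group lets both forms yield the attempted user name.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_events(log_text):
    """Return a list of (outcome, user, ip) for every authentication outcome line.
    Lines that are not a failed/accepted outcome (e.g. the bare 'Invalid user'
    notice) are ignored rather than double counted."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append(("failed", m.group("user"), m.group("ip")))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            events.append(("accepted", m.group("user"), m.group("ip")))
    return events


def find_dictionary_attacks(log_text, min_failures=5, min_distinct_users=3):
    """Return {ip: {"failures": n, "users": [...], "succeeded": bool}} for sources
    that look like dictionary attacks. Thresholds are assumed values: a real
    user mistyping a password (one name, a few failures) stays below both."""
    failures = defaultdict(list)   # ip -> list of user names tried
    successes = set()              # ips that got at least one Accepted line
    for outcome, user, ip in parse_events(log_text):
        if outcome == "failed":
            failures[ip].append(user)
        else:
            successes.add(ip)
    report = {}
    for ip, users in failures.items():
        distinct = sorted(set(users))
        if len(users) >= min_failures and len(distinct) >= min_distinct_users:
            report[ip] = {
                "failures": len(users),
                "users": distinct,
                # True means a guess eventually worked: the finding to act on first.
                "succeeded": ip in successes,
            }
    return report


if __name__ == "__main__":
    for ip, info in find_dictionary_attacks(SAMPLE_LOG).items():
        status = "SUCCEEDED" if info["succeeded"] else "no success"
        print(f"{ip}: {info['failures']} failures over {len(info['users'])} accounts, {status}")
```

Run over the constructed sample it reports one source, 198.51.100.7, with five failures across five account names and no success, while alice's single typo from 203.0.113.9 is left alone. On the test machine's figures (4000+ attempts in 38 hours) the useful output is not the attacker list, which will be long, but the "succeeded" flag and the set of account names tried, which tells you which local accounts the scripts are guessing against.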
Actually, the eWeek article linked by emil is titled "Apple's Switch to Intel Could Allow OS X Exploits", so indeed they are talking about the Intel boxes and not the PPC.
It seems that you are the one who's wrong here, not Apple...
The OS X "challenge" was not sanctioned by the UW-Madison. The test ended yesterday when the CIO learned of it. The machine will be taken off their network tonight.
The CIO of UW-Madison has managed to get test.doit.wisc.edu website defaced.
Yesterday we discovered the Mac OSX "challenge" was not an activity authorized by the UW-Madison. Once the test came to the attention of our CIO, she ended it. The site, test.doit.wisc.edu, will be removed from the network tonight. Our primary concern is for security and network access for UW services. We are sorry for any inconvenience this has caused to the community. I knew this wouldn't get very far. 30Mbps load for one computer on a school network is too much.
Your comment is much more funny anyway. Kudos.
See, the funny part is the CIO did find out about this, and she promptly pulled the plug. Dave Schroeder is nothing more than a mac fanatic wanker. He is as annoying on campus mailing lists as he is on slashdot.
Speaking of AUPS... I wonder why the University of Wisconsin is listed as the registrant for a few of his domains. ipodbatteryfaq intelapplefaq. At least they aren't hosted in the UW ip space, that is very much a no no.
Agreed! But as many people as I see that are Mac fanatics, I see just as many that are anti-Mac fanatics. It is that approach that led to a very poorly researched and written article that, if I did not give the benefit of a doubt, I would believe was intended to deliberately spread FUD about OS X.
Dear Mrs. Stunden,
As you know, a test computer was set up at the web address of: http://test.doit.wisc.edu/ in order to research the security of the Mac OS X operating system.
I have read today on the technology news site http://www.slashdot.org/ that it has been abruptly shut down. When I visited the site, I received this message:
"Yesterday we discovered the Mac OSX "challenge" was not an activity authorized by the UW-Madison. Once the test came to the attention of our CIO, she ended it. The site, test.doit.wisc.edu, will be removed from the network tonight. Our primary concern is for security and network access for UW services. We are sorry for any inconvenience this has caused to the community."
In regards to your decision to shut the site down, please understand that you have left an indelible mark on the IT community around the WORLD. Certainly this is a destructive blow to the reputation of your department and to UW-Madison.
You state on your professional bio, "UW-Madison is a 40,000-student research university committed to transformational change of the teaching and learning environment through the use of technology."
How can you and UW-Madison be "committed to transformational change of the teaching and learning environment through the use of technology" by terminating such a noble project? What ever happened to service to the technology community?
Go ahead, laugh at me, ignore me. You probably deleted this e-mail before even reading this far. I'm just a kid...a college student of Information Systems Management; however I am an example of our country's next generation of Leadership. I represent the new style of thinking and ethics.
My generation has no tolerance for people like you. Your leadership style is obsolete and people like you are getting replaced faster than you can say Sayonara. To us, Ethics and Community Service are the two most important values a university must have.
Can you give me one good reason not to write a letter to my Senators and Congressmen, asking to launch an investigation of what your department does with my tax dollars? Can you give me a good reason to not write a letter to UW-Madison's board asking for you to be terminated immediately because of your selfish and unethical behavior?
For someone who has been working in technology since "1959" haven't you learned by now to think about the consequences before you make a decision?
I recommend that you release an official statement and send it to http://www.slashdot.org/ for the sake of your own and UW-Madison's reputation.
most sincerely,
XYZ
> Would be nice to see something like this for all platforms.
Well, huh! Here's a challenge! I've got a Windows box which you can attack at IP 124.235.13... [silence]
PS: What's even funnier is I've actually got a W2K webserver/SSH/SFTP server running here but I dare not give the IP away at slashdot - if OSX has 'an unpublished vulnerability' I wonder how many Windows does... Which is double funny again since supposedly OSX weaknesses haven't been exposed cause of small user base whereas my only defence against hordes of hackers here is to keep my website as unpopular as possible!
www.tribalnetworks.org - helping tribal people around the world to own their own means of high-tech communications
Nor did he say it was. What he said was that a computer with fink installed will likely also have the developer tools installed, since fink requires them in order to work properly.
James P. Barrett
doh!
Guess it wasn't sanctioned enough.
New and improved Guilt. Now it's alcohol soluble!
A Windows-loyalist buddy of mine thinks a fresh install of XP SP2 would withstand a similar challenge as the one Schroeder set up for OS X. Comments? Anybody care to try?
blasted.
Too bad I guess that Schroeder's superiors rapped his knuckles and took down his playtoy. But one thing is certain: when - not if - the hackers finally broke through, it would only take them another twenty minutes to get root.
LMAO
Just in case any of you dumb fuck "Macs suck" knuckle draggers are wondering, it's over. U of Wi pulled the plug.
38 hours and not one successful crack.
Mr "Mac OS X is so insecure" didn't even manage to get in.
http://www.technewsworld.com/story/49296.html
No, the "funny part" is that people were aware of it, but later, executive management viewed it as too much of a liability/exposure - this is probably so, from certain perspectives. You can read her thoughts on it here. I routinely do interviews for the press, and have been involved with projects that have received national exposure that aren't strictly UW-related, such as Grants.gov for Mac OS X, a package which Grants.gov and Northrop Grumman now officially distribute themselves.
And appleintelfaq.com and ipodbatteryfaq.com just picked up the default contact information I use on DirectNIC, where other domains I administer for UW are registered. Since they're hosted off campus, have nothing to do with the university, and don't use university DNS, there was never any issue with either domain. I've changed the contact information appropriately.
If you really are affiliated with the university and have something to say to me, why don't you stop by my office or email me instead of anonymously trolling me on slashdot? Thanks!