Slashdot Mirror


U of Wisconsin's Mac OS X Security Challenge

digitalsurgeon writes "The University of Wisconsin [ed: Go Badgers] has launched a Mac OS X Security challenge, in response to a 'woefully misleading ZDnet article'. From the site: 'The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open.' Are you up to the task? Can you prove ZDNet wrong, or can you show that Mac OS X can really be hacked in less than 30 minutes? More information about the challenge is at http://test.doit.wisc.edu/ The challenge ends Fri 10 March 2006 10:00 AM CST." Update: 03/07 14:32 GMT by Z : Commentary on the contest and original claim is available at VNUNet.

21 of 401 comments

  1. Prove it! by Bromskloss · · Score: 5, Funny

    Can you prove ZDNet wrong, or can you show that Mac OS X can really be hacked in less than 30 minutes?

    So guys, what do you say? Should we all maybe prove ZDNet wrong by not breaking into that computer?

    --
    Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
    1. Re:Prove it! by CheeseburgerBlue · · Score: 5, Funny

      The poster then promptly disappeared in a puff of logic.

    2. Re:Prove it! by Ford+Prefect · · Score: 5, Funny

      I was appalled that someone might have hacked into this machine and thus given the impression that MacOS X was somehow ... insecure, so I hacked into it myself and patched it up with some new security features.

      So to anyone wanting to compete in this challenge: sorry. :-(

      --
      Tedious Bloggy Stuff - hooray?
    3. Re:Prove it! by mblase · · Score: 4, Funny

      So guys, what do you say? Should we all maybe prove ZDNet wrong by not breaking into that computer?

      Why don't we just do what Slashdot does best, and DDoS the thing instead? The way I see it, that's the best way to protect it from being hacked in the first place.

  2. Re:Hackorama Windows by racebit · · Score: 2, Funny
    "I wish someone running windows 2003 professional could start a competition like this."

    A competition to crack a win 2k3pro server isn't a competition, that's a free-for-all.

  3. Re:Hackorama Windows by Anonymous Coward · · Score: 1, Funny

    Winning a 'hack my windows box' competition is like getting 'first post' on slashdot. It's not hard, you just have to be quick.

  4. Does /. win... by CupBeEmpty · · Score: 3, Funny

    ...if the little Mac Mini melts from a good /.'ing?

  5. Hacked Pixel #F0F8FF by digitaldc · · Score: 4, Funny

    I hacked in, and in 22 minutes changed one of the pixels from #FFFFFF to #F0F8FF, but it is very hard to tell.
    In fact, nobody even noticed.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  6. over 15 posts! by ikejam · · Score: 2, Funny

    and no one calls dupe?

    http://apple.slashdot.org/article.pl?sid=06/03/06/1446207

    That.. must be a record.

    incidentally the original post seems to reflect a more updated view :-s

  7. Re:A Different Test by Perl-Pusher · · Score: 2, Funny

    Until you posted this tidbit on slashdot.

  8. Easy, To Do by LifesABeach · · Score: 5, Funny

    The process is pretty simple, "It's too expensive to compromise the Hardware, but the Humanware; That's cheap, and easy. First your dog/pet/loved is shoot, dead, in front of you. The next comes easier. The gun is pointed at you, and you are given 2 minutes to change the web page to some off topic theme. If you are given an extra 5 minutes, you'll learn Photoshop so that you can put an image of you doing it to a male Shetland pony in front of the members of the supreme court, all looking down on you and smiling in that knowing fashion." The D.O.D. Security Instructor that said this to me didn't even bat an eye; That's the chilling part.

    1. Re:Easy, To Do by SEWilco · · Score: 5, Funny
      "...dog/pet/loved is shoot, dead"

      • We're talking about a nerd. In Wisconsin.
      • You can't hack your own web page in 2 minutes after your computer has been shot dead.
  9. How unfair! by Linux_ho · · Score: 3, Funny

    They've removed the biggest security hole in an OS X system: The Mac User. The Mac User will set "fluffy" as their password, and attempt to install any interesting-looking screensaver that gets e-mailed to them. Not that any other OS would do much better in the face of such adversity. But it's funny that they would use a test like this to "demonstrate the security" of a desktop OS.

    --
    include $sig;
    1;
  10. Busted? by jrmcferren · · Score: 2, Funny

    I think it's done. It now says "Welcome Slashdot" with a link to this page.

    --
    sudo mod me up
  11. Re:A Different Test by Stalyn · · Score: 5, Funny

    If we can look at this as if it were an experiment, then when someone publishes a result others try to repeat it under the same conditions. They don't conduct a different test with different conditions in order to disprove the original.

    Science never enters the picture here, this is a religious debate.

    --
    The best education consists in immunizing people against systematic attempts at education. - Paul Feyerabend
  12. Doubtful... by TCQuad · · Score: 3, Funny

    While you're right on the "das", it's doubtful that a dictionary crack would fix it. Since "das" is also his U of Wisc NetID (ref. the e-mail address at the bottom of the page), it's more likely that the password is the same as his U of Wisc password.

    So... Anyone up for breaking into the U of Wisc password database?

    1. Re:Doubtful... by MirrororriM · · Score: 4, Funny
      So... Anyone up for breaking into the U of Wisc password database?

      Why try brute force when you can pull a social engineering attempt:

      Daer DAvid Schroeoedir,

      I am A NIGERIAN PRINCE WHO HACE RECENTLY MOVED TO WISCONCIIN And AM Vary INTERISTED IN OBtaining AN ACCOUINT ON TEST.DOIT.WISC.EDU...i CUULD WIRE YUO 1 MILLION DOLLARS...

      --
      Content Management System: A pretentious way of saying "text editor."
  13. Re:Hint by artemis67 · · Score: 2, Funny

    DAS is dead!

    Long live Vindows!

  14. Re:Logs by kminchau · · Score: 2, Funny

    Here is a sample log:
    2006-03-07 08:21:24 66.35.250.150 - 72.33.255.254 80 GET /Default.htm - 200 Mozilla/4.0+(compatible) Referrer - slashdot.org
    2006-03-07 08:21:25 66.35.250.150 - 72.33.255.254 80 GET /Default.htm - 200 Mozilla/4.0+(compatible) Referrer - slashdot.org
    2006-03-07 08:21:26 66.35.250.150 - 72.33.255.254 80 GET /Default.htm - 200 Mozilla/4.0+(compatible) Referrer - slashdot.org
    2006-03-07 08:21:27 66.35.250.150 - 72.33.255.254 80 GET /Default.htm - 200 Mozilla/4.0+(compatible) Referrer - slashdot.org
    2006-03-07 08:21:27 66.35.250.150 - 72.33.255.254 80 GET /Default.htm - 200 Mozilla/4.0+(compatible) Referrer - slashdot.org
    2006-03-07 08:21:27 66.35.250.150 - 72.33.255.254 80 GET /Default.htm - 200 Mozilla/4.0+(compatible) Referrer - 72.33.255.254 pawn yo!
    2006-03-07 08:21:28 66.35.250.150 - 72.33.255.254 80 GET /Default.htm - 200 Mozilla/4.0+(compatible) Referrer - slashdot.org
    2006-03-07 08:21:29 66.35.250.150 - 72.33.255.254 80 GET /Default.htm - 200 Mozilla/4.0+(compatible) Referrer - slashdot.org
    2006-03-07 08:21:30 66.35.250.150 - 72.33.255.254 80 GET /Default.htm - 200 Mozilla/4.0+(compatible) Referrer - slashdot.org
    2006-03-07 08:21:31 66.35.250.150 - 72.33.255.254 80 GET /Default.htm - 200 Mozilla/4.0+(compatible) Referrer - slashdot.org
    ....

    --
    "Never underestimate the power of the Slashdot!"
  15. Re:Hint by amliebsch · · Score: 3, Funny

    No, no, no. The password is "boot".

    --
    If you don't know where you are going, you will wind up somewhere else.
  16. Re:The IP by flutkatastrophe · · Score: 3, Funny

    No No No... it's 127.0.0.1
    Hack away...

    /obligatory