U of Wisconsin's Mac OS X Security Challenge
digitalsurgeon writes "The University of Wisconsin [ed: Go Badgers] has launched a Mac OS X Security challenge, in response to a 'woefully misleading ZDnet article'. From the site: 'The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open.' Are you up to the task? Can you prove ZDNet wrong, or can you show that Mac OS X can really be hacked in less than 30 minutes? More information about the challenge is at http://test.doit.wisc.edu/ The challenge ends Fri 10 March 2006 10:00 AM CST." Update: 03/07 14:32 GMT by Z: Commentary on the contest and original claim is available at VNUNet.
This test is of the web server, and of remote cracking without local access. Also, the explanation page says that the original article did not mention that local access was given. Well, perhaps they've updated the article, but it certainly says so now:
As I said, I appreciate this test, but I am also concerned about the apparent ability of an ordinary local user to gain admin status.
I'm sure Microsoft has held competition to do so as well. Windows 2003 is pretty secure out of the box as well considering almost no services are in the ON state and it comes with a GUI firewall in SP1. Microsoft has a long way to go but you can't fault them for not trying.
[quote]I'd rather have a nice manual ... on how to improve/lock down an OS X machine.[/quote]
There's this.....
http://www.nsa.gov/snac/downloads_macX.cfm
This sig has exceeded its monthly bandwidth allotment.
Yes, this is approved. But it's getting moved to its own /29 today...unfortunately, that didn't happen before slashdot got to it. ;-)
There is an identical clone of that Mac mini waiting to go on the new network, and our DNS TTL is currently set to 5 minutes, so when the cutover happens, it should be pretty transparent.
128.104.16.150
"Sure there's porn and piracy on the Web but there's probably a downside too."
One of the user names is "das".... as in http://test.doit.wisc.edu/~das/
So run that against a dictionary and see if you can get in....
SpyDock: Scientific Python in a Docker container
Windows 2003 Professional doesn't exist.
1) Windows XP Home
2) Windows XP Professional
3) Windows Server 2003
Corsaire - Securing Mac OS X Tiger
NSA - Mac OS X Security Configuration Guide (not yet updated for Mac OS X 10.4)
Apple - Common Criteria configuration guide
And for the "average joe"?
- Keep your machine patched
- Don't randomly open ports for services you don't use
- Have a personal firewall/router
- Don't run software you don't trust
And this doesn't "prove" anything, except that the initial ZDnet article was totally vague and sensationalistic, making it seem to an average person reading that article that a Mac OS X box could just be "hacked" by being on the internet. That is wrong, and I'm showing that. Simple. It's all explained on http://test.doit.wisc.edu/
The real problem is that tests like this are garbage in the first place.
In fact, Bruce Schneier (a respected cryptographer, responsible for Blowfish) addressed the topic thoroughly almost 8 years ago in his column Crypto-Gram. Here's a relevant snippet:
You see them all the time: "Company X offers $1,000,000 to anyone who can break through their firewall/crack their algorithm/make a fraudulent transaction using their protocol/do whatever." These are cracking contests, and they're supposed to show how strong and secure the target of the contests are. The logic goes something like this: We offered a prize to break the target, and no one did. This means that the target is secure.
It doesn't.
Contests are a terrible way to demonstrate security. A product/system/protocol/algorithm that has survived a contest unbroken is not obviously more trustworthy than one that has not been the subject of a contest. The best products/systems/protocols/algorithms available today have not been the subjects of any contests, and probably never will be. Contests generally don't produce useful data. There are three basic reasons why this is so.
You can read the original here.
The University isn't running this, it's being run by a guy in our technology department.
He has a Slashdot ID here.
Hope he succeeds in proving that Mac OS is bulletproof.
You are incorrect--the release version of OS X for Intel does support the "NX" (no execute page protection mode, and by implication, PAE) feature, and has stack pages marked NX by default. Get your facts right before bloviating, troll. I believe, but am not sure, that the G5 equivalent is supported as well, but given the architecture+ABI differences, it's somewhat less vulnerable than x86 to stack smash style vulnerabilities.
"The slave who knows his master's will and does not get ready...will be beaten with many blows." Luke 12:47-48
I love how the Mac mini is surviving the slashdotting no probs. Sure it's mostly text, but I've seen similar sites crumble in no time.
http://test.doit.wisc.edu/
Chris
I think that after posting this story on slashdot, there's really little chance to do anything on the machine for today.
The new RTFA: Before complaining of a site being slashdotted, check to see if it's actually... you know... slashdotted.
'cause it's not. It's chugging away nicely.
Go OS X, Apache, and hogging your university's network resources!
Information wants to be anthropomorphized.
It appears that the original article has been changed since originally posted. It currently reads:
"On February 22, a Sweden-based Mac enthusiast set his Mac Mini as a server and invited hackers to break through the computer's security and gain root control, which would allow the attacker to take charge of the computer and delete files and folders or install applications.
"Participants were given local client access to the target computer and invited to try their luck."
Other related blog entries have noted the update.
Even so, the article fails to mention that this vulnerability relies on extra work on the part of the system administrator to create the accounts and open ssh.
It's HTML, silly. He put that in there because the site was slashdotted...it's not detecting the referenced URL.
For the record, no, the passwords are not the same.
(And for those wondering, the NetID/username is the non-private part of our NetID credential.)
Also, I'd hope that one would also understand that going after other machines in that way is bad form, and doesn't speak to Mac OS X's security (or insecurity), but rather to the practice of having strong/different passwords across multiple secure systems.
According to what I've been able to glean from Apple's developer resources (available at developer.apple.com), and from various articles about the new Intel-based Macs, the Macs with x86 processors all have chips that support the NX bit, and the NX bit is turned on by default. There is supposedly a work-around to allow you to compile a specific application without the NX bit set, so that the app can execute code on the stack (something that apparently some badly-written apps do). The "work-around" is a compiler flag. Certainly, few or no apps that you download or buy pre-packaged are going to have this bit turned off... unless you manage to download a trojan.
I don't recall whether or not the PowerPC ABI allows so-called stack trampolining (executing code on the stack). I know some compilers took advantage of the ability to execute code on the stack to implement certain language-level constructs, though at the moment I'm drawing a blank on the specific ones; regardless, you can implement such features without resorting to executing code on the stack.
I do recall, however, that the PowerPC ABI gives preference to argument passing through registers, whereas the x86 ABI requires passing arguments to functions on the stack (because the x86 has far fewer registers). This is one reason why PowerPC Macs are less vulnerable to buffer overflow / stack based exploits.
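An added example, not part of the comment above or of any Apple code: a defender-side check for the per-application opt-out the comment describes. It assumes the opt-out is recorded as the `MH_ALLOW_STACK_EXECUTION` bit in the Mach-O header (constant values taken from Apple's `<mach-o/loader.h>`); the helper names and the two sample headers are constructed for illustration, and fat (universal) binaries are deliberately rejected rather than unpacked.

```python
import struct

# Constants from Apple's <mach-o/loader.h>
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
MH_EXECUTE = 0x2                      # filetype: main executable
MH_ALLOW_STACK_EXECUTION = 0x20000    # all stacks in the task become executable
CPU_NAMES = {7: "i386", 0x01000007: "x86_64", 18: "ppc", 0x01000012: "ppc64"}


def parse_macho_header(data):
    """Decode the fixed header of a thin Mach-O image, in either byte order."""
    if len(data) < 28:
        raise ValueError("too short for a Mach-O header")
    for endian in ("<", ">"):
        magic = struct.unpack_from(endian + "I", data, 0)[0]
        if magic in (MH_MAGIC, MH_MAGIC_64):
            break
    else:
        raise ValueError("not a thin Mach-O file (fat/universal not handled)")
    # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
    _, cputype, _, filetype, _, _, flags = struct.unpack_from(endian + "7I", data, 0)
    return {"cpu": CPU_NAMES.get(cputype, hex(cputype)),
            "filetype": filetype, "flags": flags}


def stack_exec_requested(data):
    """True if an executable asks the kernel for an executable stack."""
    hdr = parse_macho_header(data)
    # The bit is only honoured for MH_EXECUTE files, so ignore it elsewhere.
    return hdr["filetype"] == MH_EXECUTE and bool(hdr["flags"] & MH_ALLOW_STACK_EXECUTION)


def make_header(endian, cputype, flags):
    """Build a constructed 28-byte header for the samples below."""
    return struct.pack(endian + "7I", MH_MAGIC, cputype, 0, MH_EXECUTE, 0, 0, flags)


# Constructed samples: 0x85 = NOUNDEFS | DYLDLINK | TWOLEVEL, typical of a normal app.
SAMPLE_PPC_DEFAULT = make_header(">", 18, 0x85)
SAMPLE_I386_OPTOUT = make_header("<", 7, 0x85 | MH_ALLOW_STACK_EXECUTION)

if __name__ == "__main__":
    for name, blob in (("ppc default", SAMPLE_PPC_DEFAULT),
                       ("i386 opt-out", SAMPLE_I386_OPTOUT)):
        print(name, parse_macho_header(blob)["cpu"], stack_exec_requested(blob))
```

To audit a real file, pass `open(path, "rb").read(32)` to `stack_exec_requested`.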
I can't believe this comment is at -1. Apple have been slack with responding to local vulnerabilities. A former colleague spent a day and found 5 in OS X, reported them all to Apple and never heard from the company again.
Slashdot: Where nerds gather to pool their ignorance
The reality is that a user was able to elevate their permissions to root - that's a security concern and ought to be pointed out as a weakness. It would be a weakness if it happened on Windows or Linux, it doesn't become a non-issue because fan boys think that only web security is important.
The fact is *all* security gaps are important. If there's a network hack that can only get you a non-privileged account, but you can then jack that up to root access using this local hole, then that hole was mighty significant. This whole "Mac has no security faults" meme is dangerously delusional. It's significantly more secure than Win32, but at least own up to faults (small as they may be) and get them fixed, don't bury your heads in the sand.
The CIO of UW-Madison has managed to get test.doit.wisc.edu website defaced.
Just in case any of you dumb fuck "Macs suck" knuckle draggers are wondering, it's over. U of Wi pulled the plug.
38 hours and not one successful crack.
Mr "Mac OS X is so insecure" didn't even manage to get in.
http://www.technewsworld.com/story/49296.html