Slashdot Mirror


U of Wisconsin's Mac OS X Security Challenge

digitalsurgeon writes "The University of Wisconsin [ed: Go Badgers] has launched a Mac OS X Security challenge, in response to a 'woefully misleading ZDnet article'. From the site: 'The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open.' Are you up to the task? Can you prove ZDNet wrong, or can you show that Mac OS X can really be hacked in less than 30 minutes? More information about the challenge is at http://test.doit.wisc.edu/ The challenge ends Fri 10 March 2006 10:00 AM CST." Update: 03/07 14:32 GMT by Z: Commentary on the contest and original claim is available at VNUNet.

9 of 401 comments

  1. Lame by Anonymous Coward · · Score: -1, Troll


    The story made the headlines on Monday, but incorrectly presented the penetration as a 'genuine hack' when it should have been described as a 'privilege escalation for a legitimate user'.

    What a stupid and lame comment. Privilege escalations are serious problems, and it's not because you feel they shouldn't be considered a "genuine hack" that they are not.

    Really, this is just another example of why these kinds of contests have no value whatsoever and only serve as ego-stroking for the uneducated platform fanboys.

  2. Re:A Different Test by mgblst · · Score: 0, Troll

    ...and here, class, we have another example where somebody is desperate to make a comment, and actually has nothing to say, while being pompous and arrogant at the same time as trying to look clever.

    While one person makes an analogy which is not perfect, another person attacks them for it.

    The two things are different, very different. Quit trying to post useless comments. Some comments on home security/computer security are better than others (this wasn't one of them).

  3. Re:Our tax dollars at work by NutscrapeSucks · · Score: -1, Troll

    I've also wondered how an EDU employee can get away with spending so much time on blatant Apple advocacy activities. (And not just for IT matters either -- daveschroeder spends a lot of time "defending" Apple's policies about iPods and iTMS.)

    Presumably his position must be funded by Apple or rewarded by Apple somehow, and "University of Wisconsin Mac Zealot" is actually in his job description. (Sure, Apple rewards loyal sysadmins with nice freebies like flat panels and iPods, but daveschroeder's activities are way too blatant for that sort of under-the-table stuff.)

    The UW Appropriate Use Policy specifically disallows the use of "University IT resources to represent the interests of any non-University group or organization" (Apple), so presumably this must be sanctioned by his higher-ups.

    I thought about emailing the UW CIO to ask, but I've got better things to do.

    --
    Whenever I hear the word 'Innovation', I reach for my pistol.

  4. What it proves by flyinwhitey · · Score: -1, Troll

    It proves that in response to a "grossly misleading" article, an individual went out of his way to set up a test that supposedly proves he is correct, and the article is not.

    Of course, the fact that the article WAS correct isn't addressed at all, but instead it is discounted for being "grossly misleading".

    I read the original article. I understood what the situation was, and how the outcome occurred. I was not misled.

    What this proves is that regardless of what you say about Macs, if it's bad, you'll get shouted down. It also proves that despite the fact that he is behaving like a fanboy, calling him one will also get you shouted down.

    It's incredibly sad that the response to a security problem was to sweep it under the rug. What's the point of having a contest when you've already made up your mind about the outcome?

    --
    How pathetic are you that you follow me from topic to topic and waste all your mod points at once modding me down?

  5. This whole thing is bogus. by emil · · Score: -1, Troll

    It's one thing to try to hack a static machine that has been carefully prepared for the assault. It's quite a different matter to hack a heavily used workstation which supports many more applications and much higher activity than the above-mentioned test case.

    Let's face it - AFAIK OS X doesn't support NX. Given that even XP has no-execute pages at this point, OS X is way behind the times. I don't see Apple implementing ProPolice, rodata, randomized malloc, extensive privsep, or even a strlcpy/strlcat audit.

    The above features can mean the difference between getting hacked and not. I don't know if they would help in the latest OS X security problems, but they will close a number of doors.

    It goes without saying that users are boneheads. An OS with extensive security features is the best for neophyte users when you don't want the system to go down (praise be to VMS).

    If Wisconsin is serious, give out the IP of the OS X box that belongs to the President's Secretary. Have him/her download a bunch of applications - listen to MP3s, run some bittorrent, use Office, get a few chat clients. Let that test run for six months.

    In any case, Apple has a security reputation that they don't deserve. Lazy bums.

    1. Re:This whole thing is bogus. by emil · · Score: -1, Troll

      Really?

      "Every part of memory is executable by default," Grenier said. "Just about every place you can stick data into memory, you can get it to execute."

      Such a charmer you are... you must work in Apple's PR department.

    2. Re:This whole thing is bogus. by Anonymous Coward · · Score: -1, Troll

      Because we're talking about Intel boxes, and not PPC, which 99% of Macs are currently using, right?

      LOL, suck it long and hard bith, Apple is coming to terms that it's been wrong about PPC, wrong about their OS, and wrong about their company.

  6. Re:A Different Test by bemenaker · · Score: 0, Troll

    Your point is? A privilege escalation test IS A HACKING TEST. DUH!!!!!!

  7. Re:Our tax dollars at work by NutscrapeSucks · · Score: -1, Troll

    The 'volunteer' Apple PR Flack defending individual thought. That's rich.

    Deep down inside, you must realize that getting into an advocacy fit with a lame trade publication has nothing to do with the interests of academia or the University of Wisconsin, and everything to do with your little personal Mac fixation.

    --
    Whenever I hear the word 'Innovation', I reach for my pistol.