3/7/2006

OS X hacking contest - Pointless

Filed under: — menk @ 11:29 am

Apparently some misguided Swede decided last week to set up a Mac Mini as a server and invite users to “hack” the machine. The articles on the web (particularly the coverage at ZDNet) tout that the machine was hacked in 30 minutes. The key fact they mention but do not actually explain is what ‘hacked’ means in this context.

The setup of the machine itself was totally non-standard. The Mac was intentionally configured so that users connecting from the Internet could set themselves up as a local user; they could give themselves an account on the machine. Please note that no one with a brain would actually set up a system that way.

Then users were encouraged to try (as local users) to gain root access to the machine. The successful hacker was able to gain root (or superuser) access in 30 minutes.

What does this mean to the normal user as far as the implications for system security? It means that if you were to set up a user account for any hacker who requested it and then let them into your home to access your Mac directly, one of them might be able to compromise your system and delete files outside that user account if he/she was smart enough.

So this contest is basically irrelevant to most users. It is as pointless as testing the fact that “I gave my house key to everyone who asked for it and then I got my television stolen!”

To demonstrate how lame this supposed Swedish challenge was, Dave Schroeder at the University of Wisconsin has set up a Mac OS X machine with ports open on the Internet. More typically, Dave did not configure the Mac to allow users to set themselves up as local users. He has issued a challenge to hackers to actually gain some sort of access to the machine in this scenario. It is still far more open and less secure than any typical Mac, given that the SSH and HTTP ports are open and there is no firewall in place. During the 38 total hours that the test ran, no successful attempts to hack into the host were reported or claimed by potential hackers. The test was scheduled to run longer, but the University of Wisconsin decided to intervene and shut down the system although it was perfectly safe. The school newspaper reported that Dave might face disciplinary action.
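The real difference between the two tests is what an outsider can reach: a shell account on the box versus only the ports the host actually listens on. For a reader who wants to know what their own Mac exposes, here is an added example (mine, not Dave's setup or anything from the ZDNet piece) that parses BSD/macOS-style `netstat -an` output and reports TCP services listening on non-loopback addresses against an allowlist. The `netstat` text below is constructed sample data, not a capture from either contest machine.

```python
"""
Added example: audit which TCP services a host exposes beyond loopback,
using the BSD/macOS `netstat -an` output format.  The sample text is
constructed for this example; run `netstat -an` and feed the real output
to parse_listeners() to audit an actual machine.
"""
import re

# Constructed sample of `netstat -an` output (BSD/macOS column layout).
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  192.168.1.10.22        192.168.1.20.51044     ESTABLISHED
udp4       0      0  *.5353                 *.*
"""

# Matches only TCP sockets in LISTEN state; UDP and established connections are skipped.
LISTEN_RE = re.compile(r"^(tcp\d?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s*$")

# Addresses that are only reachable from the host itself.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_listeners(netstat_text):
    """Return a list of (proto, bound_address, port) for every listening TCP socket."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        proto, local = m.group(1), m.group(2)
        # BSD netstat joins address and port with a dot: "*.22", "127.0.0.1.631".
        # rpartition splits on the last dot, so dotted IPv4 addresses survive intact.
        addr, _, port = local.rpartition(".")
        listeners.append((proto, addr, int(port)))
    return listeners


def exposed_ports(listeners, allowed=frozenset()):
    """Ports reachable from off-host (bound to a wildcard or non-loopback address)
    that are not on the allowlist, sorted ascending."""
    exposed = set()
    for _proto, addr, port in listeners:
        if addr in LOOPBACK:
            continue  # loopback-only services are not reachable from the network
        if port not in allowed:
            exposed.add(port)
    return sorted(exposed)


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_NETSTAT)
    for proto, addr, port in found:
        print(f"{proto:5} {addr:>15} port {port}")
    # Suppose the owner only intends to run SSH; everything else is a finding.
    print("exposed beyond allowlist:", exposed_ports(found, allowed={22}))
```

On the sample data this reports that SSH (22) and HTTP (80) are reachable from the network while the printer service on 631 is loopback-only; with 22 on the allowlist, only 80 is flagged. Running the same audit against your own output is the quickest way to see whether your Mac looks more like a default install or like the deliberately open test box.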

link to poorly written and confusing article on ZDNet
