Mac OS X Security Challenge
The cool people at the University of Wisconsin have posted a rebuttal to the extremely bogus ZDNet article about a Mac being hacked in 30 minutes. ZDNet gave the “attackers” keys to the machines in the form of local user accounts and shell access via SSH. The hackers were able to escalate their security privileges as a normal user through undisclosed software vulnerabilities.
For most people, this is just silly because they’re not putting their Macs on the internet with their SSHes hanging out and public accounts with weak passwords. If they are, then they should know better.
Read more about the UofW challenge: Mac OS X Security Challenge
Update: ZDNet changed the text of their article to include the stand-alone paragraph: “Participants were given local client access to the target computer and invited to try their luck.” What editorial spunk! Reports at MacNN and the UofW page above.
4 Comments
Well, they should know better about leaving their remote login doors open … weak passwords? I don’t think even the illustrious uber-cool Mac user “knows better” about creating secure passwords …
Posted by beltzner on 7 March 2006 @ 3pm
true. Most people’s passwords are pretty light, I would expect. Especially people who use their machines because they’re “simple-to-use macs”. Of course, these people aren’t likely to forward their SSH ports through their firewall either.
I’m more interested in ZDNet’s sloppy reporting than the actual security (non)implications of their article. You think Microsoft’s paying them?
Posted by boolean on 7 March 2006 @ 4pm
That is a good test, but should really have been one of several including, as you note, with more realistic security enabled and no local login.
Posted by bodensatz on 7 March 2006 @ 8pm
the new test is a good test of SSH and Apache on OS X as supplied by Apple. Really, I don’t think these things are fooling anyone. They’re both examples of one type of secure path into the system. There may be others (file-sharing, access control lists, LASERS like in the movie Tron)…
Posted by boolean on 8 March 2006 @ 8am