Mac OS X 30 minute hack "woefully misleading"

Summary: There have been a number of salacious reports around the Web to the effect of "Mac OS X hacked in 30 minutes" based on the results of a University of Wisconsin competition in which hackers were challenged to hack into a Mac mini connected to the Internet.

There have been a number of salacious reports around the Web to the effect of "Mac OS X hacked in 30 minutes" based on the results of a competition in which hackers were challenged to hack into a Mac mini connected to the Internet. According to ZDNet Australia:

On February 22, a Sweden-based Mac enthusiast set his Mac Mini as a server and invited hackers to break through the computer's security and gain root control, which would allow the attacker to take charge of the computer and delete files and folders or install applications.

But according to vnunet.com:

A hacker by the name of Gwerdna claimed to ZDNet Australia that he won the competition. He boasted that the operating system was "easy pickings" and that it took him no more than 30 minutes. The story made headlines on Monday, but it incorrectly presented the break-in as a genuine hack where it should have been described as a privilege escalation for a legitimate user.

The latter is similar to breaking into a different user account while sitting behind a computer and is considered significantly easier than hacking into a fully protected system over the internet.

The failure to make that difference prompted Schroeder to call the ZDNet Australia report "woefully misleading".


Talkback

55 comments
  • The pre-configured "local account" was clearly stated

    It was quite clearly stated that this was a privilege escalation hack (still very serious) using a local account that was pre-configured with SSH access. Everything was clear in the original article. They even admitted that it was not a remote exploit. What you're seeing is sour grapes that the article wasn't spun a certain way to comfort the reader that it wasn't all that serious.

    There is no doubt that a fully patched Windows, Linux, or Mac behind a firewall is very difficult to hack, but privilege escalation attacks are just another tool that loosens the security foundation of a computer.
    george_ou
    • Dizzy yet, George?

      Fact: The original article DID NOT state it was using a local
      account. A simple google cache search proves it.
      This sentence: "Participants were given local client access to the
      target computer and invited to try their luck" was added later in
      the day. I'd love an explanation on how you can say it clearly
      states it was a privilege escalation hack. That is not mentioned
      at all. SSH is not mentioned either. Without reading the
      talkback comments, the original article is missing a LOT of
      pertinent information. So how exactly was everything clear in
      the original article?

      Fact: Other than a guy saying so on his website, there is no
      evidence at all that this hack even occurred. The supposed
      hacker won't reveal the supposed unpublished exploit. But I
      guess that's what passes for fact-checking at ZDNet.

      The article had a clear spin right from the start. It started with
      the title that took for fact that the hacking actually happened,
      based on no evidence. Then it went on to leave out scads of
      information. One should not have to read through the
      comments to get the full story. The article should be able to
      stand on its own.
      V-Train
      • I guess Google ain't always your friend :)

        NT
        BitTwiddler
      • George Ou Simply Cannot Be Bothered With Facts or . . .

        . . . honesty either, for that matter. He gets his OS X digs in
        using misleading information in an irrelevant manner, especially
        on the subject of security. Then he cherry-picks his responses,
        responding only to those posters who are unclear or inaccurate
        in some aspect of their message.

        He never responds to those who have clear facts at hand and a
        stated desire for a clear response to their questions.

        He is probably the _most_ inaccurate blogger on the subject of
        computer security on the 'net today, especially where OS X is the
        subject, as he has an obvious agenda and does not have any real
        facts, only distortions designed to support his specious
        arguments.

        This sort of dishonesty really points out the paranoia with some
        on the PC side where OS X is concerned. Not content to be
        honest brokers in discussions on the subject of OS X and its
        strengths or weaknesses, they resort to convoluted statistical
        "evidence" that is evidence of nothing more than their own
        intellectual and ethical shortcomings.

        There is no hackproof OS, we know that. We just want an honest
        discussion about the REAL effects that viruses and spyware have
        on the various platforms and not some fantasy wet dreamworld
        of a bunch of Windows groupies, desperately clinging to a hope
        that OS X will turn out, in some bizarre yet unrealized way, to be
        as buggy and compromised as is Windows of any flavor.

        With no hope of such an actuality they continue to fire blanks
        and pretend they're Rambo.

        JoeL
        joeldm
        • Well Stated JoeL

          AMEN....Could not have responded more accurately.
          rtrimble1239
    • Sorry George....

      No OS is completely secure. (unless you disconnect the network
      cable and lock the box in a vault) Still, you're not quite right
      here and it's not just sour grapes. There's a nice thread on
      slashdot and elsewhere because the original article did not
      include the items about local accounts and SSH in use.

      I realize it's not comforting because you would prefer to paint
      other OS's with the same brush you must use for Windows, but
      you could probably easily hack an XP SP2 box if I gave you a
      remote account, no firewall, and other amenities. Knowing your
      background, I doubt that you would proclaim victory because it
      would mean negative things for Windows.

      ZDNet's publishing of the article does hurt its credibility. I mean,
      if you proclaim to be a news site, research and accuracy are
      expected.

      Regards,
      Kelly
      merlin747
    • Credibility dropping

      Been a bad week or two for your credibility George. I don't know what article you were reading, but the ZDNet USA and Australia ones failed to mention this until they had already been online for many hours, and they were corrected with additional material.

      What was that about sour grapes? Well, guess that's one subject you're an expert on.
      tic swayback
    • Clearly Stated?

      If it was "clearly stated" in the original article, why has the author added this comment to the article:
      Clarification: The originally published version of this report omitted the fact that participants were given local client access to the target computer.

      Check it yourself
      http://www.zdnet.com/5208-11408-0.html?forumID=1&threadID=18622&messageID=360985&start=-1
      Gregory.J.Bradley9
    • George_Ou's "Spin till it Fits" laundry Open 24/7 for his convenience!

      Just keep spinning there George! Sooner or later someone will
      believe you despite your painfully obvious bias....:)

      Pagan jim
      Laff
    • wrong answer

      The ZDNet article was altered "AFTER THE FACT" that this was a privilege escalation hack. The original article did not state that glaring omission. ZDNet altered the article after people complained about the missing facts of the original test. This has nothing to do with sour grapes.
      abn_junk9
    • George Ou, Where are You?

      It's really easy to post your screed when the article is minutes old
      and no one has even read it yet.

      I guess it's not so easy when you've been owned...
      V-Train
    • George is hiding under his desk.

      As you've now been obviously corrected, over and over again. At least have the spine to step up and deal with it, but you won't. Run and hide back in your blog.

      The original article was pulled from the front page of ZDNET then reposted to the front page with updated info when ZDNET obviously ran with a story before it did any fact finding (nothing new there).
      Anon_ymous
      • ?

        Who Is George anyway, with that little Zd icon and all?
        I'm just asking is all...
        gtravis3
  • The University of Wisconsin's challenge ...

    ...remains unhacked after, what, 20 hours?

    Where is this Mr 30 minute guy?

    I'm tempted to say that Apple should at once fix the vulnerability
    that led to this sensational hack, but instead I'm going to first
    insist that news.com backup their story and find some actual
    proof that an exploit or privilege escalation actually occurred.

    Some repeatable details or proof of concept please! Otherwise,
    let's just call it what it is--FUD.
    Len Rooney
  • The best thing about this so-called

    Hack is. Don't turn on something you need. Don't provide people with the possibility of creating remote account as administrators.
    blidd
  • What are the consequences of a fake hack?

    [i]it incorrectly presented the break-in as a [b]genuine hack[/b] where it should have been described as a privilege escalation for a legitimate user[/i]

    I suppose this means that any malware executed by a regular user which then gets root privileges with this [i]fake hack[/i] will only be able to do [i]fake damage[/i]? Phew, I was worried for a minute! Thanks for clearing it up.
    NonZealot
    • First of all no such "damaging" malware exists for OSX.

      Second of all this is like blaming the gun or gun manufacturer
      for the suicide in which the now deceased person used a gun to
      do the deed. Now it was not the gun (OSX) or the manufacturer
      of said (Apple). Apple's product is sound. If you misuse a car it
      crashes. If you never change the oil the engine will seize up...all
      pretty basic.

      Sure in "theory" you can create malware that asks for an admin
      password and "IF" it is given some damage "could" happen but
      this still requires the user to give up the password.

      Pagan jim
      Laff
      • Sorry, you are wrong

        [i]Apple's product is sound.[/i]

        OSX could not prevent a restricted rights user from gaining root access [b]without supplying the root password[/b]. That isn't sound. The whole point of asking for the admin password before modifying the system is an attempt to protect the system from a user who runs malware. If the system allows the user to modify the system without asking them for the admin password (as is the case here) then the system has failed. There is no other way to spin this.

        [i]"IF" it is given some damage[/i]

        Hehe, you know the payload of all unpublished exploits? One of the reasons why AIDS is such a successful virus is because it remains hidden for so long. Viruses that make their presence known too quickly have more difficulty spreading. In other words, it isn't the published exploits you should fear.

        Compute in fear Laff, compute in fear. :)
        NonZealot
        • Clarification of one point

          [i]The whole point of asking for the admin password before modifying the system is an attempt to protect the system from a user who runs malware.[/i]

          This isn't accurate. It should read:
          [i]One of the big advantages of asking for the admin password before modifying the system is to protect the system from a user who runs malware.[/i]
          NonZealot