Mac OS X 30 minute hack "woefully misleading"
Summary: There have been a number of salacious reports around the Web to the effect of "Mac OS X hacked in 30 minutes" based on the results of a University of Wisconsin competition in which hackers were challenged to hack into a Mac mini connected to the Internet.
There have been a number of salacious reports around the Web to the effect of "Mac OS X hacked in 30 minutes" based on the results of a competition in which hackers were challenged to hack into a Mac mini connected to the Internet. According to ZDNet Australia:
On February 22, a Sweden-based Mac enthusiast set his Mac Mini as a server and invited hackers to break through the computer's security and gain root control, which would allow the attacker to take charge of the computer and delete files and folders or install applications.
But according to vnunet.com:
A hacker by the name of Gwerdna claimed to ZDNet Australia that he won the competition. He boasted that the operating system was "easy pickings" and that it took him no more than 30 minutes. The story made headlines on Monday, but it incorrectly presented the break-in as a genuine hack where it should have been described as a privilege escalation for a legitimate user.
The latter is similar to breaking into a different user account while sitting behind a computer and is considered significantly easier than hacking into a fully protected system over the internet.
The failure to make that difference prompted Schroeder to call the ZDNet Australia report "woefully misleading".
Talkback
The pre-configured "local account" was clearly stated
There is no doubt that a fully patched Windows, Linux, or Mac behind a firewall is very difficult to hack, but privilege escalation attacks are just another tool that loosens the security foundation of a computer.
Dizzy yet, George?
account. A simple Google cache search proves it.
This sentence: "Participants were given local client access to the
target computer and invited to try their luck" was added later in
the day. I'd love an explanation on how you can say it clearly
states it was a privilege escalation hack. That is not mentioned
at all. SSH is not mentioned either. Without reading the
talkback comments, the original article is missing a LOT of
pertinent information. So how exactly was everything clear in
the original article?
Fact: Other than a guy saying so on his website, there is no
evidence at all that this hack even occurred. The supposed
hacker won't reveal the supposed unpublished exploit. But I
guess that's what passes for fact-checking at ZDNet.
The article had a clear spin right from the start. It started with
the title that took for fact that the hacking actually happened,
based on no evidence. Then it went on to leave out scads of
information. One should not have to read through the
comments to get the full story. The article should be able to
stand on its own.
I guess Google ain't always your friend :)
George Ou Simply Cannot Be Bothered With Facts or . . .
using misleading information in an irrelevant manner, especially
on the subject of security. Then he cherry-picks his responses,
responding only to those posters who are unclear or inaccurate
in some aspect of their message.
He never responds to those who have clear facts at hand and a
stated desire for a clear response to their questions.
He is probably the _most_ inaccurate blogger on the subject of
computer security on the 'net today, especially where OS X is the
subject, as he has an obvious agenda and does not have any real
facts, only distortions designed to support his specious
arguments.
This sort of dishonesty really points out the paranoia with some
on the PC side where OS X is concerned. Not content to be
honest brokers in discussions on the subject of OS X and its
strengths or weaknesses, they resort to convoluted statistical
"evidence" that is evidence of nothing more than their own
intellectual and ethical shortcomings.
There is no hackproof OS, we know that. We just want an honest
discussion about the REAL effects that viruses and spyware have
on the various platforms and not some fantasy wet dreamworld
of a bunch of Windows groupies, desperately clinging to a hope
that OS X will turn out, in some bizarre yet unrealized way, to be
as buggy and compromised as is Windows of any flavor.
With no hope of such an actuality they continue to fire blanks
and pretend they're Rambo.
JoeL
Well Stated JoeL
Sorry George....
cable and lock the box in a vault) Still, you're not quite right
here and it's not just sour grapes. There's a nice thread on
slashdot and elsewhere because the original article did not
include the items about local accounts and SSH in use.
I realize it's not comforting because you would prefer to paint
other OS's with the same brush you must use for Windows, but
you could probably easily hack an XP SP2 box if I gave you a
remote account, no firewall, and other amenities. Knowing your
background, I doubt that you would proclaim victory because it
would mean negative things for Windows.
ZDNet's publishing of the article does hurt its credibility. I mean,
if you proclaim to be a news site, research and accuracy are
expected.
Regards,
Kelly
Credibility dropping
What was that about sour grapes? Well, guess that's one subject you're an expert on.
Clearly Stated?
Clarification: The originally published version of this report omitted the fact that participants were given local client access to the target computer.
Check it yourself
http://www.zdnet.com/5208-11408-0.html?forumID=1&threadID=18622&messageID=360985&start=-1
Message has been deleted.
George_Ou's "Spin till it Fits" laundry Open 24/7 for his convenience!
believe you despite your painfully obvious bias....:)
Pagan jim
wrong answer
George Ou, Where are You?
and no one has even read it yet.
I guess it's not so easy when you've been owned...
George is hiding under his desk.
The original article was pulled from the front page of ZDNET then reposted to the front page with updated info when ZDNET obviously ran with a story before it did any fact finding (nothing new there).
?
I'm just asking is all...
The University of Wisconsin's challenge ...
Where is this Mr 30 minute guy?
I'm tempted to say that Apple should at once fix the vulnerability
that led to this sensational hack, but instead I'm going to first
insist that news.com backup their story and find some actual
proof that an exploit or privilege escalation actually occurred.
Some repeatable details or proof of concept please! Otherwise,
let's just call it what it is--FUD.
The best thing about this so-called
What are the consequences of a fake hack?
I suppose this means that any malware executed by a regular user which then gets root privileges with this [i]fake hack[/i] will only be able to do [i]fake damage[/i]? Phew, I was worried for a minute! Thanks for clearing it up.
First of all no such "damaging" malware exists for OSX.
for the suicide in which the now deceased person used a gun to
do the deed. Now it was not the gun (OSX) or the manufacturer
of said (Apple). Apple's product is sound. If you misuse a car it
crashes. If you never change the oil the engine will seize up...all
pretty basic.
Sure in "theory" you can create malware that asks for an admin
password and "IF" it is given some damage "could" happen but
this still requires the user to give up the password.
Pagan jim
Sorry, you are wrong
OSX could not prevent a restricted rights user from gaining root access [b]without supplying the root password[/b]. That isn't sound. The whole point of asking for the admin password before modifying the system is an attempt to protect the system from a user who runs malware. If the system allows the user to modify the system without asking them for the admin password (as is the case here) then the system has failed. There is no other way to spin this.
[i]"IF" it is given some damage[/i]
Hehe, you know the payload of all unpublished exploits? One of the reasons why AIDS is such a successful virus is because it remains hidden for so long. Viruses that make their presence known too quickly have more difficulty spreading. In other words, it isn't the published exploits you should fear.
Compute in fear Laff, compute in fear. :)
Clarification of one point
This isn't accurate. It should read:
[i]One of the big advantages of asking for the admin password before modifying the system is to protect the system from a user who runs malware.[/i]