Home › News › Industry News
Contest rm-my-mac brought down in less than six hours
If you follow Apple, you'll remember that various security demonstrations they've had for OS X and Macs in general. The most recent one, in which a contest to break the security of a machine was held, won. And in under 30 minutes at that. In this particular demonstration, all the users were given local accounts on the machine, which typically makes system compromise much easier, but the speed at which it was brought down and had the web page for the contest deface is most definitely humbling. The contest didn't even last a day, and was defeated by and as of yet unpublished security vulnerability.
"It probably took about 20 or 30 minutes to get root on the box. Initially, I tried looking around the box for certain misconfigurations and other obvious things, but then I decided to use some unpublished exploits--of which there are a lot for Mac OS X," Gwerdna told ZDNet Australia.
Though this might seem a bit embarassing, this is probably one of the best ideas the IT industry as a whole can use - allow anyone access to a particular machine with the goal of bringing it down, for reward. What a way to use the collective mind power of thousands of people to help "bug test" a system. Enterprise companies have used a similar tactic for many years, hiring someone on the outside to probe them externally, looking for exploits. Sort of like a security audit.
"It probably took about 20 or 30 minutes to get root on the box. Initially, I tried looking around the box for certain misconfigurations and other obvious things, but then I decided to use some unpublished exploits--of which there are a lot for Mac OS X," Gwerdna told ZDNet Australia.
Though this might seem a bit embarassing, this is probably one of the best ideas the IT industry as a whole can use - allow anyone access to a particular machine with the goal of bringing it down, for reward. What a way to use the collective mind power of thousands of people to help "bug test" a system. Enterprise companies have used a similar tactic for many years, hiring someone on the outside to probe them externally, looking for exploits. Sort of like a security audit.
Related Stories
User Comments (5)
Post a comment|
sngx1275 on March 6, 2006 3:19 PM |
While it definately doesn't look good, its not near as bad for the average OS X user as it initially seems. It runs a default install of Mac OS X Tiger, plus fink and some decent versions of Apache, MySQL and PHP Average users don't have that stuff installed or turned on, ssh is disabled by default. One thing that I imagine will be "fixed" in 10.5 Leopard is that the software firewall will probably be turned on by default. There is a firewall now, but its disabled by default.
... I set up an LDAP server and linked it to the Macs naming and authentication services, to let people add their own account to this machine. That way, they will all be able to enjoy the beauty of Mac OS X Tiger. And, of course, get a better chance of rm'ing it! |
|
DragonMaster on March 6, 2006 5:42 PM |
ROFLMAO Congrats Apple! There is a firewall now, but its disabled by default. Wow! How safe!
|
|
sngx1275 on March 6, 2006 7:19 PM |
New challenge issued in response to the sensationalistic journalism as the first one has been reported. http://test.doit.wisc.edu/ Also DragonMaster, it wasn't until SP2 was avaiable for WindowsXP that the firewall was enabled by default. Also no ports are open on a default install of OSX Tiger. |
|
DragonMaster on March 7, 2006 3:07 PM |
Also DragonMaster, it wasn't until SP2 was avaiable for WindowsXP that the firewall was enabled by default. I never told Windows was safe also. If you compare them to some popular Linux distros I used, it's nothing. (The Linux installations practically force you to use the highest security level. They say that almost every other levels are a bad choice.
|
|
Mictlantecuhtli on March 8, 2006 6:09 AM |
Originally posted by DragonMaster: The Linux installations practically force you to use the highest security level. They say that almost every other levels are a bad choice. Many Linux distributions I've seen have had a default firewall configuration allowing all output access. Fortunately, unlikely with Windows' builtin firewall, there's a way to block that.
|
Most Popular
| Trending | Featured |
-
Download the entire Pirate Bay in just 90 Megabytes
-
Digital game purchases: do we really "own" them?
-
Apple loses preliminary injunction against Galaxy Tab 10.1N
-
Double Fine Kickstarter campaign raises over 700k in one day -- make that 1+ million
-
Valve's Steam suffers worldwide failure over the weekend