OS X Hacking Challenge Generates Controversy

2:20 PM EST, March 6th, 2006

A Mac OS X hacking challenge has generated its fair share of controversy, helped in part by a report that a Mac had been hacked in less than 30 minutes. That report did not disclose some pertinent facts that put the challenge in perspective.

On Feb. 22, a Swedish Mac user started a contest he called "rm-my-mac," which challenged others to break into his Mac mini and gain root administrative control of it. Munir Kotadia reported for ZDNet Australia that a contestant known as "gwerdna" hacked the computer in 30 minutes and placed this message on the contest's Web page: "Six hours later this poor little Mac was owned and this page got defaced."

As a Slashdot posting noted, however, the Mac user who initiated the contest gave anyone who asked for it a user name and password to the computer, giving them local access to the file system. "Gwerdna" used unpublished exploits to gain control of the root account, telling Mr. Kotadia: "There are various Mac OS X hardening guides out there that could have been used to harden the machine, however, it wouldn't have stopped the vulnerability I used to gain access."

He added: "Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders." An Apple Australia representative was unable to comment on the contest and Gwerdna's comments.

While Mac OS X has been the subject of several recent news articles addressing security flaws and the arrival of proof-of-concept malware, many Slashdot readers noted that there is a difference between hacking Mac OS X through a local user account and trying to do so remotely, when the operating system comes with a firewall turned on and all non-essential ports closed by default.

In fact, Dave Schroeder of the University of Wisconsin was so bothered by the ZDNet article, which he called "woefully misleading," that he has launched his own Mac OS X Security Challenge. He is challenging users to break into a Mac mini and alter the Web page running on it. He left ssh and http open to make it a little easier, which is "a lot more than most Mac OS X machines will ever have open," he wrote.

He asks anyone who is successful to e-mail him explaining how they managed to alter the page. He will then report that information to Apple and other relevant companies.

"Mac OS X is not invulnerable," Mr. Schroeder acknowledged. "It, like any other operating system, has security deficiencies in various aspects of the software. Some are technical in nature, and others lend themselves to social engineering trickery. However, the general architecture and design philosophy of Mac OS X, in addition to usage of open source components for most network-accessible services that receive intense peer scrutiny from the community, make Mac OS X a very secure operating system."