[olePigeon]

ZDnet is running a story about how Wisconsin University put up a webpage on a Mac mini using default OS X settings. They've asked people to crack the server and modify the website.

After about 30 minutes, someone working at the University physically got on the machine and messed up the webpage. So ZDNet was quick to post about how the Mac mini was hacked in only 30 minutes.

Anyway, the webpage is back up with an explenation. No one's managed to do it yet.

The interesting part is that they've opened it up way more than you usually do. People actually have a shell account they can SSH directly to the server. There's no firewall either.

I wonder how long it'll last, assuming some dipshit doesn't get to the computer again.

[hickey]

wait....what?

whats an SSH account, and what does that do? also, how does this effect the average comp user?

[turtle777]

Anby links ? Can't find it.

I wonder who paid them to do that.

One thing's for sure, if you'd put an out-of-the-box M$ server side-by-side to a OS X server, there's no question who'd get hacked faster.

-t

[CharlesS]

Originally Posted by hickey

wait....what?

whats an SSH account, and what does that do? also, how does this effect the average comp user?

It doesn't affect the average user at all, since the average user won't be running a Web server or an SSH server from his personal computer. Also, most people that are running such services probably aren't running a script on their web page that automatically creates a new user account and password for anyone that requests one, thus giving everyone SSH access to the system. This guy is just asking to get hacked.

Oh, and here's the link to the server the idiot is daring people to destroy:

http://rm-my-mac.wideopenbsd.org.nyud.net:8090/

[olePigeon]

http://www.zdnet.com.au/news/securit...9241748,00.htm

Above is the link to the article. Below is the link to the test website for the contest.

http://test.doit.wisc.edu

For anyone who's wondering, SSH is a way to login to a computer remotely.

[hickey]

I wish I could run my roomates comp remotely, Im too lazy to get up and turn off his crappy music after he leaves for class.

[skipjack]

Originally Posted by olePigeon

http://www.zdnet.com.au/news/securit...9241748,00.htm

Above is the link to the article. Below is the link to the test website for the contest.

http://test.doit.wisc.edu

For anyone who's wondering, SSH is a way to login to a computer remotely.

I don't believe your information is correct. The Mac OS X system that was compromised was (is) not the same as the one at the Wisconsin university. The Wisconsin site was apparently set up in response to the ZDNet article as a more realistic challenge.

http://apple.slashdot.org/comments.p...&op=Change

[turtle777]

Ok, so what does it mean that the hacker gwerdna had "local access" to that machine ?
Does that mean he was hacking from within the LAN, or did he have PHYSICAL access to that machine ?

-t

[turtle777]

Originally Posted by skipjack

I don't believe your information is correct. The Mac OS X system that was compromised was (is) not the same as the one at the Wisconsin university. The Wisconsin site was apparently set up in response to the ZDNet article as a more realistic challenge.

Correct. OlePigeon "bungled" these two things together...

-t

[olePigeon]

Originally Posted by what_the_heck

Correct. OlePigeon "bungled" these two things together...

-t

Oops, I think you're right. But the Sweedish one the guy was at the computer itself. So either way, it wasn't a remote attack. I see that the University has put up another website for people to try again.

[Ω]

http://forums.macnn.com/90/mac-os-x/288048/mac-os-x-hacked-less-than/

[ReggieX]

Originally Posted by hickey

I wish I could run my roomates comp remotely, Im too lazy to get up and turn off his crappy music after he leaves for class.

So tell him to turn his music off when he leaves, geez. But really, if you're "too lazy" to go turn off his music, you deserve to listen to his crap.

[ambush]

Why can't we have a CLEAR, demonstration of a defacement on OS X? Why is there so much confusion. If OS X is easy to hack, we should have a proof by now.

[turtle777]

Originally Posted by ambush

Why can't we have a CLEAR, demonstration of a defacement on OS X? Why is there so much confusion. If OS X is easy to hack, we should have a proof by now.

No, we can't. For FUD's sake !

-t

[Dork.]

Originally Posted by hickey

wait....what?

whats an SSH account, and what does that do? also, how does this effect the average comp user?

Originally Posted by what_the_heck

Ok, so what does it mean that the hacker gwerdna had "local access" to that machine ?
Does that mean he was hacking from within the LAN, or did he have PHYSICAL access to that machine ?

-t

From what I can tell, the "local access" that was provided basically meant that anyone would get the same command-line access that a normal user (without inputting an admin password) could get at the keyboard using Terminal. An SSH account is basically command-line access to the machine in normal user mode. SSH stands for "secure shell", and means that the connection between the server and the remote client is encrypted.

It does not affect the average Mac user, since they are not likely running any services at all. If an SSH or telnet server is not active, a hacker would have to gain physical access to the machine to do these things. Keep in mind, though, that some other services, if they are misconfigured, may fail in a manner that gives this type of access to an attacker. I would grade this as a potential concern, but the "30 minutes" thing is overhyped.

[Scotttheking]

Originally Posted by olePigeon

ZDnet is running a story about how Wisconsin University put up a webpage on a Mac mini using default OS X settings. They've asked people to crack the server and modify the website.

After about 30 minutes, someone working at the University physically got on the machine and messed up the webpage. So ZDNet was quick to post about how the Mac mini was hacked in only 30 minutes.

Anyway, the webpage is back up with an explenation. No one's managed to do it yet.

The interesting part is that they've opened it up way more than you usually do. People actually have a shell account they can SSH directly to the server. There's no firewall either.

I wonder how long it'll last, assuming some dipshit doesn't get to the computer again.

30 minutes to compromise. That's accurate. Physical security is just as important.
The. End.

[dcmacdaddy]

Turning on SSH is modifying the Mini's default security settings.

If they want to do a "true" test of Mac OS X, put a brand new, out-of-the-box Mac Mini on a network and then see what happens. By default, OS X uses an opt-in security strategy so the user has to manually change the security settings for things like SSH and personal file sharing or personal web sharing. If they want to see if OS X is truly hackable "as is", then just take a machine and slap it on the network with no changes to the default settings. THAT would be a true test of the security in OS X.

[turtle777]

Originally Posted by dcmacdaddy

If they want to do a "true" test of Mac OS X, put a brand new, out-of-the-box Mac Mini on a network and then see what happens.

Oh no, that would make so much sense, but it couldn't be used for FUD. Bad idea, baaaad idea.

-t

[11011001]

Sigh, his mini is swamped, the SSH Daemon keeps disconnecting me after a few minutes. I was planning to get a few free SETI runs

It's also not very responsible to have this computer sitting on the network with remote login to anyone on the internet. A malicious individual could use it as a stepping stone to hack another computer, or simply as a zombie for DOS attacks. Furthermore, I wouldn't be surprised if it also gives an individual access to the internal LAN and the ability to see other computers that aren't normally visible (opening them up for attack). I hope they took the necessary steps to isolate this computer on their network.

[turtle777]

Originally Posted by 11011001

I was planning to get a few free SETI runs

-t

[turtle777]

Ok, so MacNN has posted the same story.

How sad. I stopped reading MacNN headline news recently due to all the BS and FUD.

Btw, the haxxor gained root access by means of privilege escalation.
The Mac mini had an active LDAP server, so *anyone* could create local user accounts. To call this a hack is slighlty overstated. It's like somebody gaining PHYSICAL access to a computer: taking out the harddrive and calling it a hack...

-t