Univ. of Wisc. Madison Mac OS X Security Challenge Update
If you remember, Mac sysadmin at University of Wisconsin Madison, Dave Schroeder, set up a Mac mini as a type of honeypot to challenge the "hacking" community to see if anyone could compromise a Mac OS X 10.4.5 system. The Mac mini in question was set up as an "out-of-the-box" system with Apple's security updates applied, and he turned on both SSH and Apache, two common Internet services, but not ones that the average Mac OS X user would ever enable.

Initially, the contest was set to end on Friday, March 10th, after which he would publish the details of his experiment. However, checking the site this evening, I see that he's scheduled it to end tonight at midnight (Central Time). Dave Schroeder also says that "the machine is under intermittent DoS attack. Most of the other traffic, aside from casual web visitors, is web exploit scripts, ssh dictionary attacks, and scanning tools such as Nessus."

Has the box been compromised? He doesn't say, but he will be publishing the results of the experiment (probably tomorrow). I'm very interested and intrigued to read what the end result will be, even if the news isn't good (i.e. the machine was actually compromised). Whatever the results, it's sure to be a better analysis of Mac OS X security than the misleading and poorly-designed example making the news rounds yesterday.
Source: http://test.doit.wisc.edu/
Earlier today the site said they had a load of over 30Mbps during the DoS attacks. Now it has this simple text:
Yesterday we discovered the Mac OSX "challenge" was not an activity authorized by the UW-Madison. Once the test came to the attention of our CIO, she ended it. The site, test.doit.wisc.edu, will be removed from the network tonight. Our primary concern is for security and network access for UW services. We are sorry for any inconvenience this has caused to the community.
I think the point is that being hacked by some unknown hacker on the internet would be a much larger security problem than being hacked by someone you know, someone you have given a user account to. A family computer doesn't generally run the risk of being hacked by your 8 year old daughter. But if OSX is vulnerable to hacking just by being connected to the web, that's a huge issue.
So in that sense it IS a better test and it is likely that his post challenge discussion will be a better analysis of OSX's security and vulnerabilities, because a. he won't gloss over the details (hopefully) b. he isn't someone with a history of shoddy reporting and bias specifically against OSX. This Munir guy at ZDnet Australia is an idiot and it's not the first time he's written ridiculous articles of half-assed research and outright lies.
Looks like the MacMini was not successfully hacked. But I wonder, wouldn't it be hard for a hacker to get to the MacMini with all the DoS attacks? Seems hard to rate the success of this hack challenge if the hackers couldn't hack because of all the script kiddie attacks.
You wrote that this will be a better analysis of osx security than the previous example, but you seem to be confusing the original challenge with the shoddy coverage of it.
The coverage of the initial challenge made it seem as though there was a threat of osx boxes being compromised by simply being net-accessible, mentioning nothing about the fact that local account privileges had been given.
This challenge attempts to test osx's vulnerability to net-accessibility *as it was represented* in the media coverage - i.e. leaving aside issues of having local accounts and just seeing if the box can hold up to attack with ssh and http open.
BUT... (and this is the important part) if you look at the previous challenge and not the erroneous coverage of it, then there is still a potential security issue - an issue which is more serious and interesting than simply testing ssh and apache in an osx install.
In the initial challenge someone with a local user account was able to achieve an escalation of user privilege via ssh. Given that much of osx's security depends upon the multiple users/different privileges paradigm, this escalation DOES represent a serious security flaw. Compared to the known stability of ssh and apache, this escalation vulnerability is much more serious and worthy of being tested.
The second challenge is an understandable response to poor coverage, but it is hardly a cutting-edge test of security. This doesn't invalidate it, but neither does it make it the "better analysis".
Wheels, why would he not be honest? Why would he go to the lengths he is to then just outright lie? Of course there is the possibility this is all a complex hoax, but the main reason I doubt it is, is a simple 'Why?'
There are no ads on the page, he won't be making a scientific journal with his findings, and Apple won't suddenly hire him as a 'security consultant' just because he put his Mini on the web and published his address.
Take his experiment with the correct amount of scepticism you need for reading anything on the web, and you're still left with a nice rebuttal of the earlier claims. If nothing else, it proves that people aren't sticking their head in the sand about Mac security issues.
From the site: "There were no successful access attempts during the 38 hour duration of the test period."
March 08 2006 at 1:58 AM

Would anybody trust this guy to tell the truth on whether or not the mini was successfully hacked into or not? I know my answer.
March 08 2006 at 12:53 AM

Well, a lot of Digg.com readers aren't necessarily known for their sparkling intelligence. I'm not surprised there'd be a motley crew climbing all over themselves to attempt something as pointless as a DoS.
March 07 2006 at 11:24 PM

I notice he took the picture off the page. That was probably to reduce the page file size for bandwidth issues. Users on Digg were talking of just doing a DoS attack even though it proves nothing.
March 07 2006 at 10:21 PM

Derek: you are probably right. The university sys admins were probably not very happy with this... I will be curious to find out what happened.
March 07 2006 at 8:00 PM

The challenge was to alter the web page file. If he's closing it early that means someone at UW Madison (read: over 40,000+ students and faculty) got really mad over the DoS attacks going through their network.
March 07 2006 at 7:43 PM