A case of bad journalism and biased tests...

Mar 7, 2006 14:14 GMT

"Mac OS X hacked under 30 minutes" read a ZDNet article from yesterday. It detailed a challenge issued by a Swedish Mac user who, on February 22, set up his Mac mini as a server and invited hackers to break into the computer and gain root control, which would allow the user to take control of the machine and delete files as well as install applications.

This article is misleading to anyone who lacks the technical knowledge to understand exactly what is going on. The participants in this experiment were provided with local client access. They did not actually have to break into the machine but were given free rein on it. Gwerdna, the hacker who won the challenge, was not placed in a situation where he had to find the machine on the Internet, somehow gain access to it and then gain root access.

If you wished to test the security of your home, would you do it by printing an ad in the paper which says: "I live on this street, at this number, the key to the front door is hidden under the mat, the code for deactivating the alarm is 642767638. Please see if you can break in and cause some damage; just tag your name on the living room wall if you managed it"?

In its original form, the article never even mentioned that the participants were given local access to the machine so they could run around and do what they wanted; this mention was only added later. What makes it worse is the way many other important sources of information picked up on the article and mirrored it without a second thought.

To demonstrate the biased nature of the experiment and the article, Dave Schroeder of the University of Wisconsin has issued "the academic Mac OS X Security Challenge." He has placed his own Mac mini, running Mac OS X 10.4.5 with Security Update 2006-001, on the internet and has configured the machine with two local accounts and with ssh and http open.

Even so, despite being a far more accurate test, it is far from relevant, as the vast majority of Mac owners, due to their default configuration, will not have ssh remote login available and will be further protected by the personal firewall.