Will ZDNet pick up this story, or will they wallow in journalistic disgrace?

Mar 8, 2006 09:36 GMT

Yesterday, the Academic Mac OS X Security Challenge was launched in response to the terribly misleading ZDNet article titled "Mac OS X hacked under 30 minutes." Dave Schroeder, like many others, was appalled that the initial article did not mention that local access had been granted to the Mac OS X system, leaving many readers with the impression that any Mac OS X machine could be taken over in just 30 minutes simply by being connected to the Internet.

This is not the case, and Mr. Schroeder launched the challenge to prove it. As Schroeder notes, the Mac OS X "machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction." It is like saying that Fort Knox can be broken into by anyone if the guards leave, the security is disabled beforehand and the doors are left open, and if some of the would-be hackers were also given a road map to make sure they could find the facility in question.

After 38 hours the challenge was considered closed and the machine had still not been broken into. Over a period 76 times longer than the ZDNet article claimed, the system was still "unhacked".

Verbatim from Dave Schroeder's Academic Mac OS X Security Challenge site:

Objections to this test

Some have objected to this test as doing nothing more than testing the security of apache or ssh on a PowerPC architecture. That is correct. And that is how most of the world will see Mac OS X externally. The original article was not fair, because it did not note, or even imply, or hint in any way, that local account access was granted. The whole point of Apple using proven open source services like OpenSSH and apache on Mac OS X is exactly because of their secure nature as a result of years of scrutiny by the community. Most users of Mac OS X in a consumer or desktop setting will never even enable any of these services at all. It's unfortunate that the initial coverage was so journalistically poor and sensationalistic on what might otherwise have been an article about an interesting local vulnerability. Instead, it chose to leave people with the impression that a Mac OS X machine can be "hacked" just by doing nothing more than being on the Internet. That is patently false.

The testing period is now closed.
- The response has been very strong.
- Traffic to the host spiked at over 30 Mbps.
- Most of the traffic, aside from casual web visitors, was web exploit scripts, ssh dictionary attacks, and scanning tools such as Nessus.
- The machine was under intermittent DoS attack. During the two brief periods of denial of service, the host remained up.
- The test machine was a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, had two local accounts, and had ssh and http open with their default configurations.
- There were no successful access attempts during the 38 hour duration of the test period.

Some snippets from today (7 March 2006):
- The site received almost a half a million requests via the web.
- There were over 4000 login attempts via ssh.
- The ipfw log grew at 40MB/hour and contains 6 million events logged.
- More test results and information will be published here at a future date.