Claims of Mac OS X being hacked in less than 30 minutes are not quite what they seem, according to Dave Schroeder, Senior Systems Engineer at the University of Wisconsin – Madison.
A recent ZDNet article told the story of a Swedish man who set up his Mac mini as a server and invited people to try to break into the system and gain root control. Having root control of a computer allows you to install applications and move or delete files.
Within hours of the challenge going live, it was over, as a hacker gained root control of the Mac mini. However, Schroeder says the article failed to mention some of the key reasons why the hacker was able to gain access to the computer.
Anyone who wanted to hack the machine was given access to it through a local account (which could be accessed via SSH), so the Mac mini wasn’t hacked from outside — root access was actually gained from a local user account.
“That is a huge distinction,” said Schroeder.
Schroeder points out that, by default, Mac OS X machines do not give any external entities local account access and do not have any ports open; also, most consumer machines will be behind personal router/firewall devices, further reducing exposure.
“Mac OS X is not invulnerable,” said Schroeder. “It, like any other operating system, has security deficiencies in various aspects of the software. Some are technical in nature, and others lend themselves to social engineering trickery. However, the general architecture and design philosophy of Mac OS X, in addition to usage of open source components for most network-accessible services that receive intense peer scrutiny from the community, make Mac OS X a very secure operating system.”
Schroeder is so sure of the Mac’s security if set up properly that he is running his own security challenge. According to his Web site, the challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open—a lot more than most Mac OS X machines will ever have open. E-mail das@doit.wisc.edu if you feel you have met the requirements, along with the mechanism used. The mechanism will then be reported to Apple and/or the entities responsible for the component(s). Going after other hosts/devices on the network is out of bounds.
Schroeder told Macworld by e-mail that the challenge will be open until Friday, March 10, 2006.