More of my sites

WinInfo Daily News
SuperSite for Windows
Windows IT Pro Magazine
Connected Home
Thurrott Dot Com
Windows Weekly at TWIT

About this site

For six years, the Internet Nexus served as my technology blog, but I've since started blogging at the SuperSite Blog instead. If you're looking for the blog, please head there. --Paul



Monday, March 06, 2006

Mac OS X hacked under 30 minutes

ZDNet:
Gaining root access to a Mac is "easy pickings," according to an individual who won an OS X hacking challenge last month by gaining root control of a machine using an unpublished security vulnerability.

On February 22, a Sweden-based Mac enthusiast set his Mac Mini as a server and invited hackers to break through the computer's security and gain root control, which would allow the attacker to take charge of the computer and delete files and folders or install applications.

Within hours of going live, the "rm-my-mac" competition was over. The challenger posted this message on his Web site: "This sucks. Six hours later this poor little Mac was owned and this page got defaced".

The hacker that won the challenge, who asked ZDNet Australia to identify him only as "gwerdna", said he gained root control of the Mac in less than 30 minutes.

"It probably took about 20 or 30 minutes to get root on the box. Initially I tried looking around the box for certain mis-configurations and other obvious things but then I decided to use some unpublished exploits -- of which there are a lot for Mac OS X," gwerdna told ZDNet.
Will this end the baloney? No, but we're getting there. As the "Mac is more secure" argument falls apart, eventually Mac fantics will have to fall back on such rationale as "I just like it better" when defending their favorite OS. And that's just fine. I think both Windows and OS X have a lot to offer, and target different crowds. The technical people who love OS X need to believe there are technical superiorities in that system. I'm sure there are some. But there is no inherent security superiority. OS X is just used by fewer people and is hacked less as a result. Obviously.

Thanks Anthony.

Update: A Vnunet blogger wonders about this 30 minute claim:
The thing is… the story doesn’t offer a single source backing up the hacker's claim. For all its worth, the blogger could have staged the contest and put up the "defacement" website all by himself. No actual hacking skills needed.
It's highly unlikely that a site like ZDNet would invent such a story, which I why I linked to it. However, "Silicon Valley Sleuth" isn't quite as credible. The question is valid. But assuming this to be a hoax is simply an example of what I was complaining about above.
[ Posted at 7:55 AM | Permalink ]

 

Nexus Home | Nexus Archives | Email Paul
Copyright © 2001-2008 Paul Thurrott. All Rights Reserved.