digg

Facebook Connect Join Digg About

Mac OS X Hacker challenge is over.

test.doit.wisc.edu 38 hours, nobody hacked it. Under fire from intermittent DOS attacks, nessus scans, ssh dictionary attacks and much else. The difference to the other competition? Nobody had local access to the machine except the machine's owners, as it would be in a realistic situation.

Who dugg this? Made popular Mar 8, 2006

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

238 Comments

show profanity settings
expand all
  • mrASSMAN, on 10/12/2007, -26/+100this isnt just a normal 38 hours, this is 38 hours of invited constant attack by thousands of hackers. i'd say this qualifies as tried and tested, more harsh than reality.
  • Choaderboy, on 10/12/2007, -3/+69What I would like to see is a side-by-side challenge. A Windows Server and Mac Server, both running concurrently until one falls.
  • TheShrike, on 10/12/2007, -10/+70If you say 38 hours is nothing... well, you're right. But it is 76 times longer than the 30 minutes it was supposed to take.

    But what I find amazing is that the Mini was still chugging away even after being hit with 2 digg articles and a slashdotting.
  • jayman30, on 10/12/2007, -11/+58Hey 1111,
    Don't matter how long it was up, the site received almost a half a million requests and was on digg and slashdot for all the hackers to find and try to crack. The site says "Most of the traffic, aside from casual web visitors, was web exploit scripts, ssh dictionary attacks, and scanning tools such as Nessus."

    If thousands of hacking attempts can't bring down OSX, then it's pretty damn secure!
  • nogami, on 10/12/2007, -22/+58"Doesn't matter how long it was up"?

    So if you put a server up for 1 second then take it down, it's secure? How about putting it up for a few weeks or months?

    As far as I'm concerned, exploit scripts, dictionary attacks and scanning tools are all script-kiddy signs. Doubtful that any real hackers tried all that hard.

    There's also no benefit aside from bragging rights (and they'd risk potentially closing a hole that they could use for real hacking). If someone did have a good way to get into OSX, they'd almost certainly keep it to themselves so they could use it for something actually useful (ie: making money)...

    N.
  • jessed, on 10/12/2007, -8/+40@nogami

    This is a more realistic production situation. Usually you will not have SSH access to a run-of-the-mill webserver. The previous contest just gave users regular accounts and ssh access with no extra security. My University has better security on their Linux server.
    If you don't think 38 hours is enough then check out http://www.army.mil they've been running OS X for thie webserver for since 1999 and how often has it been hacked since the initial hack that caused them to switch over in 1999? 0 times as far as anyone knows.
  • po6ot, on 10/12/2007, -18/+45How long does it take a PC to get a virus/malware etc? I think the record for a brand new PC simply connected to the internet with default settings is 7 hours or so. 38 hours is more than sufficient.
  • t3hX, on 10/12/2007, -10/+35BTW, this isn't a dupe. The other articles were about the competition starting.
  • lar3ry, on 10/12/2007, -2/+23Six months on a 10 Mpbs line. Would that "line" be behind a corporate firewall?

    The "twenty minutes" report is about an unpatched install of Windows XP directly connected to the Internet.
  • mikm, on 10/12/2007, -1/+21Throw in an openBSD and some decent Linux flavor as well.
  • mochaman, on 10/12/2007, -7/+26ZDnet was simply grabbing attention on recent security bahing on OS X but their so called test that a Mac can be easily hack has now been proving wrong.
  • wastern, on 10/12/2007, -2/+19I think one of the most impressive things is that it was a little G4 mac mini and it was able to handle all the traffic it was getting with ease

    to those that will say it was "only 38 hours", lets be realist again from another angle. how much time is someone going to spend dedicated to 1 box for an average home user. if someone spends that kind of time and effort they need to have a vested interest, not just for the hell of it
  • Smileynh, on 10/12/2007, -0/+17You know what? After reading some Mitnik all these tests are bogus. Social Engineering is your biggest hole. Having a 'test' where you know it's a test removes that hole.
  • Berkana, on 10/12/2007, -11/+27If you look at how the site gathered attention far and wide, not just through digg, but through many other sites, and how many people gave a shot at it, I think 38 hours is sufficient.

    I suspect that far more people attacked this one in those 38 hours due to the publicity than attacked the "easily cracked mac" with the hand-out local access acounts.
  • wastern, on 10/12/2007, -2/+18are you serious? 10.4 has been out over a year now. its not a new OS
  • t3hX, on 10/12/2007, -4/+19Let's now do a ZDNet style test, where we give everyone shell access to a Windows box. How long's it going to last before getting owned? 5 seconds?
  • vinny, on 10/12/2007, -7/+22"There very well may be a bunch of hackers out there who know how to gain root access on OS X, but were unaware of this brief test."

    If they were unaware of this then they aren't much of a hacker. This story was all over the place.
  • atomist, on 10/12/2007, -3/+17I installed 2000 Server in a datacenter. It took no 2 Minutes until the machine got infected while downloading hotfixes from microsoft's website. Grrr
  • Aleks, on 10/12/2007, -17/+31Of course, Reuters, Yahoo , ZDnet will not pick up on this story. They will choose to spread the anti-apple propaganda.

  • vinny, on 10/12/2007, -5/+17"anyways, most the reason OS X / Linux / anything not windows are "more secure" is that since the have such little market share"

    This argument is repeated over and over again, but there is no evidence to support it. All the attention on Mac OS X security recently is certainly enough incentive for people to attack the system.
  • slackerjack, on 10/12/2007, -4/+16It's not feasible to believe that the most 'experienced hackers' participated in this challenge. I don't see why anyone with the knowledge to hack a computer that is believed to be secure would participate. By hacking the machine, THEIR unknown way would become quickly patched. E-week does something similar every year - and every year I find it quite amusing.
  • Charlotte_Web, on 10/12/2007, -6/+17What ZDNet failed to mention was that their group of hackers had local client access to the Mac, which would be an unusual situation for a web server.
  • danielwsmithee, on 10/12/2007, -4/+15A note on ZDnet and CNET. I thought this was very insightful, was posted on a Users Group I am part of.

    "ZDNET is not the most reputable blog/news on the net. They often put out news, claims, reports, and other posts to lure in curious or potentially upset people (including Mac users) to get the "hit" quota to their site so they can get paid by their sponsors. ZDnet's main goal is admittedly ADVERTISING - not news.

    "Under Shelby's direction, CNET Networks has continually played a leading role in the advancement of online advertising, pioneering multiple technological and creative developments that have helped to shape the industry. In 2000, when many people were discounting the value of Internet advertising, Shelby personally led CNET Networks' development of larger advertising units, which were quickly adopted as industry standards. A leading proponent and evangelist for interactive marketing, Shelby was chairman of the Interactive Advertising Bureau from 2001 to 2004 and continues his influential role there as the bureau's chairman emeritus and a member of the executive committee." - http://www.cnetnetworks.com/aboutus/leadership/shelby_bonnie.html

    CNet is the proud owner of ZDNet, by the way. Their mission statement is as follows:

    “We create richer, more authentic brand experiences by building on the
    collective wisdom and passion of users, marketers, and our own people.” - http://www.cnetnetworks.com/aboutus/mission.html

    So, in english... 'We make sure that our advertising is viewed by using distorted truths and lies to draw in sophisticated, intelligent, and passionate people who try to correct us.' OK, ok, said a little nicer... 'Our marketers and staff facilitate online meetings between advertisers and potential customers by playing on their passions and intelligence.'

    When the going gets tuff, attack the Mac users - you know, the creative and intelligent ones with opinions, thoughts, and feelings. If you don't like their tactics and Mac bashing, then unsubscribe. There are plenty of non-biased and even favorable-to-the-Mac sites out there to subscribe to.

    And, if you go to their site out of sheer boredom, there are plenty of fun activities to do. Rather than challenge people to attack a Mac, let's challenge people to decipher, translate, or (in other ways) have fun with CNet's vague, yet somehow obvious, mission statement!


    -JoeyDG



    PS. For anyone curious, ZDNet's (subsidiary of CNet) mission statement is as follows:

    "At ZDNet, our mission is to be the world's premiere "full service" destination for people looking to buy, use, and learn more about technology. By combining our enormous depth and breadth of trusted, authoritative content with the most relevant services and commerce opportunities, ZDNet enables all Web users, from IT professionals to consumers, to get the most out of their investments in and involvement with technology." - http://www.docomp.com/links2.htm


  • Biomechanical, on 10/12/2007, -3/+14Well, Apple charges to go from Panther (10.3) to Tiger (10.4), the same as Microsoft charges to go from Windows 2000 (5.0), to Windows XP (5.1). :)

    I think those are the version numbers, either way, both Microsoft and Apple charge for major point releases, Apple is just more open about it - practically shouting it from the roof tops.
  • wastern, on 10/12/2007, -3/+14just because they don't start from scratch every time doesn't mean there isn't a lot of development and advancement. Tiger is a vast improvement over *Panther*, and Pather was miles ahead of Jaguar, 10.0 and 10.1 weren't that good.

    by your logic they should never charge for an OS because its always just an update. just because they can put out a release every year or two doesn't make it less of a release. I think you should instead be asking why Microsoft takes 5-6 years to come out with a new OS.
  • wastern, on 10/12/2007, -6/+16it was a follow-up to a story that had near 1000 diggs and one that will surely make diggnation, it was pretty big news, not just some random mac software website or rumor about a video iPod or something trivial
  • obdurate, on 10/12/2007, -0/+9jessed: The Army did not switch to OS X in 1999, it wasn't available. They used OS 9 (or possibly OS 8--the classic Mac OS). I do not know what they're using today, or if they switched to OS X, when they did so.
  • nogami, on 10/12/2007, -4/+13I don't know that it's particularly impressive - it's not like it's actually doing anything in the default config - it's not running PHP or SQL, and it's not serving any particularly bandwidth-heavy pages. If you've got it hooked to a university network it's also not going to be short on bandwidth.

    It's not the webserver itself that tends to crumble during high-usage peaks, it's the database backend or PHP modules, or just simply running out of available bandwidth. They mention bandwith spiked to 30 megabits/sec (but not what the average was), which really isn't all that fast.
  • samfrench, on 10/12/2007, -6/+15"If thousands of hacking attempts can't bring down OSX, then it's pretty damn secure!" I guess it is kind of secure, but the main flaw in windows is that so many newbies use it, and install junk, and just don't update. Also, the main flaw in windows is when hackers find exploits. I am not sure there are many hackers finding exploits in OSX, some I guess, but not many. OS X may be more secure then windows, but this does not convince me. Also the challenge should have been a month, or two.
  • ileadyouth, on 10/12/2007, -2/+11The funniest part, to me, about all of this: 2 days ago everyone was screaming and laughing that OSX was hacked, until they found out it was a complete mockery and the users were pretty much given the key to get in the door. So then, as a challenge, another contest is setup with the proper setup on a computer and now everyone screams the time was too short.

    I have witnessed an XP machine getting plugged into a network and receiving a virus within minutes. All of these arguments just bleed ignorance for the most part. Point is - NO OS is perfect. I am a MAC user, and I always will be - I have NO reason to switch back to, what I think, is an inferior OS. That is my opinion, I am entitled to that - but it does not make it GOSPEL for all. People fail to realize that there will always be a choice, and some prefer Windows.

    Security by obscurity? I dont buy that for one second. How long can you possibly use this argument - even KNOWING all of the attention the challenges are receiving (and the traffic). If it makes you sleep better at night, then keep telling yourself that.

    Like I said, no OS is perfect, and MOST of the time it is dumb users who screw up a computer. But for goodness sakes, there are just as many windows fanboys that act WORSE than the mac fanboys do - the stereotype gets really old. Just because Apple users actually ENJOY the product they receive (yes, they know its more expensive, etc). Is it wrong that a company has created loyalty from its customers? Isn't that the goal of any business? To create loyal customers who will continue to come back? Even through the good and bad? You definitely dont see this on the MS side (and there are an array of reasons for this as well).

    Overall, its the ignorance that really makes me chuckle. Get over the fact that not everyone uses OSX. Get over the fact that not everyone uses XP. Get over the fact that some people will pay more for the quality they receive (and the experience). Different strokes for different folks - cant we all just get along?
  • alex007, on 10/12/2007, -1/+9A real hacker would never waste a perfectly good exploit on a honeypot
  • vigil, on 10/12/2007, -6/+14Two things make this posting horribly stupid.

    1. Most comprehensive, non-script kiddie, hacks take months to plan and to profile the system's holes. I'm willing to bet that if anyone dedicated enough time to cracking an OSX box setup as a contest for an extended period of time a hole could be found. The underlying system is still the same, as someone mentioned above, as a BSD TCP/IP stack with Apache and SSH running on top of it. So, why can't we just say *nix systems proven secure! (Yeah, doesn't sound so glamorous now eh?)

    2. Comparing the "average" WinXP user to a OSX power user is a pretty crap comparison. I mean, most of the arguements here are from people who (judging from the fact that they actually read Digg) are rather tech-savvy. Why not compare WinXP power users vs OSX power users, or better yet, Sys Admin to Sys Admin? Push comes to shove, OSX can be just as easily jerked up if the same average idiot who sits at a WinXP system now plops themself infront of the screen. I think some of us have probably seen our grandparents try to use computers right? If the user still doens't understand what services they have online, and what sorts of holes may be exploitable on these available services, they are liable to get shot in the foot.
  • inactive, on 10/12/2007, -2/+10Didn't the original article say it was going to be up until Friday? Why didn't it go all the way? I think it actually DID get hacked, and the guy just isn't saying that.
  • sanjay, on 10/12/2007, -1/+8I really wonder how would this work out if you just changed the OS to Windows XP,
    install the latest security patches and all,put up a firewall(if it had been done in this case), run the same services using apache etc(basically the same stuff for windows).
    i mean sure everybody says that windows isnt as safe compared to the other stuff but apart from the virii(which arent really being tested here) how much different is the web security in the two platforms?

    In my opinion these tests/challenges actually have nothing to do with the security of the OS as such, they are just testing the security of open source software(apache) on a platform.

    the test for an OS would be somewhat on the same lines that the ZDnet reported incident did.
    if you are checking the robustness of an OS you would want to ensure that people dont make it crash over the internet or given a minimal access arent able to escalate the access to super-user.
  • air12ick, on 10/12/2007, -11/+18Kinda dissappointed at this "event" because most of the attacks were just "tools" that anyone can use. Would of been interesting if someone was creative and found a way to get in with their own goodies rather than just bashing it with known "hacks."
  • vinny, on 10/12/2007, -3/+10"The only reason they get as much coverage as they do is because they're the biggest bunch of self-serving self-publicists in the industry - the power of hype in all its glory."

    You're kidding right? Can you give one example of this self-serving self-publicists that goes any farther than any other company? Did you recently get fired or something? I think you need to relax a little.
  • dBLiSS, on 10/12/2007, -1/+7I think the whole getting spyware/malware/virii on an XP box has more to do with the ignorance of the general populace. I don't have an antispyware software, and run a free virus scanner occasionally. My Xp box runs perfect, for monthes with no reboot or "hacks". If users we just more educated on the Do's and Do Not's of the internet if might prevent atleast half of the crap going wrong with XP.
  • vinny, on 10/12/2007, -1/+7What are you talking about? Do you even understand the difference between the last article and this one? What myth are you referring to?
  • DharmaDog, on 10/12/2007, -3/+8Haters.

    When ZDNet posted the bogus story about OS X being "hacked" in 30 minutes you all shouted from the rooftops, "see we told you so, OS X isn't secure."

    Then it was pointed out exactly how bogus that test was and a more realistic test was started. If 30 minutes was enough before to hack the OS you hate so much and is supposedly so insecure then why isn't 76 times that amount of time adequate to hack it? This challenge had much more publicity and seems to have attracted much more attention.

    There's no point in arguing with haters. If the box had been up 20 days for the challenge without being hacked, you would just say why wasn't it up for 20 months? If it was 20 months, you'd demand 20 years, etc.
  • Writher, on 10/12/2007, -1/+6I'd like to see Apple put a host up, and do a contest like this. They could make a cash incentive for finding vulnerabilities and reporting them.
  • project2501, on 10/12/2007, -1/+6Because of Windows user security model, services are in fact less secure than on Unices. But yes, its still down to the actual services security maturity more than the Os's'.
  • rguenthner, on 10/12/2007, -2/+7That's a better challenge IMO. We all know how vulnerable windows is when it's unpatched with the typical user installing everything they can click, but webservers aren't run by your typical user. Uneducated Mac users are just as likely to not update their machines/software as undeducated Windows users. I believe OSX to be much more secure than Windows for the average user out of the box, but for server applications it would be interesting to see a more in-depth side by side challenge.
  • TheCount, on 10/12/2007, -1/+6Well that's cool and all, but when was the last time any of you got hacked? I haven't even had to deal with a virus or worm on my windows machine in years and years. My Mac Mini is on 24/7 and I've never had a problem with any of this crap either. The fact of the matter is that Hackers don't want to waste time hacking into your home machine, what are they going to do, steal the music from you that you stole off the internet? What's the point?
  • Zorlak, on 10/12/2007, -1/+6I will give credit where credit is due, in this case, to the operators who managed to keep a Mac online for 38 hours while under constant attack. However, there are many faults here that are harsh truths.

    1) "Nobody had local access to the machine except the machine's owners, as it would be in a realistic situation."
    - This is hardly the case? In a real life situation there are fair odds that the computer would belong to a corporation, and be part of a network, in-which many users may have user accounts on. You also need to consider domain controllers, and user accounts that are active to take advantage of software services.

    2) 38 hours... That is all well and good, but it doesn't prove anything? I remember a story (in theory a real one) I read in "The Art of Intrusion", by Kevin Mitnick... There was a hacker who spent many months simply trying to hack into one individual system. That may not always be the most practicle approach, but the point is that he did it, and that means he won. There have been many cases where weeks, months, or even years have been spent trying to break into certain systems and networks. I know it isn't practicle to run a hacking challenge for the duration of two years, but if they did, the outcome might very well be different. That is real life.

    3) I think in more ways Apache and Open SSH were the ones really being tested, and I really commend them for doing a good job. I will not give a lot of credit to OS-X in this area, as Apple is not the creator of Open SSH or Apache.

    4) The mac did a good job at holding it's own, no doubt there. I just don't think it proved very much? If you're going to ponder the security of an operating system, I think it is a MUST to consider everything! This includes being on the same LAN, WLAN, having restricted users that can escalate privlages, etc. As a whole, I am still not impressed with OS-X and the security policies that exist. It didn't do awful online, not at all, but in a real world situation I would never trust it. Simply because you have to consider many more levels of attack. The web is a big part of security, but there is more to it than that. Lots more.

    5) We also must consider that the Mac was on a University network, right? Who knows what measures have been taken at the network level to prevent access? (By University administrators.) A lot of times machines get compromised through other machines on the network that are easier to get into... During this hacking challenge such attacks were of course out-of-bounds. What about in real life though? There are just too many factors to consider to really call this challenge a success, although I wouldn't call it a failure. It did stay online, and the majority of my credit goes out to Open SSH and Apache. Don't worry, I will still give some credit to OS-X... Just not nearly as much. I want to say well done to the administrator who setup the web server though. You managed to keep your box online and beat over 4000 attempted logins. Well done! (I just don't think that has very much to do with OS-X.) :-)
  • 1111, on 10/12/2007, -40/+45not trying to troll, but in a "realistic" situation the computer would be up for more than 38 hours. 38 hours is nothing. what about people who work? it allots very little time and presumes people will drop whatever they are doing to participate. im sure there are people out there who didnt even find out about it until it was over. a real testament to security would be a running challenge.
  • ImpactedColon, on 10/12/2007, -4/+9This means absoloutely nothing. No rational person can draw any conclusions. For one, just because something isn't cracked today doesn't mean it can't be cracked tomorrow, and faulty inductive reasoning is merely one logical fallacy embraced by those who would believe Mac OSX is bulletproof.

    That's not to say I am impressed it wasn't hacked during that time, but in the grand scheme of things, it honestly means nothing. This is hardly a clinical environment with variables controlled, and who's to say it was even legitimate?

    I hope this professor doesn't intend to draw any conclusions based on this little social experiment, but I suspect he is smart enough to not be so bold.

    After all, I could say "If there really is a God, He'll strike me down with lightning this week" and then 38 hours later say "I know it hasn't been a week, but I'm still alive, so God doesn't exist." Hardly a persuasive argument.
  • gotamd, on 10/12/2007, -0/+5I should try putting an XP Home box up with all the latest updates. Heck, the Mac wasn't using a base 10.4 install. It had all the latest updates on it too.
  • socket, on 10/12/2007, -1/+6You have to be brain damaged to think Windows XP (or any OS that is) can be compromised through a properly functioning and secure NAT router/firewall. Read a book jr.
  • chicagobiker, on 10/12/2007, -3/+8It's average traffic balance for the day-and-a-half that it was running on the University of Wisconsins network was 30MBs. It was DOsS'd and generating massive access logs.

    Basically the entire internet made a left turn and headed straight for this single network port.

    I'm surprised the thing didn't shoot out of the wall by it's ethernet cable.

    38 hours is plenty to endure that kind of abuse on your schools network.
  • stylesP, on 10/12/2007, -2/+7It should have running till 10. march like they announced
    http://72.14.207.104/search?q=cache:Bp0onbYvKvIJ:test.doit.wisc.edu/
    no comments why they cut it off earlier, ideas?
  • Fetching more discussions...
    Show 51 - 100 of 239 discussions

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...


© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.