OSNews

That "lil'Hacker boy" used unpublished local exploits to gain root with a luser local account. All this test proves is OSX's remote security/stability, still doesn't address the fact that there's unpublished/unknown/unpatched local vulns floating around.

Security is not about "fronting off".

Well, considering that a XP box can't be installed exposed to the net without being filled with crap this does prove the authors point. That MacOS X is a secure operating system. But it would be nice if they left it online until it was compromised.

Edited 2006-03-08 14:10

No, SP2 updated would probably pass this test also. SP1 with no firewall would not.

And Windows XP has the same relative security when sitting on the internet as long as its fully patched and updated, as the OSX box was. Now, browsing websites in IE vs. Safari is a different story but we're talking about a box sitting on the internet, in the open.

Well being that a couple of days ago everyone was saying that MACs could be hacked in 30 minutes I think the point has been proven that the story was a hoax

Well being that a couple of days ago everyone was saying that MACs could be hacked in 30 minutes I think the point has been proven that the story was a hoax.

Why? Scientifically speaking, this test does not disprove that story at all. It makes it just a tad bit less likely-- but not a hoax.

the thing that does make the 30 minute story look like a hoax is the complete lack of evidence and methodology presented in the story.

The original story it's self was not scientific at all, it was just a story that got picked up on by a Microsoft friendly news source.

In reality anyone who invites people to come hack their Mac would be more scientific then the original story.

No, what this proves is that the previous testing of having a mac with local shell accounts avalible for anyone can be considered a "bad idea." The new test doesnt really prove anything

Yes, it would be a good long-term test. However I don't think they can afford the bandwidth

That was exactly my thoughts too. The hackii6.com site was running their contest for about 5 weeks or so. It would be interesting to see the Mac stay up for a 2 week or 3 week period. Dedicate a domain to it, call it HackMac.com or some other catchy title.

woah, calm down.

Um, this test DID have the OSX firewall running. He was just leaving the SSH and HTTP ports open. This is the key line: "# The ipfw log grew at 40MB/hour and contains 6 million events logged." Thats the log for the firewall.

No need to be insulting. I didn't know that making a joke about this (IMO) poorly done test was like molesting your grandma to you. And no, it didn't bluescreen, it just sat there, being all Win98ish and useless.

Did you also get half a million visits, like the Mac Mini did?

I just ran an old Windows 98 laptop and connected it to the internet for a day, and it didn't get hacked. Does that now mean that Win 98 is unhackable?

Did you publish it's address on OSNews and every major tech blog and news outlet, inviting hackers to try to break it? No. So it's not remotely the same thing.

"Did you publish it's address on OSNews and every major tech blog and news outlet, inviting hackers to try to break it? No. So it's not remotely the same thing."

If the hackers were really good, I wouldn't need to.

Seriously, what I said was a joke. It's funny how people have taken it. To clarify: I think the test period was too short. Even hackers have jobs to go to, and maybe the good ones were busy that day.

I am wondering how come you have decided to format your PB.

It is not difficult to protect yourself from spywares in case they come up on OS X. Just create another admin account and disable the admin privilege for your present account. Also, disabling the open "safe" file option in Safari also helps. Lastly, you can enable the display of file extensions under Finder's preference (Yes, this will display the .app extension)

Once I configured on them the internet connection, within 2 mins I'm receiving all sorts of pop-ups and self-installing spywARE crap... on windows only. and yeah, it has SP2, by default, but you can never really protect a machine with the "default" things...
However...

Give me a friggin' break. If all you did was install WinXP with SP2, and connected to the internet, you're either:

A. full of crap
B. going to questionable sites you shouldn't be going to.

You don't just connect a PC to the internet and instantly get infested with spyware.

um.... false!!!

this goes back a few years, but when XP had just come out...actually, about 6 months after it had come out. I installed a copy on my dell 400mgz pentium, launced IE, downloaded mozilla (from their site), then closed IE once Moz was DLed.... then... i went to sleep.... thats it!. Due to work and every day life, it took me about week to get back downstairs and get in front of this PC. well, i sat down, went to the desktop and launced the Moz installer... created a folder for my new apps on D:/, and went to install the app... when i created the folder, i noticed a wierd little file was already in the brand new folder. it had an IE icon. I was a bit puzzeled, i examined the file... and it appeared to be a .VBS file... I deleted the folder, and created a new one... and again, there was this .VBS file... at that point... i created a few new folders... every one of them, had this very same .VBS file....

at that point, i was like.... "WTF!!! did i get hacked? i must of... this is a brand new installation... and it was not a cracked version of windows." any way... since this was not my only box, nore was it connected to any other machine at this point..., i figured i would click on the vbs file to see what it did.... well... IE opened, and took me to a porn like web site.... i say porn like cus there was more than just nude girls on the index page... there were links to downloads for weird stuff like spyware protection and plugins and interface "enhancements" for IE....

with out clicking on any links... AT ALL... i just scrolled up and down the page looking at the ads and links trying to figure out were the hell i was... and while i was doing that, IE was busy doing stuff... new IE windows were poping up.... enlarging to full screen... then more would pop up.... then IE restarted.... and when it did... the interface was different... it looked like a few "enhancements" had self installed...and restarted IE for me....

i just sat back and watched at that point! as some one, or some thing "owned my PC" it was almost like magic! ...and was quit amusing!!!!

any way... to make a short story shorter... after a few shits and giggles from my BRAND NEW XP PC getting hacked... i F-Disked the box and installed red hat... 6 i belive....

so.... dont tell me you CANT just plug a windows box in to the interweb and get hacked! I diid!!!!

like i said this was XP... and yea... i know SP2 closes lots of holes.... bla bla bla.... that is not the point! the point, is the for YEARS.... for damn near a decade.... hell since the advent of the web.... the 3 billion MS customers have been left WIDE OPEN to an OS the was build from the ground up to be what MS calls "developer friendly" which has in turned made is fantasticly easy to develope spy ware, viruses, trojens and get one some one elses machine...UNINVITED!!!!

Are you a complete muppet or are you just a little bit dim ?

Windows, Mac OS, Linux, BSD, I don't care. I think every home/business should have a hardware based firewall also instead of relying on just the OS for protection.

You do know that if you download malware, and run it on your computer, it will use the open ports that your browser/email client/IM/p2p programs already have open, whether you have a hardware firewall or not ?

yes, some people should not be left alone with a computer, especially those blockheads who think nothing bad will happen if Mr Hardware Firewall is protecting them

Well I would assume they didnt like having their bandwidth eaten away with a 30Mbps spike and DoS attacks.

They gave the experiment more time and with a more realistic setup than the original and people did try to gain access or nock it down but it didnt happen. I am sure there is someway that it could have been done just no one was able to do it yet.

From what I've read, it's as simple as the fact that the person's employer was not happy at all with what he'd done. You know, all that bandwidth, the publicity, hackers trying to get into the box perhaps by compromising other machines on the network, etc.

- The very first challenge as reported by ZDnet was a FAILURE for the so-called unknown magic hacker, the goal was to "rm -rf" the mac mini... he only defaced a website... --> 100% Failure !!!

I'm gonna assume (and hope) that you're just joking here. But I'll point out anyway that the guy simply chose not to 'rm'. He had root (assuming the story is true) so there was nothing stopping him. It just would have been pointless.

"It just would have been pointless"

Except that it would actually have proven that he had root.
Come on, it's a test by wideopenbsd.org, just another total bullshit (to be quite frank) FUD site. If you've ever looked at their main site (wideopenbsd.org) you'd know.

You assume that the story is true , I don't.
Then, you assume that the guy was nice enough to not "rm -rf" the whole system, I don't. It's you right to believe unknown/untrusted sources...

Now let's consider the facts:

- NOBODY "rm -rf" the system.
- ZDnet article IS 100% FUD since NOBODY has demonstrated the ability to hack OS X under 30 min.

The Academic Challenge shew that:

- NOBODY could get privilege escalation during the 38 Hrs it was online despite many, many attempts.

Do you have facts that would prove me wrong ?

It means that when OSX hits 9% marketshare, as it is projected to do in the next 12 months...

Is there a reference to who is predicting this, and whether it is worldwide or US only?

In 2005 the world market was about 205 million machines. Apple seems to have shipped 4.7 million. So if the world market stays roughly the same or grows a bit, and Apple gets 9% of it, shipments will have to rise to about 20 million. Presumably Apple revenues will rise to match, ie the computer part of the revenues, currently about 50% or so of the total, will quadruple?

In 2005 Apple turned over 14 billion. So this would mean going from roughly 7 billion dollars to around 28 billion from computers alone.

It would indeed be insanely great. If it happens.

come on!!!! i ment another computer AT MY HOUSE... ...i beleive that was obvious!


it WAS pluged in to my cable model