Linked by Thom Holwerda on Mon 6th Mar 2006 21:59 UTC, submitted by crispoe
"In response to the woefully misleading ZDnet article, 'Mac OS X hacked under 30 minutes', the academic Mac OS X Security Challenge has been launched. The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open."
Thread beginning with comment 101977
To read all comments associated with this story, please click here.
To read all comments associated with this story, please click here.
Member since:
2005-07-06
The guy was given "local" access through SSH.
What validates THIS challenge, is that you are NOT handed a local account. Therefore, you do not have a local account to work your way from the inside out.
Not to because I want to "validate" the original claims, but I too would like them to offer up some real proof and methods of attack. What vulnerabilities were actually used.
The reason everyone is defending Apple in this matter is the same reason people defend the *nixs and BSDs, this was done using local (ssh accounts are considered local not remote, for those who do not know) exploits and not remote vulnerabilities.
JRM7