1) the person who set up this "hacking challenge" set up a script that created a non-admin
user and password for anyone who wanted to try. SSH was enabled for each of these users. I mean, of course
someone was able to get access to the box--he allowed them in! After which the "hacker" then was able to take
advantage of an unpublished exploit to escalate his non-admin account to execute administrative tasks. This violates the
very first and most important rule of securing a computer, by giving external access to users who shouldn't have it and
don't need it. I certainly don't go around enabling SSH for my Mac users, do you? For the record, SSH (called Remote
Login under the Sharing System Preference) is disabled by default on Mac OS X workstations, and on Mac OS X Tiger Server,
there's even a GUI for allowing or denying SSH access to individual users. Mac OS X workstation users can get the same effect by editing /etc/sshd_config, where the AllowUsers and AllowGroups directives limit which accounts sshd will even consider.
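As an added illustration of that last point (this is example code written for this page, not something from the original post or from Apple), the shell script below reads an sshd_config and reports the three settings that decide who can even attempt the attack described above: whether AllowUsers/AllowGroups restricts logins, whether PermitRootLogin is explicitly off, and whether password authentication is still on. The directive names are real OpenSSH options; the two sample configs are constructed for the example, one resembling the challenge box (sshd on, nothing restricted) and one locked down.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an sshd_config for the
# settings that decide who may log in at all. AllowUsers, AllowGroups,
# PermitRootLogin and PasswordAuthentication are real OpenSSH directives; the
# sample configs below are constructed. Directives inside "Match" blocks are
# not handled here; only the global section is read.

# Print the value of a directive ($2) from config file $1. OpenSSH honours the
# first uncommented occurrence, so take the first match; print nothing if unset.
sshd_directive() {
    grep -Ei "^[[:space:]]*$2[[:space:]]+" "$1" 2>/dev/null | head -n 1 |
        awk '{ $1 = ""; sub(/^[ \t]+/, ""); print }'
}

# Print one PASS/FAIL finding per line for config file $1.
audit_sshd_config() {
    f=$1

    allow=$(sshd_directive "$f" AllowUsers)
    groups=$(sshd_directive "$f" AllowGroups)
    if [ -n "$allow$groups" ]; then
        echo "PASS AllowUsers/AllowGroups limits ssh logins to: $allow $groups"
    else
        echo "FAIL no AllowUsers/AllowGroups: every account with a shell may log in"
    fi

    root=$(sshd_directive "$f" PermitRootLogin | tr 'A-Z' 'a-z')
    if [ "$root" = "no" ]; then
        echo "PASS PermitRootLogin no"
    else
        echo "FAIL PermitRootLogin is '${root:-unset}'; set it to no explicitly"
    fi

    pw=$(sshd_directive "$f" PasswordAuthentication | tr 'A-Z' 'a-z')
    if [ "$pw" = "no" ]; then
        echo "PASS PasswordAuthentication no (key-based logins only)"
    else
        echo "FAIL PasswordAuthentication is '${pw:-unset}'; a handed-out password is enough to log in"
    fi
}

# Number of failing checks for config file $1, printed so callers can test it.
audit_failures() {
    audit_sshd_config "$1" | grep -c '^FAIL' || true
}

# Constructed sample: roughly what the challenge box ran, i.e. the stock file
# with sshd turned on and every directive left at its commented-out default.
weak_config() {
    cat <<'EOF'
# sshd_config as installed, nothing restricted
Protocol 2
#PermitRootLogin yes
#PasswordAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
EOF
}

# Constructed sample: the same file after limiting who may log in.
hardened_config() {
    cat <<'EOF'
Protocol 2
AllowUsers admin
PermitRootLogin no
PasswordAuthentication no
Subsystem sftp /usr/libexec/sftp-server
EOF
}

# Stand-alone demo: run both samples through the audit.
for gen in weak_config hardened_config; do
    f=$(mktemp)
    "$gen" > "$f"
    echo "== $gen: $(audit_failures "$f") failing check(s)"
    audit_sshd_config "$f"
    rm -f "$f"
done
```

Point the audit at the real file with `audit_sshd_config /etc/sshd_config` (or /etc/ssh/sshd_config on later releases). Turning Remote Login off in the Sharing pane is still the first control; this only shows how much is still open once sshd is running.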
2) the built-in firewall in Mac OS X doesn't appear to have been turned on. Nor was this
machine reportedly behind any other kind of firewall. Yes, of course some people are going to connect their Macs
directly to their broadband lines without any kind of firewall or NAT/router in between, but I bet it's a lower number
than you might think. Even a simple layer of NAT is better protection than nothing. Go ahead, Mr. Hacker/Script Kiddie,
you can pound on my router all you want, but without port
forwarding, you're probably not going to get very far unless you hijack the router itself, and then the security
flaw is with the router, not the OS.
Look, I'm not even trying to defend Mac OS X here. Yes, there are
certainly some security vulnerabilities that Apple (and others) have uncovered and then patched. And there are
definitely some that are undisclosed and undiscovered. However, this schmoe's "hacking contest" is
ridiculous. It's like someone parked their car in a public lot and then taped keys to the car all over its hood.
I'm also not saying that us Mac users should ignore security measures. Of course we should pay
attention to the security incidents that come about in Mac OS X, just as we should pay attention to the inevitable
viruses and/or Trojans that will attempt to invade our computing platform. However, these articles are poorly-written
and laughable jokes and now I'm seeing bloggers reposting that "Mac OS X can be hacked in less than 30
minutes" adding to the echo chamber of misinformation. This machine was compromised from the
inside with a known user account and password and
with a granted attack vector (ssh)!
Good sysadmins are paranoid and we're going to
watch the development of our operating system and take measures to protect it as it grows in
popularity. But when it comes to evaluating the security of this operating system, I'm going to pay attention to the
people who work with it every day, not the PC-oriented technologist writers who've likely never even used Mac OS X, let
alone configured its excellent built-in security measures. Such people can be found on the Mac Enterprise and Radmind
mailing lists, AFP548.com, and Apple's Mac OS X Server mailing list, just to name a few. And so far, they're not
running around screaming that the sky is falling (unlike some PC magazine "technologists"), so why should
In the meantime, Mac sysadmin Dave Schroeder at University of Wisconsin Madison has set up a Mac of his
own as an "out-of-the-box" security challenge. You can read more about
it here and even take a shot at compromising it. Note that Dave's Mac security challenge does not give you the
crutch of a user account and ssh access, which is a much more realistic scenario.