Tuesday, March 07, 2006

But Didya Do It? Apple needs to give these "Virus Drag Racers" a ticket!

Many websites are reporting about a "hacker contest" that was recently held in Sweden under very suspicious terms and conditions.

CNet reports on the competition set up by a Sweden-based Mac site called "rm-my-mac". [You know ... that famous site! ...cough cough]

The competition involved setting up a Mac mini as a server and inviting hackers to break in and gain root control.

In actuality, users were allowed to have access to create their own accounts on the machine through a web interface that the "rm-my-mac" site created.

Supposedly, the winner, identified as "Gwerdna", claims that he exploited a "vulnerability that has not yet been made public or patched by Apple Computer." (And claims he won in under 30 minutes!)

Ars Technica exposed the contest and the claimed "unpatched/unknown" exploit further. Their investigation revealed that the contest was suspiciously rigged in that it didn't represent an entirely remote exploit:

From Ars Technica:

The web site author had enabled SSH [which a VERY HIGH % of Mac users do NOT have enabled] ... and added a web-based interface [which a VERY HIGH % of Mac users do NOT have] so that visitors to the site could add their own shell accounts to the system. These shell accounts were given limited user access, so in theory they should not have been able to access or modify any files that were owned by the system or by other accounts. The hacker used a vulnerability in OS X to promote the privileges of this account, thus "gaining root" and becoming able to modify any file on the computer at will.

The University of Wisconsin has posted a rebuttal challenge due to [in their words] "woefully misleading" reporting of this contest and the terms and conditions of its setup:

"...this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box."

I honestly think it's time Apple stepped in and warned people about the consequences of hacking. I think it's time they warned websites that these "hacker contests" are actually illegal. These are essentially "hit men for hire" contests promoting its participants to hack ... hacking without SPECIFIC AUTHORIZATION and EMPLOYMENT to do such is illegal.

Think of it this way.

This is much like a contest asking participants to speed as fast as they can under traffic camera speed traps ... telling anyone who gets through without a ticket wins a prize!

There are legal ways and legal means that you could technically speed and could technically not get a ticket ... i.e. ... doing a documentary (that was cleared by the city where the traffic camera was located). I also suppose you could be an emergency vehicle and break the law.

Point is ... these sites that are suspiciously posting virus threats, virus contests, and bogus news about Apple viruses are doing nothing more than ruining the fun at the expense of their own 15 minutes of "hit fame" for their websites.

What are the consequences?

- The Mac could become more difficult to use.

- Possibly fewer people using Macs will connect to the internet regularly ... thus skewing stats and hurting Apple

- Drastically affect sales of Apple computers to switchers who think Mac OS is safer (and bogusly think that Apple Computers are not safe)

I work in a PC shop as the Apple guy ... just yesterday I was promoting a Mac for sale ... saying that one feature of the Mac is that you don't have the adware, spyware, and viruses that PCs have. One of the owners piped up (in front of my customer) and said, "...but what about all the news those viruses have been getting for Macs lately?" See? See how the uninformed or the ignorant are portraying this?

He was of course referring to these stories:

This worm has teeth

Rumor has it; the 1st Mac Virus is in town


Anonymous said...

I wonder if that guy believes everything he reads and hears, too? Tell him that you saw "gullible" written on the ceiling. Heh heh heh.

FYT said...

link to test at WISCONSIN U:


Anonymous said...

The guy who set up the alternate site at University of Wisconsin has stated that he has permission to do this test. If you read the page he explains why he is doing it. He is doing it to counter some very damaging and misleading "reporting" by ZD. I doubt he would have set it up otherwise.

FYT said...

I'm not complaining (per se) about the Wisconsin U test ... more so about the Swedish website test they are trying to counter.

Although, I find the WU test unnecessary ... what happens if it IS broken into?

Anonymous said...

OSX isn't as secure as we're led to believe, if it is broken into. That's it.