CNet reports on the competition set up by a Sweden-based Mac site called "rm-my-mac". [You know ... that famous site! ...cough cough]
The competition involved setting up a Mac mini as a server and invited hackers to break in and gain root control.
In actuality, users were allowed to have access to create their own accounts on the machine through a web interface that the "rm-my-mac" site created.
Supposedly, the winner, identified as "Gwerdna", claims that he exploited a "vulnerability that has not yet been made public or patched by Apple Computer." (And claims he won in under 30 minutes!)
Ars Technica exposed the contest and the claimed "unpatched/unknown" exploit further. Their investigation revealed that the contest was suspiciously rigged in that it didn't represent an entirely remote exploit:
The web site author had enabled SSH [which a VERY HIGH % of Mac users do NOT have enabled] ... and added a web-based interface [which a VERY HIGH % of Mac users do NOT have] so that visitors to the site could add their own shell accounts to the system. These shell accounts were given limited user access, so in theory they should not have been able to access or modify any files that were owned by the system or by other accounts. The hacker used a vulnerability in OS X to promote the privileges of this account, thus "gaining root" and becoming able to modify any file on the computer at will.
The University of Wisconsin has posted a rebuttal challenge due to [in their words] "woefully misleading" reporting of this contest and the terms and conditions of its setup:
"...this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box."
I honestly think it's time Apple stepped in and warned people about the consequences of hacking. I think it's time they warned websites that these "hacker contests" are actually illegal. These are essentially "hit men for hire" contests promoting its participants to hack ... hacking without SPECIFIC AUTHORIZATION and EMPLOYMENT to do such is illegal.
Think of it this way.
This is much like a contest asking participants to speed as fast as they can under traffic camera speed traps ... telling anyone who gets through without a ticket wins a prize!
There are legal ways and legal means that you could technically speed and could technically not get a ticket ... i.e. ... doing a documentary (that was cleared by the city where the traffic camera was located). I also suppose you could be an emergency vehicle and break the law.
Point is ... these sites that are suspiciously posting virus threats, virus contests, and bogus news about Apple viruses are doing nothing more than ruining the fun at the expense of their own 15 minutes of "hit fame" for their websites.
What are the consequences?
- The Mac could become more difficult to use.
- Possibly fewer people using Macs will connect to the internet regularly ... thus skewing stats and hurting Apple
- It could drastically affect sales of Apple computers to switchers who think Mac OS is safer (and bogusly think that Apple Computers are not safe)
I work in a PC shop as the Apple guy ... just yesterday I was promoting a Mac for sale ... saying that one feature of the Mac is that you don't have the adware, spyware, and viruses that PCs have. One of the owners piped up (in front of my customer) and said, "...but what about all the news those viruses have been getting for Macs lately?" See? See how the uninformed or the ignorant are portraying this?
He was of course referring to these stories:
- This worm has teeth
- Rumor has it; the 1st Mac Virus is in town