The Call is Coming from Inside the Mac!
Clarification: The story has been updated to clarify that participants were given local client access to the target computer.Oh! Local access you say. You say you gave everyone who stumbled in your doorway non-admin user access and a password, eh? And you had your firewall turned off?
So, more or less, the contest consisted of giving people access to the machine via SSH and then asking them if they were idiots. When everyone else said "no," apparently the media was called in to bellow a full-throated "yes." To which panicked bloggers replied, "Holy Crap the sky is falling!" and more or less flew off the handle without bothering to find out more about the so-called hack.
Oh, wait, that was me.
In response to all this foolishness, Dave Schroeder of the University of Wisconsin has posted a legitimate security challenge:
The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open. Email email@example.com if you feel you have met the requirements, along with the mechanism used. The mechanism will then be reported to Apple and/or the entities responsible for the component(s).The first viruses and Trojan horses designed to exploit Mac OS X are out there, sure. But I think people have been over-reacting lately. There's more than a little bit of glee on behalf of non Mac-users who have grown tired of hearing what a secure system it is, and too much defensive protestation on behalf of some Mac users unwilling to admit that their systems aren't completely impregnable. They are neither Fort Knox nor Windows boxes. But what they are is pretty damn good.
Let's see how long Schroeder's page stays up unaltered. My guess is that even with the vulnerabilities he intentionally included, his Friday deadline will come and go with no untoward exploits, despite a lot of trying.
UPDATE:It looks like I'll be eating my words. Schroeder is ending the contest early:
The testing period will be closed at 11:59 PM CST on 7 March 2006 (0559 GMT 8 March 2006). The response has been strong. Test results and information will be published at a future date.