A university systems engineer in Wisconsin is inviting hackers to break into his Mac.
Dave Schroeder, a senior systems engineer at the University of Wisconsin, launched his contest on Monday. An earlier challenge was too easy, he said.
Schroeder is asking hackers to alter the home page hosted on a Mac mini that is running Mac OS X 10.4.5 with the latest security updates. The system has two local accounts, and has SSH and HTTP open — "a lot more than most Mac OS X machines will ever have open", Schroeder said on his Web site.
Originally, the online event was scheduled to end on Friday. But because of the enormous attention, the time for the challenge has been cut short and will now end Tuesday at 2200 PST (0600 GMT on Wednesday), Schroeder said.
"It has been pretty surprising how well the little Mac Mini has stood up. It has taken a pounding," Schroeder said in a telephone interview. "The attention [the contest] has gotten has just exploded. This isn't a real, official test: It is just kind of done in the academic interest."
First contest
In the earlier challenge, an anonymous hacker claimed he was able to
compromise OS X within 30 minutes using an undisclosed vulnerability to
gain root access. However, attackers were given user-level access to
the system, rather than being shut out completely.
"The original challenge allowed any users to have local accounts to access the machine via SSH," Schroeder said in an interview via email. "This is an important distinction, because if you have local — or physical — access to a computer, you have a very distinct leg-up in terms of the ability to escalate your privileges."
Early media reports on the first competition did not call out the fact that attackers were given local access to the system. This irked Schroeder, moving him to launch his own challenge. "The original article left readers with the impression that a Mac OS X machine could be easily hacked into just by being connected to the Internet," he said.
Still, the previous contest was a real challenge, Schroeder said. "Assuming it is genuine, it represents an as-yet-unknown local privilege escalation that would allow any local user to gain root-level access," he said. This could be a serious issue for any setting with shared machines, such as schools, he said.
It could also pose a problem for Web hosting providers that use Apple's operating system, said Johannes Ullrich, chief research officer at SANS Institute. Customers on shared machines need access to update their Web sites. A privilege escalation flaw could let a malicious user with such access gain full control over a system, he said.
The hacker challenges come after weeks of scrutiny of the safety of OS X, prompted by the discovery of two worms, and the disclosure of a vulnerability that was deemed "extremely critical" by security monitoring company Secunia. Security experts are also questioning the effectiveness of Apple's latest patch.
Schroeder plans to sift through the log files of the Mac and publish anything interesting, he said in the phone interview. "I know it is disappointing that it will be ending early to a lot of people."
Earlier on Tuesday, Schroeder said that most of the hacking attempts were from scripts and tools attempting to use common Web exploits, dictionary attacks against SSH, port scans and scans by security tools such as Nessus. On Tuesday morning the site was down briefly due to a denial-of-service attack, he said.
The person who does successfully hack Schroeder's Mac Mini is requested to send him an email describing the attack. Schroeder plans to report that to the appropriate software vendors and will post results after the close of the challenge, he said.
