Academic security
There have been discussions recently around a couple of “hack-a-Mac” challenges that have sprung up in the wake of the recent Mac security scares. These challenges have been quite academic, in multiple meanings of the word.
There have been hack-a-Mac challenges in the past, mainly against Mac OS 9 machines running as Web servers. There was also an ill-advised, quickly withdrawn challenge about a year ago to create a Mac virus. Recently, however, a seemingly bored college student decided to create a challenge that would make it pretty much as easy as possible to hack his Mac. And guess what happened -- yup, his Mac got hacked quite readily. And of course, especially in light of recent events, certain members of the press picked up on this. But this challenge was pretty much just an academic one, because the situation wasn’t “real world” at all. How many people would give, to anyone who wanted it, an account on their Mac that is available remotely over the Internet? Those who do tend to get what they deserve (and apparently he did).
In an effort to set things straight, the University of Wisconsin has launched a real academic Mac OS X security challenge. Even this one, however, presents a non-real-world scenario, although it’s clearly closer to real-world than the previous one. It doesn’t give people accounts on the Mac in question, but it does enable SSH (Remote Login), which definitely makes things a lot easier for hackers (see “Don’t Panic” for an example of how). Most of the Rest of Us shouldn’t enable SSH, but there are a few cases where it might be desirable to do so (although even then, only with the most excellent of passwords and very tight firewall protection). See the section “Remote Login” in chapter 8 of our book. The challenge also enables HTTP (Web service) on the Mac.
This well-thought-out challenge seems like a pretty good idea, even if it’s still not real-world for most of the Rest of Us. It creates a fairly realistic “worst case” scenario of normal Mac usage. It will be interesting to see what we learn from it, and how (and if) future challenges are structured.
Tuesday, March 7, 2006