So the goons at CNet are running a story on a Mac hacking contest trumpeting the results: the Mac in question was hacked in half an hour. However, CNet doesn’t bother to even LINK to the site in question or describe the parameters of the test, making it very hard for people to discover some key facts about this “hacking” event. Here’s the real scoop, and the only piece of information you need to know:
The contest “organizer” gave anyone who asked an account on the machine. This means the contest isn’t about getting access; he gave that out to begin with. It was about escalating privileges from an account the attacker already had, which is much simpler than getting access in the first place. This is why you don’t give user accounts to anyone who asks for one (not that a sane person would, of course, unless they just wanted to get a headline on CNet). It’s also been pointed out that, in addition to handing out accounts, the “host” left every single service running, thereby providing the maximum possible number of opportunities for his new users to vandalize his machine.
Summary? Like the much-ballyhooed Mac malware of last month, it’s a non-event. Is OS X a hardened system capable of withstanding any conceivable attack? No, certainly not. There’s no such creature. Is it manifestly more secure and stable than anything Microsoft makes? Absolutely.
And can we rely on journalists to print inflammatory stories with no background or follow-through? You bet your ass.
Update: There’s a sober and level-headed discussion of the “hack” over at ubergeek news source Ars Technica.