The reputation of the MacOS as the most secure Internet server platform has been enhanced with the conclusion of the Hack-A-Mac challenge.
The Swedish firm Infinit AB, which put up US$13,500 as a prize for anyone who could hack into its MacOS Webserver and change a page, has retired the machine undefeated after two months.
Joakim Jardenberg and Christine Pamp, the two Infinit employees who ran the challenge, say the machine, which they dubbed Hacke, was "a standard Macintosh from the box. We installed WebSTAR, connected it to the Net and placed some Web pages on it. Then we announced a reward to the first person to crack the server and change the content on its pages. We didn't do anything special at all with the server - we didn't place it behind any firewall or make any other security arrangements. The setup was done in less than 30 minutes.
"We wanted to prove that there is an alternative to large and expensive Unix-systems and insecure NT-solutions. An alternative that doesn't require hundreds of hours to set up and that does not need a separate firewall. We wanted to prove that there actually is an off-the-shelf system that is a perfect solution for most companies and organisations and will allow them to have a safe, secure and reliable presence on the net within 30 minutes."
"We are not trying to prove that a MacOS-based solution is right for everyone, but we are saying that it is exactly the right for most of us."
The pair say that observing the attacks on the server has been "very exciting". Initially, hackers sought to exploit known holes in Unix, which, of course, proved fruitless.
"We have also been able to track recent news coverage on NT security flaws by increased attempts to hack our server. Each time a new article appeared about a security problem with the NT OS or server software it was followed by new attacks on Hacke. A lot of crackers out there seem to believe that NT and MacOS have something in common. Hacke didn't respond at all to these attacks."
More knowledgeable crackers sought to break the password to pi_admin, the solution on WebSTAR servers which allows core functions to be handled remotely. There were more than 220,000 unsuccessful attempts to guess the username and the password, but even a successful guess would not have allowed the attacker to change page content.
Attempts to attack the pair's DNS machine, with the aim of moving Hacke to another IP number and then changing the content of the server, failed because the DNS was also running on a Mac. Hackers used to making attacks via the known holes in sendmail were also, alas, disappointed. The mailserver was a Mac too.
The best attacks occurred near the end of the competition. One, which the pair described as "pure social engineering", started when Pamp received an email message apparently from firstname.lastname@example.org, asking whether she could put new text on the front page of Hacke because "I don't have the time to do it myself". The problem? The mail was in English, when the two normally communicate in Swedish.
On the last day of the competition Jardenberg received an email from two Internet users which "seemed to be very polite and helpful. They told us that they had found different types of information that could be very helpful for us. Their enclosures looked like documents but they were in fact small AppleScripts that could have changed Hacke's front page had they been launched on the server. They were easy to spot, but it was a good try!
"The people that wrote the script probably realised that they would not be successful because in the middle of the code we found '!Rats! No $13,000 for me today :('."
Ironically, the high-profile success of the challenge isn't necessarily something for Apple Computer to crow about. The organisers admitted that the server, which used OpenTransport networking, was vulnerable to denial of service attacks such as the "Ping of Death" - a vulnerability set for a fix in the now-scrapped OpenTransport 1.5. Three successful ping attacks in two months produced the server's only outages.
More significant is the fact that Apple is committed to dropping the security of the MacOS in favour of Rhapsody, its own version of the Unix-based (and eminently hackable) NextStep OS. Apple has declined comment on the challenge.
Hacke was accessed by users from IBM, HP, Cray, DEC, SGI, Novell, Boeing, AT&T, and Netscape and received "frequent visits" from NASA and the US Air Force, Army and Navy, and Microsoft Corporation - all of which have had their troubles with Internet security.
The pair promise a new version of the challenge - "Crack-a-Mac: The Next Generation" - will launch in the next few weeks and will "address criticisms against the MacOS as a WebServer platform that were levelled at us during the course of this competition.
"These criticisms include the MacOS's ability to deal with remote administration, to be able to deal with several domains, to have a higher level of interactivity, connections to databases, etc. These are all functions that we know work because we use them on other Mac servers."
A full English-language rundown on Crack-A-Mac is available at
Email can be sent to email@example.com