Comments From: Who wants to know? (firstname.lastname@example.org) >No one cracked this Mac
> There were no winners in the "Crack-a-Mac" contest. A lot of effort >was expended trying to break the password to pi_admin, a remote management >feature on WebStar servers, Infinit said, but "the best attack was pure >social engineering." An apparently internal e-mail asked an employee >to put new text on a Web page. It was spotted immediately, however, as it >was in English and Infinit employees communicate in Swedish. > Ping attacks took the server down a few times during the contest. It >could have been prevented by installing a software router, Infinit >reported on its Web page, but "our priority was to have an easy-to-set-up >server." This ain't necessarily so. There was a winner (twice in fact, but read on). I was following this contest while it was going on 3 or 4 months back, and there actually was one guy who did get in *twice* (the contest was held twice) and was able to change their page. Each time, as part of the rules of the contest, the guy gave full disclosure on how he did it. The first time he did it, he exploited a backdoor in a third-party Filemaker database CGI (lasso), but when he did, he and the Infinit people notified the makers of that package (Blue Planet, Blue World? Something like that) and they patched it before Infinit and this guy (I think he was an aussie) announced their results. He won, fair and square, and they took the responsible steps to fix the problem so it couldn't be used again on anyone else running that same CGI. Now, the real bitch was the second time around. This time the same guy found a way in exploiting a third-party (if I remember right) site maintenance tool that was left running on the box. Long story short, the Infinit people swear they weren't running that app at the time, and accused the guy of not fully disclosing how he did it. They were trying to say that he must have somehow been able to "remotely launch" that app himself which, if memory serves, was impossible. It's as though the people at Infinit had screwed up and left it running themselves, and didn't want to own up to it, after being beat again the second time by the same guy. There was substantial reward money for both trials, and the hacker ended up getting screwed out of the prize money the second time around because of Infinit's pussy way of continually accusing the hacker of non-disclosure about this one part of his hack. A lot of people were pissed off at Infint over this. As far as I was concerned, if he got in and changed their page - there's all the proof you need. He gave a completely rational explanation of what was in place and how he performed the hack, but because Infinit was adamant that they didn't leave this management app running, they said he must be lying, it didn't meet the full criteria for the contest, and therefore he didn't deserve the money. Old news. BTW, That article must be REALLY old cuz' around the time of the second contest, Mac OS 8 was already out and I think they upgraded to the OpenTransport 1.2 which provided protection against PoD DoS attacks. C? p.s. I had been on their contest mailing list at the time, but after that fiasco the second time around I cancelled it and deleted all the messages, otherwise I could be more specific - sorry I forgot the hacker's name.