Comments From: Who wants to know? (curiosity@01.com) 

>No one cracked this Mac



>   There were no winners in the "Crack-a-Mac" contest. A lot of effort
>was expended trying to break the password to pi_admin, a remote management
>feature on WebStar servers, Infinit said, but "the best attack was pure
>social engineering." An apparently internal e-mail asked an employee
>to put new text on a Web page. It was spotted immediately, however, as it
>was in English and Infinit employees communicate in Swedish.
>   Ping attacks took the server down a few times during the contest. It
>could have been prevented by installing a software router, Infinit
>reported on its Web page, but "our priority was to have an easy-to-set-up
>server."

This ain't necessarily so.  There was a winner (twice in fact, but read on).

I was following this contest while it was going on 3 or 4 months back, and
there actually was one guy who did get in *twice* (the contest was held
twice) and was able to change their page.  Each time, as part of the rules
of the contest, the guy gave full disclosure on how he did it.

The first time he did it, he exploited a backdoor in a third-party
Filemaker database CGI (lasso), but when he did, he and the Infinit people
notified the makers of that package (Blue Planet, Blue World?  Something
like that) and they patched it before Infinit and this guy (I think he was
an aussie) announced their results.  He won, fair and square, and they took
the responsible steps to fix the problem so it couldn't be used again on
anyone else running that same CGI.

Now, the real bitch was the second time around.  This time the same guy
found a way in exploiting a third-party (if I remember right) site
maintenance tool that was left running on the box.  Long story short, the
Infinit people swear they weren't running that app at the time, and accused
the guy of not fully disclosing how he did it.  They were trying to say
that he must have somehow been able to "remotely launch" that app himself
which, if memory serves, was impossible.  It's as though the people at
Infinit had screwed up and left it running themselves, and didn't want to
own up to it, after being beat again the second time by the same guy.

There was substantial reward money for both trials, and the hacker ended up
getting screwed out of the prize money the second time around because of
Infinit's pussy way of continually accusing the hacker of non-disclosure
about this one part of his hack.

A lot of people were pissed off at Infint over this.  As far as I was
concerned, if he got in and changed their page - there's all the proof you
need.  He gave a completely rational explanation of what was in place and
how he performed the hack, but because Infinit was adamant that they didn't
leave this management app running, they said he must be lying, it didn't
meet the full criteria for the contest, and therefore he didn't deserve the
money.

Old news.

BTW, That article must be REALLY old cuz' around the time of the second
contest, Mac OS 8 was already out and I think they upgraded to the
OpenTransport 1.2 which provided protection against PoD DoS attacks.

C?

p.s. I had been on their contest mailing list at the time, but after that
fiasco the second time around I cancelled it and deleted all the messages,
otherwise I could be more specific - sorry I forgot the hacker's name.