The University of Wisconsin in Madison was always one of my favourite places to visit - I’d show up to do a demonstration of some cutting-edge-at-the-time thing like AppleScript or Automator or Apple Remote Desktop or Dashcode or Writing Apps with Objective-C, and there’s always be a fun, smart, creative and clever audience on hand. Students, network admin, faculty, always a great group.

(Of course I really hoped somebody would introduce me to Mike Leckrone, the former director of the UW Marching Band, whose book Quicksteps to Arranging taught me what little I know about band arranging, but we could never quite make that work.)

Anyway. There had recently been a somewhat dubious try-to-hack-this-Mac contest that some Europeans had put on, and Dave, an extremely highly respected Mac admin at UW who I kind of knew, was miffed about how it had been handled and the woefully misleading way it had been reported, and decided to set up his own contest.

CNET reported on the coverage of that contest.

Mac OS X hacked in under 30 minutes? Think again A highly questionable article on ZDNet claims that "Mac OS X was hacked in under 30 minutes," in a Swedish contest. The article fails to mention, however, that the Mac OS X system that was "hacked" had an LDAP server setup which was linked to the Mac's naming and authentication services, to let people add their own account on the machine. So the contest allowed the user to create their own account and local SSH access -- a precarious set-up to say the least.

Keen to run a challenge properly, Dave sets up a Mac Mini, running Mac OS 10.4.5 along with the latest security updates, and sets up a simple one-page web site on that machine.

Dave’s Challenge

Here’s the web page, from March 6, 2006. “The challenge is as follows: simply alter the web page on this machine”, it said.

SecurityChallenge Web Page

Dave reported later that after 38 hours, the site was hit over 500,000 times and received more than 4,000 login attempts.

and? what did I notice?

Well …. I noticed one other thing on that page, a minor typo - “reqiurements.”

I figured he’d want to know, and I sent him a quick email, and Dave responded right away.

Email Conversation

Just two minutes after my note - note the times, but Dave was in Central time and I’m in Eastern - he’d fixed the typo.

the altered web page.

Typo fixed!
Now the site looked like this (highlight mine) -

Typo Fixed

I WIN

Well, the challenge was Simply alter the web page on this machine - and it was altered, because of my email. Mac OS Hacked In 2 Minutes! the stories would surely read.

In fairness, nobody did hack the machine via any technical measure and the Mac proudly withstood the hundreds of thousands of attempts. I’m very happy about that. Mac security is pretty strong, even right out of the box.

But sometimes social engineering is stronger.

it’s kind of weird that you still have these emails and screen shots

That is kind of weird, isn’t it? A few days ago I was reminiscing about this 20-year-old stunt, but I couldn’t find any of the emails on my current Mac. I kind of wanted to tell the story, though, and tracked Dave down to see if he remembered it the way I did (and if he’d mind if I told you all about this.)

Dave’s doing great as it turns out, and he does remember this whole thing - and here’s the amazing part.

Somehow, Dave kept a copy of MY KEYNOTE SLIDES that I’d used the next time I presented at Wisconsin where I bragged about this a little. Dave sent me back a copy of my OWN SLIDES from 20 years ago which included before and after screen shots of the web site and the emails we’d exchanged.

I could hardly believe it when he sent these back to me yesterday! and here I thought I was a packrat.

Keynote Slides

Thank you Dave, for having kept this, and for all your hard work as a noted member of the wonderful Mac admin community. I wish you well in your new adventures.

…although your latest email to me said, “No one ever hacked that mini, by the way!”

I respectfully disagree.