Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

One year after Mac hack contest, Linux & Vista may be tested
IT World ^ | 6 February 2008 | Robert McMillan

Posted on 02/08/2008 12:48:03 PM PST by ShadowAce

One year after launching a controversial Macintosh hacking contest, the promoters of the CanSecWest security research conference are thinking about giving hackers another shot at cracking the Mac. Only this time, they're looking to broaden the field.

Last year, show organizers invited attendees to hack into a Macintosh laptop, with the successful hacker winning the computer and a cash prize. But this year they're talking about giving attendees three targets to choose from. "We're thinking of having a contest where we have Vista and OS X and Linux ... and see which one goes first," said Dragos Ruiu, the principal organizer of CanSecWest.

Last year, security researcher Dino Dai Zovi spent a sleepless night hacking his Mac in order to take the prize at the show's first PWN to OWN contest. Dai Zovi found a QuickTime bug that allowed him to run unauthorized software on the Mac once the computer's browser was directed to a specially crafted Web page.

Dai Zovi split the contest prize with a friend at the show, Shane Macaulay, who helped him pull off his attack. Macaulay got to keep the Macbook Pro while Dai Zovi pocketed the US$10,000 put up by 3Com's Tipping Point division in exchange for technical details on the bug.

It turned out that the QuickTime bug affected the Windows operating system too, but Ruiu said that Dai Zovi's hack helped change the way the industry thinks about the Mac OS, which has a reputation for being far more secure than Windows. "We were trying to point out that there was a security issue with Mac stuff here, and everybody was trying to play ostrich."

Ruiu and Dai Zovi say that last year's contest helped kick off a flurry of Mac-related security research, but according to TippingPoint Manager of Security Response Terri Forslof, it also illustrated a security industry truism: "Given enough time and motivation, everything can be broken," she said. "When TippingPoint agreed to purchase whatever vulnerability was used to win the contest for $10,000, it added an appropriate level of motivation. That's how it works."

Shortly after last year's contest, Gartner published a research paper warning that such challenges are "risky endeavors" that could put sensitive vulnerability information out in the public domain.

That hasn't stopped CanSecWest from pressing forward with this year's event.

Ruiu isn't certain that he'll run the three-way hacking contest this year. That's because he also has a grander, top-secret hacking contest idea that may or may not pan out, he said.

Either way, he promised "an interesting spectacle."


TOPICS: Technical
KEYWORDS: linux; osx; vista
Navigation: use the links below to view more comments.
first 1-2021-30 next last
Also, here is the Wired article
1 posted on 02/08/2008 12:48:08 PM PST by ShadowAce
[ Post Reply | Private Reply | View Replies]

To: rdb3; Calvinist_Dark_Lord; GodGunsandGuts; CyberCowboy777; Salo; Bobsat; JosephW; ...

2 posted on 02/08/2008 12:49:51 PM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

I suspect because of its BSD underpinnings Mac will win..


3 posted on 02/08/2008 12:52:03 PM PST by N3WBI3 (Ah, arrogance and stupidity all in the same package. How efficient of you. -- Londo Mollari)
[ Post Reply | Private Reply | To 2 | View Replies]

To: Swordmaker; HAL9000

Mac interest Ping?


4 posted on 02/08/2008 12:54:34 PM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 2 | View Replies]

To: N3WBI3

...if the Mac developers have a good tester base and do security upgrades often enough. Do many Mac users do prompt PRs (bug reports) containing relevant information?


5 posted on 02/08/2008 12:57:57 PM PST by familyop
[ Post Reply | Private Reply | To 3 | View Replies]

To: familyop

Per Apple, yes. And the underlying OS is actually Open Source (Darwin) so lots of eyes are looking at the code.


6 posted on 02/08/2008 1:06:30 PM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)
[ Post Reply | Private Reply | To 5 | View Replies]

To: ShadowAce

Vista will be hacked in under 30 minutes.

And that maybe even after the first crutch: SP1


7 posted on 02/08/2008 1:06:46 PM PST by Maneesh
[ Post Reply | Private Reply | To 2 | View Replies]

To: Maneesh

Vista will be hacked in under 15 minutes, without any operator at the keyboard. There’s multiple TCP/IP stack exploits where a remote hacker can take over the machine.

Note that the Mac bug exploit required the user’s intervention to occur - the user had to go to a compromised web page first. If the Mac was just sitting there unattended, nothing would have happened.

Vista (and ALL other MS OSes) are not so lucky.


8 posted on 02/08/2008 1:12:16 PM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)
[ Post Reply | Private Reply | To 7 | View Replies]

To: Maneesh

Forgot to mention. If they *do* allow user interaction, the record for a Vista box getting “pwned” is *under* 60 seconds.


9 posted on 02/08/2008 1:13:45 PM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)
[ Post Reply | Private Reply | To 7 | View Replies]

To: Spktyr

Secunia doesn’t list Vista as having any unpatched vulnerabilities. Of the unpatched Mac vulnerabilities, none involve system access (only DoS and privilege escalation). These contests involve fully patched and protected machines, not out-of-the-box installations.

I’d suspect the choice of which to attack depends on the Linux build they’re offering. If the attacker can select, I’d guess they’d go with an easier target like Red Hat.


10 posted on 02/08/2008 1:36:10 PM PST by flintsilver7
[ Post Reply | Private Reply | To 8 | View Replies]

To: flintsilver7

Secunia is missing at least two that I’m aware of. Why? Because two of my users with “fully patched” Vista laptops came back from a convention with pwned laptops.


11 posted on 02/08/2008 1:37:41 PM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)
[ Post Reply | Private Reply | To 10 | View Replies]

To: flintsilver7

Secunia is not a completely trustworthy source IMHO.

They’re a bit too marketing and pr driven.


12 posted on 02/08/2008 1:54:49 PM PST by D-fendr (Deus non alligatur sacramentis sed nos alligamur.)
[ Post Reply | Private Reply | To 10 | View Replies]

To: ShadowAce

Let’s just sum up the obvious comments that will accompany this article:

Posters who say the Mac will never be hacked.

Posters that say that the Linux machine will never be hacked.

Competing Apple/Linux users who will claim that the Windows machine will be hacked in a time that will vary only in how low each poster can make the number.

In other words, the IQ of this thread will go right to zero and the number of postings will go to about 600.

Flaming fanaticism does that.


13 posted on 02/08/2008 2:03:11 PM PST by VanDeKoik (George Washington 2008)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Spktyr

Is this recent? I know there are critical flaws that are supposed to be addressed on Tuesday. It’s possible, although highly unlikely, that these flaws were exploited. I say this because hackers are generally reactive and only attack systems after Microsoft patches them along with the information on precisely what the vulnerability is. To my knowledge they haven’t released what the exact issues are - just that they are critical.


14 posted on 02/08/2008 2:06:34 PM PST by flintsilver7
[ Post Reply | Private Reply | To 11 | View Replies]

To: D-fendr

That may be true, but outside of Security Focus nobody else really does what they do. I don’t see why they have anything to gain or lose from what they do.


15 posted on 02/08/2008 2:07:57 PM PST by flintsilver7
[ Post Reply | Private Reply | To 12 | View Replies]

To: flintsilver7

Yeah, my users came back today with the exploited laptops.


16 posted on 02/08/2008 2:16:34 PM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)
[ Post Reply | Private Reply | To 14 | View Replies]

To: flintsilver7

They tend to overhype and mischaracterise threats. In order to get headlines, promote their name, and scare up more sales of their product.


17 posted on 02/08/2008 2:43:28 PM PST by D-fendr (Deus non alligatur sacramentis sed nos alligamur.)
[ Post Reply | Private Reply | To 15 | View Replies]

To: ShadowAce
Thought this was interesting:

Torvalds: Leopard is worse than Vista in ways smh.com.au — Apple's much-touted new operating system, OS X Leopard, is in some ways worse than Windows Vista, says the founder of the Linux open source project, Linus Torvalds.

"I don't think they're equally flawed - I think Leopard is a much better system," he said. "(But) OS X in some ways is actually worse than Windows to program for. Their file system is complete and utter crap, which is scary."

http://www.smh.com.au/news/technology/torvalds-pans-apples-os-x/2008/02/05/1202090393959.html

18 posted on 02/08/2008 2:45:20 PM PST by VeniVidiVici (Benedict Arnold was against the Terrorist Surveillance Program)
[ Post Reply | Private Reply | To 1 | View Replies]

To: 1234; 50mm; 6SJ7; Abundy; Action-America; af_vet_rr; Aggie Mama; afnamvet; Alexander Rubin; ...
Linux, Vista, Leopard... Oh, My... PING!

Hacker challenge to include all three magor OSes this year... last year it was just OSX.

If you want on or off the Mac Ping List, Freepmail me.

19 posted on 02/08/2008 4:47:20 PM PST by Swordmaker (We can fix this, but you're gonna need a butter knife, a roll of duct tape, and a car battery.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: VeniVidiVici

The amusing thing is that Mac OS X already uses a UNIX file system (as an option) and is moving to something that everyone else loves but Torvalds hates - ZFS.


20 posted on 02/08/2008 4:47:34 PM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)
[ Post Reply | Private Reply | To 18 | View Replies]


Navigation: use the links below to view more comments.
first 1-2021-30 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson