One year after Mac hack contest, Linux & Vista may be tested
IT World ^ | 6 February 2008 | Robert McMillan

Posted on 02/08/2008 12:48:03 PM PST by ShadowAce

One year after launching a controversial Macintosh hacking contest, the promoters of the CanSecWest security research conference are thinking about giving hackers another shot at cracking the Mac. Only this time, they're looking to broaden the field.

Last year, show organizers invited attendees to hack into a Macintosh laptop, with the successful hacker winning the computer and a cash prize. But this year they're talking about giving attendees three targets to choose from. "We're thinking of having a contest where we have Vista and OS X and Linux ... and see which one goes first," said Dragos Ruiu, the principal organizer of CanSecWest.

Last year, security researcher Dino Dai Zovi spent a sleepless night hacking his Mac in order to take the prize at the show's first PWN to OWN contest. Dai Zovi found a QuickTime bug that allowed him to run unauthorized software on the Mac once the computer's browser was directed to a specially crafted Web page.

Dai Zovi split the contest prize with a friend at the show, Shane Macaulay, who helped him pull off his attack. Macaulay got to keep the MacBook Pro while Dai Zovi pocketed the US$10,000 put up by 3Com's TippingPoint division in exchange for technical details on the bug.

It turned out that the QuickTime bug affected the Windows operating system too, but Ruiu said that Dai Zovi's hack helped change the way the industry thinks about the Mac OS, which has a reputation for being far more secure than Windows. "We were trying to point out that there was a security issue with Mac stuff here, and everybody was trying to play ostrich."

Ruiu and Dai Zovi say that last year's contest helped kick off a flurry of Mac-related security research, but according to TippingPoint Manager of Security Response Terri Forslof, it also illustrated a security industry truism: "Given enough time and motivation, everything can be broken," she said. "When TippingPoint agreed to purchase whatever vulnerability was used to win the contest for $10,000, it added an appropriate level of motivation. That's how it works."

Shortly after last year's contest, Gartner published a research paper warning that such challenges are "risky endeavors" that could put sensitive vulnerability information out in the public domain.

That hasn't stopped CanSecWest from pressing forward with this year's event.

Ruiu isn't certain that he'll run the three-way hacking contest this year. That's because he also has a grander, top-secret hacking contest idea that may or may not pan out, he said.

Either way, he promised "an interesting spectacle."


TOPICS: Technical
KEYWORDS: linux; osx; vista
To: Spktyr
The amusing thing is that Mac OS X already uses a UNIX file system (as an option)

But normally it's HFS+, and that's what OS X works best with. ZFS would be fun, especially since it could allow Time Machine to only back up changed blocks of a file instead of the whole file (like when a VM drive image gets one byte changed).

21 posted on 02/08/2008 5:06:15 PM PST by antiRepublicrat

To: ShadowAce

The Windows machine will be hacked quickly. Linux and Mac will have to invite the hackers to the machine, logged on as root, in order to do any damage.


22 posted on 02/08/2008 5:07:46 PM PST by Paul Heinzman (This Kool-Aid tastes kinda funny to me.)

To: VanDeKoik
Posters who say the Mac will never be hacked.

Why would anybody say that since the Mac was successfully hacked in the previous challenge? Of course it didn't happen until they relaxed the rules a bit.

23 posted on 02/08/2008 5:08:54 PM PST by antiRepublicrat

To: ShadowAce
"Last year, security researcher Dino Dai Zovi spent a sleepless night hacking his Mac in order to take the prize at the show's first PWN to OWN contest. Dai Zovi found a QuickTime bug that allowed him to run unauthorized software on the Mac once the computer's browser was directed to a specially crafted Web page."

Last year's contest was only won after the sponsors decided to relax the rules after a singular lack of success in hacking an out-of-the-box, but updated, OS X Mac. The new rules allowed the hackers to direct the contest referees to navigate the target computer, using a standard user account, to a specific website and click on a specified JavaScript file. The initial vulnerability was actually in Java, which then used a vulnerability in QuickTime.

The winners also did not gain full access to the Mac... they did not achieve ROOT... and the prize for that goal went unclaimed. Contrary to the statements in other articles, they did not succeed in installing software that could impact system files on the target Mac... nor could they add or delete applications to the system's Application folder. They only achieved user level access and were able to place a text file in the user's document folder. The access they achieved allowed them to modify and/or delete the user's files - which for that user is very bad - but could not modify or even see other users' files.

24 posted on 02/08/2008 5:23:44 PM PST by Swordmaker (We can fix this, but you're gonna need a butter knife, a roll of duct tape, and a car battery.)

To: Swordmaker

You keep up with this more than me, but IIRC, didn’t they have to relax the rules significantly for the Mac hack to be successful?


25 posted on 02/08/2008 5:27:37 PM PST by Richard Kimball (Sure, they'd love to kill me, as long as they can do it without admitting I exist)

To: Richard Kimball
You keep up with this more than me, but IIRC, didn’t they have to relax the rules significantly for the Mac hack to be successful?

YRC... however, the modified rule attack was successful in a limited way.

26 posted on 02/08/2008 5:35:09 PM PST by Swordmaker (We can fix this, but you're gonna need a butter knife, a roll of duct tape, and a car battery.)

To: Spktyr

Everyone hates ZFS? That's news to me..


27 posted on 02/08/2008 6:08:42 PM PST by N3WBI3 (Ah, arrogance and stupidity all in the same package. How efficient of you. -- Londo Mollari)

To: N3WBI3
Everyone hates ZFS? That's news to me..

I think he said "Everybody loves ZFS but Torvald hates"...

28 posted on 02/08/2008 6:52:19 PM PST by Swordmaker (We can fix this, but you're gonna need a butter knife, a roll of duct tape, and a car battery.)

To: N3WBI3

No... read that again.

Everyone loves ZFS, except Torvalds. I’m not at all sure why he hates it so much.


29 posted on 02/08/2008 7:20:46 PM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)

To: Swordmaker

Y’know what this means? Vista is finally gaining enough market share to be of interest to hackers. /smirk /smirk


30 posted on 02/09/2008 3:51:22 PM PST by SunkenCiv