Mac Hack Contest Redux

narramissic writes "Remember the controversial Mac hacking contest from last year's CanSecWest conference? No? Here's a refresher: Conference organizers challenged attendees to hack into a Macintosh laptop, with the successful hacker winning the computer and a cash prize. Winner Dino Dai Zovi found a QuickTime bug that allowed him to run unauthorized software on the Mac once the computer's browser was directed to a specially crafted Web page. Well, the contest is back again this year, but with a twist, says Dragos Ruiu, the principal organizer of CanSecWest: 'We're thinking of having a contest where we have Vista and OS X and Linux ... and see which one goes first.""

easy

[jim.hansson (1181963)]

http://slashdot.org/firehose.pl?op=view&id=508230 [slashdot.org]

how about a taste test

[gandhi_2 (1108023)]

where you have to try apples, oranges, and beef jerky and decide which one tastes "best".

out of the box linux? Is there really such a thing? Ubuntu OEM, knoppix? That's a pretty wide range here.

Re:

[cheater512 (783349)]

I wouldnt call this a apples to oranges comparison.
They are all common operating systems and they all fulfill the same purpose.

Although they'd probably have to do a handful of Linux boxes to ensure that problems aren't distro specific.

Re:

[mrxak (727974)]

I'd expect most people will try mac and linux, however many boxes they have. Everybody already knows you can hack Vista no problem, there's not much challenge in it, so they will concentrate on the ones with the higher perceived security. Never underestimate people's desire for glory.

Re:

[toadlife (301863)]

Everybody already knows you can hack Vista no problem

Ok. How?

Re:

[calebt3 (1098475)]

Click the 'x' in the top corner of the login screen. Oh wait...

Prediction

[flaming error (1041742)]

> the successful hacker winning the computer and a cash prize I'm betting somebody's taking home a Windows machine.

Wrong!

[EmbeddedJanitor (597831)]

The Vista computer won't get hacked because nobody will want to take it home!

Re:Prediction

[Nerdfest (867930)]

The outcome would be dependent on whether or not the Vista machine has already booted up. If not, attacking the other 2 gives you a decent head-start.

Re:Prediction

[LiquidCoooled (634315)]

There is already a trojan available for vista, however noone is infected because its not finished copying over the network yet.

Re:Prediction

[by Anonymous Coward]

Sorry that's my fault, let me turn my sound off.

Default Install

[Archangel Michael (180766)]

I'd make sure that each was installed to default configuration. No tweaking allowed.

Vista installed from DVD default/recommended choices where possible on installation screens. Same with Ubuntu, and Mac OS/X. Any deviations noted. Any extra software installed must be available on all three platforms.

Just to make it "fair".

Re:Default Install

[calebt3 (1098475)]

I'd say that allowing updates to be installed would be fair.

Re:Default Install

[hairyfeet (841228)]

That isn't really a real world test. I mean,come on,who in the hell would use a windows box with NOTHING on it? With Apple and just about any Linux,you would have everything you need to get work done,but on windows you'll need at LEAST some form of office software,along with adobe reader,and usually Nero or whatever came with the burner.

As a pc repairman that has been fixing windows boxes for over a decade,I can tell you that no matter what ELSE they have installed,they ALWAYS have some sort of office(even if it is just MSWorks) along with Adobe reader and either Nero or Roxio burning software.I don't think I've ever seen a box brought in that didn't have those,so for a real world test I would suggest MS Office 2K3(as that is what I've seen on the most machines) along with adobe reader and Nero or Roxio burning software. That would be a truly fair test.

Besides,if you never actually USE the machine,I doubt you'll be hacked.But most people actually want to DO things with their pc,and with windows that means at the very least a couple of pieces of software. But I doubt it'll make much difference anyway.The windows will be pwned the quickest,just like always.Vista just may take a little longer. Cancel or Allow?

Re:

[stephanruby (542433)]

At the very least, the Vista computer should be an emachine, or have AOL preloaded on it. A computer designed to meet the adware needs of its corporate-manufacturers over the needs of its owner should give us a much more realistic exercise. After all, what are botnets made up of? Cheap preloaded computers purchased at Best Buy/Walmart? Or computers assembled from scratch / or purchased through one's IT department through Dell ?

Re:

[Calinous (985536)]

Sure "OpenBSD has had one remote exploit in the default install in its history"

Since you've heard, the number of OpenBSD remote exploit holes doubled

"fair" would be "what users need"

[SuperBanana (662181)]

Vista installed from DVD default/recommended choices where possible on installation screens. Same with Ubuntu, and Mac OS/X. Any deviations noted. Any extra software installed must be available on all three platforms. Just to make it "fair".

When is the last time you left an OS in its default configuration?

A fair configuration is one in which all tested operating systems provide as identical as possible feature sets, including all the features the majority of people like to use. Like printer and file sharing, for example.

It's also not fair to include, for example, NoScript- that breaks a ton of websites out of the box until you whitelist sites. Likewise for not including Flash as part of the package. An even more relevant example: the necessary firewall rules to allow IM (and file transfers.)

Re:"fair" would be "what users need"

[CannonballHead (842625)]

I think this is an excellent point.

Default windows configuration is defaulted to... well, a very compatible set of options.

Not having actually done a Mac install, I don't know what the default is.

A default Linux partition, depending on the flavor, could be pretty minimal...

Here's what I think would make it more fair: make all the operating systems able to do the same things. Presumably, the normal Mac user, at some point, will want to opens a windows media file and an Office 2007 file. The typical Windows user will use quicktime at some point, and thus have it installed and have its possible security holes, too.

Otherwise, I could create a Linux distro that is THE safest operating system EVER... and just not let you do anything, no network connectivity, etc. Pretty safe! And useless.

What about Quicktime?

[yabos (719499)]

That comes on OS X by default but to make Windows equal in potential flaws you have to install it on Windows too. Stuff like that gets complicated fairly fast. Quicktime shares code between OS X and Windows and most of the recent flaws regarding rtsp were the same result on either platform which was DOS or potential execution of arbitrary code.

Re:

[QuantumG (50515)]

Quicktime comes with Firefox these days .. I've lost count of the number of times I've seen Quicktime crash Firefox.. every time I think "I bet that is exploitable", but, ya know, I'm too lazy to bother looking.

What will be the GNU/Linux prize?

[by Anonymous Coward]

The 386 it was installed on?

Re:What will be the GNU/Linux prize?

[Enoxice (993945)]

The toaster it was installed on?

Fixed.

Re:

[calebt3 (1098475)]

The complete list [uncyclopedia.org]

Begs The question

[realthing02 (1084767)]

Before the sea of "vista sucks" comments, I'm going to ask this question:

When vista inevitably goes first, who is going to want it? I assume it must be a good enough computer to actually run vista, so lets all take guesses at the OS loaded onto it after it's "pwnd".

It doesn't beg any question...

[by Anonymous Coward]

...and you damn well know it. You guys are deliberately baiting the language nazis - there's no way you could *still* be ignorant of what this phrase means.

Obvious misleading conclusions

[Secret Rabbit (914973)]

I think it's obvious the nonsense that'll come out of this. People will say, x OS is more insecure than y and z because it fell first/so quickly. Regardless of the skewed skill/effort that went into breaking it.

This "twist" is bullshit.

Poor subnet

[cruelworld (21187)]

I feel so bad for that subnet. So many idiots who will just sit there and hammer it endlessly hoping that some magical 'hacking' will occur.

I'd like to see stats on effort per platform

[SuperBanana (662181)]

We're thinking of having a contest where we have Vista and OS X and Linux ... and see which one goes first.

What I'd be most interested in is a survey of contestants as to their platform experience, and how focused they intend to be on attacking the different platforms. That part could be wildly unscientific, but could be interesting if everyone answers openly.

Couple that with some good logs of network activity, to see how focused attacks are on the various systems.

For example, it could turn out that nobody goes for the supposed low hanging fruit, and everyone tries to target the Mac...or an OpenBSD box, if they bring one. Etc.

Lopsided...

[msauve (701917)]

This hardly seems like a fair test, for what the results are implied to indicate.

I'll predict that Vista goes down first, because there are more Windows programmers out there than Mac/*nix. Time-to-first-hack isn't a valid measure of OS robustness.

That probably won't be a popular statement here on /. , but oh well.

Re:

[geekoid (135745)]

Yes, but the skill and motivation to hack OSX is much higher. The person who can exploit OSX in a meaningful way would get a lot of prestige from the '*hat' community.

Besides, that involves a logical fallacy. Basically be your statement to be true, they must ahve the same architecture, developed by people od equal skill use the same project management style and the same QA.

Re:

[QuantumG (50515)]

No-one gives a shit about desktop security, let alone Mac-OS desktop security. Businesses pay for security analysis.. of server apps.

Re:

[mgblst (80109)]

Rare? Diamonds are rare, yet I see them daily.

Diamons aren't rare, only the stupid really believe this - why do you think diamonds are rare, because they are marketed to you as such. Diamonds are carefully controlled, so they a huge amount don't flood the market, but that doesn't make them rare.

It would be more interesting to have

[Babu 'God' Hoover (1213422)]

all the contestants attack each of the three systems with the winner given his choice of the systems.

Vista would be first

[tsotha (720379)]

Even if it were the most secure, Vista would be first. I'm sure there are kits you can buy from shady groups in Eastern Europe or Russia that will do the trick immediately. If Vista doesn't already have the highest market share, it will at some point. So if you make hacking kits for organizations that make botnets you're gonna crack Vista first.

Re:

[Idiot with a gun (1081749)]

Except... many important servers run on Linux. So while lots of malware exists for Vista/XP, lots of people around the world really do make attempts at assaulting Linux boxes. More often than not, I believe, success is based upon attacking weaknesses in the software installed on said box. (Which one can argue that a properly maintained *nix box has a better chance of surviving, because of the continual security updates for all of its software).

Re:

[tsotha (720379)]

Oh, I'm sure Linux boxes are subject to attacks as well. I just think, as a nefarious writer of cracking software, you'd have to believe your time is better spent cracking Windows than Linux. And I don't believe servers are the most profitable boxes to hack anymore - keyloggers to swindle online banking users are probably the big moneymakers.

*BSD!

[QuickFox (311231)]

What about *BSD? This contest is grossly unfair unless a *BSD is included!

Hehe. Let's see them try to pwn that one.

Re:*BSD!

[CapsaicinBoy (208973)]

Ummm. OSX is just NeXTstep v5 (or 6 by now?), and NeXTstep is a flavor of BSD.

Please turn in your geek card on the way out.

http://en.wikipedia.org/wiki/Image:Unix_history.en.svg [wikipedia.org]

TFA doesn't say

[Cajun Hell (725246)]

Who is operating each machine? I need their email addresses. I want to send them some programs, and my "hack" is that the programs will come with instructions to the operator: please execute this attachment.

My understanding is that for Windows, I just need to have the filename end with .exe. For MacOS, I need it to end with .dmg. For Linux, I need to train the user how to use chmod.

Re:

[Al_Lapalme (698542)]

Hehehe... Copy to desktop; right click->properties - check 'executable' and then run.

Can't wait to see those vacation pictures!!!

Ahhh f*ck.

Re:

[toadlife (301863)]

For Linux, I need to train the user how to use chmod.

Naw. Assuming it will be a functional equivalent of Windows and OS X, it should be running KDE, which means it will have support for archives (Ark) built into it. Just send 'em an archived shell script with the execute bit already set. Alternatively, you can send them your payload in some sort of package format, like RPM.

stupid test

[EdelFactor19 (732765)]

this doesn't measure the security of the OS
it measures the stupidity of the user

your program can be a one liner on any of the machines.

just a freaking script that says "delete *.*"
or you coudl see who has passwordless sudo and go sudo rm /*
and that will do on any *nix pretty much

again we are testing the OS not the STUPID USER AT THE WHEEL

Re:TFA doesn't say

[Shados (741919)]

Try this for giggles. Have a Vista machine. Send them an email with an exe file. Try and get them to execute it. Good luck. If you manage that, try the same exercise by MSN Messenger. At that point, even I am not sure I can do it without googling, and even then its tricky. Vista is a b**** when it comes to running EXEs received by email or MSN.

OSX, Linux, Vista

[by Anonymous Coward]

If I were to enter such a contest I would target OSX first, then Linux and Finally vista.

OSX is first because apple has been hideing behind security by obscurity for too long. I have seen no evidence that suggests OSX gets it any more than Microsoft did.

Linux next because source code is avaliable... and while clever hits without source are sometimes easier you just might get lucky walking the ususal paths and find something exploitable.

MS has been more or less awake from the security perspective for years

To make it fair.

[Higaran (835598)]

I think all each team should have to hack all 3 computers, and the first team to do so gets to pick, and then the seconed picks the next one and then the thrid gets the last one. So that equal energy goes into hacking each unit, and each team will learn something about a system they probably didn't know, and isn't that what this whole thing is about, learing something.

These contests provide limited information...

[argent (18001)]

While they may help reveal specific information about vulnerabilities, which is good, they don't provide much useful information about the security of the systems being attacked.

Re:Potential for rigging

[Decado (207907)]

I would have said that the challenge pretty much amounts to saying "The next OS we find a vulnerability for is the weakest". In the long term it is a meaningless piece of data. If we hear about a new exploit for any OS tomorrow it means nothing, you have to look at long term trends to find a correct answer.

Re:

[Murphy Murph (833008)]

The problem with the "let's see which OS cracks first" approach is that Microsoft, Apple or maybe even Novell would bribe participants to focus their efforts on their competitor's OS.

And thus another window into how I don't think like some other people. Sure I guess the idea is possible - but to instantly assume all actors are bad actors shows a fundamental distrust of humans I find frightening.

Re:

[The Mighty Buzzard (878441)]

You obviously don't know very many humans then. Of course you are posting on /. so I suppose that's to be expected.

Re:

[HiThere (15173)]

Actually, Vista may be the last standing. I'm not saying it's the most secure, but it's the most unknown. And if you were a Black Hat who had developed a route into Vista, I'm sure there are more profitable ways of exploiting your ingenuity.