
Mac Hack Contest Redux

Posted by samzenpus on Wednesday February 06, @07:23PM
from the what-breaks-first dept.
narramissic writes "Remember the controversial Mac hacking contest from last year's CanSecWest conference? No? Here's a refresher: Conference organizers challenged attendees to hack into a Macintosh laptop, with the successful hacker winning the computer and a cash prize. Winner Dino Dai Zovi found a QuickTime bug that allowed him to run unauthorized software on the Mac once the computer's browser was directed to a specially crafted Web page. Well, the contest is back again this year, but with a twist, says Dragos Ruiu, the principal organizer of CanSecWest: 'We're thinking of having a contest where we have Vista and OS X and Linux ... and see which one goes first.'"

  • easy (Score:5, Interesting)

    by jim.hansson (1181963) on Wednesday February 06, @07:27PM (#22327732)
  • Prediction (Score:3, Funny)

    by flaming error (1041742) on Wednesday February 06, @07:28PM (#22327746) Journal
    > the successful hacker winning the computer and a cash prize

    I'm betting somebody's taking home a Windows machine.
  • Default Install (Score:5, Insightful)

    by Archangel Michael (180766) on Wednesday February 06, @07:29PM (#22327760) Journal
    I'd make sure that each was installed to default configuration. No tweaking allowed.

    Vista installed from DVD default/recommended choices where possible on installation screens. Same with Ubuntu, and Mac OS/X. Any deviations noted. Any extra software installed must be available on all three platforms.

    Just to make it "fair".
    • Re:Default Install (Score:4, Insightful)

      by calebt3 (1098475) on Wednesday February 06, @07:34PM (#22327812) Homepage
      I'd say that allowing updates to be installed would be fair.
        • Re:Default Install (Score:4, Insightful)

          by hairyfeet (841228) <bassbeast1968@gLIONmail.com minus cat> on Thursday February 07, @12:11AM (#22330182)
          That isn't really a real world test. I mean, come on, who in the hell would use a Windows box with NOTHING on it? With Apple and just about any Linux, you would have everything you need to get work done, but on Windows you'll need at LEAST some form of office software, along with Adobe Reader, and usually Nero or whatever came with the burner.

          As a PC repairman that has been fixing Windows boxes for over a decade, I can tell you that no matter what ELSE they have installed, they ALWAYS have some sort of office (even if it is just MSWorks) along with Adobe Reader and either Nero or Roxio burning software. I don't think I've ever seen a box brought in that didn't have those, so for a real world test I would suggest MS Office 2K3 (as that is what I've seen on the most machines) along with Adobe Reader and Nero or Roxio burning software. That would be a truly fair test.

          Besides, if you never actually USE the machine, I doubt you'll be hacked. But most people actually want to DO things with their PC, and with Windows that means at the very least a couple of pieces of software. But I doubt it'll make much difference anyway. The Windows will be pwned the quickest, just like always. Vista just may take a little longer. Cancel or Allow?

    • "fair" would be "what users need" (Score:5, Insightful)

      by SuperBanana (662181) on Wednesday February 06, @07:40PM (#22327878)

      > Vista installed from DVD default/recommended choices where possible on installation screens. Same with Ubuntu, and Mac OS/X. Any deviations noted. Any extra software installed must be available on all three platforms. Just to make it "fair".

      When is the last time you left an OS in its default configuration?

      A fair configuration is one in which all tested operating systems provide as identical as possible feature sets, including all the features the majority of people like to use. Like printer and file sharing, for example.

      It's also not fair to include, for example, NoScript - that breaks a ton of websites out of the box until you whitelist sites. Likewise for not including Flash as part of the package. An even more relevant example: the necessary firewall rules to allow IM (and file transfers.)

      • Re:"fair" would be "what users need" (Score:4, Interesting)

        by CannonballHead (842625) on Wednesday February 06, @07:48PM (#22327980)

        I think this is an excellent point.

        Default Windows configuration is defaulted to... well, a very compatible set of options.

        Not having actually done a Mac install, I don't know what the default is.

        A default Linux partition, depending on the flavor, could be pretty minimal...

        Here's what I think would make it more fair: make all the operating systems able to do the same things. Presumably, the normal Mac user, at some point, will want to open a Windows Media file and an Office 2007 file. The typical Windows user will use QuickTime at some point, and thus have it installed and have its possible security holes, too.

        Otherwise, I could create a Linux distro that is THE safest operating system EVER... and just not let you do anything, no network connectivity, etc. Pretty safe! And useless.

      • Re: (Score:3, Interesting)

        Quicktime comes with Firefox these days .. I've lost count of the number of times I've seen Quicktime crash Firefox.. every time I think "I bet that is exploitable", but, ya know, I'm too lazy to bother looking.
  • by Anonymous Coward on Wednesday February 06, @07:30PM (#22327768)
    The 386 it was installed on?
  • Begs The question (Score:3, Funny)

    by realthing02 (1084767) on Wednesday February 06, @07:30PM (#22327778)
    Before the sea of "vista sucks" comments, I'm going to ask this question:

    When Vista inevitably goes first, who is going to want it? I assume it must be a good enough computer to actually run Vista, so let's all take guesses at the OS loaded onto it after it's "pwnd".
  • Obvious misleading conclusions (Score:5, Insightful)

    by Secret Rabbit (914973) on Wednesday February 06, @07:38PM (#22327854) Journal
    I think it's obvious the nonsense that'll come out of this. People will say, x OS is more insecure than y and z because it fell first/so quickly. Regardless of the skewed skill/effort that went into breaking it.

    This "twist" is bullshit.
  • by SuperBanana (662181) on Wednesday February 06, @07:45PM (#22327940)

    > We're thinking of having a contest where we have Vista and OS X and Linux ... and see which one goes first.

    What I'd be most interested in is a survey of contestants as to their platform experience, and how focused they intend to be on attacking the different platforms. That part could be wildly unscientific, but could be interesting if everyone answers openly.

    Couple that with some good logs of network activity, to see how focused attacks are on the various systems.

    For example, it could turn out that nobody goes for the supposed low hanging fruit, and everyone tries to target the Mac...or an OpenBSD box, if they bring one. Etc.

  • Vista would be first (Score:4, Insightful)

    by tsotha (720379) on Wednesday February 06, @08:03PM (#22328132)
    Even if it were the most secure, Vista would be first. I'm sure there are kits you can buy from shady groups in Eastern Europe or Russia that will do the trick immediately. If Vista doesn't already have the highest market share, it will at some point. So if you make hacking kits for organizations that make botnets you're gonna crack Vista first.
    • Re: (Score:3, Insightful)

      Except... many important servers run on Linux. So while lots of malware exists for Vista/XP, lots of people around the world really do make attempts at assaulting Linux boxes. More often than not, I believe, success is based upon attacking weaknesses in th
      • Re: (Score:3, Interesting)

        Oh, I'm sure Linux boxes are subject to attacks as well. I just think, as a nefarious writer of cracking software, you'd have to believe your time is better spent cracking Windows than Linux. And I don't believe servers are the most profitable boxes to h

  • TFA doesn't say (Score:5, Funny)

    by Cajun Hell (725246) on Wednesday February 06, @08:17PM (#22328252) Homepage Journal

    Who is operating each machine? I need their email addresses. I want to send them some programs, and my "hack" is that the programs will come with instructions to the operator: please execute this attachment.

    My understanding is that for Windows, I just need to have the filename end with .exe. For MacOS, I need it to end with .dmg. For Linux, I need to train the user how to use chmod.

    • Re:TFA doesn't say (Score:5, Interesting)

      by Shados (741919) on Wednesday February 06, @10:05PM (#22329326)
      Try this for giggles. Have a Vista machine. Send them an email with an exe file. Try and get them to execute it. Good luck. If you manage that, try the same exercise by MSN Messenger. At that point, even I am not sure I can do it without googling, and even then it's tricky. Vista is a b**** when it comes to running EXEs received by email or MSN.
    • Re:Potential for rigging (Score:5, Insightful)

      by Decado (207907) on Wednesday February 06, @07:39PM (#22327870)
      I would have said that the challenge pretty much amounts to saying "The next OS we find a vulnerability for is the weakest". In the long term it is a meaningless piece of data. If we hear about a new exploit for any OS tomorrow it means nothing; you have to look at long term trends to find a correct answer.
    • Re: (Score:3, Insightful)

      Yes, but the skill and motivation to hack OSX is much higher. The person who can exploit OSX in a meaningful way would get a lot of prestige from the '*hat' community.

      Besides, that involves a logical fallacy. Basically for your statement to be true, they mu