Forgot your password?
typodupeerror
Security Businesses Operating Systems Software Windows Apple Linux

Mac Hack Contest Redux 164

Posted by samzenpus
from the what-breaks-first dept.
narramissic writes "Remember the controversial Mac hacking contest from last year's CanSecWest conference? No? Here's a refresher: Conference organizers challenged attendees to hack into a Macintosh laptop, with the successful hacker winning the computer and a cash prize. Winner Dino Dai Zovi found a QuickTime bug that allowed him to run unauthorized software on the Mac once the computer's browser was directed to a specially crafted Web page. Well, the contest is back again this year, but with a twist, says Dragos Ruiu, the principal organizer of CanSecWest: 'We're thinking of having a contest where we have Vista and OS X and Linux ... and see which one goes first.""
This discussion has been archived. No new comments can be posted.

Mac Hack Contest Redux

Comments Filter:
  • easy (Score:5, Interesting)

    by jim.hansson (1181963) on Wednesday February 06, 2008 @08:27PM (#22327732) Homepage
  • by gandhi_2 (1108023)
    where you have to try apples, oranges, and beef jerky and decide which one tastes "best".


    out of the box linux? Is there really such a thing? Ubuntu OEM, knoppix? That's a pretty wide range here.

    • I wouldnt call this a apples to oranges comparison.
      They are all common operating systems and they all fulfill the same purpose.

      Although they'd probably have to do a handful of Linux boxes to ensure that problems aren't distro specific.
      • by calebt3 (1098475)
        But then you could have a significant number of people attacking the Vista and Mac boxes (say, 20% each) and the other 60% would be split up among (maybe) 4+ Linux boxes.
        • by mrxak (727974)
          I'd expect most people will try mac and linux, however many boxes they have. Everybody already knows you can hack Vista no problem, there's not much challenge in it, so they will concentrate on the ones with the higher perceived security. Never underestimate people's desire for glory.
  • Prediction (Score:3, Funny)

    by flaming error (1041742) on Wednesday February 06, 2008 @08:28PM (#22327746) Journal
    > the successful hacker winning the computer and a cash prize I'm betting somebody's taking home a Windows machine.
  • Default Install (Score:5, Insightful)

    by Archangel Michael (180766) on Wednesday February 06, 2008 @08:29PM (#22327760) Journal
    I'd make sure that each was installed to default configuration. No tweaking allowed.

    Vista installed from DVD default/recommended choices where possible on installation screens. Same with Ubuntu, and Mac OS/X. Any deviations noted. Any extra software installed must be available on all three platforms.

    Just to make it "fair".
    • Re:Default Install (Score:4, Insightful)

      by calebt3 (1098475) on Wednesday February 06, 2008 @08:34PM (#22327812)
      I'd say that allowing updates to be installed would be fair.
    • by SuperBanana (662181) on Wednesday February 06, 2008 @08:40PM (#22327878)

      Vista installed from DVD default/recommended choices where possible on installation screens. Same with Ubuntu, and Mac OS/X. Any deviations noted. Any extra software installed must be available on all three platforms. Just to make it "fair".

      When is the last time you left an OS in its default configuration?

      A fair configuration is one in which all tested operating systems provide as identical as possible feature sets, including all the features the majority of people like to use. Like printer and file sharing, for example.

      It's also not fair to include, for example, NoScript- that breaks a ton of websites out of the box until you whitelist sites. Likewise for not including Flash as part of the package. An even more relevant example: the necessary firewall rules to allow IM (and file transfers.)

      • by CannonballHead (842625) on Wednesday February 06, 2008 @08:48PM (#22327980)

        I think this is an excellent point.

        Default windows configuration is defaulted to... well, a very compatible set of options.

        Not having actually done a Mac install, I don't know what the default is.

        A default Linux partition, depending on the flavor, could be pretty minimal...

        Here's what I think would make it more fair: make all the operating systems able to do the same things. Presumably, the normal Mac user, at some point, will want to opens a windows media file and an Office 2007 file. The typical Windows user will use quicktime at some point, and thus have it installed and have its possible security holes, too.

        Otherwise, I could create a Linux distro that is THE safest operating system EVER... and just not let you do anything, no network connectivity, etc. Pretty safe! And useless.

        • Re: (Score:2, Informative)

          by hunterkll (949515)
          OS X install by default has no network services running external and is firewalled. you have to manually turn on network sharing and services from a preference pane
          • by aliquis (678370)
            I just checked my machine in Leopard and the firewall was off.

            Anyway as others have said OS X has flash and javascript enabled and installed in the browser, quicktime, itunes with streaming music, mp3, pdf, dvd, burner support. Can show docs maybe (?)

            I think default is the only way to test this however. If one os does more bad luck for it. Just take some regular/useful Linux dist.
        • "Otherwise, I could create a Linux distro that is THE safest operating system EVER... and just not let you do anything, no network connectivity, etc. Pretty safe! And useless."

          Oh, I dunno... http://tinfoilhat.shmoo.com/ [shmoo.com] It has its uses.
      • Fair would be the least number of clicks from start to finish, as this is what the majority of machines would be running in the world, and so the results would give an estimation of real world performance (not ubergeek world, but real world). If more people chose windows to attack because they thought it would be easiest, then that would also be a reflection of real world. I'd also stipulate that the install CDs would have to checksum with those available from bestbuy (or the politically correct equivalent)
    • That comes on OS X by default but to make Windows equal in potential flaws you have to install it on Windows too. Stuff like that gets complicated fairly fast. Quicktime shares code between OS X and Windows and most of the recent flaws regarding rtsp were the same result on either platform which was DOS or potential execution of arbitrary code.
      • Re: (Score:3, Interesting)

        by QuantumG (50515)
        Quicktime comes with Firefox these days .. I've lost count of the number of times I've seen Quicktime crash Firefox.. every time I think "I bet that is exploitable", but, ya know, I'm too lazy to bother looking.
        • Re: (Score:2, Informative)

          by Crimson Wing (980223)

          Quicktime comes with Firefox these days
          Uh, BS? Every time I've installed Firefox so far, then gone to a page with an embedded QuickTime media file, Firefox has complained of needing an additional plugin. I install QuickTime itself, and then embedded QT files play just fine.
          • Re: (Score:2, Funny)

            by Grendel70 (1000350)
            Correct and informative post. Unfortunately your sig blew away any credibility you might have had.
        • Re: (Score:2, Funny)

          by glamb (191331)
          Yes, I too have lost count of the number of times I have seen the Quicktime Firefox jump over the lazy dog
  • by Anonymous Coward on Wednesday February 06, 2008 @08:30PM (#22327768)
    The 386 it was installed on?
  • Cool. (Score:1, Insightful)

    by Anonymous Coward
    See, things like this are great when in all in good fun. It's good for the mind and is a wonderful example of human creativity.

    Like I always say, "anything made by a human can be broken by a human".
  • by realthing02 (1084767) on Wednesday February 06, 2008 @08:30PM (#22327778)
    Before the sea of "vista sucks" comments, I'm going to ask this question:

    When vista inevitably goes first, who is going to want it? I assume it must be a good enough computer to actually run vista, so lets all take guesses at the OS loaded onto it after it's "pwnd".
  • The problem with the "let's see which OS cracks first" approach is that Microsoft, Apple or maybe even Novell would bribe participants to focus their efforts on their competitor's OS.
    • Re: (Score:1, Informative)

      by Anonymous Coward
      That and the fact that linux isn't an OS.
    • by Decado (207907) on Wednesday February 06, 2008 @08:39PM (#22327870)
      I would have said that the challenge pretty much amounts to saying "The next OS we find a vulnerability for is the weakest". In the long term it is a meaningless piece of data. If we hear about a new exploit for any OS tomorrow it means nothing, you have to look at long term trends to find a correct answer.
      • by Divebus (860563)

        This is kind of a silly contest. Fun but silly. It might be more fun to see which OS annoys the user enough to launch the CPU across the room.

        If you really want to know what happens from a security standpoint, just connect them all to the Internet and wait. That's real world for you. Even if Linux or OS X does get hacked first, there's a lot of catching up to do before anyone can say "see, it's just as insecure as windows".

        • Re: (Score:2, Funny)

          by KDR_11k (778916)
          It might be more fun to see which OS annoys the user enough to launch the CPU across the room.

          I don't know about you but when I'm annoyed I don't have the patience to remove the case, CPU cooler and finally the damn chip itself just to throw it around.
    • The problem with the "let's see which OS cracks first" approach is that Microsoft, Apple or maybe even Novell would bribe participants to focus their efforts on their competitor's OS.


      And thus another window into how I don't think like some other people. Sure I guess the idea is possible - but to instantly assume all actors are bad actors shows a fundamental distrust of humans I find frightening.
      • Re: (Score:2, Insightful)

        You obviously don't know very many humans then. Of course you are posting on /. so I suppose that's to be expected.
  • by Secret Rabbit (914973) on Wednesday February 06, 2008 @08:38PM (#22327854) Journal
    I think it's obvious the nonsense that'll come out of this. People will say, x OS is more insecure than y and z because it fell first/so quickly. Regardless of the skewed skill/effort that went into breaking it.

    This "twist" is bullshit.
    • by Hybridan (857002)
      Honestly, I could see this being a legitimate, "real world" or functional test type experiment. It would be difficult to make a contest like this something that is a perfect and "equal" or fair representation of the security of the OS's. It would however, provide an interesting look into how people generally perceive and go about attacking different systems. The amount of time or work put into finding cracks in the armor of one or the other is perhaps just as interesting as which would "fall first".
      H.
      • by growse (928427)

        I feel a better way would be to run the tests consecutively rather than concurrently.

        So you take your room of hackers, and you let them loose at a Vista box. Once that's cracked, you end that test. Then you let them loose at a Mac. Rinse, repeat.

        The "Winner" would be the group that managed the fastest crack overall.

    • by aphor (99965)

      I think it's obvious the nonsense that'll come out of this. People will say, x OS is more insecure than y and z because it fell first/so quickly. Regardless of the skewed skill/effort that went into breaking it.

      This "twist" is bullshit.

      Brute force attacks taking a long/short time using a generic fuzzer do not count as extra/less effort.

  • I feel so bad for that subnet. So many idiots who will just sit there and hammer it endlessly hoping that some magical 'hacking' will occur.
    • Re: (Score:2, Funny)

      by KDR_11k (778916)
      At first I read that as "So many idiots who will just sit there with a hammer". Definitely the easiest way to crack a system...
  • by SuperBanana (662181) on Wednesday February 06, 2008 @08:45PM (#22327940)

    We're thinking of having a contest where we have Vista and OS X and Linux ... and see which one goes first.

    What I'd be most interested in is a survey of contestants as to their platform experience, and how focused they intend to be on attacking the different platforms. That part could be wildly unscientific, but could be interesting if everyone answers openly.

    Couple that with some good logs of network activity, to see how focused attacks are on the various systems.

    For example, it could turn out that nobody goes for the supposed low hanging fruit, and everyone tries to target the Mac...or an OpenBSD box, if they bring one. Etc.

  • This hardly seems like a fair test, for what the results are implied to indicate.

    I'll predict that Vista goes down first, because there are more Windows programmers out there than Mac/*nix. Time-to-first-hack isn't a valid measure of OS robustness.

    That probably won't be a popular statement here on /. , but oh well.
    • Re: (Score:3, Insightful)

      by geekoid (135745)
      Yes, but the skill and motivation to hack OSX is much higher. The person who can exploit OSX in a meaningful way would get a lot of prestige from the '*hat' community.

      Besides, that involves a logical fallacy. Basically be your statement to be true, they must ahve the same architecture, developed by people od equal skill use the same project management style and the same QA.
      • by toadlife (301863)

        Yes, but the skill and motivation to hack OSX is much higher.
        You speak as if OSX exploits are a rare thing.

        The person who can exploit OSX in a meaningful way would get a lot of prestige from the '*hat' community.
        You mean like the last contest winner who developed a working brower + quicktime attack in only a few hours? Are you saying the same class of exploit that is used to infect Windows users every day is not significant on OSX?
        • You speak as if OSX exploits are a rare thing.

          Rare? Diamonds are rare, yet I see them daily.

          Are you saying the same class of exploit that is used to infect Windows users every day is not significant on OSX?

          One uses an exploit to potentially cause an infection. If it doesn't spread, well, that doesn't really say much about the exploit.

          But I am really interested in the outcome of the contest, especially what they will consider as a 'default' install and 'default' configuration.

          • Re: (Score:3, Informative)

            by mgblst (80109)

            Rare? Diamonds are rare, yet I see them daily.


            Diamons aren't rare, only the stupid really believe this - why do you think diamonds are rare, because they are marketed to you as such. Diamonds are carefully controlled, so they a huge amount don't flood the market, but that doesn't make them rare.
      • by QuantumG (50515)
        No-one gives a shit about desktop security, let alone Mac-OS desktop security. Businesses pay for security analysis.. of server apps.

      • This is from 2006 and is a fairly basic security flaw. http://milw0rm.com/exploits/1545 [milw0rm.com] Mac OS X simply has not been a valuable enough target in the past to be attacked in a meaningful way.
        • by Weedlekin (836313)
          "This is from 2006 and is a fairly basic security flaw. http://milw0rm.com/exploits/1545 [milw0rm.com] "

          It was (past tense because Apple patched it in 2006) strictly a local exploit, and therefore of negligible risk. This is why the same milwOrm.com site lists a bunch of them for other UNIX variants that have excellent security records, e.g. AIX, Solaris, and HP/UX, and even QNX.

          "Mac OS X simply has not been a valuable enough target in the past to be attacked in a meaningful way."

          Or perhaps it's due to the fact that milw
  • all the contestants attack each of the three systems with the winner given his choice of the systems.

  • The IPs of the machines are given out, but not what OS is on the boxes. (Identifying the windows box is pretty easy though, RPC etc).
  • by tsotha (720379) on Wednesday February 06, 2008 @09:03PM (#22328132)
    Even if it were the most secure, Vista would be first. I'm sure there are kits you can buy from shady groups in Eastern Europe or Russia that will do the trick immediately. If Vista doesn't already have the highest market share, it will at some point. So if you make hacking kits for organizations that make botnets you're gonna crack Vista first.
    • Re: (Score:3, Insightful)

      Except... many important servers run on Linux. So while lots of malware exists for Vista/XP, lots of people around the world really do make attempts at assaulting Linux boxes. More often than not, I believe, success is based upon attacking weaknesses in the software installed on said box. (Which one can argue that a properly maintained *nix box has a better chance of surviving, because of the continual security updates for all of its software).
      • Re: (Score:3, Interesting)

        by tsotha (720379)

        Oh, I'm sure Linux boxes are subject to attacks as well. I just think, as a nefarious writer of cracking software, you'd have to believe your time is better spent cracking Windows than Linux. And I don't believe servers are the most profitable boxes to hack anymore - keyloggers to swindle online banking users are probably the big moneymakers.

        • Some of the most brilliant hacks are for recognition among hackers, not just money. More often than not, the real money makers are the dumb assaults, phishing, domain squatting, social engineering, etc.
    • Vista would be first. I'm sure there are kits you can buy from shady groups in Eastern Europe or Russia that will do the trick immediately.

      Different class of exploit.

      Your average Vista install's destiny is to become part of a botnet. That doesn't requre the type of remote cracking that's being set up in this test, just a trojan embedded in a shiny cursor app.

      Windows botnets tend to be herded by Linux servers which have been individually cracked, which is what this test is about.

  • What about *BSD? This contest is grossly unfair unless a *BSD is included!

    Hehe. Let's see them try to pwn that one.
  • by Cajun Hell (725246) on Wednesday February 06, 2008 @09:17PM (#22328252) Homepage Journal

    Who is operating each machine? I need their email addresses. I want to send them some programs, and my "hack" is that the programs will come with instructions to the operator: please execute this attachment.

    My understanding is that for Windows, I just need to have the filename end with .exe. For MacOS, I need it to end with .dmg. For Linux, I need to train the user how to use chmod.

    • Re: (Score:2, Funny)

      by Al_Lapalme (698542)
      Hehehe... Copy to desktop; right click->properties - check 'executable' and then run.

      Can't wait to see those vacation pictures!!!

      Ahhh f*ck.
    • Re: (Score:2, Informative)

      by toadlife (301863)

      For Linux, I need to train the user how to use chmod.
      Naw. Assuming it will be a functional equivalent of Windows and OS X, it should be running KDE, which means it will have support for archives (Ark) built into it. Just send 'em an archived shell script with the execute bit already set. Alternatively, you can send them your payload in some sort of package format, like RPM.
    • this doesn't measure the security of the OS
      it measures the stupidity of the user

      your program can be a one liner on any of the machines.

      just a freaking script that says "delete *.*"
      or you coudl see who has passwordless sudo and go sudo rm /*
      and that will do on any *nix pretty much

      again we are testing the OS not the STUPID USER AT THE WHEEL

      • Did you hear that whooshing sound? That was the joke going over your head. Fill your tub with ice, chill out, and sell your roommates kidney so you can afford the vacation you so obviously need.

        Relax! Stress prematurely ages people.
        • wow... how the heck did i miss that?
          I think I will do just that.. except i may have to steal someone elses roommates organs since I dont have a roommate :-)

          i could have sworn the parent was +5 insightful which incited my response :-P or not..
    • Re:TFA doesn't say (Score:5, Interesting)

      by Shados (741919) on Wednesday February 06, 2008 @11:05PM (#22329326)
      Try this for giggles. Have a Vista machine. Send them an email with an exe file. Try and get them to execute it. Good luck. If you manage that, try the same exercise by MSN Messenger. At that point, even I am not sure I can do it without googling, and even then its tricky. Vista is a b**** when it comes to running EXEs received by email or MSN.
      • Only if you don't turn off UAC. It's pretty easy for a user to figure out how to do that, and many do. However, given the default configuration you are largely correct.
        • by Shados (741919)
          Actually no, its part of MSN and the built in mail softwares, and has little to do with UAC. (I've tested it on an UAC-disabled machine before posting this).

  • OSX, Linux, Vista (Score:2, Interesting)

    by Anonymous Coward
    If I were to enter such a contest I would target OSX first, then Linux and Finally vista.

    OSX is first because apple has been hideing behind security by obscurity for too long. I have seen no evidence that suggests OSX gets it any more than Microsoft did.

    Linux next because source code is avaliable... and while clever hits without source are sometimes easier you just might get lucky walking the ususal paths and find something exploitable.

    MS has been more or less awake from the security perspective for years
  • Someone should pull a Kobayashi Maru and hack all the competing hacker's machines so they can win the prize.
  • I hope they'll go with Gentoo. It is uncrackable. When the hackers attack they can't do anything to it because the system is busy compiling itself.
    • ... I know this was meant to be a joke, but I just have to respond.

      I don't understand this "uncrackable" part. OpenSSH is on the livecd. Most admins ssh into the box to set it up... leaving ssh open to all. On the current live CD, OpenSSH is pretty old.

      I recently installed Gentoo on my new AMD64 X2 5200+ (65nm/65W). Took about 3-3.5 hours to: partition, install the base, install grub, compile a kernel(took about 3 mins for the kernel, another 10 for modules), boot into new install, upgrade portage
  • To make it fair. (Score:2, Insightful)

    by Higaran (835598)
    I think all each team should have to hack all 3 computers, and the first team to do so gets to pick, and then the seconed picks the next one and then the thrid gets the last one. So that equal energy goes into hacking each unit, and each team will learn something about a system they probably didn't know, and isn't that what this whole thing is about, learing something.
  • They should probably turn off the Windows machine, just to make it fair and all...
  • While they may help reveal specific information about vulnerabilities, which is good, they don't provide much useful information about the security of the systems being attacked.
  • I saw the headline and got all excited.... [wikipedia.org]
  • I can just see this happening.. MC: Okay...the competition is ready to start... We have three computers, Vista, XP and Mac....crack it and it's yours.. Are you ready? On your marks, get set, g.......OKAY OKAY! Not funny...We have now XP and MAC available...the competition will start on my mark....On your marks, get set...go!!
  • You can't determine the security of an OS, any OS, by this kind of limited one-off testing. REAL testing is systematic and time consuming, and involves completely the opposite rationale. Conventioal testing involves attacking a single target until it breaks, this "test" involves attacking a bunch of different systems and seeing which fails "first". This doesn't really evaluate "security" because the critical factor is THE ORDER IN WHICH THE EXPLOITS WERE TRIED. If the attacker just happens to hit the right

"There is no distinctly American criminal class except Congress." -- Mark Twain

Working...