
Mac Hack Contest Redux

narramissic writes "Remember the controversial Mac hacking contest from last year's CanSecWest conference? No? Here's a refresher: Conference organizers challenged attendees to hack into a Macintosh laptop, with the successful hacker winning the computer and a cash prize. Winner Dino Dai Zovi found a QuickTime bug that allowed him to run unauthorized software on the Mac once the computer's browser was directed to a specially crafted Web page. Well, the contest is back again this year, but with a twist, says Dragos Ruiu, the principal organizer of CanSecWest: 'We're thinking of having a contest where we have Vista and OS X and Linux ... and see which one goes first.'"
  • easy (Score:5, Interesting)

    by jim.hansson ( 1181963 ) on Wednesday February 06, 2008 @08:27PM (#22327732) Homepage
  • by gandhi_2 ( 1108023 ) on Wednesday February 06, 2008 @08:28PM (#22327744) Homepage
    where you have to try apples, oranges, and beef jerky and decide which one tastes "best".


    out of the box linux? Is there really such a thing? Ubuntu OEM, knoppix? That's a pretty wide range here.

  • by SuperBanana ( 662181 ) on Wednesday February 06, 2008 @08:45PM (#22327940)

    We're thinking of having a contest where we have Vista and OS X and Linux ... and see which one goes first.

    What I'd be most interested in is a survey of contestants as to their platform experience, and how focused they intend to be on attacking the different platforms. That part could be wildly unscientific, but could be interesting if everyone answers openly.

    Couple that with some good logs of network activity, to see how focused attacks are on the various systems.

    For example, it could turn out that nobody goes for the supposed low hanging fruit, and everyone tries to target the Mac...or an OpenBSD box, if they bring one. Etc.

  • by CannonballHead ( 842625 ) on Wednesday February 06, 2008 @08:48PM (#22327980)

    I think this is an excellent point.

    Default windows configuration is defaulted to... well, a very compatible set of options.

    Not having actually done a Mac install, I don't know what the default is.

    A default Linux partition, depending on the flavor, could be pretty minimal...

    Here's what I think would make it more fair: make all the operating systems able to do the same things. Presumably, the normal Mac user, at some point, will want to open a windows media file and an Office 2007 file. The typical Windows user will use quicktime at some point, and thus have it installed and have its possible security holes, too.

    Otherwise, I could create a Linux distro that is THE safest operating system EVER... and just not let you do anything, no network connectivity, etc. Pretty safe! And useless.

  • OSX, Linux, Vista (Score:2, Interesting)

    by Anonymous Coward on Wednesday February 06, 2008 @09:19PM (#22328288)
    If I were to enter such a contest I would target OSX first, then Linux and finally Vista.

    OSX is first because Apple has been hiding behind security by obscurity for too long. I have seen no evidence that suggests OSX gets it any more than Microsoft did.

    Linux next because source code is available... and while clever hits without source are sometimes easier you just might get lucky walking the usual paths and find something exploitable.

    MS has been more or less awake from the security perspective for years now and most of the exploit efforts have been targeted at this platform which raises the bar for discovery of new exploits because all the trivial vectors have already been probed. Following the same line Windows exploits are simply worth more than OSX or Linux exploits. Good ones can be worth a room full of PCs if you can find the right buyer.

    Applications such as browsers, media players, and various popular plugins ... acrobat, flash...etc provide great cross platform opportunity for successful attacks. It might actually be worth one's time to try for a common exploit and win all three :)

    Besides a PC is a PC... you can always reformat the drive and install Solaris if you want :)

  • by QuantumG ( 50515 ) <qg@biodome.org> on Wednesday February 06, 2008 @09:24PM (#22328336) Homepage Journal
    Quicktime comes with Firefox these days .. I've lost count of the number of times I've seen Quicktime crash Firefox.. every time I think "I bet that is exploitable", but, ya know, I'm too lazy to bother looking.
  • by tsotha ( 720379 ) on Wednesday February 06, 2008 @09:40PM (#22328438)

    Oh, I'm sure Linux boxes are subject to attacks as well. I just think, as a nefarious writer of cracking software, you'd have to believe your time is better spent cracking Windows than Linux. And I don't believe servers are the most profitable boxes to hack anymore - keyloggers to swindle online banking users are probably the big moneymakers.

  • Re:Default Install (Score:1, Interesting)

    by Anonymous Coward on Wednesday February 06, 2008 @10:45PM (#22329146)
    But the update model of Windows is completely different from that of Ubuntu and Mac OS/X. Whereas Windows is based around 'distribute platform, then updates to the platform as and when they are done', Ubuntu is based on 'distribute entire platform in each update as and when they are done'. It's very difficult to index the apples and oranges to a common standard here.

    Some ways of doing it are:

    1. Windows Vista as per release date shrink wrapped copy, Ubuntu as per most recent internet downloaded copy. Result: Vista has a lot more bugs, especially the exploits that have been published and fixed. Ubuntu will use the very latest patches and have none. Argument in favour: The 'idealised new customer experience' is reflected. Argument against: The 'quality of programming' at either the point of Vista release or at the present is not reflected. Is there an 'idealised new customer' who does not get a patched version from Dell, or store-buyer who does not run Windows Update as prodded to many many times by the OS?

    2. Windows Vista as per release date shrink wrapped copy. Ubuntu as per internet download available on the date Vista was released. This would not reflect any 'idealised new customer experience', but would reflect a 'quality of programming at that point in time' measure to some rough degree. The problem is, which unpatched version of Mac OS/X would be used? The one released at the earliest date BEFORE Vista, or at the earliest date AFTER Vista, and why should Vista's release be the yardstick?

    3. Windows Vista patched to the latest date. Ubuntu patched to the latest date. Mac OS/X patched to the latest date. This would not reflect an 'idealised new customer experience', but would come close to reflecting a 'quality of programming at the present' measure together with an 'average user' experience (considering how many get moderately patched versions when they buy it). When Vista SP1 is released, will e.g. anyone buying from Dell have a 'first user' experience WITHOUT SP1?

    I'd say 3 is the best, because, although 1 is tempting because it clearly increases the likelihood that Vista will be hacked first, the 'idealised first user experience' that it claims to justify its case is unlikely to exist.

    As for the choice of distro - you could always have several teams working on Vista and Mac OS/X computers, and one team for each distro.
  • Re:too easy (Score:3, Interesting)

    by HiThere ( 15173 ) <charleshixsn@ear ... .net minus punct> on Wednesday February 06, 2008 @10:59PM (#22329272)
    Actually, Vista may be the last standing. I'm not saying it's the most secure, but it's the most unknown. And if you were a Black Hat who had developed a route into Vista, I'm sure there are more profitable ways of exploiting your ingenuity.
  • Re:TFA doesn't say (Score:5, Interesting)

    by Shados ( 741919 ) on Wednesday February 06, 2008 @11:05PM (#22329326)
    Try this for giggles. Have a Vista machine. Send them an email with an exe file. Try and get them to execute it. Good luck. If you manage that, try the same exercise by MSN Messenger. At that point, even I am not sure I can do it without googling, and even then it's tricky. Vista is a b**** when it comes to running EXEs received by email or MSN.
