Mac Hack Contest Redux

narramissic writes "Remember the controversial Mac hacking contest from last year's CanSecWest conference? No? Here's a refresher: Conference organizers challenged attendees to hack into a Macintosh laptop, with the successful hacker winning the computer and a cash prize. Winner Dino Dai Zovi found a QuickTime bug that allowed him to run unauthorized software on the Mac once the computer's browser was directed to a specially crafted Web page. Well, the contest is back again this year, but with a twist, says Dragos Ruiu, the principal organizer of CanSecWest: 'We're thinking of having a contest where we have Vista and OS X and Linux ... and see which one goes first.""

easy

[jim.hansson]

http://slashdot.org/firehose.pl?op=view&id=508230 [slashdot.org]

how about a taste test

[gandhi_2]

where you have to try apples, oranges, and beef jerky and decide which one tastes "best".

out of the box linux? Is there really such a thing? Ubuntu OEM, knoppix? That's a pretty wide range here.

Re:

[cheater512]

I wouldnt call this a apples to oranges comparison.
They are all common operating systems and they all fulfill the same purpose.

Although they'd probably have to do a handful of Linux boxes to ensure that problems aren't distro specific.

Re:

[calebt3]

But then you could have a significant number of people attacking the Vista and Mac boxes (say, 20% each) and the other 60% would be split up among (maybe) 4+ Linux boxes.

Re:

[mrxak]

I'd expect most people will try mac and linux, however many boxes they have. Everybody already knows you can hack Vista no problem, there's not much challenge in it, so they will concentrate on the ones with the higher perceived security. Never underestimate people's desire for glory.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[calebt3]

Click the 'x' in the top corner of the login screen. Oh wait...

Prediction

[flaming error]

> the successful hacker winning the computer and a cash prize I'm betting somebody's taking home a Windows machine.

Wrong!

[EmbeddedJanitor]

The Vista computer won't get hacked because nobody will want to take it home!

Re:

[Darfeld]

Yes it will. you could always get rid of windows and install linux after that. Or sell it on e-bay...

Re:

[jellomizer]

Unless Linux is the first to be hacked into...
Hey it is a possiblity. I ain't taking bets on who will be first to be broken in.
Linux being Open Source having the ability of some hacker checking the code and use a volnerability that was just open reported. May not be useful for a large scale hack but for the contest it just might work.

Max OS may have some old Unix volnerability That has never been fixed. Or one of the new features that allows remote access say via iChat may allow a back door.

Windows while h

Re:Prediction

[Nerdfest]

The outcome would be dependent on whether or not the Vista machine has already booted up. If not, attacking the other 2 gives you a decent head-start.

Re:Prediction

[LiquidCoooled]

There is already a trojan available for vista, however noone is infected because its not finished copying over the network yet.

Re:Prediction

[Anonymous Coward]

Sorry that's my fault, let me turn my sound off.

Default Install

[Archangel Michael]

I'd make sure that each was installed to default configuration. No tweaking allowed.

Vista installed from DVD default/recommended choices where possible on installation screens. Same with Ubuntu, and Mac OS/X. Any deviations noted. Any extra software installed must be available on all three platforms.

Just to make it "fair".

Re:Default Install

[calebt3]

I'd say that allowing updates to be installed would be fair.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[stephanruby]

At the very least, the Vista computer should be an emachine, or have AOL preloaded on it. A computer designed to meet the adware needs of its corporate-manufacturers over the needs of its owner should give us a much more realistic exercise. After all, what are botnets made up of? Cheap preloaded computers purchased at Best Buy/Walmart? Or computers assembled from scratch / or purchased through one's IT department through Dell ?

Re:

[leenks]

The same applies to other operating systems too then. OSX comes with very little out of the box. New Macs usually come with iLife and some with iWork (or at least a trial) pre-installed - ie third party software. Mine even came with a 30 day trial of Office 2004. A stock installation of OSX doesn't include Quicktime or the like either. I guess you could argue the same with a linux distribution like RHEL or Debian if you wanted - virtually nothing is installed in the most basic install option.

Re:

[cheesewire]

OSX comes with very little out of the box. New Macs usually come with iLife and some with iWork (or at least a trial) pre-installed - ie third party software. Mine even came with a 30 day trial of Office 2004. A stock installation of OSX doesn't include Quicktime or the like either.

When you buy a mac, it comes with iLife and Quicktime. Both are made by Apple. Both are pretty fundamental to macs providing quite a lot of functionality out of the box.

Even if you delete Quicktime.app, the quicktime framework

Re:

[leenks]

I said that a new mac came with iLife and Quicktime. I apparently made a balls up on the fact that Quicktime and iTunes come with OSX though.

iLife being fundamental to providing functionality is a bit off though. You could argue any PC manufacturers bundled apps are fundamental to providing that functionality out of the box too. In the context of comparing the base operating systems its a bit unfair to include iLife but exclude whatever equivalent suites Sony / Dell / HP / ... might include "out of the box"

Re:

[Calinous]

Sure "OpenBSD has had one remote exploit in the default install in its history"

Since you've heard, the number of OpenBSD remote exploit holes doubled

"fair" would be "what users need"

[SuperBanana]

Vista installed from DVD default/recommended choices where possible on installation screens. Same with Ubuntu, and Mac OS/X. Any deviations noted. Any extra software installed must be available on all three platforms. Just to make it "fair".

When is the last time you left an OS in its default configuration?

A fair configuration is one in which all tested operating systems provide as identical as possible feature sets, including all the features the majority of people like to use. Like printer and file sharing, for example.

It's also not fair to include, for example, NoScript- that breaks a ton of websites out of the box until you whitelist sites. Likewise for not including Flash as part of the package. An even more relevant example: the necessary firewall rules to allow IM (and file transfers.)

Re:"fair" would be "what users need"

[CannonballHead]

I think this is an excellent point.

Default windows configuration is defaulted to... well, a very compatible set of options.

Not having actually done a Mac install, I don't know what the default is.

A default Linux partition, depending on the flavor, could be pretty minimal...

Here's what I think would make it more fair: make all the operating systems able to do the same things. Presumably, the normal Mac user, at some point, will want to opens a windows media file and an Office 2007 file. The typical Windows user will use quicktime at some point, and thus have it installed and have its possible security holes, too.

Otherwise, I could create a Linux distro that is THE safest operating system EVER... and just not let you do anything, no network connectivity, etc. Pretty safe! And useless.

Re:

[hunterkll]

OS X install by default has no network services running external and is firewalled. you have to manually turn on network sharing and services from a preference pane

Re:

[aliquis]

I just checked my machine in Leopard and the firewall was off.

Anyway as others have said OS X has flash and javascript enabled and installed in the browser, quicktime, itunes with streaming music, mp3, pdf, dvd, burner support. Can show docs maybe (?)

I think default is the only way to test this however. If one os does more bad luck for it. Just take some regular/useful Linux dist.

Re:

[aliquis]

Mine wasn't on, and I've been using this computer for 4 months, my first mac thought... So I hadn't bothered looking around for it earlier, did it now when the parent talked about it. I hope the much less knowledgable people than me turn it on on their macs aswell... Especially when so many people try to convince them that macs are bulletproof ...

Personally I see a ingoing firewall as rather useless since you shouldn't be running services you don't need anyway, and if you need them blocking them out isn't t

Re:

[Captain DaFt]

"Otherwise, I could create a Linux distro that is THE safest operating system EVER... and just not let you do anything, no network connectivity, etc. Pretty safe! And useless."

Oh, I dunno... http://tinfoilhat.shmoo.com/ [shmoo.com] It has its uses.

Re:

[LaskoVortex]

Fair would be the least number of clicks from start to finish, as this is what the majority of machines would be running in the world, and so the results would give an estimation of real world performance (not ubergeek world, but real world). If more people chose windows to attack because they thought it would be easiest, then that would also be a reflection of real world. I'd also stipulate that the install CDs would have to checksum with those available from bestbuy (or the politically correct equivalent)

What about Quicktime?

[yabos]

That comes on OS X by default but to make Windows equal in potential flaws you have to install it on Windows too. Stuff like that gets complicated fairly fast. Quicktime shares code between OS X and Windows and most of the recent flaws regarding rtsp were the same result on either platform which was DOS or potential execution of arbitrary code.

Re:

[QuantumG]

Quicktime comes with Firefox these days .. I've lost count of the number of times I've seen Quicktime crash Firefox.. every time I think "I bet that is exploitable", but, ya know, I'm too lazy to bother looking.

Re:

[Crimson Wing]

Quicktime comes with Firefox these days

Uh, BS? Every time I've installed Firefox so far, then gone to a page with an embedded QuickTime media file, Firefox has complained of needing an additional plugin. I install QuickTime itself, and then embedded QT files play just fine.

Re:

[Grendel70]

Correct and informative post. Unfortunately your sig blew away any credibility you might have had.

Re:

[glamb]

Yes, I too have lost count of the number of times I have seen the Quicktime Firefox jump over the lazy dog

What will be the GNU/Linux prize?

[Anonymous Coward]

The 386 it was installed on?

Re:What will be the GNU/Linux prize?

[Enoxice]

The toaster it was installed on?

Fixed.

Re:

[calebt3]

The complete list [uncyclopedia.org]

Re:

[HiThere]

Sorry, it was BSD Unix that was installed on the toaster. (I forget which flavor.)

Re:

[Eddi3]

A slice of cinnamon bread?

Cool.

[Anonymous Coward]

See, things like this are great when in all in good fun. It's good for the mind and is a wonderful example of human creativity.

Like I always say, "anything made by a human can be broken by a human".

Begs The question

[realthing02]

Before the sea of "vista sucks" comments, I'm going to ask this question:

When vista inevitably goes first, who is going to want it? I assume it must be a good enough computer to actually run vista, so lets all take guesses at the OS loaded onto it after it's "pwnd".

It doesn't beg any question...

[Anonymous Coward]

...and you damn well know it. You guys are deliberately baiting the language nazis - there's no way you could *still* be ignorant of what this phrase means.

Re:

[NatasRevol]

Central Seattle, WA. Just google it.

Potential for rigging

[volt4ire]

The problem with the "let's see which OS cracks first" approach is that Microsoft, Apple or maybe even Novell would bribe participants to focus their efforts on their competitor's OS.

Re:

[Anonymous Coward]

That and the fact that linux isn't an OS.

Re:Potential for rigging

[Decado]

I would have said that the challenge pretty much amounts to saying "The next OS we find a vulnerability for is the weakest". In the long term it is a meaningless piece of data. If we hear about a new exploit for any OS tomorrow it means nothing, you have to look at long term trends to find a correct answer.

Re:

[Divebus]

This is kind of a silly contest. Fun but silly. It might be more fun to see which OS annoys the user enough to launch the CPU across the room.

If you really want to know what happens from a security standpoint, just connect them all to the Internet and wait. That's real world for you. Even if Linux or OS X does get hacked first, there's a lot of catching up to do before anyone can say "see, it's just as insecure as windows".

Re:

[KDR_11k]

It might be more fun to see which OS annoys the user enough to launch the CPU across the room.

I don't know about you but when I'm annoyed I don't have the patience to remove the case, CPU cooler and finally the damn chip itself just to throw it around.

Re:

[Murphy Murph]

The problem with the "let's see which OS cracks first" approach is that Microsoft, Apple or maybe even Novell would bribe participants to focus their efforts on their competitor's OS.

And thus another window into how I don't think like some other people. Sure I guess the idea is possible - but to instantly assume all actors are bad actors shows a fundamental distrust of humans I find frightening.

Re:

[The Mighty Buzzard]

You obviously don't know very many humans then. Of course you are posting on /. so I suppose that's to be expected.

Obvious misleading conclusions

[Secret Rabbit]

I think it's obvious the nonsense that'll come out of this. People will say, x OS is more insecure than y and z because it fell first/so quickly. Regardless of the skewed skill/effort that went into breaking it.

This "twist" is bullshit.

Re:

[Hybridan]

Honestly, I could see this being a legitimate, "real world" or functional test type experiment. It would be difficult to make a contest like this something that is a perfect and "equal" or fair representation of the security of the OS's. It would however, provide an interesting look into how people generally perceive and go about attacking different systems. The amount of time or work put into finding cracks in the armor of one or the other is perhaps just as interesting as which would "fall first".
H.

Re:

[growse]

I feel a better way would be to run the tests consecutively rather than concurrently.

So you take your room of hackers, and you let them loose at a Vista box. Once that's cracked, you end that test. Then you let them loose at a Mac. Rinse, repeat.

The "Winner" would be the group that managed the fastest crack overall.

Re:

[aphor]

I think it's obvious the nonsense that'll come out of this. People will say, x OS is more insecure than y and z because it fell first/so quickly. Regardless of the skewed skill/effort that went into breaking it.

This "twist" is bullshit.

Brute force attacks taking a long/short time using a generic fuzzer do not count as extra/less effort.

Poor subnet

[cruelworld]

I feel so bad for that subnet. So many idiots who will just sit there and hammer it endlessly hoping that some magical 'hacking' will occur.

Re:

[KDR_11k]

At first I read that as "So many idiots who will just sit there with a hammer". Definitely the easiest way to crack a system...

I'd like to see stats on effort per platform

[SuperBanana]

We're thinking of having a contest where we have Vista and OS X and Linux ... and see which one goes first.

What I'd be most interested in is a survey of contestants as to their platform experience, and how focused they intend to be on attacking the different platforms. That part could be wildly unscientific, but could be interesting if everyone answers openly.

Couple that with some good logs of network activity, to see how focused attacks are on the various systems.

For example, it could turn out that nobody goes for the supposed low hanging fruit, and everyone tries to target the Mac...or an OpenBSD box, if they bring one. Etc.

Lopsided...

[msauve]

This hardly seems like a fair test, for what the results are implied to indicate.

I'll predict that Vista goes down first, because there are more Windows programmers out there than Mac/*nix. Time-to-first-hack isn't a valid measure of OS robustness.

That probably won't be a popular statement here on /. , but oh well.

Re:

[geekoid]

Yes, but the skill and motivation to hack OSX is much higher. The person who can exploit OSX in a meaningful way would get a lot of prestige from the '*hat' community.

Besides, that involves a logical fallacy. Basically be your statement to be true, they must ahve the same architecture, developed by people od equal skill use the same project management style and the same QA.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Jerry Smith]

You speak as if OSX exploits are a rare thing.

Rare? Diamonds are rare, yet I see them daily.

Are you saying the same class of exploit that is used to infect Windows users every day is not significant on OSX?

One uses an exploit to potentially cause an infection. If it doesn't spread, well, that doesn't really say much about the exploit.

But I am really interested in the outcome of the contest, especially what they will consider as a 'default' install and 'default' configuration.

Re:

[mgblst]

Rare? Diamonds are rare, yet I see them daily.

Diamons aren't rare, only the stupid really believe this - why do you think diamonds are rare, because they are marketed to you as such. Diamonds are carefully controlled, so they a huge amount don't flood the market, but that doesn't make them rare.

Re:

[QuantumG]

No-one gives a shit about desktop security, let alone Mac-OS desktop security. Businesses pay for security analysis.. of server apps.

Re:

[phantomcircuit]

This is from 2006 and is a fairly basic security flaw. http://milw0rm.com/exploits/1545 [milw0rm.com] Mac OS X simply has not been a valuable enough target in the past to be attacked in a meaningful way.

Re:

[Weedlekin]

"This is from 2006 and is a fairly basic security flaw. http://milw0rm.com/exploits/1545 [milw0rm.com] "

It was (past tense because Apple patched it in 2006) strictly a local exploit, and therefore of negligible risk. This is why the same milwOrm.com site lists a bunch of them for other UNIX variants that have excellent security records, e.g. AIX, Solaris, and HP/UX, and even QNX.

"Mac OS X simply has not been a valuable enough target in the past to be attacked in a meaningful way."

Or perhaps it's due to the fact that milw

It would be more interesting to have

[Babu 'God' Hoover]

all the contestants attack each of the three systems with the winner given his choice of the systems.

A new rule

[kcbanner]

The IPs of the machines are given out, but not what OS is on the boxes. (Identifying the windows box is pretty easy though, RPC etc).

Vista would be first

[tsotha]

Even if it were the most secure, Vista would be first. I'm sure there are kits you can buy from shady groups in Eastern Europe or Russia that will do the trick immediately. If Vista doesn't already have the highest market share, it will at some point. So if you make hacking kits for organizations that make botnets you're gonna crack Vista first.

Re:

[Idiot with a gun]

Except... many important servers run on Linux. So while lots of malware exists for Vista/XP, lots of people around the world really do make attempts at assaulting Linux boxes. More often than not, I believe, success is based upon attacking weaknesses in the software installed on said box. (Which one can argue that a properly maintained *nix box has a better chance of surviving, because of the continual security updates for all of its software).

Re:

[tsotha]

Oh, I'm sure Linux boxes are subject to attacks as well. I just think, as a nefarious writer of cracking software, you'd have to believe your time is better spent cracking Windows than Linux. And I don't believe servers are the most profitable boxes to hack anymore - keyloggers to swindle online banking users are probably the big moneymakers.

Re:

[Idiot with a gun]

Some of the most brilliant hacks are for recognition among hackers, not just money. More often than not, the real money makers are the dumb assaults, phishing, domain squatting, social engineering, etc.

Re:

[ozmanjusri]

Vista would be first. I'm sure there are kits you can buy from shady groups in Eastern Europe or Russia that will do the trick immediately.

Different class of exploit.

Your average Vista install's destiny is to become part of a botnet. That doesn't requre the type of remote cracking that's being set up in this test, just a trojan embedded in a shiny cursor app.

Windows botnets tend to be herded by Linux servers which have been individually cracked, which is what this test is about.

*BSD!

[QuickFox]

What about *BSD? This contest is grossly unfair unless a *BSD is included!

Hehe. Let's see them try to pwn that one.

Re:*BSD!

[CapsaicinBoy]

Ummm. OSX is just NeXTstep v5 (or 6 by now?), and NeXTstep is a flavor of BSD.

Please turn in your geek card on the way out.

http://en.wikipedia.org/wiki/Image:Unix_history.en.svg [wikipedia.org]

TFA doesn't say

[Cajun Hell]

Who is operating each machine? I need their email addresses. I want to send them some programs, and my "hack" is that the programs will come with instructions to the operator: please execute this attachment.

My understanding is that for Windows, I just need to have the filename end with .exe. For MacOS, I need it to end with .dmg. For Linux, I need to train the user how to use chmod.

Re:

[Al_Lapalme]

Hehehe... Copy to desktop; right click->properties - check 'executable' and then run.

Can't wait to see those vacation pictures!!!

Ahhh f*ck.

Re:

[account_deleted]

Comment removed based on user account deletion

stupid test

[EdelFactor19]

this doesn't measure the security of the OS
it measures the stupidity of the user

your program can be a one liner on any of the machines.

just a freaking script that says "delete *.*"
or you coudl see who has passwordless sudo and go sudo rm /*
and that will do on any *nix pretty much

again we are testing the OS not the STUPID USER AT THE WHEEL

Re:

[prichardson]

Did you hear that whooshing sound? That was the joke going over your head. Fill your tub with ice, chill out, and sell your roommates kidney so you can afford the vacation you so obviously need.

Relax! Stress prematurely ages people.

Re:

[EdelFactor19]

wow... how the heck did i miss that?
I think I will do just that.. except i may have to steal someone elses roommates organs since I dont have a roommate :-)

i could have sworn the parent was +5 insightful which incited my response :-P or not..

Re:TFA doesn't say

[Shados]

Try this for giggles. Have a Vista machine. Send them an email with an exe file. Try and get them to execute it. Good luck. If you manage that, try the same exercise by MSN Messenger. At that point, even I am not sure I can do it without googling, and even then its tricky. Vista is a b**** when it comes to running EXEs received by email or MSN.

Re:

[dreamchaser]

Only if you don't turn off UAC. It's pretty easy for a user to figure out how to do that, and many do. However, given the default configuration you are largely correct.

Re:

[Shados]

Actually no, its part of MSN and the built in mail softwares, and has little to do with UAC. (I've tested it on an UAC-disabled machine before posting this).

OSX, Linux, Vista

[Anonymous Coward]

If I were to enter such a contest I would target OSX first, then Linux and Finally vista.

OSX is first because apple has been hideing behind security by obscurity for too long. I have seen no evidence that suggests OSX gets it any more than Microsoft did.

Linux next because source code is avaliable... and while clever hits without source are sometimes easier you just might get lucky walking the ususal paths and find something exploitable.

MS has been more or less awake from the security perspective for years

Kobayashi Maru

[Coolhand2120]

Someone should pull a Kobayashi Maru and hack all the competing hacker's machines so they can win the prize.

Re:

[calebt3]

Everybody else gets redirected to 127.0.0.1 while you take your time?

GNU/Linux... which distro will they use?

[Sodki]

I hope they'll go with Gentoo. It is uncrackable. When the hackers attack they can't do anything to it because the system is busy compiling itself.

Re:

[corychristison]

... I know this was meant to be a joke, but I just have to respond.

I don't understand this "uncrackable" part. OpenSSH is on the livecd. Most admins ssh into the box to set it up... leaving ssh open to all. On the current live CD, OpenSSH is pretty old.

I recently installed Gentoo on my new AMD64 X2 5200+ (65nm/65W). Took about 3-3.5 hours to: partition, install the base, install grub, compile a kernel(took about 3 mins for the kernel, another 10 for modules), boot into new install, upgrade portage

To make it fair.

[Higaran]

I think all each team should have to hack all 3 computers, and the first team to do so gets to pick, and then the seconed picks the next one and then the thrid gets the last one. So that equal energy goes into hacking each unit, and each team will learn something about a system they probably didn't know, and isn't that what this whole thing is about, learing something.

Me thinks...

[drewmoney]

They should probably turn off the Windows machine, just to make it fair and all...

These contests provide limited information...

[argent]

While they may help reveal specific information about vulnerabilities, which is good, they don't provide much useful information about the security of the systems being attacked.

Aw, man...

[TobyRush]

I saw the headline and got all excited.... [wikipedia.org]

On your marks, get set

[KimmoV]

I can just see this happening.. MC: Okay...the competition is ready to start... We have three computers, Vista, XP and Mac....crack it and it's yours.. Are you ready? On your marks, get set, g.......OKAY OKAY! Not funny...We have now XP and MAC available...the competition will start on my mark....On your marks, get set...go!!

It's just a game.

[rtechie]

You can't determine the security of an OS, any OS, by this kind of limited one-off testing. REAL testing is systematic and time consuming, and involves completely the opposite rationale. Conventioal testing involves attacking a single target until it breaks, this "test" involves attacking a bunch of different systems and seeing which fails "first". This doesn't really evaluate "security" because the critical factor is THE ORDER IN WHICH THE EXPLOITS WERE TRIED. If the attacker just happens to hit the right

Re:

[doombringerltx]

Just a wild guess, but I doubt with whatever distro they use, it won't be an alpha or beta verison. Just a hunch.

Re:

[HiThere]

Actually, Vista may be the last standing. I'm not saying it's the most secure, but it's the most unknown. And if you were a Black Hat who had developed a route into Vista, I'm sure there are more profitable ways of exploiting your ingenuity.

Re:

[egypt_jimbob]

Thank you for finally bringing this up. If someone has oh-day for out-of-the-box Vista, it's probably worth at least $20k. Who's gonna drop a twenty thousand dollar 0day for a box?

Re:

[Antique Geekmeister]

Does it count that the contest managers will still have been unable to install the network drivers, so it's unconnected to anything? I've tried to install network drivers for a Broadcom chipset on an OpenBSD system: it wasn't a pretty sight.

Re:

[Daimanta]

That's not fair. Linux has the unfair adavantage. There are no windows fans.

Re:

[Titoxd]

To be fair, Linus said that HFS+ was complete and utter crap, not all of OS X. As for HFS+, I do agree with him, sadly...