Linked by Thom Holwerda on Fri 28th Mar 2008 20:39 UTC, submitted by irbis
Privacy, Security, Encryption "An Apple Mac was the first victim in a hacker shoot-out to determine which operating system is the most secure. A former US National Security Agency employee has trousered USD 10000 for breaking into a MacBook Air at CanSecWest security conference's PWN 2 OWN hacking contest. The MacBook was lined up against Linux and Vista PCs - which have so far remained uncracked. Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but yesterday the rules were relaxed so that attackers could direct contest organisers using the computers to do things like visit websites or open email messages. The MacBook was the only system to be hacked by Thursday. Miller didn't need much time. He quickly directed the contest's organisers to visit a website that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on. He was the first contestant to attempt an attack on any of the systems." There is more bad news for Apple: "If you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple." Update: The contest is over. Vista got hacked using Adobe's Flash, Ubuntu was left standing.
Thread beginning with comment 307103
Awesome
by mrhasbean on Sat 29th Mar 2008 04:39 UTC

Great news for Microsoft - now that people know Vista is secure I'm sure they will overlook all the other things they hate about it...

The contest really doesn't expose holes in any of these OSes though. It wasn't the operating system that was compromised, it was a piece of software running on the operating system - regardless of it being bundled software. Web browsers are commonly used and therefore viewed as game for the hackers. How many other apps now interact with the 'net in some way though? Who is to say that any of the apps bundled with any of these OSes don't have flaws that could be exploited? It's great that the Safari flaw has been exposed - Apple can now fix it. So if that flaw is fixed and they redo it, where does that leave the argument of all the near orgasmic frenzied Windows fanboys? Totally moot? How many flaws have been found in IE over the years - or Firefox - or [insert your browser of choice for whatever platform]?

The guy who won this obviously went along to the contest with the knowledge already in hand, which once again raises the argument about these people just wanting their 5 minutes of fame. Maybe Mummy and Daddy didn't pay him enough attention when he was little? Who knows? The responsible thing to do with any such knowledge would be to inform the company in question. It seems though that these guys are really only interested in the kudos and making money from it. In some fields it would border on extortion - but when it's software they get publicized and win rewards. Go figure.

And for the record, I use all three OSes - well, actually, I don't use Vista 'cause, well, sorry but I gave it a week and then reinstalled XP Pro. And that was after the Service Pack. Secure or not it's not for me. I never have issues with XP (after it was properly secured) or Linux (which I really only use on some servers) or OSX. Like everyone these days I regularly run utilities on all of them to check for rootkits, viruses, spyware, etc. And if I had browsed to the web page in question on one of my OSX boxes Little Snitch would have popped a dialog to ask me if I wanted to allow the connection - so my Mac would still be running along nice and secure.

I'd be interested to see what would happen if the hackers were allowed to give them a CD to insert...

Reply Score: 1

RE: Awesome
by 6c1452 on Sat 29th Mar 2008 05:12 in reply to "Awesome"

The guy who won this obviously went along to the contest with the knowledge already in hand, which once again raises the argument about these people just wanting their 5 minutes of fame. Maybe Mummy and Daddy didn't pay him enough attention when he was little? Who knows?


The guidelines state:

To claim a laptop as your own, you will need to read the contents of a designated file on each system through exploitation of a 0day code execution vulnerability (ie: no directory traversal style bugs).


Nothing about having to discover and figure out how to exploit a vulnerability during the contest. Everybody else had the same opportunity.


The responsible thing to do with any such knowledge would be to inform the company in question. It seems though that these guys are really only interested in the kudos and making money from it. In some fields it would border on extortion - but when it's software they get publicized and win rewards. Go figure.


The guidelines state:
[...] once the vendor patches the issue. Until then, the actual vulnerability will be kept quiet from the public. This is a required condition of entry into the contest; all entrants must agree to the responsible disclosure handling of their vulnerability/exploit through the ZDI.
[...]
Any vulnerability that the Zero Day Initiative awards a cash prize for, becomes the property of the ZDI, and therefore the winner can not discuss or disclose details of the 0day until the affected vendor has successfully patched the issue. Any discussion of the bug prior to the public disclosure of a ZDI advisory will result in forfeiting of the prize. TippingPoint is collaborating with the vendors to ensure that their response teams will be ready and waiting to receive any and all 0day that comes out of this contest.


Hard to get more responsible than that.

Edited 2008-03-29 05:17 UTC

Reply Parent Score: 6

RE[2]: Awesome
by Arun on Sat 29th Mar 2008 17:12 in reply to "RE: Awesome"

That wasn't the original poster's point. The guy who broke Safari knew about the exploit before the contest but had not informed Apple; he waited till the contest.

Reply Parent Score: 2