Linked by Thom Holwerda on Fri 28th Mar 2008 20:39 UTC, submitted by irbis
Privacy, Security, Encryption "An Apple Mac was the first victim in a hacker shoot-out to determine which operating system is the most secure. A former US National Security Agency employee has trousered USD 10000 for breaking into a MacBook Air at CanSecWest security conference's PWN 2 OWN hacking contest. The MacBook was lined up against Linux and Vista PCs - which have so far remained uncracked. Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but yesterday the rules were relaxed so that attackers could direct contest organisers using the computers to do things like visit websites or open email messages. The MacBook was the only system to be hacked by Thursday. Miller didn't need much time. He quickly directed the contest's organisers to visit a website that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on. He was the first contestant to attempt an attack on any of the systems." There is more bad news for Apple: "If you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple." Update: The contest is over. Vista got hacked using Adobe's Flash, Ubuntu was left standing.
Thread beginning with comment 307105
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE: Awesome
by 6c1452 on Sat 29th Mar 2008 05:12 UTC in reply to "Awesome"
6c1452
Member since:
2007-08-29

The guy who won this obviously went along to the contest with the knowledge already in hand, which once again raises the argument about these people just wanting their 5 minutes of fame. Maybe Mummy and Daddy didn't pay him enough attention when he was little? Who knows?


The guidelines state:

To claim a laptop as your own, you will need to read the contents of a designated file on each system through exploitation of a 0day code execution vulnerability (ie: no directory traversal style bugs).


Nothing about having to discover and figure out how to exploit a vulnerability during the contest. Everybody else had the same opportunity.


The responsible thing to do with any such knowledge would be to inform the company in question. It seems though that these guys are really only interested in the kudos and making money from it. In some fields it would border on extortion - but when its software they get publicized and win rewards. Go figure.


The guidelines state:
[...] once the vendor patches the issue. Until then, the actual vulnerability will be kept quiet from the public. This is a required condition of entry into the contest; all entrants must agree to the responsible disclosure handling of their vulnerability/exploit through the ZDI.
[...]
Any vulnerability that the Zero Day Initiative awards a cash prize for, becomes the property of the ZDI, and therefore the winner can not discuss or disclose details of the 0day until the affected vendor has successfully patched the issue. Any discussion of the bug prior to the public disclosure of a ZDI advisory will result in forfeiting of the prize. TippingPoint is collaborating with the vendors to ensure that their response teams will be ready and waiting to receive any and all 0day that comes out of this contest.


Hard to get more responsible than that.

Edited 2008-03-29 05:17 UTC

Reply Parent Score: 6

RE[2]: Awesome
by Arun on Sat 29th Mar 2008 17:12 in reply to "RE: Awesome"
Arun Member since:
2005-07-07

That wasn't the original poster's point. The guy who broke safari knew about the exploit before the contest but had not informed Apple but waited till the contest.

Reply Parent Score: 2

RE[3]: Awesome
by Gryzor on Sun 30th Mar 2008 15:56 in reply to "RE[2]: Awesome"
Gryzor Member since:
2005-07-03

That wasn't the original poster's point. The guy who broke safari knew about the exploit before the contest but had not informed Apple but waited till the contest.


And what's wrong about that. Why miss the opportunity to earn 10k and a laptop. You'd be a fool if you didn't do it.

Edited 2008-03-30 15:56 UTC

Reply Parent Score: 2