Linked by Thom Holwerda on Fri 28th Mar 2008 20:39 UTC, submitted by irbis
Privacy, Security, Encryption "An Apple Mac was the first victim in a hacker shoot-out to determine which operating system is the most secure. A former US National Security Agency employee has trousered USD 10000 for breaking into a MacBook Air at CanSecWest security conference's PWN 2 OWN hacking contest. The MacBook was lined up against Linux and Vista PCs - which have so far remained uncracked. Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but yesterday the rules were relaxed so that attackers could direct contest organisers using the computers to do things like visit websites or open email messages. The MacBook was the only system to be hacked by Thursday. Miller didn't need much time. He quickly directed the contest's organisers to visit a website that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on. He was the first contestant to attempt an attack on any of the systems." There is more bad news for Apple: "If you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple." Update: The contest is over. Vista got hacked using Adobe's Flash, Ubuntu was left standing.
Comment by apoclypse
by apoclypse on Sat 29th Mar 2008 05:47 UTC
apoclypse Member since:
2007-02-17

Well the real issue here is that this is not the first time that there has been a compromising exploit for Safari. Anyone here remember the exploit used to jailbreak the iPhone? At the end of the day the OS may be as safe as possible. If the applications aren't written with security in mind then the OS doesn't matter at that point.

I rarely use Safari on my Mac. I use Firefox because I don't like the way Safari automatically mounts all of your downloaded content, which I think is a huge security risk.

What I want to know is if this is an issue with WebKit or if the problem solely rests on Safari.

Btw, I'm also very pleased to see Ubuntu still hanging in there. Considering that security hasn't really been a priority for the distro, it's really surprising. Regardless of how much a pain in the ass Vista is, MS learned their lesson and the OS does seem far more secure than its predecessor. This is good to see as well, even though I'm not a Windows user at home.

Edited 2008-03-29 05:54 UTC

Reply Score: 2

RE: Comment by apoclypse
by macUser on Sat 29th Mar 2008 06:21 in reply to "Comment by apoclypse"
macUser Member since:
2006-12-15

I rarely use Safari on my Mac. I use Firefox because I don't like the way Safari automatically mounts all of your downloaded content, which I think is a huge security risk.


The opening of safe content is a preference that can be turned off. I think it should be off by default and don't like the fact that it isn't. I'm wondering if this attack exploited this default setting, or if the attack was based on some other crack in the code.

Should be real interesting when the exploit is announced.

Reply Parent Score: 1

RE: Comment by apoclypse
by netpython on Sat 29th Mar 2008 14:26 in reply to "Comment by apoclypse"
netpython Member since:
2005-07-06

Considering that security hasn't really been a priority for the distro, it's really surprising.

I don't agree. Just have a look at the release notes of the upcoming 8.04 release:

in the footsteps of Ubuntu 7.10 with even more virtualization support and security enhancements - enabling AppArmor for more applications by default, improving protection of kernel memory against attacks, and supporting KVM and iSCSI technologies out of the box.

Reply Parent Score: 2

RE[2]: Comment by apoclypse
by sbergman27 on Sat 29th Mar 2008 15:08 in reply to "RE: Comment by apoclypse"
sbergman27 Member since:
2005-07-24

I don't agree. Just have a look at the release notes of the upcoming 8.04 release:


FWIW, the claims that Ubuntu is not security conscious mainly seem to be coming from the "SELinux is the one true security framework" camp.

I would be interested in seeing a contest like this conducted between various Linux distros. (Obviously, the contest would have to run a lot longer than this one that included easier targets, like MacOSX and Windows.) But I'd like to see if the claims made by the Fedora camp (which I more or less consider to be my distro of choice) are valid, or just a bunch of smoke.

On the topic of firewalls, it is true that Ubuntu does not run one by default. But it also has no services listening on any ports, by default. IIRC, while Fedora has a firewall by default, the SSH service is running, and port 22 is open by default, giving Ubuntu the security edge, overall, on that front.

Reply Parent Score: 2

RE[2]: Comment by apoclypse
by apoclypse on Sat 29th Mar 2008 21:00 in reply to "RE: Comment by apoclypse"
apoclypse Member since:
2007-02-17

Well I meant to say in the past. I think they've included an easy to use command line firewall utility this time around and they should be working on a UI for the next release. With 7.10 many complained about Ubuntu's security compared to other distros and the Ubuntu devs heard their pleas and are now making the OS more secure (than it already is apparently).

I think Ubuntu was the perfect candidate for Linux in this contest. It's the most popular distro out there and because of the market that Canonical wants to focus on the distro would be perfect to exploit. The fact that it couldn't be done even with all the third party apps that come installed with Ubuntu by default and all the binary drivers that it installs for your hardware, it just makes Linux look like a rock.

The funniest thing about Apple is that they don't even acknowledge the Linux community, their focus (and I guess rightly so) is solely on Windows users. This just doesn't make them look good at all, losing to Windows is harsh,

Reply Parent Score: 2