Linked by Thom Holwerda on Fri 28th Mar 2008 20:39 UTC, submitted by irbis
Privacy, Security, Encryption "An Apple Mac was the first victim in a hacker shoot-out to determine which operating system is the most secure. A former US National Security Agency employee has trousered USD 10000 for breaking into a MacBook Air at CanSecWest security conference's PWN 2 OWN hacking contest. The MacBook was lined up against Linux and Vista PCs - which have so far remained uncracked. Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but yesterday the rules were relaxed so that attackers could direct contest organisers using the computers to do things like visit websites or open email messages. The MacBook was the only system to be hacked by Thursday. Miller didn't need much time. He quickly directed the contest's organisers to visit a website that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on. He was the first contestant to attempt an attack on any of the systems." There is more bad news for Apple: "If you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple." Update: The contest is over. Vista got hacked using Adobe's Flash, Ubuntu was left standing.
Thread beginning with comment 307117
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE: Here you go!1
by pxa270 on Sat 29th Mar 2008 09:03 UTC in reply to "Here you go!1"
Member since:

Oh really, so tell me how to you call then what happened to Graduate School of Arts and Sciences last month?

Ok, why don't you tell me how exactly it got hacked, since you seem to know so well?

Their web site got just hacked and student data were stolen and then exposed to Bittorrent. And guess which system they are running? Oh, oh.... So please don't come up with nonsense.

So they were running a webserver on XP, which got hacked? Was it Apache or IIS? Hacked trough a software vulnerability or a leaked password? Not that it matters, since a default XP install does not run any webserver, so this would be an impossible attack angle in this contest anyway.

I guess I should have qualified my statement: non-user interaction exploits are pretty much over for the default setup of end user desktop systems. Vista and XP-SP2 run a firewall by default, OS X and Linux run few to no net exposed servers. How are you going to exploit them? Of course it's possible that you discover a hole in the Windows firewall and a vulnerability in one of the services behind the firewall, but that probability is pretty low. That should be pretty clear from this contest: nobody even made an attempt on the first day. Even XP-SP2 in its default setup would probably do just as well.

Of course, it's an entirely different matter if you're talking about systems running servers exposed to the network, which are course much riskier. Claiming that non user interaction exploits or over in that scenario is of course foolish, since vulnerabilities in permanent running net exposed software (not just webservers, but also things like skype and instant messengers) are discovered all the time. But in that scenario it isn't clear at all that OS X or Ubuntu with Apache would fare much better than, say Vista with IIS.

But that was not the point of the first day contest, where you're asked to remotely compromise a default setup without user interaction. Pretty much all modern systems are hardened enough for that.

Reply Parent Score: 5