Linked by Thom Holwerda on Fri 28th Mar 2008 20:39 UTC, submitted by irbis
Privacy, Security, Encryption "An Apple Mac was the first victim in a hacker shoot-out to determine which operating system is the most secure. A former US National Security Agency employee has trousered USD 10000 for breaking into a MacBook Air at CanSecWest security conference's PWN 2 OWN hacking contest. The MacBook was lined up against Linux and Vista PCs - which have so far remained uncracked. Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but yesterday the rules were relaxed so that attackers could direct contest organisers using the computers to do things like visit websites or open email messages. The MacBook was the only system to be hacked by Thursday. Miller didn't need much time. He quickly directed the contest's organisers to visit a website that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on. He was the first contestant to attempt an attack on any of the systems." There is more bad news for Apple: "If you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple." Update: The contest is over. Vista got hacked using Adobe's Flash, Ubuntu was left standing.
There's no invincible OS
by Phloptical on Sat 29th Mar 2008 13:13 UTC
Phloptical Member since:
2006-10-10

You can code all you want, and put in as many bundled security features as the day is long. But at the end of the day, if the user is stupid, and doesn't exact some sort of logical thinking while using a PC, the point of failure resides solely on them. You can't patch a user.

That goes for any OS in the wild.

Score: 4

RE: There's no invincible OS
by tweakedenigma on Sat 29th Mar 2008 14:09 in reply to "There's no invincible OS"
tweakedenigma Member since:
2006-12-27

Gotta agree there, at this point in the game the fault is normally a problem caused by the users not taking due care in what they are doing.

Windows, Mac, Linux, BSD, Unix, Solaris are all able to be hurt by people that don't know how to take care of themselves online.

Score: 3

RE: There's no invincible OS
by sbergman27 on Sat 29th Mar 2008 14:36 in reply to "There's no invincible OS"
sbergman27 Member since:
2005-07-24

But at the end of the day, if the user is stupid, and doesn't exact some sort of logical thinking while using a PC

I am not anti-mac by a long shot. But... as I posted earlier, all the user had to do was visit the web site with the exploit to give the cracker the foot in the door he needed. (There was no "Please download and run this." and no "Please enter your administrator password".) This site could just as easily have been a Google search hit encountered while a user was comparing the relative fuel economies of two cars he was considering buying. I really don't see how or why anyone would choose to defend it. And by blaming the user, at that!

Apple needs to fix this serious security hole. Period.

That said, people are still safer with Mac than with Windows. Because the fact of the matter is that, for whatever reason (it doesn't matter), Windows users are the ones under siege. If you had a choice of two Kevlar vests, of known equal quality, and of two associated destinations, would you rather wear vest #1 and go to Omaha Nebraska, where occasionally one reads in the paper about how someone was shot? Or would you rather wear vest #2 and go to a war zone?

While arguments that state, or imply, that if everybody used Operating System Q, it "would be just as vulnerable as Operating System W is" are common, they are also completely specious.

Windows advocates: "If only it were you under attack. If only I weren't the one under attack all the time!"

Everyone else: "Butcha are, Blanche! Ya are!"

Reality prevails... again.

Edited 2008-03-29 14:40 UTC

Score: 8

RE[2]: There's no invincible OS
by tomcat on Mon 31st Mar 2008 06:37 in reply to "RE: There's no invincible OS"
tomcat Member since:
2006-01-06

That said, people are still safer with Mac than with Windows. Because the fact of the matter is that, for whatever reason (it doesn't matter), Windows users are the ones under siege.


It's this kind of denial and complacency which has led Apple to fall on its face over security. Personally, I'd rather use an OS from a supplier that has shown willingness and demonstrable success in improving security. At least Microsoft has that going in its favor.

Score: 2

RE: There's no invincible OS
by mind!dagger on Sat 29th Mar 2008 22:43 in reply to "There's no invincible OS"
mind!dagger Member since:
2007-06-26

You can't patch a user..


Does a swift kick from the foot to the ass count as a user-level patch?

Most of the repairs I've made were to user-level stupidity. Porn sites being the main culprit.

Score: 1

RE: There's no invincible OS
by andyfisk on Wed 2nd Apr 2008 23:11 in reply to "There's no invincible OS"
andyfisk Member since:
2008-04-02

Of all the stuff that has been written so far, this scares me the most -- even if Apple and Microsoft wrote perfect, secure code as soon as a user is involved any hope of security goes out the window. In a default "out of the box" install the first user on a Mac is an admin account, maybe I need to go and read the fine print of the contest and this wouldn't be allowed, but with an admin account on a Mac and the user will run the application for me root access is 6 clicks. While I appreciate the inventiveness of the folks that cracked this -- 3 weeks of work for something that would take 10 minutes on the phone with a user seems a little silly. And while it might take more than 6 clicks, I am sure that Vista would fail the same way, and the only saving grace for the *nix OS (yes I know OSX is a *nix OS but the world seems to think it is different (at least that's what Apple says)) is that the users tend to be a little more in tune with security. As soon as Mom and Dad buy an Ubuntu box from Wal-Mart or Dell, even that differential will go away. Seems like the security folks are looking in the wrong direction and would rather people bought the latest super duper security suite version 10.

Score: 1