Slashdot Mirror
Large Prize Offered For Writing Mac Virus
Mordant writes "Some experienced Mac developers are offering a $25K prize to the first person to successfully infect two 'naked' Internet-connected Macs running stock Apple software. The best part is that if any Symantec employee succeeds in infecting the Macs, the prize goes up to $50K (Symantec has been fanning the flames of totally bogus "Macs aren't more secure, it's just that Windows is a bigger target" technical-equivalence propaganda)!" Update: 03/26 20:24 GMT by Z : Well, that was quick. Jack Campbell has cancelled the contest, after he "...was contacted by a large number of Mac users, and Mac software professionals who shared their thinking with me about the contest."
This has got to be one of the stupidest contests of this type I've heard about.
1) If a virus has spread over every Mac on the Internet, then it's harmful.
2) Many people would say that ANY virus is harmful, just by virtue of it being a virus (spreading, infecting.)
3) I'm so sure it's worth $50,000 for Symantec to finally put that "Antivirus companies don't write viruses" myth to bed.
4) We're going to use antivirus software to determine if we've been infected... which will only catch previously known viruses.
5) Hey you guy that wrote the virus that spread to every Mac on the Internet: just identify yourself afterwards, and we'll pay you.
Couldn't this shake their credibility, though, if someone does succeed? Seems like a bit of a gamble to me. But it would be cool if no one succeeded.
Everything I need to know about copyrights I learned from Slashdot.
Nice balanced submission you got there. As far as I'm aware there is no conclusive evidence that shows Macs are inherently more secure and would not suffer the virus problem that Windows does if it had Windows' market share. Note that a lot of the virus problem comes from users showing bad practice (clicking 'Yes' to install things they really shouldn't, opening attachments they really shouldn't). I wouldn't be suprised if Mac users were on average more savy, and this could contribute.
This is the notorious Jack Campbell, one of the shadiest characters around. It's undoubtedly a publicity stunt for his business. What a jerk.
They aren't asking for source code to the virus, or the virus to be sent to them (and only to them) in a polite form, they're leaving two Macs exposed to the net and expecting to pick a winner by what their virus scanning software finds. You claim the money by sending them a 32 character string that appears in the virus.
If you got a virus to them this way, I think the $25k would only begin to cover your legal bills.
Something tells me it's unlikely you'd ever see the cash, even if you were to succeed.
Google for Jack Campbell and MacTable for more info on this guy's shady past.
Since the majority of viruses, spyware, and other crap are due to user inaction, this isn't really a fair metric about the overall security. However, it is good to compare against the Windows survival time which is measured in minutes. This does show that Apple has its default security setup as "paranoid with multiple tin foil hats) compared to Windows XP's default setup. A more interesting test would compare how hard it is to get spyware onto a user's computer via the default webbrowser since that seems to be the primary vector these days. However, this is problematic since it's heavily dependent on user stupidity.
--
Want a free iPod?
Or try a free Nintendo DS, GC, PS2, Xbox. (you only need 4 referrals)
Wired article as proof
They double the reward from $25,000 to $50,000 if a Symantec employee writes the virus? Most companies that run these kinds of events prohibit employees from entering because the risk of cheating is too great. Who is to say some employee from Symantec gets a hold of an entry, and changes it slightly and then submits the entry as his own? Wasn't Mcdonalds involved in an insider game scam? http://archives.cnn.com/2001/LAW/08/21/monopoly.ar rests/
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
Would you accept the word of a locksmith telling you that your current locks aren't sufficient and that you should give him lots more money to put new locks on your house if he cannot SHOW you how easy it is for him to pick your current locks?
It's time for Symantec to put up or shut up. Either Macs do need their software AND they can prove it or they're just pushing their software with lies.That's an awful big "if".That's a real problem. Either the virus writer has to modify an existing virus so that its signature is picked up, or send the virus software companies a copy of his virus so they can update their signature files.That's about how it will go.
Either someone has to show how it can be done, or Symantec needs to shutup about how vulnerable Macs are.
Personally, I don't see much of a problem there.
Worms attack through ports.
Viruses load themselves into memory and infect other files.
Trojans only run when you launch them.
From the article, it looks as if they're hunting for worms or exploitable holes in apps. But the most common Windows-side issues now are trojans emailing themselves to everyone.
Too bad this is being sponsored by a manufacturer of rather poor-quality products. For example, they make a product called the SightFlex which appears to be the ideal iSight stand. So, I bought one... The camera caused all sorts of problems on the FireWire bus, so I contacted Jack at MacMice. The long thread of emails ended in my not receiving a response to a request for a working product, although Jack did suggest opening up the SightFlex and wrapping aluminum foil around the wires in the base.
t ing
;)
So, I opened it up and here's what I found: http://www.nuxx.net/gallery/sightflex_troubleshoo
Great, huh? Nicely random scattered, poorly soldered wires in the base, not all twisted up like they are supposed to be in a FireWire cable.
I would have pursued the issue further, but the cheap plastic base of the device ended up breaking when I was moving it around one day. It seems that the flexible metal of the neck is just threaded into some fairly thin plastic in the base (again, see pictures) and the rather brittle plastic just up and broke one day.
Great idea, piss poor execution.
And, it is exactly becuase of this sort of product why I will never trust DVForge / MacMice again, no matter how noble the cause may be.
After my experience, I'd think that they are offering $25,000 in monopoly money. Note that they never say US Dollars, so you can't fault them if they pay up in fake bills.
Viruses are inhereintly harmful, from the mere fact that they replicate.
Inducing someone to commit a crime by offering to pay them is also illegal.
So the summary claims that Mac OS X is technically more secure than Windows. Then why has this well-known root exploit in iSync not been fixed even after several security updates and one system update, and despite that Apple has apparently been notified?
That worries me -- this bug is trivial to exploit from any user account (just compile and run). It smells like Microsoft-esque security practices.
FWIW, my temporary fix was to revoke the vulnerable file's setuid and execute permissions:
(Note: omit any spurious spaces and linebreaks Slashdots inserts here.)
Jack Campbell, who is behind this, has been behind a number of rather dubious projects. There's a page about him at Macintouch http://www.macintouch.com/mactable.html.
There was a "hack a mac" contest in 1997. The challenge was to break in and modify a web page. Eventually someone named Starfire succeeded. The company fixed the site and renewed the challenge. Starfire broke in again and the company refused to pay the second time due to some sort of dispute.
Symantec doesn't like Macs? That's news to me.
I am a Symantec employee (posting this anon for obvious reasons), and myself and several others in my department own Macs. When I work from home, I do so on my Mac.
I don't know why my employer is speaking poorly of Macs, but I will be asking some questions in the office on Monday morning.
if it was behind a firewall(a proper one, even xp's own) then there's nothing that could have gotten to the xp computer in the first place.
maybe in that 10 minutes he went on and downloaded "dogsex3333.exe" or something.
world was created 5 seconds before this post as it is.
I think Microsoft has changed a great deal in the past 5-10 years, and I think it might be our fault. When MS first came out with Windows 95, it was a HUGE improvment over Windows 3.1, it was made to be much easier to use. It trusted the user to do anything and everything. When Windows 98 came out, it was very much like Windows 95. It trusted the user. It did not expect hackers to take over a system. Windows 98 was made for multimedia use, for games, to have fun.
Somewhere after that, people started slamming Microsoft. In many cases the reasons for attacking Microsoft were valid, it was becomming a monopoly, ect, ect. But some people also decided to start hacking and cracking into Windows computers because they hated Microsoft. Some hacked just because they were curious. I will admit, when Excite@Home first offered internet service in my area, you could open Windows Explorer and browse the neighborhood. If you knew any IP address, all you had to do was assign it a new drive letter. Why would Microsoft make it so easy for computers to connect and share information? Was Microsoft out to make our lives so insecure that anyone could rob us blind?
Now Microsoft's pendulum has swung all the way to the other extreme. Now you can't get Windows without tons and tons and tons of DRM bullcrap, you can't run software your way, it has to be their way. And they are going the way of making each copy of Windows known to them, you have to call in to activate your copy, and when you do they get tons of data about your CPU, other identifiable information about your system, and so forth which they match up with the serial number of the copy of Windows you have.
I don't think people will ever be satisfied. What happens if you make it very secure and filled with DRM. Nobody except tech's will want to use it. What happens if you make it very easy to use, everything is trusted? Hackers will exploit it.
My contention is, make it reasonably secure out of the box. If 90% of the attacks come from active-x, maybe it is time to retire active-x? Yet the moment you retire active-x, there goes all the flash swf video's and games too. So, what do you do? How much are YOU willing to trust your neighbors when they have anonymity?
Or should it be, that the USER must know what they are doing? If that is the concensus that we are heading to, the personal computer will die for mainstream people, and it will go back to the backpages of popular mechanics magazines. I for one have come to the point where I could learn to live without email. There are enough ways for people to reach me that I don't need a computer. And I am old enough where I really don't care about games on the computer. If my experiance on the computer is taking HOURS AND HOURS to fight off hackers and script kiddies, then spending HOURS AND HOURS trying to find a hack to back up my DVD's, at some point I will say "this is just too much a pain in the ass" and I'll go outside and BBQ and drink beer, and talk to the neighbors and find out thier names.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
If you contract and pay someone to kill someone else, you are held liable in their murder. I'd assume if you contract and pay someone to write a virus, you're liable for whatever computer crimes are broken as well.
If you offer a $25,000 prize to someone who writes a virus, you are contracting someone to write a virus, and I would very much expect you are liable to be charged with computer crimes even if the person who writes the virus is never caught.
If you look at the link, these people have cancelled their contest. But the offer was still made. I am not sure canceling the contest is enough to get them out of legal liability of having offered cash to break the law. If someone attempts a mac virus in the next month, or some other timeframe that would make it likely to be a response to this "contest", I wonder what will happen to them.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
Whenever someone sends an email virus to my Mac, VirtualPC kindly associates a Windows icon with it, reminding me once again why I abandoned the Window platform.
I am TheRaven on Soylent News
Connect these dots:
1) Finder (and other apps) automatically shows thumbnails of image files without user intervention
2) postscript and EPS files are image files than must be executed to generate thumbnails
3) postscript is Turing complete
So, if you wanted to get an attachment to auto-execute on reciept, what file format would you use?
19: Estimated number of days before we see all kinds of exploitable holes in Apple's and various other postscript interpreters...
There are 1.1... kinds of people.
from post:
"Symantec has been fanning the flames of totally bogus "Macs aren't more secure, it's just that Windows is a bigger target" technical-equivalence propaganda"
Of course, in the article, the Symatec claim is actually backed up.
from Symantec article:
"In its seventh bi-annual Internet Security Threat Report, Symantec said over the past year, security researchers had discovered at least 37 serious vulnerabilities in the Mac OS X system."
"Apple Computer has become a target for new attacks... The appearance of a rootkit109 called Opener in October 2004, serves to illustrate the growth in vulnerability research on the OS X platform..."
"Symantec's concerns were echoed by James Turner, security analyst at Frost & Sullivan Australia, who said many of the people who bought Apple products were not concerned about security, which left them wide open to attack."
"Look at where mobile viruses are going and they are not targeting Microsoft - they are targeting the market leader, which is Symbian,"
Vote for Pedro
The fact that he shut it down ("chickened out") only gives credibility to the claim that "Windows is just a bigger target" crowd, which were not his intentions. If he kept the contest going, and the Macs had been infected, which probably would have happened eventually, then it would show that Macs are vulnerable too, which Mac software writers don't want, because Mac has benefited from the security lessons MSFT has learned the hard way and the perception, real or not, that Macs are more secure. Either way, it was a lose-lose for this guy and the Mac community.
No, as both a Windows and a Mac user myself (typing this on my G5 right now) - I agree completely with you. The Mac "community" seems to enjoy hanging onto the belief that Mac apps are almost always "friendlier" and "easier to use" than their Windows counterparts.
.sit extension from the end of them. Well, hey, that's pretty cool, EXCEPT, the whole design of Mac OS X has pivoted around the idea that file extensions aren't critical to a file's behavior. Mac users are trained to learn that their JPG doesn't have to end in .jpg for their favorite editor to view it properly by default. Extensions can just be completely left off of your documents, and it's pretty much just "optional". But now, StuffIt comes along and creates a situation where the .sit extension does have actual meaning/functionality.)
I've found that to be entirely false as often as it's true. Basically, a wash....
There are lots of reasons I like my Mac, but an equal number of reasons to dislike it. Until somebody really "gets it all right", I feel like my best option is to keep using both platforms.
As you said, 3rd. party products can radically change the "interface philosophy" of the whole system. (EG. The latest version of Stuffit Expander for the Mac will automatically compress or decompress files simply by the user adding or removing the