Large Prize Offered For Writing Mac Virus

Mordant writes "Some experienced Mac developers are offering a $25K prize to the first person to successfully infect two 'naked' Internet-connected Macs running stock Apple software. The best part is that if any Symantec employee succeeds in infecting the Macs, the prize goes up to $50K (Symantec has been fanning the flames of totally bogus "Macs aren't more secure, it's just that Windows is a bigger target" technical-equivalence propaganda)!" Update: 03/26 20:24 GMT by Z : Well, that was quick. Jack Campbell has cancelled the contest, after he "...was contacted by a large number of Mac users, and Mac software professionals who shared their thinking with me about the contest."

Stupid

[ryanr]

This has got to be one of the stupidest contests of this type I've heard about.

1) If a virus has spread over every Mac on the Internet, then it's harmful.

2) Many people would say that ANY virus is harmful, just by virtue of it being a virus (spreading, infecting.)

3) I'm so sure it's worth $50,000 for Symantec to finally put that "Antivirus companies don't write viruses" myth to bed.

4) We're going to use antivirus software to determine if we've been infected... which will only catch previously known viruses.

5) Hey you guy that wrote the virus that spread to every Mac on the Internet: just identify yourself afterwards, and we'll pay you.

Re:Stupid

[ryanr]

If they gave the IPs for the Macs in question, you could go fo that route. There are ways to find out of course, but that doesn't seem to be what they are after, by my reading. Who wants to start attacking random Macs, on the assumption that they are the right ones? Well, and be able to claim the prize after...

They HAVE actually left a practical attack vector, should someone want to try. They will accept email, but not open attachments. They have left open the vector of client-side holes in their email app(s). Were I going to try, that's how I'd do it.

Re:Stupid

[Ohreally_factor]

DVforge is owned by one Jack Cambell, a known con artist and admirer of publicity stunts. This is exactly that and nothing more: a publicity stunt.d I'd be very surprised if 1) either of the two computers actually exist, 2) the prize money exists, 3) if the computers exist and the prize money exists, then Jack will ever pay up if someone wins.

Balance

[fish34]

Nice balanced submission you got there. As far as I'm aware there is no conclusive evidence that shows Macs are inherently more secure and would not suffer the virus problem that Windows does if it had Windows' market share. Note that a lot of the virus problem comes from users showing bad practice (clicking 'Yes' to install things they really shouldn't, opening attachments they really shouldn't). I wouldn't be suprised if Mac users were on average more savy, and this could contribute.

Re:Balance

[node+3]

Being based on BSD has nothing to do with anything,

Are you serious? It's a significant swath of the OS that you don't have to worry about!

the userland/desktop space is where most exploits have been in recent years

Wrong. Most 'theoretical' exploits have been in the BSD/OSS side of OS X. Absolutely none of those 'theoretical' exploits have been known to have been actually 'exploited' (all you've had was a 'click this to test' proof-of-concept).

the Aqua shell is no more free from exploits than Explorer is.

That's absurd. Aqua isn't what you use every day to visit untrusted sites with, while Explorer is. That makes it harder to exploit, which makes it inherently more secure.

I think (hope) they fixed that but it was still several months until all the holes and variants of this technique were "fixed" (really just hacked around).

The 'hack' fixes came out the same day, Apple's fix was about two weeks later, primarily because it wasn't a 'patch', it was a change in the policy for running apps from Safari.

Essentially, Apple haven't proven themselves any more skilled at designing secure desktops than Microsoft have.

Except for the fact that there have been *zero* malicious exploits for OS X.

Zero, none, el zip-o, a big goose egg (like the one on your face).

"Experienced Mac developers" my ass.

[qengho]

This is the notorious Jack Campbell, one of the shadiest characters around. It's undoubtedly a publicity stunt for his business. What a jerk.

This strikes me as irresponsible.

[MillionthMonkey]

They aren't asking for source code to the virus, or the virus to be sent to them (and only to them) in a polite form, they're leaving two Macs exposed to the net and expecting to pick a winner by what their virus scanning software finds. You claim the money by sending them a 32 character string that appears in the virus.

If you got a virus to them this way, I think the $25k would only begin to cover your legal bills.

Check out the Sponsor ...

[Socket+Scientist]

... before wasting your time.

Something tells me it's unlikely you'd ever see the cash, even if you were to succeed.

Google for Jack Campbell and MacTable for more info on this guy's shady past.

They should be the experts.

[khasim]

3) I'm so sure it's worth $50,000 for Symantec to finally put that "Antivirus companies don't write viruses" myth to bed.

Their people should be among the best qualified to show how easy it is to infect a Mac.

Would you accept the word of a locksmith telling you that your current locks aren't sufficient and that you should give him lots more money to put new locks on your house if he cannot SHOW you how easy it is for him to pick your current locks?

It's time for Symantec to put up or shut up. Either Macs do need their software AND they can prove it or they're just pushing their software with lies.

1) If a virus has spread over every Mac on the Internet, then it's harmful.

That's an awful big "if".

4) We're going to use antivirus software to determine if we've been infected... which will only catch previously known viruses.

That's a real problem. Either the virus writer has to modify an existing virus so that its signature is picked up, or send the virus software companies a copy of his virus so they can update their signature files.

5) Hey you guy that wrote the virus that spread to every Mac on the Internet: just identify yourself afterwards, and we'll pay you.

That's about how it will go.

Either someone has to show how it can be done, or Symantec needs to shutup about how vulnerable Macs are.

Personally, I don't see much of a problem there.

Worms attack through ports.

Viruses load themselves into memory and infect other files.

Trojans only run when you launch them.

From the article, it looks as if they're hunting for worms or exploitable holes in apps. But the most common Windows-side issues now are trojans emailing themselves to everyone.

DVForge / MacMice? Great...

[nuxx]

Too bad this is being sponsored by a manufacturer of rather poor-quality products. For example, they make a product called the SightFlex which appears to be the ideal iSight stand. So, I bought one... The camera caused all sorts of problems on the FireWire bus, so I contacted Jack at MacMice. The long thread of emails ended in my not receiving a response to a request for a working product, although Jack did suggest opening up the SightFlex and wrapping aluminum foil around the wires in the base.

So, I opened it up and here's what I found: http://www.nuxx.net/gallery/sightflex_troubleshoot ing

Great, huh? Nicely random scattered, poorly soldered wires in the base, not all twisted up like they are supposed to be in a FireWire cable.

I would have pursued the issue further, but the cheap plastic base of the device ended up breaking when I was moving it around one day. It seems that the flexible metal of the neck is just threaded into some fairly thin plastic in the base (again, see pictures) and the rather brittle plastic just up and broke one day.

Great idea, piss poor execution.

And, it is exactly becuase of this sort of product why I will never trust DVForge / MacMice again, no matter how noble the cause may be.

After my experience, I'd think that they are offering $25,000 in monopoly money. Note that they never say US Dollars, so you can't fault them if they pay up in fake bills. ;)

Root exploit _still_ not fixed

[McDutchie]

So the summary claims that Mac OS X is technically more secure than Windows. Then why has this well-known root exploit in iSync not been fixed even after several security updates and one system update, and despite that Apple has apparently been notified?

That worries me -- this bug is trivial to exploit from any user account (just compile and run). It smells like Microsoft-esque security practices.

FWIW, my temporary fix was to revoke the vulnerable file's setuid and execute permissions:

$ chmod 644 /System/Library/SyncServices/SymbianConduit.bundle /Contents/Resources/
mRouter

(Note: omit any spurious spaces and linebreaks Slashdots inserts here.)

More experienced in deception than development

[sgb235]

Jack Campbell, who is behind this, has been behind a number of rather dubious projects. There's a page about him at Macintouch http://www.macintouch.com/mactable.html.

What I'd wonder

[mcc]

If you contract and pay someone to kill someone else, you are held liable in their murder. I'd assume if you contract and pay someone to write a virus, you're liable for whatever computer crimes are broken as well.

If you offer a $25,000 prize to someone who writes a virus, you are contracting someone to write a virus, and I would very much expect you are liable to be charged with computer crimes even if the person who writes the virus is never caught.

If you look at the link, these people have cancelled their contest. But the offer was still made. I am not sure canceling the contest is enough to get them out of legal liability of having offered cash to break the law. If someone attempts a mac virus in the next month, or some other timeframe that would make it likely to be a response to this "contest", I wonder what will happen to them.