Mac Hack Contest Redux

narramissic writes "Remember the controversial Mac hacking contest from last year's CanSecWest conference? No? Here's a refresher: Conference organizers challenged attendees to hack into a Macintosh laptop, with the successful hacker winning the computer and a cash prize. Winner Dino Dai Zovi found a QuickTime bug that allowed him to run unauthorized software on the Mac once the computer's browser was directed to a specially crafted Web page. Well, the contest is back again this year, but with a twist, says Dragos Ruiu, the principal organizer of CanSecWest: 'We're thinking of having a contest where we have Vista and OS X and Linux ... and see which one goes first.""

easy

[jim.hansson]

http://slashdot.org/firehose.pl?op=view&id=508230

Re:easy

It is a very large penis

how about a taste test

[gandhi_2]

where you have to try apples, oranges, and beef jerky and decide which one tastes "best".

out of the box linux? Is there really such a thing? Ubuntu OEM, knoppix? That's a pretty wide range here.

Re:how about a taste test

[cheater512]

I wouldnt call this a apples to oranges comparison.
They are all common operating systems and they all fulfill the same purpose.

Although they'd probably have to do a handful of Linux boxes to ensure that problems aren't distro specific.

Re:how about a taste test

[calebt3]

But then you could have a significant number of people attacking the Vista and Mac boxes (say, 20% each) and the other 60% would be split up among (maybe) 4+ Linux boxes.

Re:how about a taste test

[mrxak]

I'd expect most people will try mac and linux, however many boxes they have. Everybody already knows you can hack Vista no problem, there's not much challenge in it, so they will concentrate on the ones with the higher perceived security. Never underestimate people's desire for glory.

Re:how about a taste test

[toadlife]

Everybody already knows you can hack Vista no problem Ok. How?

Re:how about a taste test

[calebt3]

Click the 'x' in the top corner of the login screen. Oh wait...

Re:how about a taste test

[KDR_11k]

'sides, who'd want to win a Vista PC?

Re:how about a taste test

[Timex]

You COULD take the PC and put the OS of choice on it...

Re:how about a taste test

Well, as long as the OS of choice isn't OS X, because Apple might not like that...

Re:how about a taste test

[darkpixel2k]

Everybody already knows you can hack Vista no problem

Ok. How?

Plug it in to the internet.

Prediction

[flaming+error]

> the successful hacker winning the computer and a cash prize I'm betting somebody's taking home a Windows machine.

Re:Prediction

[Nerdfest]

The outcome would be dependent on whether or not the Vista machine has already booted up. If not, attacking the other 2 gives you a decent head-start.

Re:Prediction

[LiquidCoooled]

There is already a trojan available for vista, however noone is infected because its not finished copying over the network yet.

Re:Prediction

[__aawdrj2992]

That's because they found out it was only a Mac Mini and gave up.

Re:Prediction

Sorry that's my fault, let me turn my sound off.

Re:Prediction

Looks like you're trying to turn Sound off. Cancel or allow?

Re:Prediction

[lazyforker]

That will make the winner a loser. Maybe they should give the winner the machine of their choice!

Default Install

[Archangel+Michael]

I'd make sure that each was installed to default configuration. No tweaking allowed.

Vista installed from DVD default/recommended choices where possible on installation screens. Same with Ubuntu, and Mac OS/X. Any deviations noted. Any extra software installed must be available on all three platforms.

Just to make it "fair".

Re:Default Install

[calebt3]

I'd say that allowing updates to be installed would be fair.

Re:Default Install

But the update model of Windows is completely different from that of Ubuntu and Mac OS/X. Whereas Windows is based around 'distribute platform, then updates to the platform as and when they are done', Ubuntu is based on 'distribute entire platform in each update as and when they are done'. It's very difficult to index the apples and oranges to a common standard here.

Some ways of doing it are:

1. Windows Vista as per release date shrink wrapped copy, Ubuntu as per most recent internet downloaded copy. Result: Vista has a lot more bugs, especially the exploits that have been published and fixed. Ubuntu will use the very latest patches and have none. Argument in favour: The 'idealised new customer experience' is reflected. Argument against: The 'quality of programming' at either the point of Vista release or at the present is not reflected. Is there an 'idealised new customer' who does not get a patched version from Dell, or store-buyer who does not run Windows Update as prodded to many many times by the OS?

2. Windows Vista as per release date shrink wrapped copy. Ubuntu as per internet download availble on the date Vista was released. This would not reflect any 'idealised new customer experience', but would reflect a 'quality of programming at that point in time' measure to some rough degree. The problem is, which unpatched version of Mac OS/X would be used? The one released at the earliest date BEFORE Vista, or at the earliest date AFTER Vista, and why should Vista's release be the yardstick?

3. Windows Vista patched to the latest date. Ubuntu patched to the latest date. Mac OS/X patched to the latest date. This would not reflect an 'idealised new customer experience', but would come close to reflecting a 'quality of programming at the present' measure together with an 'average user' experience (considering how many get moderately patched versions when they buy it). When Vista SP1 is released, will e.g. anyone buying from Dell have a 'first user' experience WITHOUT SP1?

I'd say 3 is the best, because, although 1 is tempting because it clearly increases the likelihood that Vista will be hacked first, the 'idealised first user experience' that it claims to justify its case is unlikely to exist.

As for the choice of distro - you could always have several teams working on Vista and Mac OS/X computers, and one team for each distro.

Re:Default Install

[Daengbo]

Nt only "fair" but required. The systems should be fully patched and using default installed software. This makes Windows a much smaller target software-wise, but I don't see any other way to make the competition fairer.

Re:Default Install

[hairyfeet]

That isn't really a real world test. I mean,come on,who in the hell would use a windows box with NOTHING on it? With Apple and just about any Linux,you would have everything you need to get work done,but on windows you'll need at LEAST some form of office software,along with adobe reader,and usually Nero or whatever came with the burner.

As a pc repairman that has been fixing windows boxes for over a decade,I can tell you that no matter what ELSE they have installed,they ALWAYS have some sort of office(even if it is just MSWorks) along with Adobe reader and either Nero or Roxio burning software.I don't think I've ever seen a box brought in that didn't have those,so for a real world test I would suggest MS Office 2K3(as that is what I've seen on the most machines) along with adobe reader and Nero or Roxio burning software. That would be a truly fair test.

Besides,if you never actually USE the machine,I doubt you'll be hacked.But most people actually want to DO things with their pc,and with windows that means at the very least a couple of pieces of software. But I doubt it'll make much difference anyway.The windows will be pwned the quickest,just like always.Vista just may take a little longer. Cancel or Allow?

Re:Default Install

[Daengbo]

I agree with your assertion that a Windows computer won't be used like that, but any other configuration won't test the OS but applications unrelated to it, compromising the test. Sure "OpenBSD has had one remote exploit in the default install in its history" and the OS isn't usable for much in the default state, but that's the way to compare it against other OSes. Everything else just comes down to an argument of "why did you install that" and "they weren't optimized equally." Default install. XP still has enough holes fully patched that it would be first, but I'm pretty sure Vista would hold up well.

You need to exclude social engineering, too, but that's not a very "real world" case, either.

Re:Default Install

[stephanruby]

At the very least, the Vista computer should be an emachine, or have AOL preloaded on it. A computer designed to meet the adware needs of its corporate-manufacturers over the needs of its owner should give us a much more realistic exercise. After all, what are botnets made up of? Cheap preloaded computers purchased at Best Buy/Walmart? Or computers assembled from scratch / or purchased through one's IT department through Dell ?

Re:Default Install

[El+Lobo]

Hmm..the default installation of IE in Vista is "sandboxed", so it will be **very hard** to install a program from it.

Re:Default Install

[leenks]

The same applies to other operating systems too then. OSX comes with very little out of the box. New Macs usually come with iLife and some with iWork (or at least a trial) pre-installed - ie third party software. Mine even came with a 30 day trial of Office 2004. A stock installation of OSX doesn't include Quicktime or the like either. I guess you could argue the same with a linux distribution like RHEL or Debian if you wanted - virtually nothing is installed in the most basic install option.

Re:Default Install

[Calinous]

Sure "OpenBSD has had one remote exploit in the default install in its history"

Since you've heard, the number of OpenBSD remote exploit holes doubled

Re:Default Install

[cheesewire]

OSX comes with very little out of the box. New Macs usually come with iLife and some with iWork (or at least a trial) pre-installed - ie third party software. Mine even came with a 30 day trial of Office 2004. A stock installation of OSX doesn't include Quicktime or the like either.

When you buy a mac, it comes with iLife and Quicktime. Both are made by Apple. Both are pretty fundamental to macs providing quite a lot of functionality out of the box.

Even if you delete Quicktime.app, the quicktime framework is still there, it's needed by many things.

Re:Default Install

[SigmundFloyd]

New Macs usually come with iLife and some with iWork (or at least a trial) pre-installed - ie third party software.

iLife and iWork are Apple software, not third-party.

A stock installation of OSX doesn't include Quicktime or the like either.

Totally wrong. QuickTime is installed by default and it's an integral part of Mac OS X.

Re:Default Install

[jrothwell97]

If OS X was installed, vanilla, without ANY tweaking, the firewall would be down. With all the ports open.

Therefore I predict that will be hacked first, and the winner will simply be able to start the firewall and take it home. Linux would be a bit more difficult to break into and no-one would want to take home the Vista box.

Re:Default Install

Well, I'm assuming you do know that there will be no ports open on OS X. A vanilla install means that no services at all are turned on. Thus, to reiterate, no ports will be open.

Not a whole lot of reason to turn on the firewall then. If you turn on services, turn on the firewall.

Re:Default Install

[leenks]

I said that a new mac came with iLife and Quicktime. I apparently made a balls up on the fact that Quicktime and iTunes come with OSX though.

iLife being fundamental to providing functionality is a bit off though. You could argue any PC manufacturers bundled apps are fundamental to providing that functionality out of the box too. In the context of comparing the base operating systems its a bit unfair to include iLife but exclude whatever equivalent suites Sony / Dell / HP / ... might include "out of the box", no?

Do they even have to ask?

[Paiev]

We're thinking of having a contest where we have Vista and OS X and Linux ... and see which one goes first Do they even have to ask? Vista will go down first, most likely. Also, what Linux distribution are they going to be using? A Debian machine is going to be a lot more difficult to break into than an alpha version of Fedora 9, for example.

Re:Do they even have to ask?

[doombringerltx]

Just a wild guess, but I doubt with whatever distro they use, it won't be an alpha or beta verison. Just a hunch.

Re:Do they even have to ask?

> Just a wild guess, but I doubt with whatever distro they use, it won't be an alpha or beta verison. Just a hunch.

Well that excludes Vista then.

What will be the GNU/Linux prize?

The 386 it was installed on?

Re:What will be the GNU/Linux prize?

[Enoxice]

The toaster it was installed on?

Fixed.

Re:What will be the GNU/Linux prize?

[calebt3]

The complete list

Re:What will be the GNU/Linux prize?

[HiThere]

Sorry, it was BSD Unix that was installed on the toaster. (I forget which flavor.)

Re:What will be the GNU/Linux prize?

[Eddi3]

A slice of cinnamon bread?

Re:What will be the GNU/Linux prize?

[Isauq]

NetBSD. The devs maintain that it was an excellent example of typical embedded systems with NetBSD.

Re:What will be the GNU/Linux prize?

[Eighty7]

That's nothing. I've seen it installed on a dead badger.

Re:What will be the GNU/Linux prize?

I don't want to be racist but since when do Cylons run Linux?

Cool.

See, things like this are great when in all in good fun. It's good for the mind and is a wonderful example of human creativity.

Like I always say, "anything made by a human can be broken by a human".

Re:Cool.

[karlto]

Like I always say, "anything made by a human can be broken by a human"

I always heard it the blunt way: "If you can fix it, I can f*** it."

Begs The question

[realthing02]

Before the sea of "vista sucks" comments, I'm going to ask this question:

When vista inevitably goes first, who is going to want it? I assume it must be a good enough computer to actually run vista, so lets all take guesses at the OS loaded onto it after it's "pwnd".

Re:Begs The question

[gmby]

Whers is this "sea of vista sucks" that everyone keeps talking about?
I can't find it on any maps.

Re:Begs The question

[NatasRevol]

Central Seattle, WA. Just google it.

Wrong!

[EmbeddedJanitor]

The Vista computer won't get hacked because nobody will want to take it home!

Re:Wrong!

[Darfeld]

Yes it will. you could always get rid of windows and install linux after that. Or sell it on e-bay...

Re:Wrong!

[r0b!n]

Hardware capable of running Vista will run Linux very nicely.

Re:Wrong!

(Score:-1, Wooshbait)

Re:Wrong!

[TGoddard]

I dunno, that thing would have to have some serious grunt.

Re:Wrong!

Wrong, everybody will take the Vista pc because it's the pc which needs the most recent hardware. So you get the best machine :) After hacking you erase the Vista install and put linux on it.

Re:Wrong!

[jellomizer]

Unless Linux is the first to be hacked into...
Hey it is a possiblity. I ain't taking bets on who will be first to be broken in.
Linux being Open Source having the ability of some hacker checking the code and use a volnerability that was just open reported. May not be useful for a large scale hack but for the contest it just might work.

Max OS may have some old Unix volnerability That has never been fixed. Or one of the new features that allows remote access say via iChat may allow a back door.

Windows while has the bad reputation for being easy to hack into, most of it requires user intervention (social hacking) to get threw, go to this website, check this email... Getting in may be harder then expected.

too easy

Aww come on, placing Vista in this contest is obviously unfair to OS X and Linux; the latter two don't stand a chance at beating Vista for first place.

Won't somebody please think of the Vista? :(

Re:too easy

[HiThere]

Actually, Vista may be the last standing. I'm not saying it's the most secure, but it's the most unknown. And if you were a Black Hat who had developed a route into Vista, I'm sure there are more profitable ways of exploiting your ingenuity.

Re:too easy

[egypt_jimbob]

Thank you for finally bringing this up. If someone has oh-day for out-of-the-box Vista, it's probably worth at least $20k. Who's gonna drop a twenty thousand dollar 0day for a box?

Potential for rigging

[volt4ire]

The problem with the "let's see which OS cracks first" approach is that Microsoft, Apple or maybe even Novell would bribe participants to focus their efforts on their competitor's OS.

Re:Potential for rigging

That and the fact that linux isn't an OS.

Re:Potential for rigging

[Decado]

I would have said that the challenge pretty much amounts to saying "The next OS we find a vulnerability for is the weakest". In the long term it is a meaningless piece of data. If we hear about a new exploit for any OS tomorrow it means nothing, you have to look at long term trends to find a correct answer.

Re:Potential for rigging

[Murphy+Murph]

The problem with the "let's see which OS cracks first" approach is that Microsoft, Apple or maybe even Novell would bribe participants to focus their efforts on their competitor's OS.

And thus another window into how I don't think like some other people. Sure I guess the idea is possible - but to instantly assume all actors are bad actors shows a fundamental distrust of humans I find frightening.

Re:Potential for rigging

That's about the only intelligent post that this thread will result in.

Re:Potential for rigging

[The+Mighty+Buzzard]

You obviously don't know very many humans then. Of course you are posting on /. so I suppose that's to be expected.

Re:Potential for rigging

[Divebus]

This is kind of a silly contest. Fun but silly. It might be more fun to see which OS annoys the user enough to launch the CPU across the room.

If you really want to know what happens from a security standpoint, just connect them all to the Internet and wait. That's real world for you. Even if Linux or OS X does get hacked first, there's a lot of catching up to do before anyone can say "see, it's just as insecure as windows".

Re:Potential for rigging

[KDR_11k]

It might be more fun to see which OS annoys the user enough to launch the CPU across the room.

I don't know about you but when I'm annoyed I don't have the patience to remove the case, CPU cooler and finally the damn chip itself just to throw it around.

Obvious misleading conclusions

[Secret+Rabbit]

I think it's obvious the nonsense that'll come out of this. People will say, x OS is more insecure than y and z because it fell first/so quickly. Regardless of the skewed skill/effort that went into breaking it.

This "twist" is bullshit.

Re:Obvious misleading conclusions

[Hybridan]

Honestly, I could see this being a legitimate, "real world" or functional test type experiment. It would be difficult to make a contest like this something that is a perfect and "equal" or fair representation of the security of the OS's. It would however, provide an interesting look into how people generally perceive and go about attacking different systems. The amount of time or work put into finding cracks in the armor of one or the other is perhaps just as interesting as which would "fall first".
H.

Re:Obvious misleading conclusions

Regardless of the skewed skill/effort that went into breaking it.

So they could make the contest to be the first person to break into all three machines, then look at the average time it took for each OS. That should take care of evening out the distribution of talent attacking each system.

Re:Obvious misleading conclusions

[growse]

I feel a better way would be to run the tests consecutively rather than concurrently.

So you take your room of hackers, and you let them loose at a Vista box. Once that's cracked, you end that test. Then you let them loose at a Mac. Rinse, repeat.

The "Winner" would be the group that managed the fastest crack overall.

Re:Obvious misleading conclusions

[aphor]

I think it's obvious the nonsense that'll come out of this. People will say, x OS is more insecure than y and z because it fell first/so quickly. Regardless of the skewed skill/effort that went into breaking it.

This "twist" is bullshit.

Brute force attacks taking a long/short time using a generic fuzzer do not count as extra/less effort.

"fair" would be "what users need"

[SuperBanana]

Vista installed from DVD default/recommended choices where possible on installation screens. Same with Ubuntu, and Mac OS/X. Any deviations noted. Any extra software installed must be available on all three platforms. Just to make it "fair".

When is the last time you left an OS in its default configuration?

A fair configuration is one in which all tested operating systems provide as identical as possible feature sets, including all the features the majority of people like to use. Like printer and file sharing, for example.

It's also not fair to include, for example, NoScript- that breaks a ton of websites out of the box until you whitelist sites. Likewise for not including Flash as part of the package. An even more relevant example: the necessary firewall rules to allow IM (and file transfers.)

Re:"fair" would be "what users need"

[CannonballHead]

I think this is an excellent point.

Default windows configuration is defaulted to... well, a very compatible set of options.

Not having actually done a Mac install, I don't know what the default is.

A default Linux partition, depending on the flavor, could be pretty minimal...

Here's what I think would make it more fair: make all the operating systems able to do the same things. Presumably, the normal Mac user, at some point, will want to opens a windows media file and an Office 2007 file. The typical Windows user will use quicktime at some point, and thus have it installed and have its possible security holes, too.

Otherwise, I could create a Linux distro that is THE safest operating system EVER... and just not let you do anything, no network connectivity, etc. Pretty safe! And useless.

Re:"fair" would be "what users need"

[LaskoVortex]

Fair would be the least number of clicks from start to finish, as this is what the majority of machines would be running in the world, and so the results would give an estimation of real world performance (not ubergeek world, but real world). If more people chose windows to attack because they thought it would be easiest, then that would also be a reflection of real world. I'd also stipulate that the install CDs would have to checksum with those available from bestbuy (or the politically correct equivalent). Several different linux installs would probably need to be tested as well, as these would vary.

Re:"fair" would be "what users need"

[hunterkll]

OS X install by default has no network services running external and is firewalled. you have to manually turn on network sharing and services from a preference pane

Re:"fair" would be "what users need"

[song-of-the-pogo]

my experience was that the firewall was not enabled by default. I had to enable it myself. the rest of what you posted is certainly the case, though.

Re:"fair" would be "what users need"

[Captain+DaFt]

"Otherwise, I could create a Linux distro that is THE safest operating system EVER... and just not let you do anything, no network connectivity, etc. Pretty safe! And useless."

Oh, I dunno... http://tinfoilhat.shmoo.com/ It has its uses.

Re:"fair" would be "what users need"

[aliquis]

I just checked my machine in Leopard and the firewall was off.

Anyway as others have said OS X has flash and javascript enabled and installed in the browser, quicktime, itunes with streaming music, mp3, pdf, dvd, burner support. Can show docs maybe (?)

I think default is the only way to test this however. If one os does more bad luck for it. Just take some regular/useful Linux dist.

Re:"fair" would be "what users need"

[Shiina]

I think it's safe to say that default firewalls should be on for all machines. Regardless of whether they are to be turned on manually or they're on by default when the OS is installed.

Otherwise, it makes things a bit too easy. The contest is run by a security company to locate security holes inside the OSs. And well, pointing out the painfully obvious, firewall being turned off is a big hole in security.

As for other installations, well, if they just kept the average joe's computer in mind it shouldn't be too hard to figure out what to put on it and keep it both fair and challenging. For instance a windows machine could be equipped with your typical antivirus software, windows firewall, MSoffice and plug ins and such installed for happy browsing and file viewing (JS, flash, quicktime, acrobat etc.)

That's probably what i'd do anyway... otherwise, the purpose of the research could quite easily be defeated since not many people really use their computer with only what was on it when they first put the OS onto it.

Re:"fair" would be "what users need"

[zukinux]

When is the last time you left an OS in its default configuration?
You know that me and you and most of slashdot users didn't install and left their OS in it's default configurations, but I'd say that at-least 95% of Home computer users, like my grandma never changed something in the OS default configuration.

Believe it or not, but some users actually afraid to change configurations like the common sentence used by some people : "It works, don't touch it!!".

Re:"fair" would be "what users need"

[aliquis]

Mine wasn't on, and I've been using this computer for 4 months, my first mac thought... So I hadn't bothered looking around for it earlier, did it now when the parent talked about it. I hope the much less knowledgable people than me turn it on on their macs aswell... Especially when so many people try to convince them that macs are bulletproof ...

Personally I see a ingoing firewall as rather useless since you shouldn't be running services you don't need anyway, and if you need them blocking them out isn't that great... (Filtering on ips may be ok, but I don't think this firewall supports that anyway, haven't checked, won't do it now.)

I used to and may even run littlesnitch just to prevent outgoing connections from applications calling home or spyware/keylogger/whatever.

It's not like having random people choose a target will be scientific either, but if you want just use two machines of each OS, one default install and one average user standard desktop.

Re:"fair" would be "what users need"

[ters+a-zA-Z0-9$_.+!*]

this will be fair OS X "gay beach ball of death" Win95 It's now safe to turn off your computer Linux BusyBox console login?

Re:"fair" would be "what users need"

[SigmundFloyd]

I just checked my machine in Leopard and the firewall was off.

This has changed with different Mac OS X releases. IIRC 10.4 was the 1st release to enable the FW by default.

Re:"fair" would be "what users need"

[hobbit]

I think it's safe to say that default firewalls should be on for all machines. Regardless of whether they are to be turned on manually or they're on by default when the OS is installed. Absolutely not. If, for example, OS X would have been the first to fall because Apple stupidly refuse to enable the firewall by default, well, Apple obviously need a bit of bad press to persuade them to do the Right Thing out of the box.

Poor subnet

[cruelworld]

I feel so bad for that subnet. So many idiots who will just sit there and hammer it endlessly hoping that some magical 'hacking' will occur.

Re:Poor subnet

[KDR_11k]

At first I read that as "So many idiots who will just sit there with a hammer". Definitely the easiest way to crack a system...

I'd like to see stats on effort per platform

[SuperBanana]

We're thinking of having a contest where we have Vista and OS X and Linux ... and see which one goes first.

What I'd be most interested in is a survey of contestants as to their platform experience, and how focused they intend to be on attacking the different platforms. That part could be wildly unscientific, but could be interesting if everyone answers openly.

Couple that with some good logs of network activity, to see how focused attacks are on the various systems.

For example, it could turn out that nobody goes for the supposed low hanging fruit, and everyone tries to target the Mac...or an OpenBSD box, if they bring one. Etc.

Lopsided...

[msauve]

This hardly seems like a fair test, for what the results are implied to indicate.

I'll predict that Vista goes down first, because there are more Windows programmers out there than Mac/*nix. Time-to-first-hack isn't a valid measure of OS robustness.

That probably won't be a popular statement here on /. , but oh well.

Re:Lopsided...

[geekoid]

Yes, but the skill and motivation to hack OSX is much higher. The person who can exploit OSX in a meaningful way would get a lot of prestige from the '*hat' community.

Besides, that involves a logical fallacy. Basically be your statement to be true, they must ahve the same architecture, developed by people od equal skill use the same project management style and the same QA.

Re:Lopsided...

[toadlife]

Yes, but the skill and motivation to hack OSX is much higher. You speak as if OSX exploits are a rare thing.

The person who can exploit OSX in a meaningful way would get a lot of prestige from the '*hat' community. You mean like the last contest winner who developed a working brower + quicktime attack in only a few hours? Are you saying the same class of exploit that is used to infect Windows users every day is not significant on OSX?

Re:Lopsided...

[QuantumG]

No-one gives a shit about desktop security, let alone Mac-OS desktop security. Businesses pay for security analysis.. of server apps.

Re:Lopsided...

[Jerry+Smith]

You speak as if OSX exploits are a rare thing.

Rare? Diamonds are rare, yet I see them daily.

Are you saying the same class of exploit that is used to infect Windows users every day is not significant on OSX?

One uses an exploit to potentially cause an infection. If it doesn't spread, well, that doesn't really say much about the exploit.

But I am really interested in the outcome of the contest, especially what they will consider as a 'default' install and 'default' configuration.

Re:Lopsided...

[phantomcircuit]

This is from 2006 and is a fairly basic security flaw. http://milw0rm.com/exploits/1545 Mac OS X simply has not been a valuable enough target in the past to be attacked in a meaningful way.

Re:Lopsided...

[toadlife]

If it doesn't spread, well, that doesn't really say much about the exploit. The vast majority of desktop exploits do not spread, so I would agree.

But I am really interested in the outcome of the contest, especially what they will consider as a 'default' install and 'default' configuration. I'm sure those two issues will inevitably invalidate the results in someone's eyes, regardless of the result.

Re:Lopsided...

[Weedlekin]

"This is from 2006 and is a fairly basic security flaw. http://milw0rm.com/exploits/1545 "

It was (past tense because Apple patched it in 2006) strictly a local exploit, and therefore of negligible risk. This is why the same milwOrm.com site lists a bunch of them for other UNIX variants that have excellent security records, e.g. AIX, Solaris, and HP/UX, and even QNX.

"Mac OS X simply has not been a valuable enough target in the past to be attacked in a meaningful way."

Or perhaps it's due to the fact that milw0rm.com has a total of 9 _remote vulnerabilities_ for OS X and various programs that run on it, the last of which was reported in March 2007, while their listing for Windows and software for Windows contains well over 30 entries reported in 2008 (which isn't even two months old yet!).

Re:Lopsided...

[mgblst]

Rare? Diamonds are rare, yet I see them daily.

Diamons aren't rare, only the stupid really believe this - why do you think diamonds are rare, because they are marketed to you as such. Diamonds are carefully controlled, so they a huge amount don't flood the market, but that doesn't make them rare.

It would be more interesting to have

[Babu+'God'+Hoover]

all the contestants attack each of the three systems with the winner given his choice of the systems.

A new rule

[kcbanner]

The IPs of the machines are given out, but not what OS is on the boxes. (Identifying the windows box is pretty easy though, RPC etc).

Re:A new rule

[gazbo]

Yeah, forcing them to run ultra secret hacking tools like nmap will really sort the 1337 from the L4m3.

What about Quicktime?

[yabos]

That comes on OS X by default but to make Windows equal in potential flaws you have to install it on Windows too. Stuff like that gets complicated fairly fast. Quicktime shares code between OS X and Windows and most of the recent flaws regarding rtsp were the same result on either platform which was DOS or potential execution of arbitrary code.

Re:What about Quicktime?

[QuantumG]

Quicktime comes with Firefox these days .. I've lost count of the number of times I've seen Quicktime crash Firefox.. every time I think "I bet that is exploitable", but, ya know, I'm too lazy to bother looking.

Re:What about Quicktime?

[Crimson+Wing]

Quicktime comes with Firefox these days

Uh, BS? Every time I've installed Firefox so far, then gone to a page with an embedded QuickTime media file, Firefox has complained of needing an additional plugin. I install QuickTime itself, and then embedded QT files play just fine.

Re:What about Quicktime?

[Grendel70]

Correct and informative post. Unfortunately your sig blew away any credibility you might have had.

Re:What about Quicktime?

[Crimson+Wing]

Heh. And to think, I was considering posting that as AC...

Re:What about Quicktime?

[glamb]

Yes, I too have lost count of the number of times I have seen the Quicktime Firefox jump over the lazy dog

Vista would be first

[tsotha]

Even if it were the most secure, Vista would be first. I'm sure there are kits you can buy from shady groups in Eastern Europe or Russia that will do the trick immediately. If Vista doesn't already have the highest market share, it will at some point. So if you make hacking kits for organizations that make botnets you're gonna crack Vista first.

Re:Vista would be first

[Idiot+with+a+gun]

Except... many important servers run on Linux. So while lots of malware exists for Vista/XP, lots of people around the world really do make attempts at assaulting Linux boxes. More often than not, I believe, success is based upon attacking weaknesses in the software installed on said box. (Which one can argue that a properly maintained *nix box has a better chance of surviving, because of the continual security updates for all of its software).

Re:Vista would be first

[tsotha]

Oh, I'm sure Linux boxes are subject to attacks as well. I just think, as a nefarious writer of cracking software, you'd have to believe your time is better spent cracking Windows than Linux. And I don't believe servers are the most profitable boxes to hack anymore - keyloggers to swindle online banking users are probably the big moneymakers.

Re:Vista would be first

Is it profitable to buy Vista hacks? I am guessing that with SP1 RTM, all easy hacks used by script kiddies are plugged, so you'll have to get kits using obscure hacking methods. Remember that you'll have to disclose the method to breach the security and I don't see why shady groups will sell you their secrets because once they're out, the holes'll get plugged, effectively rendering their products useless. I don't think it'll be cheap nor will it guarantee you to be the first to breach the security. You may spend more than going to a store and buy a complete set of computer.

Re:Vista would be first

[Idiot+with+a+gun]

Some of the most brilliant hacks are for recognition among hackers, not just money. More often than not, the real money makers are the dumb assaults, phishing, domain squatting, social engineering, etc.

Re:Vista would be first

[ozmanjusri]

Vista would be first. I'm sure there are kits you can buy from shady groups in Eastern Europe or Russia that will do the trick immediately.

Different class of exploit.

Your average Vista install's destiny is to become part of a botnet. That doesn't requre the type of remote cracking that's being set up in this test, just a trojan embedded in a shiny cursor app.

Windows botnets tend to be herded by Linux servers which have been individually cracked, which is what this test is about.

Re:Vista would be first

[argiedot]

Actually, there was a /. article a while ago that said that the boxes controlling some botnet (probably Storm, I don't recall) were mostly rooted Linux boxes. So the linux servers were used to control the rest of the compromised machines. I would think Linux servers are a very attractive target, they're usually on for long periods of time and always have internet access as opposed to the home computer which is switched off every night and/or has to login to the internet every time. Linux machines aren't invincible, really.

*BSD!

[QuickFox]

What about *BSD? This contest is grossly unfair unless a *BSD is included!

Hehe. Let's see them try to pwn that one.

Re:*BSD!

[CapsaicinBoy]

Ummm. OSX is just NeXTstep v5 (or 6 by now?), and NeXTstep is a flavor of BSD.

Please turn in your geek card on the way out.

http://en.wikipedia.org/wiki/Image:Unix_history.en.svg

Re:*BSD!

They tried to include a workstation with OpenBSD in it, but the hackers would complain that it could be considered torture.
Seriously, if you have not tried OpenBSD, try it. It does require more hand-configuration than say, Ubuntu, but its manpages are actually useful. No more searching through the entire Google database to be able to start your system's GUI. Filesystems support is its weakness, but if you are looking for a free OS for your laptop(ytes, that includes your wireless card) you will have troubles to find anything better.
It isn't solid as in nobody has ever bothered to break it. It is solid as in Gameboy.

Re:*BSD!

here is the real history of unix:

http://www.levenez.com/unix/history.html

TFA doesn't say

[Cajun+Hell]

Who is operating each machine? I need their email addresses. I want to send them some programs, and my "hack" is that the programs will come with instructions to the operator: please execute this attachment.

My understanding is that for Windows, I just need to have the filename end with .exe. For MacOS, I need it to end with .dmg. For Linux, I need to train the user how to use chmod.

Re:TFA doesn't say

[Al_Lapalme]

Hehehe... Copy to desktop; right click->properties - check 'executable' and then run.

Can't wait to see those vacation pictures!!!

Ahhh f*ck.

Re:TFA doesn't say

[toadlife]

For Linux, I need to train the user how to use chmod. Naw. Assuming it will be a functional equivalent of Windows and OS X, it should be running KDE, which means it will have support for archives (Ark) built into it. Just send 'em an archived shell script with the execute bit already set. Alternatively, you can send them your payload in some sort of package format, like RPM.

Re:TFA doesn't say

Umm... DMG is just a disk image. What you want is to create your application and everything it needs into one folder and append .app to the end of the folder name. Hope this helps in your evil plot. :)

Re:TFA doesn't say

[Shados]

Try this for giggles. Have a Vista machine. Send them an email with an exe file. Try and get them to execute it. Good luck. If you manage that, try the same exercise by MSN Messenger. At that point, even I am not sure I can do it without googling, and even then its tricky. Vista is a b**** when it comes to running EXEs received by email or MSN.

Re:TFA doesn't say

[dreamchaser]

Only if you don't turn off UAC. It's pretty easy for a user to figure out how to do that, and many do. However, given the default configuration you are largely correct.

Re:TFA doesn't say

[Shados]

Actually no, its part of MSN and the built in mail softwares, and has little to do with UAC. (I've tested it on an UAC-disabled machine before posting this).

Re:TFA doesn't say

Try this for giggles. Have a Vista machine. You're right - I tried that, and it was hilarious!

I'm taking a wild guess here

[Lewrker]

that they won't use a Debian stable netinstall with properly configured iptables and choose to deploy Fedora instead ?

OSX, Linux, Vista

If I were to enter such a contest I would target OSX first, then Linux and Finally vista.

OSX is first because apple has been hideing behind security by obscurity for too long. I have seen no evidence that suggests OSX gets it any more than Microsoft did.

Linux next because source code is avaliable... and while clever hits without source are sometimes easier you just might get lucky walking the ususal paths and find something exploitable.

MS has been more or less awake from the security perspective for years now and most of the expliot efforts have been targeted at this platform which raises the bar for discovery of new expliots because all the trivial vectors have already been probed. Following the same line windows expliots are simply worth more than OSX or Linux expliots. Good ones can be worth a room full of PCs if you can find the right buyer.

Applications such as browsers, media players, and various popular plugins ... acrobat, flash...etc provide great cross platform opportunity for successful attacks. It might actually be worth ones time to try for a common expliot and win all three :)

Besides a PC is a PC... you can always reformat the drive and install Solaris if you want :)

It doesn't beg any question...

...and you damn well know it. You guys are deliberately baiting the language nazis - there's no way you could *still* be ignorant of what this phrase means.

Re:It doesn't beg any question...

You're fighting a losing battle. And it's not unreasonable that to "beg the question," if it had no other meaning, would mean "raise the question." Many words and phrases take on multiple meanings. That's just the way language goes.

Re:It doesn't beg any question...

[realthing02]

As the above notes, perhaps it is you who is ignorant of what it means:

In recent decades, the term has also been used to mean raising the question [7]

I'm not going to assume, but I'll imagine you as either some fresh out of college prick, younger than 30 who is holding on to some abuse his father gave him because he used a contraction in his letter to santa- holding onto ideals that will never exist, or some philosopher want-to-be that feels some urge to demonstrate that his 120K education was not worthless as he sits in front of slash dot, loathing the world for his own inadequacies.

I really hope you appreciate that fucking run on sentence.

Re:It doesn't beg any question...

[hobbit]

You're sick.

Kobayashi Maru

[Coolhand2120]

Someone should pull a Kobayashi Maru and hack all the competing hacker's machines so they can win the prize.

Re:Kobayashi Maru

[calebt3]

Everybody else gets redirected to 127.0.0.1 while you take your time?

Re:Kobayashi Maru

1. Beat the pasty-faced nerds with a waffle iron each time they go close to their computers
2. Keep trying on your own computer. Trap them in cages
3. Keep trying until they show you how to hack it out of frustration
4. You win
5. Sell them to someone
6. Profit!

There is no ? step!

Re:Kobayashi Maru

[Coolhand2120]

Or if you were really slick you could hack the MAC address table on the switch and have the hacker's hack their own boxes.

GNU/Linux... which distro will they use?

[Sodki]

I hope they'll go with Gentoo. It is uncrackable. When the hackers attack they can't do anything to it because the system is busy compiling itself.

Re:GNU/Linux... which distro will they use?

[corychristison]

... I know this was meant to be a joke, but I just have to respond.

I don't understand this "uncrackable" part. OpenSSH is on the livecd. Most admins ssh into the box to set it up... leaving ssh open to all. On the current live CD, OpenSSH is pretty old.

I recently installed Gentoo on my new AMD64 X2 5200+ (65nm/65W). Took about 3-3.5 hours to: partition, install the base, install grub, compile a kernel(took about 3 mins for the kernel, another 10 for modules), boot into new install, upgrade portage & all base apps, and compile X and XFCE.

Sadly, that is closing in on the time it takes to install Vista... ;-)

To make it fair.

[Higaran]

I think all each team should have to hack all 3 computers, and the first team to do so gets to pick, and then the seconed picks the next one and then the thrid gets the last one. So that equal energy goes into hacking each unit, and each team will learn something about a system they probably didn't know, and isn't that what this whole thing is about, learing something.

Me thinks...

[drewmoney]

They should probably turn off the Windows machine, just to make it fair and all...

stupid test

[EdelFactor19]

this doesn't measure the security of the OS
it measures the stupidity of the user

your program can be a one liner on any of the machines.

just a freaking script that says "delete *.*"
or you coudl see who has passwordless sudo and go sudo rm /*
and that will do on any *nix pretty much

again we are testing the OS not the STUPID USER AT THE WHEEL

Re:stupid test

[prichardson]

Did you hear that whooshing sound? That was the joke going over your head. Fill your tub with ice, chill out, and sell your roommates kidney so you can afford the vacation you so obviously need.

Relax! Stress prematurely ages people.

Re:stupid test

[EdelFactor19]

wow... how the heck did i miss that?
I think I will do just that.. except i may have to steal someone elses roommates organs since I dont have a roommate :-)

i could have sworn the parent was +5 insightful which incited my response :-P or not..

These contests provide limited information...

[argent]

While they may help reveal specific information about vulnerabilities, which is good, they don't provide much useful information about the security of the systems being attacked.

Second prize...

[Swimingly+Gunston]

two windows laptops plus a cash prize.

Sin City

[dangran]

What'll Vegas open the odds at?

Aw, man...

[TobyRush]

I saw the headline and got all excited....

Unfortunately...

[actionbastard]

As a long time OS X admin, OS X will -unfortunately- probably go down really hard this time 'round.
After all, LI_US has already passed judgement on it.

Re:Unfortunately...

[Titoxd]

To be fair, Linus said that HFS+ was complete and utter crap, not all of OS X. As for HFS+, I do agree with him, sadly...

OpenBSD

[EEPROMS]

You could be real bastard and put OpenBSD on a top or the range $10k machine and watch as people spend hours pulling their hair out.

Re:OpenBSD

[EEPROMS]

You could be a real bastard and put OpenBSD on a top of the range $10k machine and watch as people spend hours pulling their hair out.

Re:OpenBSD

[Antique+Geekmeister]

Does it count that the contest managers will still have been unable to install the network drivers, so it's unconnected to anything? I've tried to install network drivers for a Broadcom chipset on an OpenBSD system: it wasn't a pretty sight.

Competetion

[yams]

Oh boy! That will be fun.

All the Windows fans will be trying to hack Linux, trying to prove that it is worse. All the Linux and OSX fans will be trying to hack Windows for the same reason.

It will be one big mud slinging campaign.

Re:Competetion

[Daimanta]

That's not fair. Linux has the unfair adavantage. There are no windows fans.

On your marks, get set

[KimmoV]

I can just see this happening.. MC: Okay...the competition is ready to start... We have three computers, Vista, XP and Mac....crack it and it's yours.. Are you ready? On your marks, get set, g.......OKAY OKAY! Not funny...We have now XP and MAC available...the competition will start on my mark....On your marks, get set...go!!

Wesley Snipes says....

As Wesley Snipes says, always bet on Mac.

Although actually, I think Teh Lunix will definitely give Mac a run for the money. They are both shining beacons of security through obscurity.

Linux will be hacked first

[pUNX.h]

I don't know about any of you, but I don't think my linux box is very secure at all. Let me know if you can hack it: http://127.0.0.1/

It's just a game.

[rtechie]

You can't determine the security of an OS, any OS, by this kind of limited one-off testing. REAL testing is systematic and time consuming, and involves completely the opposite rationale. Conventioal testing involves attacking a single target until it breaks, this "test" involves attacking a bunch of different systems and seeing which fails "first". This doesn't really evaluate "security" because the critical factor is THE ORDER IN WHICH THE EXPLOITS WERE TRIED. If the attacker just happens to hit the right exploit on his first attempt, he would hack that box "faster". Along the same lines, # of exploits doesn't really mean shit either. What matters is HOW SEVERE the exploits are.

I'd argue that the Linux box is likely to fall first, simply because the attackers are most familiar with hacking Linux boxes. The limited permissions structure of Linux means that if an attack succeeds, you very likely have root as opposed to Windows attacks which may just expose the service. A lot of the weaknesses in Windows and MacOS are application-specific, if you don't have those apps installed you don't have the vulnerabilities. Since Linux, by default, is likely to have a lot more apps installed it's likely to have more vulnerabilities as well.

i hope they don't use out of the box ubuntu...

with out of the box ubuntu you just have to press esc on boot and grub will give you root access...

they should give the computers to people for a week to use and test the resaulting setup (with any luck vista will be infected by then anyway)

by nature linux machines are not used as "out of the box", the are tweaked -- quite often for the better
by contrast windows machines have limewire etc installed

maybe everyone has to hack the machines that everyone else is using and last one standing wins

Quicktime IS malware

[BlatOdea]

QuickTime is malware in and of itself as far as I'm concerned. Every time I've ever installed it on Windows, it's buggy and something manages to go wrong. That and it tends to take over every file association it possibly can regardless of what it's told to do. Then when I go to uninstall it, I can never seem to get it all off the system.

Older Prediction

I don't want to start a holy war here, but what is the deal with you Vista fanatics? I have recently upgraded from a 1GHz PC with 1GB of RAM and Windows XP to a new quad core 3.5GHz with 4GB of RAM and Windows Vista to help me at my freelance gig where I needed to copy a 17 Meg file from my home network to a desktop folder. On Vista it took about 20 minutes. At home, on my old iBook running OSX, which by all standards should be a lot slower than this PC, the same operation would take about a minute. If that.

In addition, during this file transfer, my sound will not work. And everything else has ground to a halt. Even IE is straining to keep up as I type this.

Vista addicts, flame me if you'd like, but I'd rather hear some intelligent reasons why anyone would choose to use Vista over other faster, cheaper, more stable systems.