Slashdot Mirror


Mac Hack Contest Redux

narramissic writes "Remember the controversial Mac hacking contest from last year's CanSecWest conference? No? Here's a refresher: Conference organizers challenged attendees to hack into a Macintosh laptop, with the successful hacker winning the computer and a cash prize. Winner Dino Dai Zovi found a QuickTime bug that allowed him to run unauthorized software on the Mac once the computer's browser was directed to a specially crafted Web page. Well, the contest is back again this year, but with a twist, says Dragos Ruiu, the principal organizer of CanSecWest: 'We're thinking of having a contest where we have Vista and OS X and Linux ... and see which one goes first.'"

48 of 164 comments

  1. easy by jim.hansson · · Score: 5, Interesting
    --
    preview button, my computer doesn't have any preview button
  2. how about a taste test by gandhi_2 · · Score: 2, Interesting
    where you have to try apples, oranges, and beef jerky and decide which one tastes "best".


    out of the box linux? Is there really such a thing? Ubuntu OEM, knoppix? That's a pretty wide range here.

    1. Re:how about a taste test by toadlife · · Score: 2

      > Everybody already knows you can hack Vista no problem

      Ok. How?
      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    2. Re:how about a taste test by calebt3 · · Score: 3, Funny

      Click the 'x' in the top corner of the login screen. Oh wait...

  3. Prediction by flaming+error · · Score: 2, Funny

    > the successful hacker winning the computer and a cash prize

    I'm betting somebody's taking home a Windows machine.

    1. Re:Prediction by Nerdfest · · Score: 4, Funny

      The outcome would be dependent on whether or not the Vista machine has already booted up. If not, attacking the other 2 gives you a decent head-start.

    2. Re:Prediction by LiquidCoooled · · Score: 5, Funny

      There is already a trojan available for vista, however no one is infected because it's not finished copying over the network yet.

      --
      liqbase :: faster than paper
    3. Re:Prediction by Anonymous Coward · · Score: 5, Funny

      Sorry that's my fault, let me turn my sound off.

  4. Default Install by Archangel+Michael · · Score: 5, Insightful

    I'd make sure that each was installed to default configuration. No tweaking allowed.

    Vista installed from DVD default/recommended choices where possible on installation screens. Same with Ubuntu, and Mac OS/X. Any deviations noted. Any extra software installed must be available on all three platforms.

    Just to make it "fair".

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    1. Re:Default Install by calebt3 · · Score: 4, Insightful

      I'd say that allowing updates to be installed would be fair.

    2. Re:Default Install by hairyfeet · · Score: 3, Insightful
      That isn't really a real world test. I mean, come on, who in the hell would use a windows box with NOTHING on it? With Apple and just about any Linux, you would have everything you need to get work done, but on windows you'll need at LEAST some form of office software, along with adobe reader, and usually Nero or whatever came with the burner.

      As a pc repairman that has been fixing windows boxes for over a decade, I can tell you that no matter what ELSE they have installed, they ALWAYS have some sort of office (even if it is just MSWorks) along with Adobe reader and either Nero or Roxio burning software. I don't think I've ever seen a box brought in that didn't have those, so for a real world test I would suggest MS Office 2K3 (as that is what I've seen on the most machines) along with adobe reader and Nero or Roxio burning software. That would be a truly fair test.

      Besides, if you never actually USE the machine, I doubt you'll be hacked. But most people actually want to DO things with their pc, and with windows that means at the very least a couple of pieces of software. But I doubt it'll make much difference anyway. The windows will be pwned the quickest, just like always. Vista just may take a little longer. Cancel or Allow?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    3. Re:Default Install by stephanruby · · Score: 2, Insightful

      At the very least, the Vista computer should be an emachine, or have AOL preloaded on it. A computer designed to meet the adware needs of its corporate-manufacturers over the needs of its owner should give us a much more realistic exercise. After all, what are botnets made up of? Cheap preloaded computers purchased at Best Buy/Walmart? Or computers assembled from scratch / or purchased through one's IT department through Dell ?

    4. Re:Default Install by Calinous · · Score: 2, Informative

      Sure "OpenBSD has had one remote exploit in the default install in its history"

      Since you've heard, the number of OpenBSD remote exploit holes doubled

    5. Re:Default Install by cheesewire · · Score: 2, Informative

      > OSX comes with very little out of the box. New Macs usually come with iLife and some with iWork (or at least a trial) pre-installed - ie third party software. Mine even came with a 30 day trial of Office 2004. A stock installation of OSX doesn't include Quicktime or the like either.

      When you buy a mac, it comes with iLife and Quicktime. Both are made by Apple. Both are pretty fundamental to macs providing quite a lot of functionality out of the box.

      Even if you delete Quicktime.app, the quicktime framework is still there, it's needed by many things.

  5. What will be the GNU/Linux prize? by Anonymous Coward · · Score: 5, Funny

    The 386 it was installed on?

    1. Re:What will be the GNU/Linux prize? by Enoxice · · Score: 4, Funny

      The toaster it was installed on?

      Fixed.
      --
      Anyone else think the comments just weren't rendering right before they turned off ABP and saw ads?
    2. Re:What will be the GNU/Linux prize? by calebt3 · · Score: 2, Informative

      The complete list

  6. Begs The question by realthing02 · · Score: 3, Funny

    Before the sea of "vista sucks" comments, I'm going to ask this question:

    When vista inevitably goes first, who is going to want it? I assume it must be a good enough computer to actually run vista, so let's all take guesses at the OS loaded onto it after it's "pwnd".

  7. Wrong! by EmbeddedJanitor · · Score: 4, Funny

    The Vista computer won't get hacked because nobody will want to take it home!

    --
    Engineering is the art of compromise.
  8. Obvious misleading conclusions by Secret+Rabbit · · Score: 4, Insightful

    I think it's obvious the nonsense that'll come out of this. People will say, x OS is more insecure than y and z because it fell first/so quickly. Regardless of the skewed skill/effort that went into breaking it.

    This "twist" is bullshit.

  9. Re:Potential for rigging by Decado · · Score: 5, Insightful

    I would have said that the challenge pretty much amounts to saying "The next OS we find a vulnerability for is the weakest". In the long term it is a meaningless piece of data. If we hear about a new exploit for any OS tomorrow it means nothing, you have to look at long term trends to find a correct answer.

    --

    Slashdot: Proof that a million monkeys at a million typewriters can create a masterpiece

  10. "fair" would be "what users need" by SuperBanana · · Score: 4, Insightful

    > Vista installed from DVD default/recommended choices where possible on installation screens. Same with Ubuntu, and Mac OS/X. Any deviations noted. Any extra software installed must be available on all three platforms. Just to make it "fair".

    When is the last time you left an OS in its default configuration?

    A fair configuration is one in which all tested operating systems provide as identical as possible feature sets, including all the features the majority of people like to use. Like printer and file sharing, for example.

    It's also not fair to include, for example, NoScript- that breaks a ton of websites out of the box until you whitelist sites. Likewise for not including Flash as part of the package. An even more relevant example: the necessary firewall rules to allow IM (and file transfers.)

    1. Re:"fair" would be "what users need" by CannonballHead · · Score: 3, Interesting

      I think this is an excellent point.

      Default windows configuration is defaulted to... well, a very compatible set of options.

      Not having actually done a Mac install, I don't know what the default is.

      A default Linux partition, depending on the flavor, could be pretty minimal...

      Here's what I think would make it more fair: make all the operating systems able to do the same things. Presumably, the normal Mac user, at some point, will want to open a windows media file and an Office 2007 file. The typical Windows user will use quicktime at some point, and thus have it installed and have its possible security holes, too.

      Otherwise, I could create a Linux distro that is THE safest operating system EVER... and just not let you do anything, no network connectivity, etc. Pretty safe! And useless.

    2. Re:"fair" would be "what users need" by hunterkll · · Score: 2, Informative

      OS X install by default has no network services running external and is firewalled. You have to manually turn on network sharing and services from a preference pane.

  11. I'd like to see stats on effort per platform by SuperBanana · · Score: 4, Interesting

    > We're thinking of having a contest where we have Vista and OS X and Linux ... and see which one goes first.

    What I'd be most interested in is a survey of contestants as to their platform experience, and how focused they intend to be on attacking the different platforms. That part could be wildly unscientific, but could be interesting if everyone answers openly.

    Couple that with some good logs of network activity, to see how focused attacks are on the various systems.

    For example, it could turn out that nobody goes for the supposed low hanging fruit, and everyone tries to target the Mac...or an OpenBSD box, if they bring one. Etc.

  12. It would be more interesting to have by Babu+'God'+Hoover · · Score: 2, Insightful

    all the contestants attack each of the three systems with the winner given his choice of the systems.

  13. Re:Lopsided... by geekoid · · Score: 2, Insightful

    Yes, but the skill and motivation to hack OSX is much higher. The person who can exploit OSX in a meaningful way would get a lot of prestige from the '*hat' community.

    Besides, that involves a logical fallacy. Basically, for your statement to be true, they must have the same architecture, developed by people of equal skill, use the same project management style and the same QA.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  14. Vista would be first by tsotha · · Score: 3, Insightful

    Even if it were the most secure, Vista would be first. I'm sure there are kits you can buy from shady groups in Eastern Europe or Russia that will do the trick immediately. If Vista doesn't already have the highest market share, it will at some point. So if you make hacking kits for organizations that make botnets you're gonna crack Vista first.

    1. Re:Vista would be first by Idiot+with+a+gun · · Score: 3, Insightful

      Except... many important servers run on Linux. So while lots of malware exists for Vista/XP, lots of people around the world really do make attempts at assaulting Linux boxes. More often than not, I believe, success is based upon attacking weaknesses in the software installed on said box. (Which one can argue that a properly maintained *nix box has a better chance of surviving, because of the continual security updates for all of its software).

    2. Re:Vista would be first by tsotha · · Score: 2, Interesting

      Oh, I'm sure Linux boxes are subject to attacks as well. I just think, as a nefarious writer of cracking software, you'd have to believe your time is better spent cracking Windows than Linux. And I don't believe servers are the most profitable boxes to hack anymore - keyloggers to swindle online banking users are probably the big moneymakers.

  15. TFA doesn't say by Cajun+Hell · · Score: 5, Funny

    Who is operating each machine? I need their email addresses. I want to send them some programs, and my "hack" is that the programs will come with instructions to the operator: please execute this attachment.

    My understanding is that for Windows, I just need to have the filename end with .exe. For MacOS, I need it to end with .dmg. For Linux, I need to train the user how to use chmod.

    --
    "Believe me!" -- Donald Trump
    1. Re:TFA doesn't say by Al_Lapalme · · Score: 2, Funny

      Hehehe... Copy to desktop; right click->properties - check 'executable' and then run.

      Can't wait to see those vacation pictures!!!

      Ahhh f*ck.

      --
      Al
    2. Re:TFA doesn't say by toadlife · · Score: 2, Informative

      > For Linux, I need to train the user how to use chmod.

      Naw. Assuming it will be a functional equivalent of Windows and OS X, it should be running KDE, which means it will have support for archives (Ark) built into it. Just send 'em an archived shell script with the execute bit already set. Alternatively, you can send them your payload in some sort of package format, like RPM.
      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    3. Re:TFA doesn't say by Shados · · Score: 4, Interesting

      Try this for giggles. Have a Vista machine. Send them an email with an exe file. Try and get them to execute it. Good luck. If you manage that, try the same exercise by MSN Messenger. At that point, even I am not sure I can do it without googling, and even then it's tricky. Vista is a b**** when it comes to running EXEs received by email or MSN.

  16. OSX, Linux, Vista by Anonymous Coward · · Score: 2, Interesting

    If I were to enter such a contest I would target OSX first, then Linux and finally Vista.

    OSX is first because Apple has been hiding behind security by obscurity for too long. I have seen no evidence that suggests OSX gets it any more than Microsoft did.

    Linux next because source code is available... and while clever hits without source are sometimes easier you just might get lucky walking the usual paths and find something exploitable.

    MS has been more or less awake from the security perspective for years now and most of the exploit efforts have been targeted at this platform which raises the bar for discovery of new exploits because all the trivial vectors have already been probed. Following the same line windows exploits are simply worth more than OSX or Linux exploits. Good ones can be worth a room full of PCs if you can find the right buyer.

    Applications such as browsers, media players, and various popular plugins ... acrobat, flash...etc provide great cross platform opportunity for successful attacks. It might actually be worth one's time to try for a common exploit and win all three :)

    Besides a PC is a PC... you can always reformat the drive and install Solaris if you want :)

  17. Re:What about Quicktime? by QuantumG · · Score: 2, Interesting

    Quicktime comes with Firefox these days .. I've lost count of the number of times I've seen Quicktime crash Firefox.. every time I think "I bet that is exploitable", but, ya know, I'm too lazy to bother looking.

    --
    How we know is more important than what we know.
  18. It doesn't beg any question... by Anonymous Coward · · Score: 2, Funny

    ...and you damn well know it. You guys are deliberately baiting the language nazis - there's no way you could *still* be ignorant of what this phrase means.

  19. Re:*BSD! by CapsaicinBoy · · Score: 4, Funny

    Ummm. OSX is just NeXTstep v5 (or 6 by now?), and NeXTstep is a flavor of BSD.

    Please turn in your geek card on the way out.

    http://en.wikipedia.org/wiki/Image:Unix_history.en.svg

  20. Re:Potential for rigging by The+Mighty+Buzzard · · Score: 2, Insightful

    You obviously don't know very many humans then. Of course you are posting on /. so I suppose that's to be expected.

    --
    Violence is like duct tape. If it doesn't solve the problem, you didn't use enough.
  21. To make it fair. by Higaran · · Score: 2, Insightful

    I think each team should have to hack all 3 computers, and the first team to do so gets to pick, and then the second picks the next one and then the third gets the last one. So that equal energy goes into hacking each unit, and each team will learn something about a system they probably didn't know, and isn't that what this whole thing is about, learning something.

  22. Re:What about Quicktime? by Crimson+Wing · · Score: 2, Informative

    > Quicktime comes with Firefox these days

    Uh, BS? Every time I've installed Firefox so far, then gone to a page with an embedded QuickTime media file, Firefox has complained of needing an additional plugin. I install QuickTime itself, and then embedded QT files play just fine.
    --
    Sig? What's that? Oh, 'signature'...and it's supposed to be witty? Right...
  23. Re:too easy by HiThere · · Score: 2, Interesting

    Actually, Vista may be the last standing. I'm not saying it's the most secure, but it's the most unknown. And if you were a Black Hat who had developed a route into Vista, I'm sure there are more profitable ways of exploiting your ingenuity.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  24. Re:What about Quicktime? by Grendel70 · · Score: 2, Funny

    Correct and informative post. Unfortunately your sig blew away any credibility you might have had.

    --
    Perhaps you mean a different thing than I do when you say "science."
  25. Re:Potential for rigging by KDR_11k · · Score: 2, Funny

    > It might be more fun to see which OS annoys the user enough to launch the CPU across the room.

    I don't know about you but when I'm annoyed I don't have the patience to remove the case, CPU cooler and finally the damn chip itself just to throw it around.

    --
    Justice is the sheep getting arrested while an impartial judge declares the vote void.
  26. Re:Poor subnet by KDR_11k · · Score: 2, Funny

    At first I read that as "So many idiots who will just sit there with a hammer". Definitely the easiest way to crack a system...

    --
    Justice is the sheep getting arrested while an impartial judge declares the vote void.
  27. On your marks, get set by KimmoV · · Score: 2, Funny

    I can just see this happening.. MC: Okay...the competition is ready to start... We have three computers, Vista, XP and Mac....crack it and it's yours.. Are you ready? On your marks, get set, g.......OKAY OKAY! Not funny...We have now XP and MAC available...the competition will start on my mark....On your marks, get set...go!!

    --
    This text has been written completely with recycled bits and bytes.
  28. Re:Lopsided... by mgblst · · Score: 2, Informative

    > Rare? Diamonds are rare, yet I see them daily.

    Diamonds aren't rare, only the stupid really believe this - why do you think diamonds are rare, because they are marketed to you as such. Diamonds are carefully controlled, so that a huge amount doesn't flood the market, but that doesn't make them rare.
  29. Re:What about Quicktime? by glamb · · Score: 2, Funny

    Yes, I too have lost count of the number of times I have seen the Quicktime Firefox jump over the lazy dog