Gizmodo
Organizers behind the CanSecWest security conference in Vancouver are putting together a "hacker superbowl" of sorts, pitting attendees' skills against Vista, Mac OS X and Linux. Dubbed PWN 2 OWN (ewwww), the objective is to develop a brand-new "zero day" attack to take control of one of the three operating systems loaded onto laptops. There's a grand prize of $20,000, and the hacked laptop will go to the first contestant to pull it off. So, the question is—which OS do you think will go down first? UPDATE: A winner has been announced! Vote and then hit the jump to see if you were correct.
It appears that contestant Charlie Miller just earned himself $10,000 for hacking a Macbook Air inside two minutes. So, those of you who voted Vista as the first to go down are probably fairly shocked right now. Miller was also among the researchers who first hacked Apple's iPhone last year, so it may not be all that surprising to hear that he was able to work his magic with OS X so quickly.
During day one hackers were only allowed to use network-based attacks. Not surprisingly, no one even attempted it. Today the rules were relaxed to allow hacks that involve websites and email. So, Miller utilized a simple website that contained exploit code to get the job done—which leads us to believe that the flaw he exploited exists within the Safari browser. Too bad they cut the prize money in half with each passing day. [PWN 2 OWN via Yahoo and PC World]
Comments
I think it will be a close race whichever way it goes.
People forget that Windows is "insecure" because of market share as well as OS vulnerabilities. All of a sudden you put these three OSes on level terms (1/3 share each), and you have a real race.
I would actually bet against Vista SP1; plenty of built in protection out of the box.
I want to say that the one that gets hacked often is the one that is least to be hacked right away.
The MacBookAir already hacked...
M
Going to place my bet for Vista on the table.
That is not to say that OS X and Ubuntu are flawless in this regard, but the exploits for those systems aren't as obvious and as easy (I'd think) to take advantage of.
hahaha mac book air hacked in 2 minutes flat!...hhmmmm i wonder what the apple fanboys have to say bout that. ofcourse there's a logical explanation for it...im sure.
Pop an Ubuntu LIVE CD into the Vista machine and you can access the NTFS partition no problem, however this assumes the BIOS isn't locked down, which most peoples aren't... but these probably are. (It's still a good way to win a bet with a friend)
Linux is the first because it is a hack from day one. Vista is second just because it has so many unknown bugs. OSX is the last because it does not have as large user base, so less attractive to "hacker." BTW, "hacker" in this context should be called "cracker."
@Anticitizen:
It's not a matter of Vista's vulnerabilities being obvious. The thing is that so many people have Windows and so many of those people hate Microsoft that cracks and countermeasures have been continually developed over the years to bring MS down. No one cares about OSX and Linux because they're open platforms that are (by nature) loved by its users. However, there's an important point to consider. If a hacker did want to bring down OSX or Linux, it wouldn't take very much work because they're so loved and so few people are out to get them. It's already been proven that OSX is far less secure than Windows, and Apple likes to taunt Microsoft with its lack of viruses, but the thing is that no one cares about hacking them yet. Make them as powerful and hated as Microsoft and you'll soon see all sorts of problems with OSX followed by countless security patches to download for those vulnerabilities.
I'm not a Microsoft or Apple fanboy, btw. I just don't think anyone got it right yet. There's much room for improvement for all 3 of these OSes.
(Just RTFA and: "No physical access to the machines.")
boy am I OFF today!
"OSX and Linux because they're open platforms that are"
OSX isn't REALLY open, when it comes down to it, and a lot of the reasons why Linux is secure is because it IS open.
Normally you would have to go with the windows OS, but this time I have no idea. Vista is actually very secure. Unfortunately you have some programs that arent compatible because of that, but losing a few programs for more stability and security sounds good to me.
I actually am impressed that (if I read this correctly) that all three operating systems made it through the first day without an issue. I am hoping that none of them get hacked, and maybe we can finally put this whole 'my operating system is more secure than yours' crap to bed once and for all.
Can't we all just get along?
Come on, guys. Group hug.
@nutbastard: Heh. Better be careful - you might get de-starred! :D
mac lost in 2 minutes. yikes!
This deserves a poll.
My bets
first Linx
second Vista
third OS X
For what ever reason, the poll did not render on my screen.
Disregard my previous post.
Is this a rhetorical question?
@FredicvsMaximvs:
yeah you guys are lucky - nothing to lose!
haha macs are terrible
"Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday, the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages."
Lame, it requires the user to do something specific...
@TehBoj:
Don't count yer chickens before they're hatched - he was the first one to try to hack any of them, and since it's a website based hack it probably works on all three platforms.
The Mac was already hacked. It was because of Safari, which is pre-loaded by default.
Truthfully, I would have guessed that anyways. You'd be surprised how much security researches have hammered on OS X, and what they've found.
@fuzzycuffs: Heh, I was going to bet on OS/X (I can't get to the website -- timing out. Some of you guys lay off, so I can get a chance!): MS has been forced (and shamed) into making their OSes progresssively more secure; Ubuntu is made more secure through the philosophy of "many eyes"; and OS/X is protected through arrogance and the Reality Distortion Field... Doesn't take a genius to figure out which is weakest. Safari (3.1?) was immediately found to have severe insecurities (on all platforms) upon it's recent release. Yeah, I really want Apple Update trying to force it on me....
Hacked using Safari, eh? You mean the same Safari that Apple is trying to force onto everyone's computer?
So much for that reliable operating system. I think Steve's RDF is wearing away.
"A grand prize of $20,000 and the hacked laptop will go to the first contestant to pull it off."
Just Thinking...
Would you want to hack any other laptop than the Macbook Air ?
@Tomahawk214: I'm not going to take sides here, as I'm a user of all three OS's, but I will say that ONE guy hacking ONE system is not a testament to that systems security.
@Aleung: Cracker please!
@Aleung: No, it's called cracking when breaking encryption. This is hacking...
@Spyrojoe: Last time I checked one single hack put on by one guy could easily be replicated by thousands.
Security by obscurity. As long as you dont have a reason to hack a Mac you wont (and since no real business runs it and nobody with any money runs them no reason to waste your time).
@archercc: Actually my experience has been that most people with Macs have more money than they know what to do with, or at least there parents do.
So this makes it two years in a row that a Mac has "won" the title of most easily hacked.
@archercc: "and since no real business runs it and nobody with any money runs them no reason to waste your time"
I come for the stories - and stay for the entertaining, enlightened banter.
It would be nice to see this in action on video.
I picked the winner it seems. My reasoning was that A) With fewer targeted attacks normally Mac would likely have fewer well-tested safeguards and B) Macbook Air would probably be worth the most to take home.
Remember -- fewer exploits doesn't mean more secure it just means it's faced lesser challenges.
Wow MacOSX is better than windows even on that..
@TallDudeFromBrazil:
Or did he just pick the MBA first because he wanted to win it?
Safari: the reason why it's so insecure is cuz it's fugly.
@MINI Driver: He probably had to take a piss so he hacked OSX because its the easiest.
The other two actually require time.
Na, the hack probably works with every browser. He just hacked the OSX machine because he wanted that one.
Why wouldn't the Linux system be the easiest to hack, linux it open-source so it should be the easiest, right?
MacOS X is insecure and CanSecWest proved it.
Macworld 2009:
(image)
[www.baboo.com.br]
Vista already got hacked... The ones trying to hack osx can keep trying. Sorry windows!
@newSeasons: Good evening sir. For today's three course menu, we will be starting with your foot...
For the people saying he hacked the MBA because it was the most appealing to take home - remember that there's also the cash prize. So logic would dictate that instead of going for the machine you most want, you should go for the one that you can hack quicker and before anyone else. You can more than afford any of the 3 laptops (or all 3 if you wanted) with the money.
Hear that? ...that's Steve crying. So far, 2008 has been pretty rough on him.
...if the kid really wanted a certain laptop, he could have bought it with the cash prize that he won. He hacked the least secure machine.
wonder what did the guy do with his half a mac book air ............
No surprises here. Macs are notoriously on the easy side to hack. Mostly due to the fact that no one usually bothers so the Mac makers usually don't bother with anything but the most rudimentary protections. What really surprises me is that no one tried to network hack the Mac honestly.
hasnt this already been proven? that because the mac os is attacked less frequently they are easier to "open"?
didnt that "bug" from a couple years ago highlight that stark reality?
since then, apple has been paying a lot more attention to security though - good for them.
why would he choose the "most valuable" laptop? they all probably fall in the $1,000 - $2,000 range, with the grand prize for day 2 being $10,000. logic dictates to attack the most vulnerable machine to get to the prize money.
Charlie Miller was sent here from the Gods...
if the Vista machine was the victim I would see all kinds of flames but since the Mac was hacked the excuse is that he wanted to keep the laptop with the shitty OS, but pretty case.
He hacked it because it was easier, reason for being is not many people know about these exploits because it makes no sense on developing a virus/hack to affect all 200 Mac users in the US.
Considering how large the prize money is it is ridiculous to say he hacked the MacBook Air because it was the trendiest computer. If he thought either of the other two computers could be hacked more quickly he would not have risked $10,000 for the sake of a $2,000 MacBook Air. The MBA is nice, but not /that/ nice.
@keyser: I don't understand the logic. This would suggest that Macs just have the same old security issues. Paying more attention to security does not equal two minute hacking time.
@nutbastard: Its not that you are off ... you are thinking about "most people" ... in IT security physical security comes 1st and its a given. The rule of thumb is no physical security, no security period. If you think about it its quite obvious, and why NOCs are such a PITA to get into.
The speed of the hack makes it almost plain that he knew about the existence of this bug before hand. a derivative of the original iPhone safari exploit ?
Contrary to popular belief, M$ did its homework securing Vista, there obviously are still some exploits for it but most require some interaction by an unaware user, like downloading a malicious DRMd WMV ...
@nutbastard: As this was the second day, it gave this basic level of user interaction, users downloaded email and opened websites, but did not download anything, nor clicked "yes" on any prompts. Just downloaded and read email, and visited a website with no obvious threats to it. Just like a real security-conscious user would.
So the exploit is really cool actually, just visiting a website made your macbook pwned. I wonder if this was run behind a corporate firewall too ? i think it would probably work as nothing was downloaded to the mac.
And to those thinking he hacked the MacBook air for "value" you are waaaay off. He hacked the one he knew better in the fastest way he knew how, the bragging rights of this are worth 10 MacBook Air put together.
Sorry for the 3 comments in a row, but no edit and keep thinking new things ...
If i had to place a bet, it's be that he did it with an image with some "payload" in it that got interpreted by Safari, similar to the old jalibreakme (?) site for the iphone.