Mac vs Ubuntu vs Vista Security - Interesting Contest


BigBlueDodge
28th of March 2008 (Fri), 11:04
I stumbled across this while browsing some email newsletters that I signed up for. There is a Security conference going on in Vancouver, British Columbia right now (CanSecWest) having a "PWN 2 OWN" hacking contest. Up for attack are three systems, representing each platform, Linux, Mac, Windows. The contest is actually quite interesting in that it progressively opens up the systems until they get hacked. For example, on the first day hackers have to try and hack a standard OS install from across the network. If they can't hack that, then the next day the contest organizers will allow hackers to use email luring attacks/web pages to try and hack the machines. If the hackers can't hack using email attacks, on the third day the organizers will install 3rd party software, and hackers can try and hack the system via the 3rd party software.

On day one, all of the systems survived unhacked. On day two, the first victim fell. Within 2 minutes, the Mac fell prey and was hacked. Linux and Windows machines are still safe, for now.

You can read about it here

Writeup of Day 1
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9072418

Writeup of Day 2
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9072699&source=NLT_AM&nlid=1

Interview with Hacker that broke into the Mac - quote "Mac easiest to hack"
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9072959&source=NLT_PM&nlid=8

Before all of the Mac fanboys (and the Windows or Linux fanboys, depending on which system falls next) start coming out of the woodwork crying foul, let me stop you before you start. This is just ONE instance of a contest.


Does it mean Mac is the least secure and Windows/Linux is the most secure? NO
Can I find other contests where a Windows machine or Linux machine was hacked before a Mac? Most likely YES.
Should anyone base their future buying decisions on just one hacking contest? NO
Does this contest bring to light that every OS platform has weaknesses? YES
Does this show that users are as much to blame for security vulnerabilities as the underlying OS (I thought that .exe in my email was harmless)? YES


I'm quite sure people will say the contest is invalid because System A didn't have Patch X applied, or System B had feature X applied while System C didn't. In the end it doesn't really matter. This is a point in time contest using OS's with current date patch levels, etc. The security world does not stop for hacking contests, and there are new exploits being created, new patches being written that will invalidate these results 6 months from now.

So what does this have to do with Photography? Well, almost weekly someone posts a question about "Should I get a Mac or PC to do my post processing work". I think it's important for people to see that all systems are not totally secure. I'm quite sure that by tomorrow, all 3 systems will have gotten hacked.

TPG
28th of March 2008 (Fri), 11:42
PEBKAC. :D

Dan-o
28th of March 2008 (Fri), 19:20
I think the Mac guys are speechless. :shock:

cosworth
28th of March 2008 (Fri), 19:42
"2:30pm PST Update: Its been two hours so far, and both Vista and Ubuntu laptops are still standing. Stay tuned..."

http://dvlabs.tippingpoint.com/blog/2008/03/28/pwn-to-own-final-day-and-wrap-up

ocabj
28th of March 2008 (Fri), 19:54
What people fail to realize is that the exploit requires the user to visit a website with the malicious code. It's not like the OS was hacked by an active remote/network hack attempt.

If anything, it's a flaw in Safari, not OS X.

Granted, I do think it's disconcerting that Safari has a privilege elevation exploit. But that's how Unix boxes get 'hacked' in the first place. There's usually a program that can be run with elevated privileges and the malicious code is able to obtain root privileges through that program. Long life programs like pine, sendmail, samba, etc, have had issues in previous revisions (and probably have some unknown/unexploited issues in current versions) that have allowed 'rooting' of the system.

cosworth
28th of March 2008 (Fri), 21:06
> If anything, it's a flaw in Safari, not OS X.

We realize it. You get hacked when accessing the internet. You can't hack a computer that just sits there and does nothing without touching it.

OSX has Safari installed by default and I'm sorry, I consider it part of the OS. You can uninstall it, but the Mac options are most likely MORE unsecure than Safari.

BigBlueDodge
28th of March 2008 (Fri), 21:46
> "2:30pm PST Update: Its been two hours so far, and both Vista and Ubuntu laptops are still standing. Stay tuned..."
>
> http://dvlabs.tippingpoint.com/blog/2008/03/28/pwn-to-own-final-day-and-wrap-up

7:30pm PST Update - Vista Laptop was Won!:

http://dvlabs.tippingpoint.com/blog/2008/03/28/pwn-to-own-final-day-and-wrap-up

Actually, that title is a misnomer. The Windows Vista machine was hacked due to a flaw in Adobe Flash. (Shame on Adobe) Looks like the Ubuntu box took the cake in this contest. I love these contests, because if anything they are a little dose of reality of how easily people can hack into your system.

I think that most OS's have gotten relatively secure. It now seems as though the 3rd party application vendors are becoming a prime target for hackers, as most of these companies don't do the rigorous security testing that an Apple or Microsoft will have to do in the operating system.

cosworth
28th of March 2008 (Fri), 22:00
Says something about Vista and IE7 though... Was Firefox in the PC mix perhaps?

Tony-S
28th of March 2008 (Fri), 23:22
There's really a simple explanation for this. See, the first to hack the Vista, Ubuntu or MacBook Air not only got $10,000, but they also got to keep the computer. I mean, who wants a Vista or Ubuntu machine? :)

Let's hope Apple gets this Safari hole plugged real soon...

Paul_B
28th of March 2008 (Fri), 23:49
While I dual boot WinXP and Ubuntu, I somehow thought Vista would come out on top. But, then find out 2 weeks later, Microsoft paid for it all :rolleyes:

Look, Linux (Ubuntu) is the most secure, for the simple reason: it's not worth hacking right now. Not enough users to warrant the time invested.

As long as Windows XP or Vista have their large percentage of the desktop, they are THE target. Add to the fact, so many don't like (in haxor circles) Microsoft, and with the point to prove their security sucks.

Why shoot at the Penguin when you kill the Deer most times.


By Design, I believe MAC and Ubuntu to be more secure. Both are based on UNIX. Windows is based on ease of use on top of DOS.
A flaw they have been having trouble with since the beginning.
UNIX is a proven more secure system. Linux is a secure system as it's based on unix, the same goes for MAC.

yes yes, I know, windows no longer runs on top of dos. But it's where it started.

UNiX and Linux are trusted with so many things that windows cannot even be considered for.
i.e. World clocks are kept track of with UNIX.
Please do not get me started, so many things are entrusted with UNIX/Linux. Really there is "NO" other choice. Microsoft products can NOT be trusted with so many things.

Vista is a nail in their own coffin.

Windows is Defective by Design.

Photoshop is all I really use/need Windows for; when I can run Photoshop under Ubuntu, Windows no more.
Secure or unsecure, you are useless to me.

tuan209
29th of March 2008 (Sat), 01:36
The notion that Apple is more secure than Windows is pure rubbish. Hackers just don't have the incentive to hack Apple because there are not nearly as many people using Macs as compared to PCs.

Just take a look at how fast hackers hacked the iPhone.

trailblazer
29th of March 2008 (Sat), 06:18
> I mean, who wants a Vista or Ubuntu machine? :)

I do.
I want a new Ubuntu laptop.
I used to use Windows but dabbled with Linux from time to time.
The moment Vista came out and I saw the future of Windows I invested a little time into the learning curve and now I am a Linux convert.
I am forced to use Windows XP at work though, so it is still there, but I personally would support Linux, with Ubuntu being my distribution of choice.

I have never tried a Mac but I have heard it is a 'way of life' or 'lifestyle' more than anything else, but I cannot form an opinion on it myself.

Most of the world's critical applications run on Unix/Linux servers. Even Microsoft uses Linux... that has to say something.

neil_r
29th of March 2008 (Sat), 06:37
I am not surprised, I could get nothing out of Vista when I was sitting in front of it, logged on and in control of the keyboard :-)

dpastern
29th of March 2008 (Sat), 09:33
> By Design, I believe MAC and Ubuntu to be more secure. Both are based on UNIX. Windows is based on ease of use on top of DOS.
> A flaw they have been having trouble with since the beginning.
> UNIX is a proven more secure system. Linux is a secure system as it's based on unix, the same goes for MAC.

Wrong. Linux is a UNIX like system, but is NOT based on UNIX code. If anything, Linus [Torvalds] built the initial Linux kernel after Minix, which is actually a micro kernel and not a monolithic kernel like UNIX and Windows (and Linux for that matter). Linux happens to follow many ABI standards, because they are standards, and Linux is the most standards compliant operating system in current development. Mac is NOT based on UNIX. The kernel is a MACH style kernel (based on the NEXTos micro kernel) in a BSD userland. It's a messy arrangement that tends to cause OS X to have serious performance issues when dealing with large dbases etc (because of the way kernel calls are made etc).

Most common UNIXes today are based on Sys V code, BSD is based on the older v32 code from memory. There are differences.

> UNiX and Linux are trusted with so many things that windows cannot even be considered for.

Sort of true, but that's because the code was designed on a UNIX system before Windows even existed. Let's take BIND for example - it's the backbone of the web. Windows is weak in many areas - lack of text processing stream applications - sed, awk/gawk to name a few. Nothing like sort, cut. System monitoring tools are almost nonexistent, and process manager hides many things. UNIX/Linux have top, ps just to name a few. Windows does not support SSH out of the box, but rather older and more insecure applications like telnet. Windows still supports nslookup as default, where it is deprecated and replaced by DIG. Windows is very weak as a powerful all purpose operating system, but it is good as a desktop/gaming system and that is what 99% of the population wants. This is why Windows wins - it does help that Microsoft has friends in high places, take a long look at the OOXML debacle that is currently happening.


> Windows is Defective by Design.


Agreed. Reliability and security have been dropped at the price of usability. Sadly, many many people using computers today simply shouldn't be. Once upon a time you had to learn how to use a computer, but these days...and it's the sole reason why viruses/spamming/poor inter-network performances are so common.

Any software can be hacked - there are some nasty Linux rootkits out there as an example. Hell, rootkits can be installed onto ROM chips on the motherboard, basically meaning that they are impossible to remove without actually removing the hardware. They are proof of concept rootkits, but they are do-able. I think you'll see BSD style jails, or Solaris containers become the de rigueur to help increase safety on operating systems in the future.

Dave

ocabj
31st of March 2008 (Mon), 13:22
> We realize it. You get hacked when accessing the internet. You can't hack a computer that just sits there and does nothing without touching it.

Uhm, yes you can hack a computer that is sitting on a network without the user/owner doing anything.

It's called a remote exploit. The famous 'Blaster' worm is one such example. Any WinXP computer that wasn't patched for the DCOM RPC buffer overflow was vulnerable. The worm hits that computer, if it is vulnerable, puts the malicious code on that computer, and from there, it searches for more hosts that are vulnerable to copy itself to. It didn't require the user of that computer to do anything.

The most common method of 'hacking'/'cracking' is people trying to brute force ssh/telnet accounts on a machine using a dictionary attack. Assuming they can get a shell session, they are on the computer remotely and will then attempt to install malicious programs or daemons, or even try to run rootkits on the machine to get root level access.

'Hacking' a person's computer by getting the user to actually do something like visit a website relies a lot on "social hacking" (more polite term for "user ignorance").

dpastern
31st of March 2008 (Mon), 17:20
Windows machines are even easier to crack - boot off a Linux live disk, copy the .sam file to a CD/floppy, take it away and run crack on it until you crack the .sam file. You normally cannot access the .sam files whilst Windows is running (at least Microsoft did something right lol). True, you could do the same probably with a Linux live CD and Linux by grabbing /etc/passwd and the shadow file as well.

Modern operating systems are generally pretty safe - most cracks are due to social engineering, not brute force ssh/telnet attacks.

Oh, and it's cracking, not hacking. Hacking is something else, stupid Hollywood ballsing something else up. No wonder the ordinary person thinks us IT guys only have to type a few magical things on a keyboard, or press a button and it magically fixes the PC's ills.

Dave