Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

MacBook Air First To Be Compromised In Hacking Contest

Soulskill posted more than 6 years ago | from the potential-reality-tv-show dept.

Portables 493

Multiple readers have written to let us know that the MacBook Air was the first laptop to fall in the CanSecWest hacking contest. The successful hijacking took place only two minutes into the second day of the competition, after the rules had been relaxed to allow the visiting of websites and opening of emails. The TippingPoint blog reveals that the vulnerability was located within Safari, but they won't release specific details until Apple has had a chance to correct the problem. The winner, Charlie Miller, gets to keep the laptop and $10,000. We covered the contest last year, and the results were similar.

cancel ×

493 comments

Sorry! There are no comments related to the filter you selected.

0wnership (5, Funny)

Anonymous Coward | more than 6 years ago | (#22890086)

Ah, the pride of 0wnership.

do you hear that ? (5, Funny)

Anonymous Coward | more than 6 years ago | (#22890090)

the sound of a million fanbois as they screamed Nooooooooooooo i sense i disturbance in the reality distortion generator set comments to flamebait and activate the extra moderation modules captain taco

Re:do you hear that ? (4, Funny)

Lovat (1248352) | more than 6 years ago | (#22890118)

You are correct, sir. Flaimbait tags on both the story and half the comments here in 3 . . . 2 . . . 1 . . .

Get the Facts is a better tag. (-1, Troll)

Mactrope (1256892) | more than 6 years ago | (#22890170)

What, did you expect anything else from something sponsored by Microsoft [cansecwest.com] ? It was easy to tell that the loser was going to be Apple or Ubuntu.

getthefacts baby!

Re:Get the Facts is a better tag. (5, Funny)

Anonymous Coward | more than 6 years ago | (#22890244)

Yes. The totally unbiased facts from a guy with "Mac" in his username.

Re:Get the Facts is a better tag. (2, Insightful)

calebt3 (1098475) | more than 6 years ago | (#22890402)

It's Twitter imitating Macthorpe.

Re:Get the Facts is a better tag. (0)

Anonymous Coward | more than 6 years ago | (#22890326)

You already posted [slashdot.org] in the Firehose [slashdot.org] entry for this article with one of your many sockpuppets [slashdot.org] .

And said exactly the same thing, which is to blame Microsoft, as usual [slashdot.org] . Of course you forget to mention that Vista was also one of the target systems and was not compromised.

Re:Get the Facts is a better tag. (1)

DKlineburg (1074921) | more than 6 years ago | (#22890584)

There Vista system didn't have Nvida graphics cards. . . NVida's whoas [zdnet.com]

Re:Get the Facts is a better tag. (5, Funny)

exley (221867) | more than 6 years ago | (#22890604)

The contest was also sponsored by the likes of Google, Cisco, Adobe, some security folk... They must all have it in for Apple, oh no Apple is screwed! Plus if you read how the contest [itworld.com] was run, it's hard to make the case that this was all pro-MS.

Get the facts... Up to the point where they support your agenda and then punt.

I say well done. (4, Insightful)

catwh0re (540371) | more than 6 years ago | (#22890446)

In the past I've written replies which effectively defended the mac platform, not due to some loyalty, but because most of the feedback people write is pure b/s. I prefer factual arguments, not near-random fear mongering.

I haven't RTFA but from the surface it sounds like a fair exploit test, and sure it only fell over with user interaction, but it still fell first. So good on them, they'll enjoy their prize of a macbook air and a sweet $10k.

I think the relevant part is: (-1, Redundant)

MacDork (560499) | more than 6 years ago | (#22890558)

The winner, Charlie Miller, gets to keep the laptop

In other words, the first to hack it gets it! Who wants a Vaio or a Fujitsu anyway? Given a choice between the three, I'm sure everybody wanted the MacBook Air. Naturally, the only machine getting the pounding is going to be the first to crack.

So... the moral of this story? Never underestimate the ability of an Apple fan to rationalize how the Mac could be the first to fail, yet still be the finest computer in the competition. d(^_~) [Thumbs up!]

Better headline (5, Funny)

BadAnalogyGuy (945258) | more than 6 years ago | (#22890094)

Safari browser has massive security hole.

It's funny how they turned a huge hole in the Safari browser into a commercial for the Mac Air.

"Small size, big holes"

Identical articles (2, Insightful)

Robert1 (513674) | more than 6 years ago | (#22890096)

They're nearly perfect mirrors of one another. Really the only difference between this year and lasts was the word "Air."

Re:Identical articles (5, Insightful)

Anonymous Coward | more than 6 years ago | (#22890116)

No, this year Vista and Ubuntu were in the contest as well. But the mac got hacked in two minutes and the Vista and Ubuntu machines resisted every hack. Big difference there. Oh, and I'd like to say, HA HA /nelson - now tell us again how absense of mac malware is not because of small market share.

Would you want a Vista machine? (1, Funny)

Anonymous Coward | more than 6 years ago | (#22890220)

Seriously... Microsoft can't even pay people to take it, let alone get them to put in effort to get one.

Re:Identical articles (5, Funny)

Anonymous Coward | more than 6 years ago | (#22890240)

The Vista machine would have been hacked quicker if it ran faster

Re:Identical articles (1, Insightful)

Immerial (1093103) | more than 6 years ago | (#22890242)

But the mac got hacked in two minutes and the Vista and Ubuntu machines resisted every hack.

You aren't totally correct on that. The article says "He was the first contestant to attempt an attack on any of the systems." (on the second day). None of the systems fell on the remote only side but when it came to test user interaction the Mac was the first one tested. I'm still waiting for the result on the other machines. It is what a lot of us suspected... because of Apple's rep., people would be eager to take on the Mac first. It is still not to say it isn't bad... oh, it is. But the contest isn't over yet.

Now if Vista and Ubutunu machines are tested by folks and hold up, then that news is more interesting to me.

My bet is on the Vista machine having an exploit but not Ubuntu.

Re:Identical articles (5, Informative)

recoiledsnake (879048) | more than 6 years ago | (#22890300)

You aren't totally correct on that. The article says "He was the first contestant to attempt an attack on any of the systems." (on the second day). None of the systems fell on the remote only side but when it came to test user interaction the Mac was the first one tested. I'm still waiting for the result on the other machines. It is what a lot of us suspected... because of Apple's rep., people would be eager to take on the Mac first. It is still not to say it isn't bad... oh, it is. But the contest isn't over yet.
Sorry, that's just plain wrong. Every laptop had different contestants going on about it in 30 minute slots all day.

Day 1: March 26th: Remote pre-auth All laptops will be open only for Remotely exploitable Pre-Auth vulnerabilities which require no user interaction. First one to pwn it, receives the laptop and a $20,000 cash prize. The pwned machine(s) will be taken out of the contest at that time. Day 2: March 27th: Default client-side apps The attack surfaces increases to also include any default installed client-side applications which can be exploited by following a link through email, vendor supplied IM client or visiting a malicious website. First one to pwn it receives the laptop and a $10,000 cash prize. The pwned machine(s) will be taken out of the contest at that time. Day 3: March 28th: Third Party apps Assuming the laptops are still standing, we will finally add some popular 3rd party client applications to the scope. That list will be made available at CanSecWest, and will be also posted here on the blog. First to pwn it receives the laptop and a $5,000 cash prize
So the Macbook is out of the race since it finished last. Tomorrow, the Ubuntu and Vista machines will have a prize of $5000 on them being cracked with lots of third party apps installed.

Re:Identical articles (1, Redundant)

Immerial (1093103) | more than 6 years ago | (#22890392)

So is it official that the Vista and Ubuntu machines have survived day 2??! Judging from the blog... it isn't:

Update 5:45 PST - The contest is officially over for today. Check back tomorrow to see how the Vista and Ubuntu laptops fare.

Do you have an inside scoop??

Re:Identical articles (5, Informative)

recoiledsnake (879048) | more than 6 years ago | (#22890556)

So is it official that the Vista and Ubuntu machines have survived day 2??! Judging from the blog... it isn't: Update 5:45 PST - The contest is officially over for today. Check back tomorrow to see how the Vista and Ubuntu laptops fare. Do you have an inside scoop??
You misunderstod the contest rules. No inside scoop. Just the blog.

Day 1: March 26th: Remote pre-auth
All laptops will be open only for Remotely exploitable Pre-Auth vulnerabilities which require no user interaction. First one to pwn it, receives the laptop and a $20,000 cash prize.
The pwned machine(s) will be taken out of the contest at that time.
Day 2: March 27th: Default client-side apps
The attack surfaces increases to also include any default installed client-side applications which can be exploited by following a link through email, vendor supplied IM client or visiting a malicious website. First one to pwn it receives the laptop and a $10,000 cash prize.
The pwned machine(s) will be taken out of the contest at that time.
Day 3: March 28th: Third Party apps
Assuming the laptops are still standing, we will finally add some popular 3rd party client applications to the scope. That list will be made available at CanSecWest, and will be also posted here on the blog. First to pwn it receives the laptop and a $5,000 cash prize.
So the security will be even more relaxed on the third day because Ubuntu and Vista survived the first two days without a hack. The Mac finished last and is out of the race.

Re:Identical articles (1)

calebt3 (1098475) | more than 6 years ago | (#22890434)

What is their definition of a "popular application"? WINE (obviously) is much more popular on Ubuntu than Vista.

Re:Identical articles (4, Insightful)

Whiney Mac Fanboy (963289) | more than 6 years ago | (#22890416)

because of Apple's rep., people would be eager to take on the Mac first.

Hold on - are you saying that Mac's have a better reputation for security than linux?

Congratulations sir. Apple fanboy's capacity for self-delusion never ceases to amaze me.

Re:Identical articles (0, Offtopic)

Immerial (1093103) | more than 6 years ago | (#22890468)

Hold on - are you saying that Mac's have a better reputation for security than linux?
Ah... no.

Congratulations sir. Apple fanboy's capacity for self-delusion never ceases to amaze me.
Okaaaay... I'm a fanboy? Wow, you sir have a RDF right up there with Mr. Steve.

Re:Identical articles (0)

zizdodrian (987577) | more than 6 years ago | (#22890250)

Maybe I'm being ignorant, but was the same attention devoted to hacking the other systems?

Of course Mac OS X is going to have 'special attention' - it's an unknown quantity, in a way - and has become the kind of trophy that Vista or Linux would never be.

Another thing - what is with all these buffer overflows due to malformed/long URLs in Safari, Quicktime, etc? Surely the system would truncate them to fit the buffer and remove any dubious characters? (I'm not terribly knowledgeable as far as security is concerned.)

And, in this case, the attacker deliberately chose (3, Insightful)

reiisi (1211052) | more than 6 years ago | (#22890266)

Miller, best known as one of the researchers who first hacked Apple's iPhone last year, didn't take much time. Within 2 minutes, he directed the contest's organizers to visit a Web site that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on.

He was the first contestant to attempt an attack on any of the systems.

But the issue is really not which is more vulnerable, it is that you can't run a secure browser and a convenient browser unless they are two separate browsers.

It's time to abandon the general purpose browser. It's also time to quit surfing as your log-in user. You need a browser for surfing that you run (sudo or something) as a strictly limited privilege user without log-in capabilities.

Re:And, in this case, the attacker deliberately ch (5, Informative)

recoiledsnake (879048) | more than 6 years ago | (#22890360)

It's time to abandon the general purpose browser. It's also time to quit surfing as your log-in user. You need a browser for surfing that you run (sudo or something) as a strictly limited privilege user without log-in capabilities.
If you pulled your head out of the sand and informed yourself beyond the anti-Vista tripe that's posted on here, you might have known that IE7 on Vista does exactly what you described ever since it came out more than a year ago.

linky, pleasey (1)

reiisi (1211052) | more than 6 years ago | (#22890414)

sudo (especially, M$'s patented snake-oil version of sudo) all by itself isn't enough.

You have to have single-purpose browsers, and they can't be just parameterized instances of the general purpose browser (and, no, the current MSIE is not even such a parameterizable browser).

Re:linky, pleasey (4, Informative)

Chokolad (35911) | more than 6 years ago | (#22890460)

Here is your linkey http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx [msdn.com]

Quote from the linkey

  In IE7's Protected Mode--which is the default in other than the Trusted security zone--the IE process runs with Low rights, even if the logged-in user is an administrator. Since add-ins to IE such as ActiveX controls and toolbars run within the IE process, those add-ins run Low as well. The idea behind Protected Mode IE is that even if an attacker somehow defeated every defense mechanism and gained control of the IE process and got it to run some arbitrary code, that code would be severely limited in what it could do. Almost all of the file system and registry would be off-limits to it for writing, reducing the ability of an exploit to modify the system or harm user files. The code wouldn't have enough privileges to install software, put files in the user's Startup folder, hijack browser settings, or other nastiness.

In Protected Mode IE writes/reads special Low versions of the cache, TEMP folder, Cookies and History:

Cache: %userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
Temp: %userprofile%\AppData\Local\Temp\Low
Cookies: %userprofile%\AppData\Roaming\Microsoft\Windows\Cookies\Low
History: %userprofile%\AppData\Local\Microsoft\Windows\History\Low

Re:linky, pleasey (1)

recoiledsnake (879048) | more than 6 years ago | (#22890572)

sudo (especially, M$'s patented snake-oil version of sudo) all by itself isn't enough.
sudo? sudo is a sandbox? since when? I should have guessed that people calling Microsoft M$

You have to have single-purpose browsers, and they can't be just parameterized instances of the general purpose browser (and, no, the current MSIE is not even such a parameterizable browser).
What are you blathering about? What's a single purpose browser? Like a browser that can only browse one site? Or one browser running in a virtual machine for each tab opened?

Re:And, in this case, the attacker deliberately ch (1)

mrsteveman1 (1010381) | more than 6 years ago | (#22890470)

Sudo runs things as the super user, hence the name......this is not what you want if you are going for higher security.

I think you are advocating mandatory access control, not separate user logins or separate browsers. Running a program under a separate user helps nothing if that 2nd user has the exact same access to the system as your own user. There is no difference. Even a less privileged user isn't a good security method. In Vista there is some protection for IE7 because the browser runs in the low integrity level (vista has "integrity levels", medium is the default).

I'm also not quite sure what you mean by a 2nd browser, you mean one specifically for visiting sites you don't trust? Care to explain how you have condensed every site on the internet into a list of sites you trust and sites you don't? Or perhaps how you intend to limit the contact this ultra secure browser has to any location on the internet but what you intended?

Re:And, in this case, the attacker deliberately ch (4, Informative)

Psychotria (953670) | more than 6 years ago | (#22890546)

Sudo runs things as the super user, hence the name......this is not what you want if you are going for higher security.

Actually "su" stands for "switch user". You can just as easily sudo to _any_ user.

Re:And, in this case, the attacker deliberately ch (5, Informative)

AdamTheBastard (532937) | more than 6 years ago | (#22890598)

Sudo runs things as the super user, hence the name
Wrong. sudo, an extension of the idea behind su, allows you to switch user and do something, hence the name. Yes, the default is to switch to the super user. It also allows you to switch to any another user (which it has been configured to allow you to access) using the '-u username' command line parameter and do things under their account.

What the parent was suggesting is to create an account with very limited access and to run the browser as that account using something like: `sudo -u sandboxaccount browserbin`.

Re:Identical articles (1)

bondsbw (888959) | more than 6 years ago | (#22890270)

Q: What makes this guy better than all the others out there who post IE, Firefox, and Safari exploits?
A: He was smart enough to wait until he could win money to let it loose.

Don't get me wrong, an exploit is an exploit, but come on... it should only count if the entire exploit was created and performed on-site. Who is to say that someone else would not have found a Vista exploit that way, in much less time than Charlie Miller did?

Re:Identical articles (1)

PolarBearFire (1176791) | more than 6 years ago | (#22890154)

I actually clicked on the link and it said last year was a QT exploit. So which is correct safari or QT exploit?

Re:Identical articles (0)

Anonymous Coward | more than 6 years ago | (#22890166)

So which is correct safari or QT exploit?

Does it matter? Apple is the common thread.

Re:Identical articles (2, Interesting)

Anonymous Coward | more than 6 years ago | (#22890260)

Something else the same that should be pointed out: Microsoft sponsored the contest both times. It is important to know where the money is coming from [slashdot.org] (and who is writing the rules [wired.com] ).

I think this section is relevant (0, Redundant)

rolfwind (528248) | more than 6 years ago | (#22890104)

Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages.


Pretty much says it all.

Re:I think this section is relevant (1)

PolarBearFire (1176791) | more than 6 years ago | (#22890132)

Part of the game I think. Make it easier as time goes on, but also less prize money. Not at all something that wasn't unplanned game rulewise.

Re:I think this section is relevant (5, Insightful)

chubs730 (1095151) | more than 6 years ago | (#22890134)

Pretty much says that a laptop widely meant for home users was only compromised when allowed access to some of the most widely used applications? I'm not sure what you're trying to say (or not, rather) but a hole in safari is a bit of an issue; unless of course you're just concerned with that server running on your Air ;).

Re:I think this section is relevant (2, Insightful)

chrome (3506) | more than 6 years ago | (#22890142)

Depends if it was a "view this page and you're 0wned" exploit or a "view this page, click accept through some requests, etc" exploit as to how dangerous it is.

But as a mac user .. will be using FF for a while until apple patch ;)

Re:I think this section is relevant (4, Insightful)

nmb3000 (741169) | more than 6 years ago | (#22890454)

Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages.

Pretty much says it all.

Wow, at +4 already for just quoting the summary and tossing in a vague and meaningless sentence.

So anyway, what exactly is it saying? The only thing I see there is that a completely passive attack (that is, absolutely no user interaction, like many well-known worms worked) failed. Once this part of the test was passed they allowed interactive attacks (where the user must assist the attacker in some way). Since this is how nearly all malware and malicious software spreads these days, I don't see anything wrong with this. Aside from just attaching hardware to the network, a web browser and email client are the two applications with the most Internet "surface area". As all major operating systems come bundled with a primary browser (IE, Safari, Firefox) a flaw in the browser essentially amounts to a flaw in the OS. It seems natural and obvious to put them to the test.

Ouch, that didn't take long. (3, Insightful)

Anonymous Coward | more than 6 years ago | (#22890108)

There goes their geek cred. Hey, at least they still sell a metric crap load of iPods!

Re:Ouch, that didn't take long. (2, Funny)

Almahtar (991773) | more than 6 years ago | (#22890340)

The crap load is a metric unit?

Re:Ouch, that didn't take long. (0)

Anonymous Coward | more than 6 years ago | (#22890482)

Didn't you learn anything in school? The Crap Load is the SI unit approximately equivalent to an Imperial Fuck-ton.

Re:Ouch, that didn't take long. (3, Funny)

Anonymous Coward | more than 6 years ago | (#22890536)

Sorry, you are confusing the Fuck-ton with the Ass-Load. The Imperial Ass-Load is the comparable unit. Fuck-ton is for measuring mass, not volume.

Re:Ouch, that didn't take long. (1)

mrsteveman1 (1010381) | more than 6 years ago | (#22890498)

You aren't familiar with MCraps? It's totally an SI unit now man.....

It Might Have Been Harder if... (-1)

Anonymous Coward | more than 6 years ago | (#22890126)

If only Leopard's firewall wasn't such a piece of sh!t.

I wouldn't be surprised.. (0, Redundant)

xSquaredAdmin (725927) | more than 6 years ago | (#22890138)

...if a lot of the folks were focusing solely on the new MacBook air, because it makes a much better headline: "<x> Hacks MacBook Air" vs "<x> Hacks HP Notebook". I'm sure that the other machines could have been exposed quickly as well if they were drawing as much attention as the Air.

Re:I wouldn't be surprised.. (1)

recoiledsnake (879048) | more than 6 years ago | (#22890198)

Uhh what? The Air has nothing to do with it. All fully patched machines running OS X with the latest Safari 3.1 are vulnerable to this exploit. And you mean a exploit targeting fully patched Vista SP1 or Ubuntu 7.10 won't make headlines? Think again.

Re:I wouldn't be surprised.. (1)

Immerial (1093103) | more than 6 years ago | (#22890332)

Uhh what? The Air has nothing to do with it. All fully patched machines running OS X with the latest Safari 3.1 are vulnerable to this exploit. And you mean a exploit targeting fully patched Vista SP1 or Ubuntu 7.10 won't make headlines? Think again.
No, he's right. Notice how people (and even yourself) are mentioning that it's an "Air" vs a Mac or Mac OS 10.5.2. To me that is proof in itself that the Air has a bigger cache and therefore a more attractive target.

Re:I wouldn't be surprised.. (0)

Anonymous Coward | more than 6 years ago | (#22890518)

Umm excuse me but WHAT??

Your logic and ability to follow a thread of thought within a given context must be incredibly weak for you to even consider something like that.

well, tFriendlyA does mention (1)

reiisi (1211052) | more than 6 years ago | (#22890334)

(as more than one person mentions above,) ... that the attack on the mac was the first attempted hack under the relaxed rules. I think it's clear that the hacker wanted the mac, especially since there are known open vulnerabilities that could have been used on MSIE, and some highly probable directions fairly well known on Firefox.

We know that the browser is vulnerable. Anyone who thinks general purpose browsers are invincible is living in a dream world.

Re:well, tFriendlyA does mention (5, Informative)

recoiledsnake (879048) | more than 6 years ago | (#22890440)

as more than one person mentions above,) ... that the attack on the mac was the first attempted hack under the relaxed rules. I think it's clear that the hacker wanted the mac, especially since there are known open vulnerabilities that could have been used on MSIE, and some highly probable directions fairly well known on Firefox.
You've lost me. Where does it say that the mac(apart from your 'persons above' handwaving) was the first attempted hack under the relaxed rules? Go read the site. It says that all three laptops were tried all day and the Mac was removed from the competition because it failed to survive the second day. The others did. Under the same rules.

especially since there are known open vulnerabilities that could have been used on MSIE, and some highly probable directions fairly well known on Firefox.
So there are known open vulnerabilities in IE7 and Firefox and no one wanted a free 10k in cash (20k in total) for just running them plus 2 expensive laptops? Are you kidding me?

We know that the browser is vulnerable. Anyone who thinks general purpose browsers are invincible is living in a dream world.
IE7 on Vista runs in a sandbox. This kind of attack on IE7 wouldn't have worked without another hole compromising the sandbox. Stop coloring all the browsers with the same color just because the one you use got pwned.

Re:I wouldn't be surprised.. (1)

EraserMouseMan (847479) | more than 6 years ago | (#22890314)

Um, wtf does Safari have to do with HP (or anything but Mac)? Nobody uses Safari except Mac users. Nobody.

Re:I wouldn't be surprised.. (1)

NiceGeek (126629) | more than 6 years ago | (#22890344)

and sometimes not even then (Firefox user here)

Re:I wouldn't be surprised.. (1)

jalsk (751403) | more than 6 years ago | (#22890564)

Agreed. I can't live without Firefox, no matter what OS I'm on.

Re:I wouldn't be surprised.. (1)

xSquaredAdmin (725927) | more than 6 years ago | (#22890348)

I was referring to the fact that other laptops were available to be hacked in the competition mentioned in TFA (which I know nobody reads). With some of the talk which is seen about Macs being more secure or not needing anti-virus software installed on them, having a Mac hacked before a Sony/Fujitsu machine running Windows (which is well-known as a rather vulnerable OS) would be bigger news than if the Windows machines were hacked first.

Re:I wouldn't be surprised.. (4, Insightful)

EraserMouseMan (847479) | more than 6 years ago | (#22890432)

The Mac was hacked 2 minutes into day 2. After day 2 was over no other OSs or browsers had been hacked. Period. Give it up. Safari sucks. The web is a jungle. Tame it by not using Safari on your Mac.

Re:I wouldn't be surprised.. (2, Insightful)

zizdodrian (987577) | more than 6 years ago | (#22890582)

There's no conceivable way that the exploit was discovered and attack code written in two minutes. Hell, I could barely write a slightly sophisticated 'hello world' app in that time (maybe I'm just a slow typist, or he's an android.)

From what I've seen, (correct me if I'm wrong) the rules stated that no previously disclosed vulnerabilities could be used. So, if this guy kept quiet for a few weeks, he could have used exploit code he had already developed.

Users == the problem (3, Insightful)

ashridah (72567) | more than 6 years ago | (#22890140)

Well. Big shock there. These days, most vulnerabilities require the user to be at the helm.

Good to see that social engineering is still all it requires to compromise something.

Re:Users == the problem (5, Insightful)

recoiledsnake (879048) | more than 6 years ago | (#22890284)

Good to see that social engineering is still all it requires to compromise something.
So why weren't the Windows and Linux machines be able to be hacked inspite of the social engineering and users being at the helm all day?

Re:Users == the problem (2, Insightful)

ashridah (72567) | more than 6 years ago | (#22890472)

Bigger hoops to jump through? Linux has fairly high levels of user/admin separation, and windows has been burned enough times that the sandbox that IE runs with is effective enough to slow people down, far more than it was back in the ie6 or ie5.5 days.

I doubt it'll take much longer for all three to get taken over. There'll be some office bug, or a local service vulnerability that hasn't been patched yet, and it'll be game over, sooner rather than later.

There's a lot to be said for being exposed, it does give you the benefit of a lot more hindsight.

Keep the laptop (4, Funny)

iliketrash (624051) | more than 6 years ago | (#22890150)

"The winner, Charlie Miller, gets to keep the laptop and $10,000."

You mean like when your airplane flight is cancelled and the airline offers you a free ticket. Or when the food at a restaurant is crappy and they give you a coupon to eat there again.

Re:Keep the laptop (4, Insightful)

MobileTatsu-NJG (946591) | more than 6 years ago | (#22890188)

You mean like when your airplane flight is cancelled and the airline offers you a free ticket. Or when the food at a restaurant is crappy and they give you a coupon to eat there again.
Well.. sorta. It's more like when a company loans you a laptop to hack, then they let ya keep it, then they give ya ten thousand dollars on top of that.

Re:Keep the laptop (0)

Anonymous Coward | more than 6 years ago | (#22890214)

More like, you can keep any car you want, but you have to break into it first. Maybe Charlie decided he wanted the MacBook Air?

Re:Keep the laptop (1)

calebt3 (1098475) | more than 6 years ago | (#22890382)

You can always install Ubuntu on it.

right (-1, Troll)

wizardforce (1005805) | more than 6 years ago | (#22890186)

anyone who either has physical access to the computer being attacked or can convince the user running the machine to install/download anything is capable of breaking pretty much any OS they want. The fact that they had to relax the rules so that the Mac could be broken into illustrates this nicely.

Re:right (5, Insightful)

recoiledsnake (879048) | more than 6 years ago | (#22890248)

And the karma-whoring RDF sets in.

anyone who either has physical access to the computer being attacked or can convince the user running the machine to install/download anything is capable of breaking pretty much any OS they want.
So no one wanted 20k of cash and expensive windows and linux laptops? Why weren't anyone able to hack the Windows and Linux laptops? They did not have physical access to the machine. Nothing was downloaded or installed manually. Only a website hosted by the attacker was just visited by the organizers on the browsers and mails were opened(attachemnts were not) and read.

The fact that they had to relax the rules so that the Mac could be broken into illustrates this nicely.
The fact that inspite of the relaxed rules, the Windows and Linux laptops were not broken into, illustrates totally something else. I will let you guess it. They are going to further relax the rules tomorrow to include third party applications to make it even easier to hack. Unfortunately, the Mac won't be there because it didn't make it to the third day.

Re:right (0, Offtopic)

freedom_india (780002) | more than 6 years ago | (#22890256)

While having physical access to a machine makes it 80% vulnerable, the rest 20% seems to be OS driven.
Am surprised that Mac OS X didn't prompt the user for root password at all.
If it had and the user had typed it in to invoke the crack, then it is no crack at all.
But in this case Mac seems to be running like XP, which is terrifying.

XP grew up in a bad neighborhood with lots of people hacking into your home and kicking you. So you grew up to disproportionate sizes to counter the bullies and also put in rudimentary plyboards to prevent them from coming in.
Also you started building a fort around yourself (Vista) so that others can be seen swimming towards your fort and sunk.
All in all, XP's rapid "growing up" and the fact that it has become robust over years shows the brutal world out there in wild.

Mac has been living the sheltered life like the Lion in the Zoo in Madagascar.
Safari was its first brutal exposure to the bad world and its quick exploit by XP hackers proved to be as much of a shock to Apple as it did to Mac Fanboys(who could not dispute or ridicule like the republicans do their opponents).
Now, the hurd has taken the battle to Apple's camp and cracked its Mac OS X through Safari.

One perverse way Microsoft must be celebrating that their default install of XP or Vista did not crack so easily.

Probably Apple needs some Microsoft lessons. But then apple has always sued hackers or jailed them, unlike Microsoft which has an uneasy peace with them.

Bottomline: Microsoft has been slowly improving default security and is kinda crackproof.
Mac still believes all users are angels and its hallelujah crowd will defend its glory.
Apple is in for a rude surprise when it enters the wild world of Windows.

Welcome to Earth!

Re:right (1)

wizardforce (1005805) | more than 6 years ago | (#22890316)

While having physical access to a machine makes it 80% vulnerable, the rest 20% seems to be OS driven.
considering who is doing the attacking I'd bet that physical access would make these comps 100% breakable. all that needs to be done is reset the bios and pop in a live cd and it's game over.

Am surprised that Mac OS X didn't prompt the user for root password at all.
I know... it shocked me that installing software often didn't require any sort of authentication what so ever...

Bottomline: Microsoft has been slowly improving default security and is kinda crackproof.
lol... I think you know what's wrong with that.
you could look at it this way: cracking anything Windows is pretty much nothing special, it's being done on a massive scale botnets and zombies considered- what is perhaps a ncier target is a 2,000 dolalr macbook that claims to have a lot higher security than windows. motivation being the biggest security danger of them all.

Re:right (2, Insightful)

recoiledsnake (879048) | more than 6 years ago | (#22890500)

considering who is doing the attacking I'd bet that physical access would make these comps 100% breakable. all that needs to be done is reset the bios and pop in a live cd and it's game over.
So why was a unpatched security vulnerability in Safari needed if it were so simple? There was no physical access provided. Give some credit to the organizers, they're not dumbasses to give $10k in cash and a expensive laptop to the first contestant that jogs into the competition.

I know... it shocked me that installing software often didn't require any sort of authentication what so ever...
Because the code ran under Safari's privileges, i.e not root but user.

you could look at it this way: cracking anything Windows is pretty much nothing special, it's being done on a massive scale botnets and zombies considered- what is perhaps a ncier target is a 2,000 dolalr macbook that claims to have a lot higher security than windows. motivation being the biggest security danger of them all.
The Sony VAIO TZ37CN Ubuntu laptop costs $2300+ You mean no one wanted that and 10k in cash when "all that needs to be done is reset the bios and pop in a live cd and it's game over."?

Re:right (2)

wizardforce (1005805) | more than 6 years ago | (#22890610)

So why was a unpatched security vulnerability in Safari needed if it were so simple?
which is because

There was no physical access provided.

"all that needs to be done is reset the bios and pop in a live cd and it's game over."?
try doing that when you don't have physical access to the machine in question. It seems that Safari is Mac's equivalent of Internet explorer in that it can be a major security problem. it's something Apple really needs to get under control lest they actually become as fubared as Windows often is. It's inevitable as it stands as Mac gets more popular and its users less knowledgeable about how to secure their systems.

Re:right (0)

Anonymous Coward | more than 6 years ago | (#22890262)

"anyone who either has physical access to the computer being attacked or can convince the user running the machine to install/download anything is capable of breaking pretty much any OS they want. The fact that they had to relax the rules so that the Mac could be broken into illustrates this nicely."

You mean relaxing the rules to represent how the MacBook would be used in real life? jeez...those silly people who think that allowing the hacking contest to better represent reality and show just how insecure the MacBook really is. Yes...it illustrates nicely just how user unfriendly the MacBook really is since 99% of all users aren't experts in security and shouldn't be expected to be experts.

I mean let's be honest here. The MacBook advertises as being "fun" and "cute". Just what kind of users do you think they will attract?

Re:right (0)

Anonymous Coward | more than 6 years ago | (#22890276)

Idiot. The rules were relaxed to include browsing websites. If an OS can be taken over by that it's a piece of shit.

Re:right (2, Informative)

wizardforce (1005805) | more than 6 years ago | (#22890342)

the security flaw was in Safari- probably a buffer overflow allowing arbitrary code to be executed. had safari been on any other OS with that flaw the other OSes would be fscked as well no questions asked. something like SElinux or Apparmor on the *nixes can help defend against things like that to a point but it won't stop them all. bottom line: the OS is a big chunk of the problem but software flaws and help from PEBKAC makes things a whole lot worse.

Re:right (0)

Anonymous Coward | more than 6 years ago | (#22890608)

"the security flaw was in Safari- probably a buffer overflow allowing arbitrary code to be executed. had safari been on any other OS with that flaw the other OSes would be fscked as well no questions asked. something like SElinux or Apparmor on the *nixes can help defend against things like that to a point but it won't stop them all. bottom line: the OS is a big chunk of the problem but software flaws and help from PEBKAC makes things a whole lot worse."

Doesn't Vista use Address Space Layout Randomization to help protect against buffer overflow attacks?

Inquiring minds... (0)

Anonymous Coward | more than 6 years ago | (#22890212)

wanna know. Does "first to be compromised" mean the only one to be compromised? Is the contest completely over once one machine is cracked? If not, were Windows and Ubuntu cracked minutes or hours after OS X? Does using Firefox on OS X make it uncrackable? Was each OS required to use it's own browser: IE, Safari, and Epiphany? Since Firefox works on all 3 systems, wouldn't that be a better gauge of OS security? Where did I come from? Why is the sky blue?

Re:Inquiring minds... (1)

R4nneko (1194727) | more than 6 years ago | (#22890274)

Looking at the details of the competition, found by following a link in the article, it appears that the competition does not finish after one machine is cracked, but if this were a vulnerability that could be used to also compromise another machine (through say the way they run safari in windows) it is not a valid vulnerability to use to attack the other machine. Also, the guy who won the MacBook Air and the cash can't try for the other laptops as well.

Hack a Mac, Get More Publicity (0, Troll)

vertigoCiel (1070374) | more than 6 years ago | (#22890232)

I don't think that the OS X laptop was necessarily cracked because there are more (or easier to exploit) vulnerabilities for OS X than for Vista or Ubuntu. It's more impressive to crack an OS X machine than a Vista machine, because OS X has a reputation for being virus and malware free, so the security researcher receives more acclaim.

Re:Hack a Mac, Get More Publicity (1, Insightful)

Anonymous Coward | more than 6 years ago | (#22890268)

or safari is just a buggy piece of shit

Re:Hack a Mac, Get More Publicity (1)

EraserMouseMan (847479) | more than 6 years ago | (#22890362)

You're going to have to ditch that line of reasoning in porportion to the market share that Macs get. Windows machines are now heavily battle tested. Macs not battle tested and it is now becoming apparent.

And in other news..... (1, Troll)

edwardpickman (965122) | more than 6 years ago | (#22890264)

All Apple products cause herpes.

Sorry it's worth the troll mod. Come on guys the Mac/Apple bashing articles are really getting silly. You might as well add it to the Slashdot logo, "We Love Microsoft and Hate All Things Apple." Honestly look at the numbers of articles pro and against each product line. Then check the postings. Say something pro Mac and you'll get shot down. Say something pointing out issues with PCs and you'll get Trolled. Yes go ahead and troll me but you're just killing the messenger and looking petty doing it.

Re:And in other news..... (5, Informative)

chubs730 (1095151) | more than 6 years ago | (#22890282)

"We Love Microsoft and Hate All Things Apple."
O_O Are we on the same slashdot?

Re:And in other news..... (1)

RockWolf (806901) | more than 6 years ago | (#22890464)

Nah, he's browsing at +6 flamebait.

Re:And in other news..... (5, Funny)

linumax (910946) | more than 6 years ago | (#22890508)

"We Love Microsoft and Hate All Things Apple."
O_O Are we on the same slashdot?
We all are on the same website; some posters though, are inside the Reality Distortion Field.

Re:And in other news..... (1)

TobyWong (168498) | more than 6 years ago | (#22890328)

I must have missed all those pro microsoft articles here...

Re:And in other news..... (3, Insightful)

recoiledsnake (879048) | more than 6 years ago | (#22890524)

All Apple products cause herpes.
Maybe the articles are just pointing out that the Apple products you worship are not without their faults?

Come on guys the Mac/Apple bashing articles are really getting silly.
Yea lets bury this news article then just because it's anti-Apple? You're the one blaming the messenger(Slashdot) for posting news. Maybe you should blame reality for all the 'Mac bashing'.

Thats not news... (0)

Anonymous Coward | more than 6 years ago | (#22890280)

...its just that we'r well into the apple hate week by now.

Maybe it's major, or maybe no big deal (4, Insightful)

jht (5006) | more than 6 years ago | (#22890296)

To me, a web hack to worry about (on any platform/browser) is one that can just be triggered by viewing a compromised page (like happens to most unpatched Windows machines that get nailed by drive-bys). I'm not nearly as worried about ones that require user intervention - clicking on a link, button, or something of the sort.

So if the Mac was tagged by just loading a page that delivered the hack, that's bad. Quite bad. If he had to click and download something (and perhaps defeat the auto-quarantine they use), that's not so much a big deal, though still a hole that needs patching.

One of the things about vulnerabilities on all platforms is that a significant part of the magnitude depends on how difficult it is to exploit. Remote connections to a system that avoid/defeat a firewall are really dangerous. Attacks that require the user to do something stupid are inevitable, but far less dangerous.

Thus far most of the Mac vulnerabilities have been the second type. Luckily.

a visit (1)

reiisi (1211052) | more than 6 years ago | (#22890560)

as it says in the article.

2nd day was default Apple apps.

Encouraging that the Ubuntu box survived the second day (Sony VAIO VGN-TZ37CN), surprising that the Vista box did, as well. (Fujitsu U810, 800 MHz iNTEL A110, but it does have 1G RAM. 40G HD isn't all that interesting.)

I really think sony doesn't want to sell laptops to people who know anything about them. Finding information on that VAIO on sonystyle.com is like pulling teeth.

Contest rules... (0, Insightful)

Anonymous Coward | more than 6 years ago | (#22890336)

Its important to remember that the contest rules stated that only hitherto unknown expolits could be used to hack into the computers...Thats like letting microsoft start at the 50m line in a 100m dash. That rule makes no sense. Well, it does make the contest fair, but the results say nothing about which is truly the most secure system.

Re:Contest rules... (5, Informative)

Nightspirit (846159) | more than 6 years ago | (#22890510)

According to secunia Vista has 2 minor vulnerabilities unpatched, Ubuntu 0, and OS X 6 vulnerabilities.

Safari holed, so Apple pushes it to Windows ;) (3, Funny)

Marbleless (640965) | more than 6 years ago | (#22890376)

So it is just coincidence that Apple are now pushing an unsafe Safari to Windows users (http://apple.slashdot.org/article.pl?sid=08/03/27/129236)?

Or am I being a conspiracy nut? ;)

maybe its not important at all... (1)

hasha (1263612) | more than 6 years ago | (#22890448)

...but the conference name is CanSecWest. Seeing as this is the 8th year of the event, perhaps a spelling correction could be suggested. http://cansecwest.com/ [cansecwest.com]

It needed... (0, Offtopic)

TheNucleon (865817) | more than 6 years ago | (#22890462)

...an Air gap.

misleading (-1, Flamebait)

Mindstate (1117201) | more than 6 years ago | (#22890562)

you know, these articles are extremely misleading. this, and others all over the web which are just like it, gives the immediate impression that all systems were being hacked at the same time and the Mac was the first to fall. most people don't bother reading the article so they won't see the fine print, which is that the Mac was the first to fall because it was the first to be tested!! in a similar outcome, my shower this morning apparently took less time than brushing my teeth, simply because i showered first. LAME.

don't hurt me for this one... (0, Offtopic)

Pvt. Cthulhu (990218) | more than 6 years ago | (#22890600)

Man, the macbook air is suuuch a lightweight!
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>