Vista, Leopard, Linux to compete in hack contest

Apple's OS X, Microsoft Windows, and Linux operating systems are to be pitted against each other in an ethical hacking contest in Vancouver next month.

Run by the organizers of the CanSecWest Vancouver 2008 security conference, the competition is a repeat of the "PWN to Own" contest at CanSecWest in 2007, when security researchers competed to win a MacBook Pro and $10,000. The prize was shared between security researchers Dino Dai Zovi and Shane Macauley for their successful use of a zero-day QuickTime vulnerability, which they used to compromise the MacBook. The vulnerability was subsequently found to also affect Windows platforms.

The hacking competition at CanSecWest 2008 will pit the Linux, Leopard OS X, and Vista operating systems against each other, according to CanSecWest organizer Dragos Ruiu.

"The fur is flying right now about which is more secure--Linux, Vista, or Leopard," Ruiu said on Thursday. "Linux guys have their propaganda, Windows guys are saying this and that, Apple guys have buried their heads in the sand as usual. I guess the proof is in the pudding."

The prizes for the contest will be "several laptops," according to Ruiu. When he spoke to ZDNet UK, on Thursday, the security researcher was in Tokyo partly to organize a CanSecWest event and partly to go "shopping for laptops." Ruiu had not yet decided which laptops to buy, but said he was looking for something "new and thrilling."

"We want the prizes to inspire lust amongst geeks," said Ruiu. "It's going to be something lustworthy."

Last year the $10,000 prize money was supplied by security firm TippingPoint. This year's contest still needs a sponsor, and it is possible that the nature of the contest could still change, said Ruiu, although he declined to say what other form it might take.

Tom Espiner of ZDNet UK reported from London.

[ejevo]

Yee-haw! Can't wait for this!

Oh, this is going to be good. Let the fanbois shut up, and the results will speak.

[rapier1]

Be realistic

No matter what the results are the fanbois will skew it to make it
seem like their system is the best the EVAR!!!!111!!

If the Mac gets hacked (again) they'll say its unrealistic and no
one in their right mind would have their system in the
configuration that was used. If the linux system gets hacked
someone will say they the system was mis-configured because
the admin wasn't 1337 enough. If the windows system gets
hacked well... they'll just say it could have been worse ;)

[nlakin]

Boy can this be skewed...

The initial security settings set on each of these machines can vary
greatly. What one expert calls "typical" security setup for each one
of these OS's can greatly skew the results.

They at least should have a rep from each OS to rebut/agree on a
typical setting. This is like a prosecuter presenting a case to a jury
without the defense having a chance to refute the evidence.

[Draxon]

Defaults

Or they could just use the defaults since 95% of all users dont bother tweaking with the default reccomended secuirity setting.

[d.rugless]

What about distro?

I agree with what you say nlakin; there needs to be someone on behalf of each OS to oversee that machines are setup in a standard configuration.

Also, what I find important, is which flavour of linux is to be used? Many distributions contain their own security implementations, and many their own flaws. There needs to be some standardization otherwise the contest doesn't come as professional as it could.

[supoman]

Vista will have so many holes...

It'll be like trying to plug the holes in a sponge to keep water inside.

[Penguinisto]

On one condition:

That all three are set up with just their defaults.

The last time something like this was done, was a contest in 1999 by Mindcraft... bought and paid for by Microsoft. You can only guess how stacked the odds were. Or, you can read the MSFT flack's admission of same for yourself - here: http://www.itweb.co.za/sections/enterprise/1999/9904221410.asp

(Mindcraft's website is still up, but it's been pretty much defunct since 2003).

--

This time, let's set it up with the ultimate - the defaults, patched to present with whatever patching/update program exists on each OS (All three have one). Fedora Core 8, OSX Leopard/10.5, and Vista w/ SP1.

Then simply turn 'em loose with public IP addys and see what comes of it.

/P

[protagonistic]

RE: On one condition:

"Fedora Core 8, OSX Leopard/10.5, and Vista w/ SP1. "

I think they should use Ubuntu, though, because that is
probably the one most widely used Linux distribution by people
departing Windows. And, yes, unbox it, set it up, and then if it
asks about installing the updates, do so. If not then run it that
way.

Let's face it, if you have an expert set up the security first even
Windows can be pretty secure. No fair installing any 3rd party
security programs.

[Vegaman_Dan]

They'd all go down

DOS attack on the public IP's would immediately invalidate any results.

Unless you mean to just let the machines go raw on the internet and don't publish the IP's. That would be a more realistic scenario.

No matter what the results are, people will be able to claim anything they wish. Don't like the results- skew them. Like them? Others will claim they were skewed.

It's not really something you can compare directly without favortism showing up somewhere in the equation.

[ittesi259]

Speed vs Severity

I would like to see this rated as speed and severity taken into consideration. Its one thing to say "I hacked you in 5 minutes" but no good if your hack doesn't do anything. But if you can say "I hacked you in 30 minutes and now I own your system" thats a different story.

I expect all 3 will be hacked. I'd be more interested in whether or not the exploits involve a lot of user interaction like the Mac one did needing to go to a specifically crafted website. User education should in theory prevent such attacks from working, however such is not the case.

As a user of Windows and Mac OS X I say only the following to fanboys of either. Both are gonna get hacked, and thats just the way it is. The only secure piece of software is one that has undiscovered bugs. For those thinking I'm a Linux fanboy for not including it, its because I don't use it myself.

[Lee in San Diego]

Do both

Hack out of the box operating systems, the Joe Syxpack
configuration.

Then hack hardened operating systems.

[Ushiikun]

RE: Do both

I agree. I'd love to see how the default settings with only automatically downloaded patches compared against the hardened configuration.

I personally think that computers right out of the box should have links to where the NIST standards are, so that those without a lot of know how can easily find a good check for the system's security.

[Commander_Spock]

OS/2 Is The "Must Have" Operating System...

... (not "Vista, Leopard, Linux) which will compete in hack an contest) like those Golden Oldies by Elvis Presley. Was OS/2 involved it would have whooped "Vista, Leopard, Linux" hands-down. ;-) !

[Maclover1]

To compete

you need to have more than 1% of 1% of the desktop OS market.

OS/2 was way off.

[frank bruce]

Living in a Warped World

I agree that Warp was the OS to use. I remember my friends having all sort of problems running Windows 95 in their 486s while my Warp performed flawless in a 386.
I'm even tempted to pay for a copy of eComStation and virtualize it in y Mac (OSX 10.5.1) to be able to run all the programs I had for Warp Connect.

But its days as a mainstream OS are over, it is more a workstation for certain programs, applications, and duties. I will not doubt to run it as my main file / printer SMP server. But it is more because I grew with it than what it offers right now.

[Penguinisto]

No, BeOS is!

...and maybe we can get up an Amiga rig while we're at it :p

/P

[ralfthedog]

If they have Lotus installed it will take about three seconds.

The ERR() and the IRR() vulnerabilities will leave the system wide open. When will they remove these unsafe functions like the rest of the computer industry.


:)

[frankwick]

Vista SP1?

Will this contest occur before or after SP1 is installed?

[ethana2]

Real time patches and git clones

I look forward to every last security vulnerability getting crushed out of linux, while microsoft and apple hobble along with their closed systems that respond in days instead of minutes to new developments.

This will be entertaining.

[Commander_Spock]

Directions On OS/2!

There were/are reasons why banks and their customers relied on OS/2 - Customers trusted the banks to keep their money whilst the ATMs dispensed the "cash" safely and securely. Therefore relying on historical data here is what the roll-out scenario in the banking industry (the folks that you trust with all your cash - even your mortgage) should look like following a known: (IBM, Bankers at Odds Over OS/2 Migration Path
Vendor advises OS/2 users to switch to Linux, but ATM makers are leading push to Windows):

http://www.computerworld.com/softwaretopics/os/story/0,10801,83884,00.html

Hey "ethana2"! The "Real-Time" solutions (Desktop) are needed to address the nation's Sub-Prime Mortgage Crises.

If It Ain't Broke (Is Not OS/2 Then It Is Going To Be Code-Base OS/2 (Windows) Don't Fix It. M :-$ !

[rdgadz]

vista lose? your proof

isnt ie7 still the only browser that doesn't allow writing to system files by default?

[wbenton]

Don't under estimate Microsoft

Remember this:

>>>The prizes for the contest will be "several laptops,"<<<

If Microsoft offers each of the top hackers $20,000 each to NOT hack Vista... Vista might just stand a chance. It would be worth more than just a mere $20,000 per hacker to Microsoft to come out on top.

And hackers only have a few PC's to win... thus with an amount of $20,000... in cash from Microsoft... the awfulest hackers might just bow out and cash in on a Microsoft hand-out! (* SMIRK *)

Don't think it's possible? Just look at Microsoft's reputation and pocket book as well as the human greed factor! (* GRIN *)

DO NOT underestimate Microsoft!

Walt

[Commander_Spock]

Do You Know What You Are Saying!

Why don't any hacker with any real "geeky" ability waste their time behind a mere paltry "$20,000" (which country's currency is denominated here anyway; because, if it is one of those developing country's then it ain't worth crap) instead of showing the world how banks can stem the tide in the U.S. Housing Markets in "Big/Deep Blue" like (Bobby Fisher...) ways; and, let's say a prize of One-Two Million U.S. Dollars is offered by the banks; (perhaps, some oil-rich Middle Eastern "dude" might even offer an "executive jet" as an additional prize to gain "bragging rights" for the petroleum industry). Now, that should be something "really meaningful" and "geeky" while the whole world watches on. ;-) !

[Commander_Spock]

Without OS/2 this contest is M-U-T-E!

Since, according to some reports - Russians were said to be the best hackers - yet, the Russian Federation, the International Space Station and a host of other industries around the world continue to rely on OS/2. ;-) !

See: "Usage of eComStation and OS/2 Warp operating systems"

http://en.ecomstation.ru/solutions/

Read the subject line!

[The_Decider]

LOL

At least your quest to stay irrelevant and insane never dies, unlike OS/2.

[i,Jimbot]

The contest does not speak???

Mute "means refraining from or unable to speak." It also means
unpronounced. I don't see this contest as being either of those.
Perhaps you meant moot, which means "subject to debate or
dispute".

You probably should not use words whose meaning you don't
understand, or words which you cannot spell.

[PzkwVIb]

The word is moot

not mute.

[ralfthedog]

Contest in three stages.

Stage I:

Fully patched systems with industry standard security software installed.

Stage II:

Fully patched systems, no security software installed.

Stage III:

Computer out of the box with a post it note saying, "Kick Me" on the monitor.

Give the hackers x amount of time for stage I. If no one wins, go to stage II. If no one wins, stage III.

[Thomas, David]

I agree, except in reverse

Given that most computers are not in the hands of the adept
(concerning their computer):

Stage I should be out of the box
Stage II should be fully patched, no security
Stage III should be fully patched with standard security software

[ferretboy88]

I hope the Macs get shelled

I hope they really do this right and Linux is proven once and for all to be the most secure. The apple guys with their noses in the air should go home with their tails between their legs. On a side note. If Apple is the most secure I will go out and buy a new macbook again.

[Penguinisto]

Err...

...you do realize that OSX is pure BSD under-the-hood, right? FreeBSD (and it's cousins Net and Open) in turn ranks among the most secure default rigs alive.

Unless they manage to find and exploit a hole in Aqua, or in whatever add-ons Apple bolted onto the basic BSD rig (there's a few), well... good luck with that one.

/P

[frank bruce]

Steve will always be there with its arms open

Waiting for your Credit Card to shell the price of a MacBook, MacBook Pro, or Air; and yes that is a safe bet.

[mariusthull]

This should be interesting...

But I would not want to be the one to set the conditions for the test. It's almost like trying to compare apples, oranges, and grapes because of the average group of people that uses each computer.

That being said I would think the most fair test would be this;
Fresh installs of OSX, Vista, and linux. Install the latest updates of each and go from there. Hacks like the quicktime hack should be out of bounds. The reason being quicktime isn't part of the OS. That is also why anti virus and firewall software should not be included. Neither is a part of the OS.
If firewalls and anti-virus programs are added to OSX and Vista would it be fair to use a linux distro in SElinux mode? I'm just curious about this since I'm not overly familiar with SELinux.

[pmchefalo]

Linux Fanboys == Commander Spock

In 2017.

[Penguinisto]

You misspelled "Microsoft" up there ;)

...because they seem to be the only OS manufacturer that's not
growing so much.

/P

[Commander_Spock]

In "In 2017" you say "pmchefalo"!

Is that when OS/2's JFS (after being borrowed from IBM) are returned from the Linux Community - lock, stock and barrel? LOL!

[i,Jimbot]

Already showing his bias

Dragos is not much of a scientist. He's showing his bias already in
his comments:

"Linux guys have their propaganda, Windows guys are saying this
and that, Apple guys have buried their heads in the sand as usual."

How can one not be suspect?

[ferretboy88]

In the end it will not matter at all who wins

The average person who buys a new computer will never hear about who wins and they will not care. I tell people about Linux all the time and they just look at me and don't even understand what the heck I am saying. I know about 10 people who have just bought a new computer in the last 2 months and they all bought windows machines. The average person still doesn't even know what a mac is. They don't even have Apples in stores where I live anymore(Since compusa closed here). Most people don't even know what Vista is. I asked a person who picked up a new computer last week if it had xp or Vista and they didn't even know. I use all three and like them all. I don't see microsoft going out of business any time soon. The average person could careless about computers. They usually will buy a windows machine since they are cheaper and already know how to use them. End of story.