Apple's OS X, Microsoft Windows, and Linux operating systems are to be pitted against each other in an ethical hacking contest in Vancouver next month.
Run by the organizers of the CanSecWest Vancouver 2008 security conference, the competition is a repeat of the "PWN to Own" contest at CanSecWest in 2007, when security researchers competed to win a MacBook Pro and $10,000. The prize was shared between security researchers Dino Dai Zovi and Shane Macauley for their successful use of a zero-day QuickTime vulnerability, which they used to compromise the MacBook. The vulnerability was subsequently found to also affect Windows platforms.
The hacking competition at CanSecWest 2008 will pit the Linux, Leopard OS X, and Vista operating systems against each other, according to CanSecWest organizer Dragos Ruiu.
"The fur is flying right now about which is more secure--Linux, Vista, or Leopard," Ruiu said on Thursday. "Linux guys have their propaganda, Windows guys are saying this and that, Apple guys have buried their heads in the sand as usual. I guess the proof is in the pudding."
The prizes for the contest will be "several laptops," according to Ruiu. When he spoke to ZDNet UK, on Thursday, the security researcher was in Tokyo partly to organize a CanSecWest event and partly to go "shopping for laptops." Ruiu had not yet decided which laptops to buy, but said he was looking for something "new and thrilling."
"We want the prizes to inspire lust amongst geeks," said Ruiu. "It's going to be something lustworthy."
Last year the $10,000 prize money was supplied by security firm TippingPoint. This year's contest still needs a sponsor, and it is possible that the nature of the contest could still change, said Ruiu, although he declined to say what other form it might take.
No matter what the results are the fanbois will skew it to make it seem like their system is the best the EVAR!!!!111!!
If the Mac gets hacked (again) they'll say its unrealistic and no one in their right mind would have their system in the configuration that was used. If the linux system gets hacked someone will say they the system was mis-configured because the admin wasn't 1337 enough. If the windows system gets hacked well... they'll just say it could have been worse ;)
The initial security settings set on each of these machines can vary greatly. What one expert calls "typical" security setup for each one of these OS's can greatly skew the results.
They at least should have a rep from each OS to rebut/agree on a typical setting. This is like a prosecuter presenting a case to a jury without the defense having a chance to refute the evidence.
I agree with what you say nlakin; there needs to be someone on behalf of each OS to oversee that machines are setup in a standard configuration.
Also, what I find important, is which flavour of linux is to be used? Many distributions contain their own security implementations, and many their own flaws. There needs to be some standardization otherwise the contest doesn't come as professional as it could.
That all three are set up with just their defaults.
The last time something like this was done, was a contest in 1999 by Mindcraft... bought and paid for by Microsoft. You can only guess how stacked the odds were. Or, you can read the MSFT flack's admission of same for yourself - here: <a class="jive-link-external" href="http://www.itweb.co.za/sections/enterprise/1999/9904221410.asp" target="_newWindow">http://www.itweb.co.za/sections/enterprise/1999/9904221410.asp</a>
(Mindcraft's website is still up, but it's been pretty much defunct since 2003).
--
This time, let's set it up with the ultimate - the defaults, patched to present with whatever patching/update program exists on each OS (All three have one). Fedora Core 8, OSX Leopard/10.5, and Vista w/ SP1.
Then simply turn 'em loose with public IP addys and see what comes of it.
"Fedora Core 8, OSX Leopard/10.5, and Vista w/ SP1. "
I think they should use Ubuntu, though, because that is probably the one most widely used Linux distribution by people departing Windows. And, yes, unbox it, set it up, and then if it asks about installing the updates, do so. If not then run it that way.
Let's face it, if you have an expert set up the security first even Windows can be pretty secure. No fair installing any 3rd party security programs.
DOS attack on the public IP's would immediately invalidate any results.
Unless you mean to just let the machines go raw on the internet and don't publish the IP's. That would be a more realistic scenario.
No matter what the results are, people will be able to claim anything they wish. Don't like the results- skew them. Like them? Others will claim they were skewed.
It's not really something you can compare directly without favortism showing up somewhere in the equation.
I would like to see this rated as speed and severity taken into consideration. Its one thing to say "I hacked you in 5 minutes" but no good if your hack doesn't do anything. But if you can say "I hacked you in 30 minutes and now I own your system" thats a different story.
I expect all 3 will be hacked. I'd be more interested in whether or not the exploits involve a lot of user interaction like the Mac one did needing to go to a specifically crafted website. User education should in theory prevent such attacks from working, however such is not the case.
As a user of Windows and Mac OS X I say only the following to fanboys of either. Both are gonna get hacked, and thats just the way it is. The only secure piece of software is one that has undiscovered bugs. For those thinking I'm a Linux fanboy for not including it, its because I don't use it myself.
I agree. I'd love to see how the default settings with only automatically downloaded patches compared against the hardened configuration.
I personally think that computers right out of the box should have links to where the NIST standards are, so that those without a lot of know how can easily find a good check for the system's security.
... (not "Vista, Leopard, Linux) which will compete in hack an contest) like those Golden Oldies by Elvis Presley. Was OS/2 involved it would have whooped "Vista, Leopard, Linux" hands-down. ;-) !
I agree that Warp was the OS to use. I remember my friends having all sort of problems running Windows 95 in their 486s while my Warp performed flawless in a 386. I'm even tempted to pay for a copy of eComStation and virtualize it in y Mac (OSX 10.5.1) to be able to run all the programs I had for Warp Connect.
But its days as a mainstream OS are over, it is more a workstation for certain programs, applications, and duties. I will not doubt to run it as my main file / printer SMP server. But it is more because I grew with it than what it offers right now.
If they have Lotus installed it will take about three seconds.
The ERR() and the IRR() vulnerabilities will leave the system wide open. When will they remove these unsafe functions like the rest of the computer industry.
I look forward to every last security vulnerability getting crushed out of linux, while microsoft and apple hobble along with their closed systems that respond in days instead of minutes to new developments.
There were/are reasons why banks and their customers relied on OS/2 - Customers trusted the banks to keep their money whilst the ATMs dispensed the "cash" safely and securely. Therefore relying on historical data here is what the roll-out scenario in the banking industry (the folks that you trust with all your cash - even your mortgage) should look like following a known: (IBM, Bankers at Odds Over OS/2 Migration Path Vendor advises OS/2 users to switch to Linux, but ATM makers are leading push to Windows):
>>>The prizes for the contest will be "several laptops,"<<<
If Microsoft offers each of the top hackers $20,000 each to NOT hack Vista... Vista might just stand a chance. It would be worth more than just a mere $20,000 per hacker to Microsoft to come out on top.
And hackers only have a few PC's to win... thus with an amount of $20,000... in cash from Microsoft... the awfulest hackers might just bow out and cash in on a Microsoft hand-out! (* SMIRK *)
Don't think it's possible? Just look at Microsoft's reputation and pocket book as well as the human greed factor! (* GRIN *)
Why don't any hacker with any real "geeky" ability waste their time behind a mere paltry "$20,000" (which country's currency is denominated here anyway; because, if it is one of those developing country's then it ain't worth crap) instead of showing the world how banks can stem the tide in the U.S. Housing Markets in "Big/Deep Blue" like (Bobby Fisher...) ways; and, let's say a prize of One-Two Million U.S. Dollars is offered by the banks; (perhaps, some oil-rich Middle Eastern "dude" might even offer an "executive jet" as an additional prize to gain "bragging rights" for the petroleum industry). Now, that should be something "really meaningful" and "geeky" while the whole world watches on. ;-) !
Since, according to some reports - Russians were said to be the best hackers - yet, the Russian Federation, the International Space Station and a host of other industries around the world continue to rely on OS/2. ;-) !
See: "Usage of eComStation and OS/2 Warp operating systems"
Mute "means refraining from or unable to speak." It also means unpronounced. I don't see this contest as being either of those. Perhaps you meant moot, which means "subject to debate or dispute".
You probably should not use words whose meaning you don't understand, or words which you cannot spell.
I hope they really do this right and Linux is proven once and for all to be the most secure. The apple guys with their noses in the air should go home with their tails between their legs. On a side note. If Apple is the most secure I will go out and buy a new macbook again.
...you do realize that OSX is pure BSD under-the-hood, right? FreeBSD (and it's cousins Net and Open) in turn ranks among the most secure default rigs alive.
Unless they manage to find and exploit a hole in Aqua, or in whatever add-ons Apple bolted onto the basic BSD rig (there's a few), well... good luck with that one.
But I would not want to be the one to set the conditions for the test. It's almost like trying to compare apples, oranges, and grapes because of the average group of people that uses each computer.
That being said I would think the most fair test would be this; Fresh installs of OSX, Vista, and linux. Install the latest updates of each and go from there. Hacks like the quicktime hack should be out of bounds. The reason being quicktime isn't part of the OS. That is also why anti virus and firewall software should not be included. Neither is a part of the OS. If firewalls and anti-virus programs are added to OSX and Vista would it be fair to use a linux distro in SElinux mode? I'm just curious about this since I'm not overly familiar with SELinux.
The average person who buys a new computer will never hear about who wins and they will not care. I tell people about Linux all the time and they just look at me and don't even understand what the heck I am saying. I know about 10 people who have just bought a new computer in the last 2 months and they all bought windows machines. The average person still doesn't even know what a mac is. They don't even have Apples in stores where I live anymore(Since compusa closed here). Most people don't even know what Vista is. I asked a person who picked up a new computer last week if it had xp or Vista and they didn't even know. I use all three and like them all. I don't see microsoft going out of business any time soon. The average person could careless about computers. They usually will buy a windows machine since they are cheaper and already know how to use them. End of story.
Apple, Google, Microsoft, Amazon--all are targets for Mozilla's plan to use Web apps to free people from ecosystem lock-in. Also: new Firefox features aplenty.
The rise of Apple's stores is one of the past decade's great retail stories. So, why then does the company continue to creep back into the big-box outlets and will this hurt the brand?
The company helps small businesses with little tech savvy build apps easily, and now its partner Constant Contact will email-blast prospective users, too.
The Samsung Galaxy Mini 2 S6500 could make its debut at the Mobile World Congress in Barcelona later this month, according to a leaked promotional image.
Web giant is spending $120 million to beef up its Mountain View, Calif., headquarters, according to filings with the city reviewed by the San Jose Mercury News.
seem like their system is the best the EVAR!!!!111!!
If the Mac gets hacked (again) they'll say its unrealistic and no
one in their right mind would have their system in the
configuration that was used. If the linux system gets hacked
someone will say they the system was mis-configured because
the admin wasn't 1337 enough. If the windows system gets
hacked well... they'll just say it could have been worse ;)
greatly. What one expert calls "typical" security setup for each one
of these OS's can greatly skew the results.
They at least should have a rep from each OS to rebut/agree on a
typical setting. This is like a prosecuter presenting a case to a jury
without the defense having a chance to refute the evidence.
Also, what I find important, is which flavour of linux is to be used? Many distributions contain their own security implementations, and many their own flaws. There needs to be some standardization otherwise the contest doesn't come as professional as it could.
The last time something like this was done, was a contest in 1999 by Mindcraft... bought and paid for by Microsoft. You can only guess how stacked the odds were. Or, you can read the MSFT flack's admission of same for yourself - here: <a class="jive-link-external" href="http://www.itweb.co.za/sections/enterprise/1999/9904221410.asp" target="_newWindow">http://www.itweb.co.za/sections/enterprise/1999/9904221410.asp</a>
(Mindcraft's website is still up, but it's been pretty much defunct since 2003).
--
This time, let's set it up with the ultimate - the defaults, patched to present with whatever patching/update program exists on each OS (All three have one). Fedora Core 8, OSX Leopard/10.5, and Vista w/ SP1.
Then simply turn 'em loose with public IP addys and see what comes of it.
/P
I think they should use Ubuntu, though, because that is
probably the one most widely used Linux distribution by people
departing Windows. And, yes, unbox it, set it up, and then if it
asks about installing the updates, do so. If not then run it that
way.
Let's face it, if you have an expert set up the security first even
Windows can be pretty secure. No fair installing any 3rd party
security programs.
Unless you mean to just let the machines go raw on the internet and don't publish the IP's. That would be a more realistic scenario.
No matter what the results are, people will be able to claim anything they wish. Don't like the results- skew them. Like them? Others will claim they were skewed.
It's not really something you can compare directly without favortism showing up somewhere in the equation.
I expect all 3 will be hacked. I'd be more interested in whether or not the exploits involve a lot of user interaction like the Mac one did needing to go to a specifically crafted website. User education should in theory prevent such attacks from working, however such is not the case.
As a user of Windows and Mac OS X I say only the following to fanboys of either. Both are gonna get hacked, and thats just the way it is. The only secure piece of software is one that has undiscovered bugs. For those thinking I'm a Linux fanboy for not including it, its because I don't use it myself.
configuration.
Then hack hardened operating systems.
I personally think that computers right out of the box should have links to where the NIST standards are, so that those without a lot of know how can easily find a good check for the system's security.
OS/2 was way off.
I'm even tempted to pay for a copy of eComStation and virtualize it in y Mac (OSX 10.5.1) to be able to run all the programs I had for Warp Connect.
But its days as a mainstream OS are over, it is more a workstation for certain programs, applications, and duties. I will not doubt to run it as my main file / printer SMP server. But it is more because I grew with it than what it offers right now.
/P
:)
This will be entertaining.
Vendor advises OS/2 users to switch to Linux, but ATM makers are leading push to Windows):
<a class="jive-link-external" href="http://www.computerworld.com/softwaretopics/os/story/0,10801,83884,00.html" target="_newWindow">http://www.computerworld.com/softwaretopics/os/story/0,10801,83884,00.html</a>
Hey "ethana2"! The "Real-Time" solutions (Desktop) are needed to address the nation's Sub-Prime Mortgage Crises.
If It Ain't Broke (Is Not OS/2 Then It Is Going To Be Code-Base OS/2 (Windows) Don't Fix It. M :-$ !
>>>The prizes for the contest will be "several laptops,"<<<
If Microsoft offers each of the top hackers $20,000 each to NOT hack Vista... Vista might just stand a chance. It would be worth more than just a mere $20,000 per hacker to Microsoft to come out on top.
And hackers only have a few PC's to win... thus with an amount of $20,000... in cash from Microsoft... the awfulest hackers might just bow out and cash in on a Microsoft hand-out! (* SMIRK *)
Don't think it's possible? Just look at Microsoft's reputation and pocket book as well as the human greed factor! (* GRIN *)
DO NOT underestimate Microsoft!
Walt
See: "Usage of eComStation and OS/2 Warp operating systems"
<a class="jive-link-external" href="http://en.ecomstation.ru/solutions/" target="_newWindow">http://en.ecomstation.ru/solutions/</a>
Read the subject line!
unpronounced. I don't see this contest as being either of those.
Perhaps you meant moot, which means "subject to debate or
dispute".
You probably should not use words whose meaning you don't
understand, or words which you cannot spell.
Fully patched systems with industry standard security software installed.
Stage II:
Fully patched systems, no security software installed.
Stage III:
Computer out of the box with a post it note saying, "Kick Me" on the monitor.
Give the hackers x amount of time for stage I. If no one wins, go to stage II. If no one wins, stage III.
(concerning their computer):
Stage I should be out of the box
Stage II should be fully patched, no security
Stage III should be fully patched with standard security software
Unless they manage to find and exploit a hole in Aqua, or in whatever add-ons Apple bolted onto the basic BSD rig (there's a few), well... good luck with that one.
/P
That being said I would think the most fair test would be this;
Fresh installs of OSX, Vista, and linux. Install the latest updates of each and go from there. Hacks like the quicktime hack should be out of bounds. The reason being quicktime isn't part of the OS. That is also why anti virus and firewall software should not be included. Neither is a part of the OS.
If firewalls and anti-virus programs are added to OSX and Vista would it be fair to use a linux distro in SElinux mode? I'm just curious about this since I'm not overly familiar with SELinux.
growing so much.
/P
his comments:
"Linux guys have their propaganda, Windows guys are saying this
and that, Apple guys have buried their heads in the sand as usual."
How can one not be suspect?