How long can a Mac survive the hacker jungle?

How long can a Mac survive the hacker jungle?

Summary: Apple's Mac OS X has a date with some of the world's smartest hackers.At this year's CanSecWest 2007 conference in Vancouver, BC, a "PWN to OWN" contest will pit security researchers against a MacBook Pro in an experiment to see how well a default Mac OS X install can survive hacker scrutiny.

SHARE:
TOPICS: Apple, Hardware, Security
114
Apple's Mac OS X has a date with some of the world's smartest hackers.

At this year's CanSecWest 2007 conference in Vancouver, BC, a "PWN to OWN" contest will pit security researchers against a MacBook Pro in an experiment to see how well a default Mac OS X install can survive hacker scrutiny.

The contest is the brainchild of CanSecWest organizer Dragos Ruiu, who was motivated in part by Apple's general anti-disclosure stance and the Mac commercials that trivializes security to the masses with humor.

"So, let's see how well a default OSX install really does in a room full of security researchers. How long can a default OSX install survive? How much Apple 0day is really floating out there undisclosed?," Ruiu said in an e-mail announcing hte contest.

He describes the contest as a "practical experiement" that makes "a political point."

Ruiu plans to set up two loaded MacBook Pro machines on this own access point with default installs and with the latest security updates applied. "[Hackers] will be able to walk up to it and connect to the AP ethernet or go in over WiFi. If you exploit it, you get to go home with it," Ruiu said.

The contest is limited to one per person (the same vulnerability can't be used twice) and will have certain victory conditions -- SSH connection out of the machine and contents of a file on the hard-drive.

"It will be interesting to see exactly how long they last in the "jungle" as it were. If they last the three days, they become the prizes for best lightning talk and best speaker as selected by the audience," Ruiu said of his "quantitative experiment on the real security of OSX."

CanSecWest is one of the main stops on the annual security conference calendar. It runs from April 18-20, 2007. Scheduled speakers this year include Microsoft's Mark Russinovich, Mozilla's Window Snyder, Symantec's Jim Hoagland, HD Moore of BreakingPoint Systems and Ron Gula from Tenable.

Topics: Apple, Hardware, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

114 comments
Log in or register to join the discussion
  • ha

    I give it a day max, but I will be surprised if it lasts an hour.
    iggy1@...
    • This was done a year ago....

      The Mac Mini won that round. Maybe this time will be different, but we'll see soon enough.
      crash89
  • Hacker = Researcher?

    I don't think so.
    YinToYourYang-22527499
  • Last time they did this...

    They gave the hacker a machine and the admin password. It was a joke...
    BitTwiddler
    • So the rumor says. However...

      ...I have never seen any proof to support this "theory". Perhaps you'll be able to provide it?
      ye
    • No quite

      They gave people a local account, which was just a regular user, and whomever hacked the Mac had a zero day privilege escalation exploit.
      toadlife
    • The last time the University of Wisconsin improved on the challenge

      They put a mini on the net, without giving anyone ssh access and no one hacked
      the machine.

      The interesting thing about the test this time is that the hackers will be in the
      physical vacinity of the machine, meaning they'll be able to use George Ou's
      preferred hack, the wireless card hack. Nothing new there.

      Maybe George Ou will be given honarary first crack at it with his hacking kit's
      training wheels taken off for the first time. Then ZDNet can get an exclusive
      George Ou gloat-a-fest issue out of it.
      YinToYourYang-22527499
      • The U-Wisconsin test was not a test of OSX

        It was a test of OpenSSH and Apache.

        The test was pointless, and even the person who put the test on admitted it later.
        toadlife
        • Nice spin

          The person who hacked a mini in 30 minutes was given direct access and an account. He admitted it wasn't as hardened (secured) as well as it could have been but bragged he still would have breached it thru unknown holes.

          The Wisconsin mini was set up as a typical, (almost*) "properly secured" server and it lasted over 30 hours without a breach, until university admin had it taken down (unauthorized and fear of other system/network problems).

          Point of U-W challenge...
          http://news.com.com/Another+Mac+OS+X+hack+challenge+launched/2100-7349_3-6047038.html

          * from above link "Schroeder is asking hackers to alter the home page hosted on a Mac Mini that is running Mac OS X 10.4.5 with the latest security updates. [b]The system has two local accounts, and has SHH and HTTP open--"a lot more than most Mac OS X machines will ever have open,"[/b] Schroeder said on his Web site."

          Challenge halted...
          http://news.com.com/2100-7349-6047735.html?tag=tb

          I don't recall the W-U engineer saying the test was "pointless". He set up a typical "hacker challenge" situation vs an atypical (giving/having an account and access).

          I'm sure someone with similar access to a Windows machine would NEVER be able to breach the well known MS security (cough).

          ...
          MacCanuck
          • And here is the key to the UoW challenge:

            "The Wisconsin mini was set up as a typical, (almost*) "properly secured" server and it lasted over 30 hours without a breach"

            Note the words "properly secured". I can place a properly secured Windows 2003 system offering the same services (offering up a static web page with RDP enabled) on the net and have it last just as long as the UoW challenge.
            ye
          • IIS6

            You could take that further. IIS6 has never had a remote vulnerability that would allow an anonymous user to hack the server. You could have set a Win2k3 server is 2003 when Win2k3 was released with only port 80 exposed and it would still be standing today.

            As for RDP there has been a DoS vuln, but not a vuln that would have allowed a full compromise.
            toadlife
          • Dave "The raving Mac Zealot" Schroeder

            [i]"I don't recall the W-U engineer saying the test was "pointless"."[/i]

            I do. He admitted it the other day [url=http://yro.slashdot.org/comments.pl?sid=227295&cid=18421385]in a post on Slashdot[/url] when I called him out for being an idiot and a zealot.

            The point of the test according to him was to "disprove" the article about the mac hacking contest. Nothing however needed to be disproved, because while the article left out details at first, they were corrected soon afterwards.

            The guy (like you) has an irrational emotional attachment to his platform of choice - to the point where he almost stakes his identity on it. That's not healthy.
            toadlife
          • Some of us are just more honest

            with what we prefer and use rather than hide behind weasily nick names.

            >>> The guy (like you) has an irrational emotional attachment to his platform of choice - to the point where he almost stakes his identity on it. That's not healthy. >>>

            What's not healthy is showing rabid zealotry and irrational hatred towards something yet continuing to deny it (or hiding it). Now that's sick.

            ...
            MacCanuck
  • Will OS X finally get the credit it deserves for security?

    I think the Mac will fare pretty well, certainly better than Windows. Only time will tell.

    If no one is able to hack into it within 3 days, will Windows people finally give OS X some credit for being a pretty secure OS?

    I doubt it.....
    rolla_ifs@...
    • Don't count on it

      rolla_ifs writes: "will Windows people finally give OS X some credit for being a
      pretty secure OS?"

      Don't count on it. Microsoft has a marketing blitz going on to overturn is
      reputation as the maker of the most wide spread terrorist tool: the Windows
      operating system.

      Microsoft has a 90 day vulnerability report out right now narrowly honing the
      statistics in order to put Vista ahead of its competition. And they're making big
      hay about it. Then there are the MOAB groups, in which you can include the
      blogging whiners such as George Ou, who, like in true kamikaze style, go all out
      to defame Apple at whatever cost to their reputations.

      Microsoft is hitting hard and their money is out there in the stands being
      circulated by their infiltrators. The crowd isn't sure who's winning the fight, but
      Microsoft is fighting desperately to retake their minds. They'll use conniving
      tactics, lying and exaggeration if necessary. The referree will stop the fight and
      give Microsoft extra time to recover (afterall he's under Microsoft's take too). The
      aging champion's mind is racing with thoughts: 'The public easily bought my
      operating system before, national security risk and all. They couldn't haven't
      changed all that much in these short ten vacuous years'.

      Down goes the champ one more time. The referee helps him up again. But no
      one in the crowd, except the paid lackeys, are cheering him back.
      YinToYourYang-22527499
      • Linux

        This is the perfect time for Linux to take the stage. People are tired of Microsoft and Linux is the polar opposite. It is free, fast, reliable, and easy to use. Anyone who wants to argue ease of use either has never tried linux or has tried linux in 1997. It takes me less time to install a working ubuntu than windows, by about 30 minutes. And I have less problems in ubuntu. I regret to say that Windows is toast and most likely, although also being based on Unix, Mac is as well, because of high price of a machine. Yes I know that a Mac that you get has solid, fast, and long lasting hardware, but some people don't need that kind of system to check email and use openoffice.
        jett925@...
        • Mostly true

          but Ubuntu still won't run my LAN on my 3 month old AM2 socket Gigabyte MoBo. Other than that, it's great.
          ajole
        • I have tried every flavor of LInux I could

          And either my sound card would not work, or my ATI video card was not fully supported and I only getthe lame 16 colors, which in any operating system is crap. My last attempt was Suse 10. When I ask tech support for help, they tell me to write my own drivers. I am not a programmer, I would not even know where to start.

          Linux is great, and if all Linux distros comes together and make one really good version, and get drivers for all newer hardware, I would try again. I have one computer that I use to test linux. I like it, but I cannot keep fighting it.
          BroGnorik
        • You lost me at the first sentence.

          I got bored with your post before I even completed the second sentence! This isn't about Linux, nor even Windows. It's about Mac.

          The fanboys on ZD - Windows, Mac, or Linux, they're all the same breed - are nearly worthless.

          Discuss the merits of the test, or don't post.
          Zeppo9191
      • I'm not counting on it. The world is full of idiots

        'Nuf said!
        labarker