February 7, 2008 7:34 AM PST
Vista, Leopard, Linux to compete in hack contest
- Related Stories
-
Year in review: Botnet gains, Web 2.0 pains
December 31, 2007 -
Inviting the hackers inside
December 4, 2007 -
Black Hat 'supersizes' in Las Vegas
July 30, 2007 -
Apple plugs QuickTime zero-day flaw
May 1, 2007 -
Mac hacked through QuickTime flaw
April 24, 2007 - Related Blogs
-
IE also affected by $10,000 QuickTime bug
April 25, 2007 -
Apple issues a security update for Quicktime 7.1.6
May 29, 2007
Run by the organizers of the CanSecWest Vancouver 2008 security conference, the competition is a repeat of the "PWN to Own" contest at CanSecWest in 2007, when security researchers competed to win a MacBook Pro and $10,000. The prize was shared between security researchers Dino Dai Zovi and Shane Macauley for their successful use of a zero-day QuickTime vulnerability, which they used to compromise the MacBook. The vulnerability was subsequently found to also affect Windows platforms.
The hacking competition at CanSecWest 2008 will pit the Linux, Leopard OS X, and Vista operating systems against each other, according to CanSecWest organizer Dragos Ruiu.
"The fur is flying right now about which is more secure--Linux, Vista, or Leopard," Ruiu said on Thursday. "Linux guys have their propaganda, Windows guys are saying this and that, Apple guys have buried their heads in the sand as usual. I guess the proof is in the pudding."
The prizes for the contest will be "several laptops," according to Ruiu. When he spoke to ZDNet UK, on Thursday, the security researcher was in Tokyo partly to organize a CanSecWest event and partly to go "shopping for laptops." Ruiu had not yet decided which laptops to buy, but said he was looking for something "new and thrilling."
"We want the prizes to inspire lust amongst geeks," said Ruiu. "It's going to be something lustworthy."
Last year the $10,000 prize money was supplied by security firm TippingPoint. This year's contest still needs a sponsor, and it is possible that the nature of the contest could still change, said Ruiu, although he declined to say what other form it might take.
Tom Espiner of ZDNet UK reported from London.
greatly. What one expert calls "typical" security setup for each one
of these OS's can greatly skew the results.
They at least should have a rep from each OS to rebut/agree on a
typical setting. This is like a prosecuter presenting a case to a jury
without the defense having a chance to refute the evidence.
The last time something like this was done, was a contest in 1999 by Mindcraft... bought and paid for by Microsoft. You can only guess how stacked the odds were. Or, you can read the MSFT flack's admission of same for yourself - here: http://www.itweb.co.za/sections/enterprise/1999/9904221410.asp
(Mindcraft's website is still up, but it's been pretty much defunct since 2003).
--
This time, let's set it up with the ultimate - the defaults, patched to present with whatever patching/update program exists on each OS (All three have one). Fedora Core 8, OSX Leopard/10.5, and Vista w/ SP1.
Then simply turn 'em loose with public IP addys and see what comes of it.
/P
I expect all 3 will be hacked. I'd be more interested in whether or not the exploits involve a lot of user interaction like the Mac one did needing to go to a specifically crafted website. User education should in theory prevent such attacks from working, however such is not the case.
As a user of Windows and Mac OS X I say only the following to fanboys of either. Both are gonna get hacked, and thats just the way it is. The only secure piece of software is one that has undiscovered bugs. For those thinking I'm a Linux fanboy for not including it, its because I don't use it myself.
configuration.
Then hack hardened operating systems.
This will be entertaining.
>>>The prizes for the contest will be "several laptops,"<<<
If Microsoft offers each of the top hackers $20,000 each to NOT hack Vista... Vista might just stand a chance. It would be worth more than just a mere $20,000 per hacker to Microsoft to come out on top.
And hackers only have a few PC's to win... thus with an amount of $20,000... in cash from Microsoft... the awfulest hackers might just bow out and cash in on a Microsoft hand-out! (* SMIRK *)
Don't think it's possible? Just look at Microsoft's reputation and pocket book as well as the human greed factor! (* GRIN *)
DO NOT underestimate Microsoft!
Walt
See: "Usage of eComStation and OS/2 Warp operating systems"
http://en.ecomstation.ru/solutions/
Read the subject line!
Fully patched systems with industry standard security software installed.
Stage II:
Fully patched systems, no security software installed.
Stage III:
Computer out of the box with a post it note saying, "Kick Me" on the monitor.
Give the hackers x amount of time for stage I. If no one wins, go to stage II. If no one wins, stage III.
That being said I would think the most fair test would be this;
Fresh installs of OSX, Vista, and linux. Install the latest updates of each and go from there. Hacks like the quicktime hack should be out of bounds. The reason being quicktime isn't part of the OS. That is also why anti virus and firewall software should not be included. Neither is a part of the OS.
If firewalls and anti-virus programs are added to OSX and Vista would it be fair to use a linux distro in SElinux mode? I'm just curious about this since I'm not overly familiar with SELinux.
- Already showing his bias
-
by i,Jimbot
February 10, 2008 10:49 AM PST
- Dragos is not much of a scientist. He's showing his bias already in
-
Reply to this comment
View
reply
-
-
See all 92 Comments >>his comments:
"Linux guys have their propaganda, Windows guys are saying this
and that, Apple guys have buried their heads in the sand as usual."
How can one not be suspect?