Texsox Posted April 1, 2008

Linked

Sorry Jim, but on the bright side, that MacBook Air lasted longer than you . . .

The MacBook Air went first; a tiny Fujitsu laptop running Vista was hacked on the last day of the contest; but it was Linux, running on a Sony Vaio, that remained undefeated as conference organizers ended a three-way computer hacking challenge Friday at the CanSecWest conference.

Earlier this week, contest sponsors had put three laptops up for grabs to anyone who could hack into one of the systems and run their own software. A $20,000 cash prize sweetened the deal, but the payout was halved each day as contest rules were relaxed and it became easier to penetrate the computers. [ See related story Gone in 2 minutes: Mac gets hacked first in contest. ]

FlaSoxxJim Posted April 1, 2008

QUOTE(Texsox @ Apr 1, 2008 -> 08:24 AM) Linked Sorry Jim, but on the bright side, that MacBook Air lasted longer than you . . .

heh heh. I'd rather not have seen the hack occur so quickly, sure, but it was on the second day after the hackers were allowed to direct the user to a website containing exploit code. That said, duping users into visiting malicious sites or installing malicious software is of course the most widespread way to exploit vulnerabilities as we have seen over and over again when all the Windows chumps get scammed into letting their machines get hijacked.

Also, I'm not surprised a former NSA scientist who also happens to be the guy who first hacked the iPhone was able to hack OSX so quickly.

Y2HH Posted April 1, 2008

The problem with this contest was in the awards. If you hacked it, you not only got the prize money but you got to keep the device you hacked. Who really wants to hack a Linux box which probably costs 300$ when you could hack an Air which is worth closer to 3K? Exactly...

The hackers even admitted that although there was code they KNEW they could exploit in Linux, much like the code they exploited on the Windows machine (3rd party which was a cross platform vulnerability), that they didn't want to invest the time to write up the necessary code to bother. Upon the start of the contest -- nobody was even trying to hack the Linux machine because everyone wanted to get the Air, probably to resell on Ebay+their prize money.

Here is the snippet --

In the end, it was reported that some folks on hand had discovered bugs in the Linux OS, but many of them "didn't want to put the work into developing the exploit code that would be required to win the contest."

http://www.engadget.com/2008/03/29/linux-b...-own-unscathed/

Texsox Posted April 1, 2008

The "not worth bother" is one form of protection. Back in the early 1980s, I was fishing a tournament when 5 or 6 boats were stolen from a hotel parking lot. Most of the guys had either locks to lock the boat to the hitch, or the hitch to the truck, but only a couple had both. One guy had neither. The guys with both and the guy with neither were the only ones that woke up to their boats. The only reason we could think of that the guy with neither wasn't ripped off was he had the ugliest boat in the parking lot.

The prize money was $20,000, it seems you are saying that there would be a much greater incentive for $20,000 plus the Mac Book ($23,000) than just $20,000? I guess everyone has their price, but $20,000 with little competition versus a potential $23,000 with lots of competition doesn't seem much different.

Y2HH Posted April 1, 2008

QUOTE(Texsox @ Apr 1, 2008 -> 08:25 AM) The "not worth bother" is one form of protection. Back in the early 1980s, I was fishing a tournament when 5 or 6 boats were stolen from a hotel parking lot. Most of the guys had either locks to lock the boat to the hitch, or the hitch to the truck, but only a couple had both. One guy had neither. The guys with both and the guy with neither were the only ones that woke up to their boats. The only reason we could think of that the guy with neither wasn't ripped off was he had the ugliest boat in the parking lot. The prize money was $20,000, it seems you are saying that there would be a much greater incentive for $20,000 plus the Mac Book ($23,000) than just $20,000? I guess everyone has their price, but $20,000 with little competition versus a potential $23,000 with lots of competition doesn't seem much different.

The article says he only received 10,000 + the Air, not 20,000. I believe the prize money dwindles as the days go on, that's the total prize money available, which doesn't all go to the first winner.

But yes, the consensus amongst the hackers at the convention said why bother with the Linux machine...it's even in the story I linked.

Texsox Posted April 1, 2008

QUOTE(Y2HH @ Apr 1, 2008 -> 08:35 AM) The article says he only received 10,000 + the Air, not 20,000. I believe the prize money dwindles as the days go on, that's the total prize money available, which doesn't all go to the first winner. But yes, the consensus amongst the hackers at the convention said why bother with the Linux machine...it's even in the story I linked.

I know what was in the article, but I wonder how accurate that was. Ehh, why bother for $20,000 (the first day challenge) or even $10,000 or $5,000?

So on day two the choices were

$10,000 + Mac
$10,000 + Vista machine
$10,000 + Linux machine

And they decided to pick the Mac, just because it was the most valuable? Again, the difference is $10,000 or $13,000, and I don't buy they picked their target based on that.

What is more plausible to me, is the randomness of people and talents at the show. To be successful, the hacker would have to have a decent knowledge of that platform. So the Mac guy walked by before the PC guy and there may not have been but a handful of Linux guys walking the show. In other words, a PC guy in all likelihood would not decide to hack the Mac and vice versa.

Y2HH Posted April 1, 2008

QUOTE(Texsox @ Apr 1, 2008 -> 08:44 AM) I know what was in the article, but I wonder how accurate that was. Ehh, why bother for $20,000 (the first day challenge) or even $10,000 or $5,000? So on day two the choices were $10,000 + Mac, $10,000 + Vista machine, $10,000 + Linux machine. And they decided to pick the Mac, just because it was the most valuable? Again, the difference is $10,000 or $13,000, and I don't buy they picked their target based on that. What is more plausible to me, is the randomness of people and talents at the show. To be successful, the hacker would have to have a decent knowledge of that platform. So the Mac guy walked by before the PC guy and there may not have been but a handful of Linux guys walking the show. In other words, a PC guy in all likelihood would not decide to hack the Mac and vice versa.

Excellent point. Add to that the fact that the majority of *nix, especially the childlike Linux community wouldn't want to hack their beloved operating system of awesomeness. I attribute this to their general hatred, (in some ways extreme hatred to an alarming degree), toward Mac and Windows based machines/users.

Of course you have your Mac idiots and PC idiots, too...but I think the majority of the casual users can really care less, they just want their PC or Mac to work without having to play with drivers or configuration files for hours on end to get it "mostly working".

Texsox Posted April 1, 2008

Funny, this little gem from Esquire just hit my in basket

Five Reasons Why PCs Are Better Than Macs

Y2HH Posted April 1, 2008

QUOTE(Texsox @ Apr 1, 2008 -> 09:40 AM) Funny, this little gem from Esquire just hit my in basket Five Reasons Why PCs Are Better Than Macs

Although I'm a PC owner/user, I have to say that Macs can run XP/Vista flawlessly, so you can have the best of both with them now...at the cost of a premium price, anyway.

Texsox Posted April 1, 2008

It does say a lot that there was demand for Macs that run Vista but not PCs that run Mac OS?

Y2HH Posted April 1, 2008

QUOTE(Texsox @ Apr 1, 2008 -> 10:01 AM) It does say a lot that there was demand for Macs that run Vista but not PCs that run Mac OS?

There is a demand for it, but it's an illegal demand. There are PC hacked copies of OSX out there, but obviously they aren't licensed to run on non-Mac hardware (Intel or not). I would run it, OSX is *really* nice, I may even consider buying a Mac next, simply because I could run both if I so wanted. I'm so sick of Vista it's not even funny how bad this 5+ year development OS is.

Anyway, getting back on topic, it's nice that they can do both, in either case.

Texsox Posted April 1, 2008

I use both. My son has a MacBook and on campus I stop into whatever computer lab is closest. Both work. I have never seen an advantage for either that lasted more than a couple months, and it is a lot quicker for the PC world to catch up than the Mac world. And they both jump ahead at times.

StrangeSox Posted April 1, 2008

QUOTE(Y2HH @ Apr 1, 2008 -> 10:06 AM) There is a demand for it, but it's an illegal demand. There are PC hacked copies of OSX out there, but obviously they aren't licensed to run on non-Mac hardware (Intel or not). I would run it, OSX is *really* nice, I may even consider buying a Mac next, simply because I could run both if I so wanted. I'm so sick of Vista it's not even funny how bad this 5+ year development OS is. Anyway, getting back on topic, it's nice that they can do both, in either case.

I might consider OSX if I could run it on decent hardware that didn't cost me twice as much as a comparable PC. Until that day, I won't be buying any overpriced Mac products.

Texsox Posted April 1, 2008

QUOTE(StrangeSox @ Apr 1, 2008 -> 10:10 AM) I might consider OSX if I could run it on decent hardware that didn't cost me twice as much as a comparable PC. Until that day, I won't be buying any overpriced Mac products.

Twice the price may be a stretch, but they do cost more and I honestly do not see any advantage in quality between my son's Mac and my Dell. Now I have never used a bottom tier Wintel laptop, but I'm guessing I would see a difference in quality, but then there would also be a difference with my Dell.

FlaSoxxJim Posted April 1, 2008

QUOTE(Texsox @ Apr 1, 2008 -> 11:09 AM) I have never seen an advantage for either that lasted more than a couple months, and it is a lot quicker for the PC world to catch up than the Mac world. And they both jump ahead at times.

Your computer work needs apparently never required the use of extended mode multiple-monitors, because that's certainly not something Windows caught up to Apple on in a couple months. Multiple monitors were first supported as a standard feature on the Mac II way back in 1987. It became a standard feature on Windows as of Windows 98. The Mac II was released on March 2 1987, and Win98 was released on June 25th 1998, so by my calculations that is 135 months' lag time, Bro.

Edited April 1, 2008 by FlaSoxxJim

Texsox Posted April 1, 2008

QUOTE(FlaSoxxJim @ Apr 1, 2008 -> 10:52 AM) Your computer work needs apparently never required the use of extended mode multiple-monitors, because that's certainly not something Windows caught up to Apple on in a couple months. Multiple monitors were first supported as a standard feature on the Mac II way back in 1987. It became a standard feature on Windows as of Windows 98. The Mac II was released on March 2 1987, and Win98 was released on June 25th 1998, so by my calculations that is 135 months' lag time, Bro.

Nope, I was busy using the bigger and cheaper PC monitors at the time.

FlaSoxxJim Posted April 1, 2008

QUOTE(Texsox @ Apr 1, 2008 -> 12:08 PM) Nope, I was busy using the bigger and cheaper PC monitors at the time.

Cheaper?? You would have paid $10K for a single VGA monitor that gave you anything close to the real estate of two of the standard 640x480s of the day.

Texsox Posted April 1, 2008

QUOTE(FlaSoxxJim @ Apr 1, 2008 -> 11:15 AM) Cheaper?? You would have paid $10K for a single VGA monitor that gave you anything close to the real estate of two of the standard 640x480s of the day.

My point was I didn't need two monitors. Still do not. My 17' laptop display is just fine. I've played with a second monitor and so far, just didn't need the clutter on my desktop. So I guess for those that needed that much real estate, Mac was the way to go.

FlaSoxxJim Posted April 1, 2008

QUOTE(Texsox @ Apr 1, 2008 -> 12:27 PM) My point was I didn't need two monitors. Still do not. My 17' laptop display is just fine. I've played with a second monitor and so far, just didn't need the clutter on my desktop. So I guess for those that needed that much real estate, Mac was the way to go.

That's exactly it - the right tools for the job. I started doing serious Macromedia Director authoring and Adobe Premiere editing around 1992, and for those apps you needed to have enough real estate to have a half-dozen tool windows and palettes open as well as your main project window. With a single monitor you'd spend half your day opening/closing and shuffling windows and you wouldn't get anything done.

southsideirish71 Posted April 1, 2008

Having "user interaction" is hardly a hack challenge. It's a valid security concern, but these hack challenges are a joke. They are usually funded by the competing companies research association. It's like these "white papers" that come out from some of these shell research groups that are funded by either Apple or Microsoft. I guess we should just ignore the 5 million or so Windows machines out on the internet controlled in several botnets. Each operating system has its issues, and default settings without patches they are all meat.

As a person who monitors internet egress traffic and manages an NSM, I can tell you that the "user interaction" malware install is something that everybody runs into. Hackers are exploiting websites now, not to get data from it (except for the Chinese, they do want your Intellectual Property) but to get you to install their malware. Hell, the newest one is the ads. Ads are sold by companies that act as the middle man. They don't know exactly what they are selling. But just target it to a company based on some basic criteria. A few lines of code and you can redirect anyone anywhere. Soxtalk has seen this itself.

They want your PC more than the site. Why, they don't care about you or your data. They want your processing power. You know how much a 500k botnet is to a spammer. How much money a terrorist would pay for a DDoS coming from 100k Comcast machines. It's easy, and it's hard to trace. Botherders make money on the sheer number of PCs that they control. A botnet is a beautiful thing from an architectural standpoint, but from a security standpoint scary.

Edited April 1, 2008 by southsideirish71

southsideirish71 Posted April 1, 2008

QUOTE(Y2HH @ Apr 1, 2008 -> 10:06 AM) There is a demand for it, but it's an illegal demand. There are PC hacked copies of OSX out there, but obviously they aren't licensed to run on non-Mac hardware (Intel or not). I would run it, OSX is *really* nice, I may even consider buying a Mac next, simply because I could run both if I so wanted. I'm so sick of Vista it's not even funny how bad this 5+ year development OS is. Anyway, getting back on topic, it's nice that they can do both, in either case.

I boot camp Vista with Parallels because I have a few tools I use in the Windows world including Visio. Office 2008 on the Mac has changed the amount of time I spend in my virtual machine. We have kept with XP just because of all the interop issues with Vista. The Security features in Vista and Windows 2008 are great. It's about time they had some of these, however in fixing some of the security issues they sure broke a lot of functionality/stability issues.

Texsox Posted April 1, 2008

QUOTE(FlaSoxxJim @ Apr 1, 2008 -> 11:44 AM) That's exactly it - the right tools for the job. I started doing serious Macromedia Director authoring and Adobe Premiere editing around 1992, and for those apps you needed to have enough real estate to have a half-dozen tool windows and palettes open as well as your main project window. With a single monitor you'd spend half your day opening/closing and shuffling windows and you wouldn't get anything done.

And for the dozens and dozens of users like yourself, a dream was realized!

Y2HH Posted April 1, 2008

QUOTE(southsideirish71 @ Apr 1, 2008 -> 11:46 AM) Having "user interaction" is hardly a hack challenge. It's a valid security concern, but these hack challenges are a joke. They are usually funded by the competing companies research association. It's like these "white papers" that come out from some of these shell research groups that are funded by either Apple or Microsoft. I guess we should just ignore the 5 million or so Windows machines out on the internet controlled in several botnets. Each operating system has its issues, and default settings without patches they are all meat. As a person who monitors internet egress traffic and manages an NSM, I can tell you that the "user interaction" malware install is something that everybody runs into. Hackers are exploiting websites now, not to get data from it (except for the Chinese, they do want your Intellectual Property) but to get you to install their malware. Hell, the newest one is the ads. Ads are sold by companies that act as the middle man. They don't know exactly what they are selling. But just target it to a company based on some basic criteria. A few lines of code and you can redirect anyone anywhere. Soxtalk has seen this itself. They want your PC more than the site. Why, they don't care about you or your data. They want your processing power. You know how much a 500k botnet is to a spammer. How much money a terrorist would pay for a DDoS coming from 100k Comcast machines. It's easy, and it's hard to trace. Botherders make money on the sheer number of PCs that they control. A botnet is a beautiful thing from an architectural standpoint, but from a security standpoint scary.

Wow, someone that isn't an idiot. Sorry, but it's rare to find a person on the internet that actually knows what he/she is talking about when it comes to the Internet/PC Security.

Everyone with Google or Wiki seems to be an expert these days, but you can usually tell if they actually know anything vs regurgitating something they've heard but don't actually know anything about.

Edited April 1, 2008 by Y2HH

RockRaines Posted April 2, 2008

QUOTE(Texsox @ Apr 1, 2008 -> 10:01 AM) It does say a lot that there was demand for Macs that run Vista but not PCs that run Mac OS?

That's because the Mac OS is so clumsy for day to day activities. The interface is so GUI centric and slow, the fact that their PCs come with ONE frickin mouse button, and just not being able to navigate your way around some of the processes makes it less useful than Microsoft.

RockRaines Posted April 2, 2008

QUOTE(southsideirish71 @ Apr 1, 2008 -> 11:46 AM) Having "user interaction" is hardly a hack challenge. It's a valid security concern, but these hack challenges are a joke. They are usually funded by the competing companies research association. It's like these "white papers" that come out from some of these shell research groups that are funded by either Apple or Microsoft. I guess we should just ignore the 5 million or so Windows machines out on the internet controlled in several botnets. Each operating system has its issues, and default settings without patches they are all meat. As a person who monitors internet egress traffic and manages an NSM, I can tell you that the "user interaction" malware install is something that everybody runs into. Hackers are exploiting websites now, not to get data from it (except for the Chinese, they do want your Intellectual Property) but to get you to install their malware. Hell, the newest one is the ads. Ads are sold by companies that act as the middle man. They don't know exactly what they are selling. But just target it to a company based on some basic criteria. A few lines of code and you can redirect anyone anywhere. Soxtalk has seen this itself. They want your PC more than the site. Why, they don't care about you or your data. They want your processing power. You know how much a 500k botnet is to a spammer. How much money a terrorist would pay for a DDoS coming from 100k Comcast machines. It's easy, and it's hard to trace. Botherders make money on the sheer number of PCs that they control. A botnet is a beautiful thing from an architectural standpoint, but from a security standpoint scary.

Which NSM do you use? (just so happens this is my wheelhouse)