phoneboy3
@shawcable.net | Vista and Mac lose over Linux in Hacking contest
Though this might be interesting to some.
»www.itbusiness.ca/it/client/en/h···id=47765 |
|
jdong
Eat A Beaver, Save A Tree.
Premium
join:2002-07-09
Rochester, MI
clubs:  
| This has been discussed in Security and All Things Mac
Basically, the real story here is all 3 platforms are equally vulnerable:
OS X and Linux because there are no proactive sandboxes isolating the browser from the rest of the system.
Windows Vista because Adobe wrote a broker to IE7's sandbox that allowed jailbreak.
--
Ubuntu MOTU Developer and Forums Council |
|
phoneboy3
@shawcable.net
| reply to phoneboy3
Not the way I see it. Linux won. End of story. You can argue over why it won which could have very well been because nobody wanted to successfully hack it, but the bottom line is it won. These are the very people who make these systems insecure by spreading these hacks. So they if they are not motivated to hack it then by definition, the system is more secure. |
|
sporkme
drop the crantini and move it, sister
Premium,MVM
join:2000-07-01
Morristown, NJ
 ·Optimum Online
| said by phoneboy3 :
Not the way I see it. Linux won.
Did Linux win or did Firefox win by pushing out a last minute patch that would have allowed a compromise on the Linux box? Is Firefox Linux? Is Linux Firefox? Would the Mac have won if the person at the Mac fired up Firefox instead of Safari? |
|
deblin
Dark Side of the Moon
Premium,MVM
join:2001-09-01
Middletown, DE | I guess they didn't bother testing any of the BSDs, given the short time frame. 
--
Hello...is there anybody in there? |
|
gentux
join:2004-09-05
Natick, MA
| reply to sporkme
Would the Mac have won if the person at the Mac fired up Firefox instead of Safari?
My understanding was that the mac lost in the stage before non default software was allowed so firefox could not have been fired up instead of safari. |
|
antiserious
The Future ain't what it used to be
Premium
join:2001-12-12
Scranton, PA
|
That's correct, and Vista lasted so long, in part, because it was SP1 being tested (which is kind of what a service pack is supposed to do, among other things).
When you actually read the links provided, you pick up all sorts of interesting tidbits, but why spoil a good bash-fest with facts.
It might have been more relevant if each machine had survived the same number of attacks, or if some of the same exploits had been attempted against the applicable third-party software in each O/S. So personally I wouldn't say Linux won so much as Mac lost - big - but I do feel a little better about my choice of platform. The thread in the Security forum had some more links and commentary from the participants, worth reading.
fwiw
--
"My goal in life is to become the kind of problem that people throw money at".
|
|
sporkme
drop the crantini and move it, sister
Premium,MVM
join:2000-07-01
Morristown, NJ
·Optimum Online
| reply to gentux
said by gentux  :My understanding was that the mac lost in the stage before non default software was allowed so firefox could not have been fired up instead of safari. What is "the" default browser on "Linux"? What if the distro does not include a browser? Or what if it's lynx?  |
|
antiserious
The Future ain't what it used to be
Premium
join:2001-12-12
Scranton, PA
1 edit | said by sporkme :What is "the" default browser on "Linux"? What if the distro does not include a browser? Or what if it's lynx?
The target box - VAIO VGN-TZ37CN running Ubuntu 7.10 - which means they had their choice of Konqueror or Firefox, since it 'ships' with both.
In this case, for this particular contest, 'Linux' only applies to that combination - obviously they didn't test any other distro.
* edit - the other targets: Fujitsu U810 running Vista Ultimate SP1, MacBook Air running OSX 10.5.2
--
"My goal in life is to become the kind of problem that people throw money at".
|
|
firephoto
KDE
Premium
join:2003-03-18
 ·Verizon west (ex G..
| reply to phoneboy3
Linux has thousands of eyes viewing the publicly disclosed code and talking about it on publicly visible mailing lists. Exploits are fixed very quickly and the means are in place to push those fixes to users within a day or so if needed. There's no fame and glory for exposing or even fixing a Linux weakness, it just happens everyday.
The winner has a bone to pick with Apple and used an exploit he's been sitting on for a while. Webkit code is in the open but the development process isn't always transparent so it's easy to find where it's weak but the process leaves the opportunity for people to find exploits for glory. Look at most all the headlines that came out of Vancouver. "MacBook Air first to fail" and similar. The organizers picked a high profile piece of hardware and got more attention when it was able to be the headline getter. The first person up on the first day something was likely to be cracked was the probably the number one person likely to have an exploit for the Mac platform.
Most Windows exploits that work are sold for cash because there's a market for them and Microsoft themselves will even buy them. Apple does not buy exploits and that's how it should be. Microsoft is just promoting the malware industry by paying into it.
It was a MacBook Air that was reported as 'losing'. So specific hardware lost and some other software lost and won and that isn't biased? I didn't see any news about Sony winning. This was a chance to bash Apple and they succeeded, stupid people will believe it and most people won't know, and the rest don't care. Yes... stupid people will believe it. That's life.
--
~~This is not The Greatest Sig in the World without annoying urls, no. This is just a tribute.~~ |
|
firephoto
KDE
Premium
join:2003-03-18
·Verizon west (ex G..
| reply to antiserious
said by antiserious :The target box - VAIO VGN-TZ37CN running Ubuntu 7.10 - which means they had their choice of Konqueror or Firefox, since it 'ships' with both. In this case, for this particular contest, 'Linux' only applies to that combination - obviously they didn't test any other distro. * edit - the other targets: Fujitsu U810 running Vista Ultimate SP1, MacBook Air running OSX 10.5.2 Ubuntu has Firefox.
Kubuntu has Konqueror.
Other ubuntus probably have Firefox as default.
all non default browsers are an optional install on all
flavors.
Webkit based browsers or rendering engines are an option also.
No one really tried to hack the Ubuntu box so a wet paper sack could even survive that kind of abuse.  |
|
sporkme
drop the crantini and move it, sister
Premium,MVM
join:2000-07-01
Morristown, NJ
·Optimum Online
| said by firephoto :Webkit based browsers or rendering engines are an option also. It would have been a hoot if the guy's Mac exploit was based on a WebKit flaw and he went and downed both boxes (Safari + Konq) in 15 minutes. |
|
firephoto
KDE
Premium
join:2003-03-18
·Verizon west (ex G..
| reply to phoneboy3
said by Computerworlduk :
It was lack of interest in Linux rather than the operating system's inherent security that left an Ubuntu laptop unbreached in a hacking contest, said the security expert who oversaw the contest.
"There was just no interest in Ubuntu," said Terri Forslof, manager of security response for 3Com's TippingPoint, which put up the cash prizes awarded at the contest last week at CanSecWest. "A contest such as this is not a measure of relative security between operating systems. It's not an accurate barometer."
Just because the laptop - a Sony running the Ubuntu 7.10 distribution of Linux - had been untouched doesn't mean that the operating system is any more secure than either Mac OS X or Windows Vista, both which fell to attacks.
"It was actually a lack of interest" on the part of the PWN To OWN contestants, Forslof said. "Shane's [Macaulay] exploit would have worked on Linux. He could have knocked it over. But [the contestants] get a lot more mileage out of attacks on the Mac or Windows," she continued.
|
|
phoneboy3
@shawcable.net
| reply to phoneboy3
You can try throw rocks at the facts which is the nature of hackers I suppose. I have to assume an event this big with this much money involved would have been well thought out and organized such that the playing field was as equal as possible.
If anything, the fact Vista had SP1 on it so soon after it's release gave it an unfair advantage over all the rest so the fact it made it to the end doesn't mean all that much to me. |
|
jdong
Eat A Beaver, Save A Tree.
Premium
join:2002-07-09
Rochester, MI
clubs:
| said by phoneboy3 :
You can try throw rocks at the facts which is the nature of hackers I suppose. I have to assume an event this big with this much money involved would have been well thought out and organized such that the playing field was as equal as possible.
If anything, the fact Vista had SP1 on it so soon after it's release gave it an unfair advantage over all the rest so the fact it made it to the end doesn't mean all that much to me.
Frankly, I don't care. None of the OSes showed any intrinsic mechanism to prevent these kinds of attacks. As far as I'm concerned, in the big picture they all lost for the reasons I provided. OS X and Linux for failing to sandbox the browser, IE7 for allowing things to so easily backdoor the sandbox.
--
Ubuntu MOTU Developer and Forums Council |
|
phoneboy3
@shawcable.net | reply to phoneboy3
So what is your point? Don't connect computers to the internet? Put them all in sealed rooms with retna scan access?
It never ceases to amaze me how paranoid some people can get about security. |
|
phoneboy3
@shawcable.net | reply to phoneboy3
.....and smug. |
|
jdong
Eat A Beaver, Save A Tree.
Premium
join:2002-07-09
Rochester, MI
clubs:
| reply to phoneboy3
No, my point is, there should be more work going into proactive security measures such as establishing SELinux/Apparmor security contexts for desktop applications that are prone to exploitation, such as web browsers or untrusted code.
Even as an Ubuntu developer and advocate, I wouldn't think to conclude from this contest that Ubuntu is somehow more secure. It may be, it may not be, but what's apparent is that this class of exploits would work perfectly fine on Ubuntu -- we have nothing that actively stops it other than general stack-smashing protection from buffer overflows.
--
Ubuntu MOTU Developer and Forums Council |
|
