Forgot your password?
typodupeerror
Portables Businesses Security Apple Hardware

MacBook Air First To Be Compromised In Hacking Contest 493

Posted by Soulskill
from the potential-reality-tv-show dept.
Multiple readers have written to let us know that the MacBook Air was the first laptop to fall in the CanSecWest hacking contest. The successful hijacking took place only two minutes into the second day of the competition, after the rules had been relaxed to allow the visiting of websites and opening of emails. The TippingPoint blog reveals that the vulnerability was located within Safari, but they won't release specific details until Apple has had a chance to correct the problem. The winner, Charlie Miller, gets to keep the laptop and $10,000. We covered the contest last year, and the results were similar.
This discussion has been archived. No new comments can be posted.

MacBook Air First To Be Compromised In Hacking Contest

Comments Filter:
  • 0wnership (Score:5, Funny)

    by Anonymous Coward on Thursday March 27, 2008 @11:10PM (#22890086)
    Ah, the pride of 0wnership.
  • by Anonymous Coward on Thursday March 27, 2008 @11:10PM (#22890090)
    the sound of a million fanbois as they screamed Nooooooooooooo i sense i disturbance in the reality distortion generator set comments to flamebait and activate the extra moderation modules captain taco
    • by Lovat (1248352) on Thursday March 27, 2008 @11:14PM (#22890118) Journal
      You are correct, sir. Flaimbait tags on both the story and half the comments here in 3 . . . 2 . . . 1 . . .
    • I say well done. (Score:5, Insightful)

      by catwh0re (540371) on Friday March 28, 2008 @12:07AM (#22890446)
      In the past I've written replies which effectively defended the mac platform, not due to some loyalty, but because most of the feedback people write is pure b/s. I prefer factual arguments, not near-random fear mongering.

      I haven't RTFA but from the surface it sounds like a fair exploit test, and sure it only fell over with user interaction, but it still fell first. So good on them, they'll enjoy their prize of a macbook air and a sweet $10k.

      • by sootman (158191) on Friday March 28, 2008 @09:58AM (#22893724) Homepage Journal
        My teenage son can demolish any PC in an afternoon of unsupervised surfing. My neighbor's Vista box barely runs; God knows what they've got on it. (Unlike the Ubuntu box I let them borrow for two years before they bought their new Dell 3 months ago.) The Mac mini my son uses to surf (when he's allowed) runs as well as it did two years ago and I haven't even run software updates on it. (No sense mentioning it has no antivirus software either.)

        I don't care if it's spyware, adware, a virus, a tray icon, or or even just a simple browser toolbar or homepage or search-engine hijacking; or if it's installed manually or via drive-by methods--whether its due to small market share, inherent (UNIX) security, or something else, I will continue to argue that Mac and Linux are the better platforms, IN PRACTICE, for the average user.
        • Re: (Score:3, Insightful)

          by javelinco (652113)
          Paraphrased: "I don't care what the verifiable FACTS are - I only care about my unverified anecdotal stories." (a) Please don't ever consider going into science as a career field; (b) Hopefully it's clear (at least to the majority of readers out there), that personal, unverifiable anecdotal "evidence" is not a valid counterargument to factual data. That ISN'T to say that there aren't problems with the facts in this case - just saying that this "evidence" isn't worth anything in response to those facts.
        • Re: (Score:3, Insightful)

          by Mister Whirly (964219)
          I can summarize your post -

          "I have no idea why some of my boxes fall prey to security holes, so I am just going to blindly assume that X operating system is more secure than Y operating system."

          There is no such thing as a "secure OS". Security is a process that is ongoing and the principles of securing a system apply to ALL operating systems. If you want a real explanation as to why your Windows machines are attacked more often than your Macs or Linux machines, try the concept of "marketshare" out. Reme
  • by BadAnalogyGuy (945258) <BadAnalogyGuy@gmail.com> on Thursday March 27, 2008 @11:11PM (#22890094)
    Safari browser has massive security hole.

    It's funny how they turned a huge hole in the Safari browser into a commercial for the Mac Air.

    "Small size, big holes"
  • Identical articles (Score:3, Insightful)

    by Robert1 (513674) on Thursday March 27, 2008 @11:11PM (#22890096) Homepage
    They're nearly perfect mirrors of one another. Really the only difference between this year and lasts was the word "Air."
    • by Anonymous Coward on Thursday March 27, 2008 @11:14PM (#22890116)
      No, this year Vista and Ubuntu were in the contest as well. But the mac got hacked in two minutes and the Vista and Ubuntu machines resisted every hack. Big difference there. Oh, and I'd like to say, HA HA /nelson - now tell us again how absense of mac malware is not because of small market share.
      • by Anonymous Coward on Thursday March 27, 2008 @11:36PM (#22890240)
        The Vista machine would have been hacked quicker if it ran faster
      • Miller, best known as one of the researchers who first hacked Apple's iPhone last year, didn't take much time. Within 2 minutes, he directed the contest's organizers to visit a Web site that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on.

        He was the first contestant to attempt an attack on any of the systems.

        But the issue is really not which is more vulnerable, it is that you can't run a secure browser and a convenient browse

        • by recoiledsnake (879048) on Thursday March 27, 2008 @11:54PM (#22890360)

          It's time to abandon the general purpose browser. It's also time to quit surfing as your log-in user. You need a browser for surfing that you run (sudo or something) as a strictly limited privilege user without log-in capabilities.
          If you pulled your head out of the sand and informed yourself beyond the anti-Vista tripe that's posted on here, you might have known that IE7 on Vista does exactly what you described ever since it came out more than a year ago.
    • Re: (Score:2, Interesting)

      by Anonymous Coward
      Something else the same that should be pointed out: Microsoft sponsored the contest both times. It is important to know where the money is coming from [slashdot.org] (and who is writing the rules [wired.com]).
  • by Anonymous Coward on Thursday March 27, 2008 @11:13PM (#22890108)
    There goes their geek cred. Hey, at least they still sell a metric crap load of iPods!
    • Re: (Score:3, Funny)

      by Almahtar (991773)
      The crap load is a metric unit?
  • by ashridah (72567) on Thursday March 27, 2008 @11:19PM (#22890140)
    Well. Big shock there. These days, most vulnerabilities require the user to be at the helm.

    Good to see that social engineering is still all it requires to compromise something.
    • by recoiledsnake (879048) on Thursday March 27, 2008 @11:43PM (#22890284)

      Good to see that social engineering is still all it requires to compromise something.
      So why weren't the Windows and Linux machines be able to be hacked inspite of the social engineering and users being at the helm all day?
      • Re: (Score:3, Insightful)

        by ashridah (72567)
        Bigger hoops to jump through? Linux has fairly high levels of user/admin separation, and windows has been burned enough times that the sandbox that IE runs with is effective enough to slow people down, far more than it was back in the ie6 or ie5.5 days.

        I doubt it'll take much longer for all three to get taken over. There'll be some office bug, or a local service vulnerability that hasn't been patched yet, and it'll be game over, sooner rather than later.

        There's a lot to be said for being exposed, it does gi
  • by iliketrash (624051) on Thursday March 27, 2008 @11:20PM (#22890150)
    "The winner, Charlie Miller, gets to keep the laptop and $10,000."

    You mean like when your airplane flight is cancelled and the airline offers you a free ticket. Or when the food at a restaurant is crappy and they give you a coupon to eat there again.
    • Re:Keep the laptop (Score:5, Insightful)

      by MobileTatsu-NJG (946591) on Thursday March 27, 2008 @11:27PM (#22890188)

      You mean like when your airplane flight is cancelled and the airline offers you a free ticket. Or when the food at a restaurant is crappy and they give you a coupon to eat there again.
      Well.. sorta. It's more like when a company loans you a laptop to hack, then they let ya keep it, then they give ya ten thousand dollars on top of that.
  • by jht (5006) on Thursday March 27, 2008 @11:45PM (#22890296) Homepage Journal
    To me, a web hack to worry about (on any platform/browser) is one that can just be triggered by viewing a compromised page (like happens to most unpatched Windows machines that get nailed by drive-bys). I'm not nearly as worried about ones that require user intervention - clicking on a link, button, or something of the sort.

    So if the Mac was tagged by just loading a page that delivered the hack, that's bad. Quite bad. If he had to click and download something (and perhaps defeat the auto-quarantine they use), that's not so much a big deal, though still a hole that needs patching.

    One of the things about vulnerabilities on all platforms is that a significant part of the magnitude depends on how difficult it is to exploit. Remote connections to a system that avoid/defeat a firewall are really dangerous. Attacks that require the user to do something stupid are inevitable, but far less dangerous.

    Thus far most of the Mac vulnerabilities have been the second type. Luckily.
  • Day 2 results (Score:5, Informative)

    by Nightspirit (846159) on Thursday March 27, 2008 @11:47PM (#22890312)
    If you look at their blog it seems the Vista and Ubuntu laptops are still not hacked yet at the end of day 2:
    http://dvlabs.tippingpoint.com/blog/2008/03/27/day-two-of-cansecwest-pwn-to-own---we-have-our-first-official-winner-with-picture [tippingpoint.com]
  • by Marbleless (640965) on Thursday March 27, 2008 @11:55PM (#22890376)
    So it is just coincidence that Apple are now pushing an unsafe Safari to Windows users (http://apple.slashdot.org/article.pl?sid=08/03/27/129236)?

    Or am I being a conspiracy nut? ;)
  • Good. (Score:5, Insightful)

    by brainfsck (1078697) on Friday March 28, 2008 @12:54AM (#22890682)
    I'm typing this on a Macbook Pro running Safari, and I'm happy about the results of this competition. As Apple computers (slowly?) gain market share, they will eventually be forced to significantly adjust their terrible attitude in terms of security.

    I would rather have Apple "shamed" into providing me (and other OS X users) a more secure web browser/operating system than gain some pathetic "my system is more secure than yours" bragging rights.
  • by SpeedyG5 (762403) on Friday March 28, 2008 @01:44AM (#22890966) Homepage
    I am an apple fan and enjoy a lot of their products.

    There is no way any system can be perfectly secure, but this is a significant hole. While they probably won't get me to click that stupid link, they might get my mom or any number of the other avg everyday users.

    At least now we can get beyond the macs can't be hacked BS and move on to securing my favorite OS and keeping it that way.

    Now lets see how long it takes for apple to post a patch, that is really where the rubber meets the road.

  • I don't get it (Score:5, Insightful)

    by CannonballHead (842625) on Friday March 28, 2008 @02:34AM (#22891136)

    Can't we admit that, for whatever reason, the Air/Safari was easier hacked than Vista/IE7? I know this is an unpopular bandwagon to be on, especially on Slashdot, but it seems there's no two ways about it. I refuse to believe that it was a conspiracy and that every hacker was actually just trying to hack the Air and make Ubuntu and Vista pass, that's stupid. If I were a hacker, I'd totally hack the EASIEST one simply to get the $10k and the laptop. And if there were known or open vulnerabilities, it should have fallen in what, 30 seconds?

    Seriously, it's not a huge deal. If we, like good open source cronies, admit that there was a problem with *gasp* part of the Apple software/laptop combo (whether it was Safari or the OS or whatever), then maybe it will be fixed. Isn't that the main idea here? I thought the point of these things were to discover vulnerabilities so that they could be fixed, not to place bets on Microsoft falling and go up in arms if it doesn't.

    Unless, of course, we really aren't interested in open source software or good software at all, but are more about claiming a company name as our own.

  • Tags? (Score:3, Interesting)

    by dreamchaser (49529) on Friday March 28, 2008 @02:37AM (#22891144) Homepage Journal
    If a Vista machine had been first there would be a 'haha' tag on this article, as well as on yesterday's article talking about how MS issues patches faster.

    Just sayin...
  • A real hero (Score:5, Interesting)

    by Fulkkari (603331) on Friday March 28, 2008 @04:04AM (#22891444)

    The successful hijacking took place only two minutes into the second day of the competition, after the rules had been relaxed to allow the visiting of websites and opening of emails. The TippingPoint blog reveals that the vulnerability was located within Safari, but they won't release specific details until Apple has had a chance to correct the problem. The winner, Charlie Miller, gets to keep the laptop and $10,000.

    In other words this guy most likely found a security bug in Safari, but instead of reporting it directly, made an exploit and waited for a hacking contest to get a monetary benefit out of it. A real hero. Or maybe he was just quick. Which seems more plausible?

    • Re: (Score:3, Insightful)

      by Weedlekin (836313)
      "In other words this guy most likely found a security bug in Safari, but instead of reporting it directly, made an exploit and waited for a hacking contest to get a monetary benefit out of it."

      So what if he did? As somebody who uses a Mac (and Linux, and Windows XP), I'm much happier with him having taken this route to gaining from the exploit than the one so many Windows hackers use of putting it up for auction to the highest bidder, or the Month Of Apple Bugs tactic of making exploits public before giving
  • by shatfield (199969) on Friday March 28, 2008 @05:57AM (#22891890)
    I am worried that Apple is assuming too much about the security of the Mac OS X operating system. I am a long time user (since first beta) and it has been an incredible ride, but I'd really like for Apple to "step up" and take this bull by the horns and let the world know that they are very serious about security and eliminating *any* means of intrusion, either automated or user driven... and not just rely on the FOSS community to remedy the security problems in the software that they have incorporated into the OS.

    Just as long as they don't implement some Vista like "Allow or Deny?" crap... God that would drive me *nuts*!
  • by DECS (891519) on Friday March 28, 2008 @06:36AM (#22892086) Homepage Journal
    While the quick win makes for a perfect headline and reflects the Hollywood image of "hackers" that twiddle on a keyboard and almost instantly "access the mainframe" while a counter runs in the background, a more intelligent question is: why did the Mac get hacked first, and why was the attack so quick?

    CanSecWest and Swiss Federal Institute of Tech Deliver Attacks on the Reality of Mac Security [roughlydrafted.com]
  • Ho-hum (Score:3, Insightful)

    by Anonymous Coward on Friday March 28, 2008 @08:23AM (#22892764)
    The thing I enjoy most about the responses to this article is the rather predictable "Ha, so Apple DOES suck!!! Take that fanbois!" responses. It's certainly true that this is an important find and that an exploit in the wild is something to be concerned about. But the point of this is really that there's no such thing as a secure OS yet (and there probably never will be). Not unless you've removed the power source from your system, encased it in concrete and sunk it to the bottom of the sea.

    The perceived general level of security in a system can be directly correlated to the most recent compromise of that system. The fact that the Linux and Windows systems involved in this contest have not yet been compromised does not indicate that they are more or less secure in a general sense than the Mac. It does indicate that no one has found the vulnerability that inevitably lurks within the kernal or a piece of installed software on those system. But rest assured, the exploits are there.

    "FireFox is more secure than IE", you say on Monday. Then Slashdot posts "HUGE FRIGGING HOLE FOUND IN FIREFOX: DOOM!!!" on Tuesday. And suddenly the absolute statement you've made sounds silly.

    If you don't believe this is true, try this: get hold of a system exactly like the ones currently considered "unhackable" in the contest and disable any automatic updates (and don't install any manually). Wait three months and then compare that system against one with the most recent updates. You're sure to find that your unhackable system is now full of known exploits and security holes.

    The systems we rely on today are very complex and in a very real sense cannot be completely understood. There are techniques that can make them generally more secure and all of the OS developers are working to bring these features online every day. Some are better than this than others (or so it seems), but they all do it. Even Microsoft. But the thing about security is this: the bad guys only need one hole and the good guys have to cover all the bases.

    The only real security in a system comes from user practices, not software. If you don't install updates on your system, it will be vulnerable. If you don't consider HOW and where you use your system, it will be vulnerable. In other words, the core component in a secure system is YOU.

    It's probably true that there is a "most" secure OS and a "least" secure OS right at this moment. Take a guess which is which and you might even be correct. But there's no absolute answer that will be true tomorrow. We need to stop with the absolutes and "MY FLAVA ROCKS YER FLAVA" hyperbole and start to think more like real security experts do. The next big hack for your favorite OS is just around the corner. And there's no doubt about that.

This file will self-destruct in five minutes.

Working...