MacBook Air First To Be Compromised In Hacking Contest

Multiple readers have written to let us know that the MacBook Air was the first laptop to fall in the CanSecWest hacking contest. The successful hijacking took place only two minutes into the second day of the competition, after the rules had been relaxed to allow the visiting of websites and opening of emails. The TippingPoint blog reveals that the vulnerability was located within Safari, but they won't release specific details until Apple has had a chance to correct the problem. The winner, Charlie Miller, gets to keep the laptop and $10,000. We covered the contest last year, and the results were similar.

Re:Identical articles

[Anonymous Coward]

Something else the same that should be pointed out: Microsoft sponsored the contest both times. It is important to know where the money is coming from [slashdot.org] (and who is writing the rules [wired.com]).

Owning Beauty

[goombah99]

Ownership (no pun) was the key to understanding this. I real contest would have let the winner (the first to hack in) keep one of the computers they did not break. The contest doesn't measure much when the competitors target the one they want to win: the sexiest machine so they attack it.

Instead if they had a choice they would attack the weakest machine and you'd see people voting with their feet as to which machine was the weakest. An actually measurement.

instead you got a beauty contest. Which apple apparently won.

Re:Owning Beauty

[goombah99]

You forgot to factor in the $10,000 cash prize.

And you forgot the prospect for employment. Hack a mac and you put it on your resume, hack a PC and no one cares or worse thinks your are a script kiddie.

More to the point, what you can't measure here is the real world vulnerability. I cringe at keeping my Linux machines up-to-date and protected. I rely on firewalls not themachines. With the machines, which are production machines, it's huge roll of the dice to try to apply a patch and descend into dependency hell and discover over the next week which parts of your production got broken and which need compat libs and so on. With my fleet of macs, I don't hesistate to software update (well actually, unless the vulnerability is rampant I wait a week cause even apple screws the pooch. But just a week, and then you know it's safe.)

SO in the real world macs are highly patched. MS can be and it's only a wee bit harder. (And when they fuck up (SP1) they go big, but it's mainly a function of your hardware.) Linux requires real expertise and knowledge of how your specific magic mixture of packages will be affected.

Re:Low? What's Low?

[Anonymous Coward]

They implemented the Biba Integrity model [wikipedia.org], which isn't exactly slapped together. The idea is that the data that comes from the web is untrusted, and therefore is of low integrity. Data from the system itself is trusted, and thus of high integrity.

A low integrity process cannot write to a high integrity process, so bad information (like malware) cannot get to the system. Likewise, it cannot write to any medium integrity objects (windows, files, processes, etc.), such as those owned by the user running the browser. This means that a buffer overflow exploit in a plug-in will not allow the code to write to the filesystem outside its sandbox, nor will it be able to do things like hijack your homepage.

Of course no security system will prevent you from entering your CC# into a fraudulent online store, so it still has to have a phishing filter.

dom

Tags?

[dreamchaser]

If a Vista machine had been first there would be a 'haha' tag on this article, as well as on yesterday's article talking about how MS issues patches faster.

Just sayin...

Safe Browsing for real

[Heembo]

Parents are still in safe browsing grade school. Let me help you get right to the PhD level of safe browsing - http://www.tssci-security.com/archives/2008/03/25/security-and-safe-browsing-for-firefox/ [tssci-security.com]

A real hero

[Fulkkari]

The successful hijacking took place only two minutes into the second day of the competition, after the rules had been relaxed to allow the visiting of websites and opening of emails. The TippingPoint blog reveals that the vulnerability was located within Safari, but they won't release specific details until Apple has had a chance to correct the problem. The winner, Charlie Miller, gets to keep the laptop and $10,000.

In other words this guy most likely found a security bug in Safari, but instead of reporting it directly, made an exploit and waited for a hacking contest to get a monetary benefit out of it. A real hero. Or maybe he was just quick. Which seems more plausible?

Re:Identical articles

[daBass]

No, he said it had a reputation, not what that reputation was nor wether he agreed with it.

Congratulations sir. Apple hating Slashdotters' capacity for misquoting for libelous use and getting modded "insightful" for it never ceases to amaze me.

Alternate headline: Mac last hacked IRL

[sootman]

My teenage son can demolish any PC in an afternoon of unsupervised surfing. My neighbor's Vista box barely runs; God knows what they've got on it. (Unlike the Ubuntu box I let them borrow for two years before they bought their new Dell 3 months ago.) The Mac mini my son uses to surf (when he's allowed) runs as well as it did two years ago and I haven't even run software updates on it. (No sense mentioning it has no antivirus software either.)

I don't care if it's spyware, adware, a virus, a tray icon, or or even just a simple browser toolbar or homepage or search-engine hijacking; or if it's installed manually or via drive-by methods--whether its due to small market share, inherent (UNIX) security, or something else, I will continue to argue that Mac and Linux are the better platforms, IN PRACTICE, for the average user.