MacDailyNews - Where Mac news comes first

awesome, i gotta get coding. although the more i think about it the more i realize that its gonna be really hard.

i think this is a great contest. its not going to hurt the general public using OS X, and it will finally put the "security through obscurity" myth to rest.

ill bet a dollar that the winner, if there is a winner is an old UNIX virus updated to do what needs to be done for this competition. small, quick, go through some old forgotten UNIX hole (yeah there still there, ya just gotta look in the right places).

if apple legal is smart they will let this go. i dont think they really give 2 shiats anyway.

With "friends" like this...

This has got me thinking: Mozilla offers a $500 bug bounty for security holes, why can't Apple?

Conditions, obviously, are that the bug has to be given to Apple for evaluation, NOT BE RELEASED in the wild, not go public until Apple has a fix RELEASED, and, to make it look good, maybe involve an external auditor.

The person winning should be acknowledged publically, and for first submitter, be given at least $1000, maybe $5000. And the contest has run for a really long time - at least a year or two, ideally forever.

This way Apple gets product improvement at a modest price (compare that to a formal security audit's cost in staffing expense). The downside is Microsoft could do the same thing, but it generally takes them 5 years to reverse engineer/steal/buy, and another 5 to do it properly.

The upside is that any legitimately curious guys targeting Apple would be redirected to get their publicity legally, and be compensated, i.e. effectively hired. By reducing the appeal of the illegal virus, all Mac users win. This also should have the effect of keeping the, so far, perfect score of 0 viruses released in the wild for OS X a bit longer.

(tangent: surely this perfect score is going to be compromised by people failing to upgrade, at some point, so we can't get too cocky.)

executive summary, courtesy of MDN:

While no computer system is ever perfect, the number of exploits to date is instructive:

IntDows (windows) 68,736 viruses et. al. in the wild (they are in the wild, right MDN?)

OS X 0 (yes *** ZERO ***)

we have to keep HAMMERING PC people with this.

It really would have to be a "cash" payment, as the hacker slinks off into the night.

Sounds like great fun to me, and it can only be good press for osX. Even if someone manages to create a bug that will autoexecute on a mac, it is still 500,000 to one, windows over mac.

Not that it is hard to avoid viruses no matter what the platform.

You guys are all worrying over nothing! This contest will NOT be won and NO ONE will claim the $25K. They're simply NOT GOING TO BE ABLE TO DO IT!!

I bet Apple will have an executive meeting sometime on Monday to think this through verrrrrrryyy carefully. Because their coders have to know that the odds are stacked SO LARGELY in Apple's favor that this just might be a dream come true. Imagine, after this contest ends WITHOUT a winner, Apple gets all the benefit from the buzz in the press and on the bulletin boards -- and STILL they won't need to put their own reputation on the line by advertising the Mac's inherent strength against virii.

I bet Apple let's this contest ride!

cptnkirk, G Spank, You Punks,

I agree 100%.
What are we afraid of ?
When Symantec spreads FUD we all go nuts in the forums saying OS X is rock solid.
When a PC article mentions the security through obscurity myth, we all go crazy.
But when it comes to prove it, who really stand up for their ideas ?

Symantec illegitimately tries to TAKE MONEY FROM YOU for protection software you don't need.
On the other hand, a guy GIVES AWAY a large amount of money if you can prove him wrong.

I see this as a chance to stop the false rumors that hurt our platform.
In the worst case, it is a challenge to Apple for making an even more secure OS.
What are we afraid of ?

Magic word: "Believe".

There sure are a lot of bored Mac geeks on a Saturday morning.

Oh Ye of little faith....

I'm really surprised at the number of people here who have negative comments about this. I would think a true-blue Mac head would cherish the thought of a contest like this. I recall when a web site in Denmark (?) offered $10k to anyone who could deface a web page hosted on a Mac, I was elated, and 10 times over once the contest expired and the web site was untouched. I for one believe that their $25k (and the $50k) is, as someone said, as safe as if it were in Ft. Knox. And just because the one who offered it is known for publicity stunts, so what? Mac OSX could use a little publicity.

As someone I admire once said... "Bring it on".

пустая головка

Which keys on your keyboard type letters like that ?

I'll bet $5 that his $50,000 is going to be quite safe.

What happens if they actually succeed?
Will this be start of the new virus era for OS X?

Please read my l;etter to Mr Campbell Below:

I here MR Campbell has a competition to write a virus for Mac OSX.
May I suggest he looks carefully at the legal aspects of this.
If someone writes one can you be sued? It would seem that you can be locked up for inciting a riot... The incitier doesn’t actually do the rioting or do the damage but pays dearly for it in the court system.
Maybe you can have the same thing happen if you incite someone to damage other peoples computer systems through a virus... I would suggest you look closely at this as I will actively be emcouraging other systems users too with the possibility of doing this. Please contact your lawyers as I will be contacting mine first thing on Monday to discuss this.

Gaga,

If it is meant to happen, it will. Accept your destiny.


Anyway, let's not act like ostriches who hide their head in a hole to avoid the storm.

If there is a fault in OS X, it will be exploited one day or the other.
The sooner it is, the faster it will get fixed.

I took TheRealist's advice and had another alcoholic beverage and went back to sleep thinking I would change my mind after I woke up... it didn't help.

Link to crack a mac contest 1997
http://db.tidbits.com/getbits.acgi?tbart=02166

I find DVForge's contest in extremely poor taste. To show my dissatisfaction, I vow NEVER to purchase any DVForge product and will promptly return or throw away any that are received as gifts. I sincerely hope others that feel likewise will do the same.

Contest is cancelled.

Really too bad in my opinion.

http://www.dvforge.com/virus.shtml

On the website:

"Liability Statement

We do not endorse the creation or distribution of computer viruses. U.S. and international law, as well as simple good judgment forbid the transmission of computer viruses."

As I recall, a Swedish Mac dealer or VAR offered a $10,000 prize tothe first hacker who successfully cracked the Classic Mac OS at the time. No one got anywhere until some clever fellow found a hole in a web-related application and the developer of the application isued a patch about 3 weeks later.

Apple did not sic its legal beagles on the Swedes who set up this earlier contest, so why should they do so now?

At any rate, kudos to DVForge for calling Symantec's bluff!

MW = required. As in proof of allegations of security vulnerabilities are required by the Mac community.

THE CONTEST IS CANCELLED.

Does anybody think, just because someone has offered $25,000 for this that there has never, or will never be , a jerk who can and will try to write a workable virus for OSX????????????????????

If you think that, then you obviously have no idea how many malicious sociopaths there are out there who will happily do it FOR NOTHING!

Does it put a "target" on the back of OSX? Maybe.

In the real world, it has always been there!

And always will be because evil SOB sociopaths have always existed in the world, and will always exist.

Can someone write a virus for OSX? You have to believe it is possible, but why has no one done it sucessfully? It will always come down to that question. Personally, I do not believe in magic although I believe in miracles. But miracles only come from the good, not the bad.

Dirty Harry(Clint Eastwood) said: Make My Day, Punk.
Was he bragging when he said it? Depends on your basic beliefs, but Babe Ruth said: it's not bragging if you can do it.

The writers of OSX may have done it.

Time will tell, but I will bet on OSX over any existing alternative.

Thanks, Seahawk, as always ,you explain complicated things in understandable language. The threat that you pose to the dumbasses always brings them out of the holes. That is a good thing. You always benefit by knowing more about your opponent.

Why is it that a teenager who creates a virus for windows is tried and sent to jail, while anyone who writes a virus for OS X is rewarded? There is something very wrong with all of this. I'm very tired of hackers treating virus creation like an achievement. It wreaks havoc on people's lives, and for what? People (like me!) who depend on their computers to make a living can't afford a contest like this. This is a crime in progress and should be stopped by the law.

I like my OS X just the way it is: Secure and Obscure!

DVForge Inc.,

It was a great idea, and you guys are very brave, and great supporters of the Mac community.
I hope you find a way around another time.

Did you speak with Apple at all ? Or did they speak to you ?

DVForge rescended the contest! End of thread.

To the people who think they remember the web site challenges...

There were several such challenges. Some had the prize as free pizza. Some had the prize as high as $10,000 cash. Some had a challenge to change data in a data base. Some had a challenge of replacing the home page. Some had a challenge of changing anything on the web site.

Of all the challenges (pre-OS X) that were done concerning Mac based web sites only one had to give up the prize money: $10,000. The organization setting up the prize was in Sweden. The challenge was to change a web page on a server directly connected to the Internet. The ONLY thing you were not allowed to try was physically breaking into their company and physically touching the computer. All other attacks on the computer were explicitly allowed. The winner (IIRC) was from Australia. He got in and changed the web page (the actual challenge) by getting into the data base through a whole in a product called Lasso. He got his money. The company (Lasso's developer) issued a fix for the whole within 24 hours of notification.

Thus the web site security on Macs has stood at ONE successful hacking versus thousands upon thousands of attempts.

I believe there will eventually be visruses, trojans and worms for OS X. It is only a matter of time.

However, it is inappropriate for anyone to set up a challenge like this to encourage and hurry the process along.

The point is this in talking with people who are bigotted against Macs sometimes the only thing that makes them pause is a very black and white response. They jump on even the slightest gray area as a weakness in the Mac.

So the concept goes like this...
Can any knowledgeable person honestly claim no Mac based web server has ever been hacked? No. (In the anti-Mac bigot's mind one hacking allows for the possibility of millions of hackings in the future.)

Today, can any knowledgeable person honestly say there are no, in the wild, viruses, trojans or worms for Mac OS X? YES! (In the anti-Mac bigot's mind this means it will definitely happen in the future. But in the discussion it must be left open that it may not happen for many years.)

To encourage the change of that purely back and white answer is not something I want to see soon. There are many times I have talked to people over the past couple years that the only time they pause in their diatribe against Macs is when I can honestly say "NO!" to that question. (Most of the people I talk to know I track this stuff rather closely and honestly state such things as the single web site hackings in Scandinavia.)

To have to change the answer to that question to "Yes." someday will severely weaken the pro Mac argument. Even saying "But there was only one." holds significantly less weight than a simple and succint, "NO. None. Not ever." In the anti-Mac community's minds one break in allows for the possibility of millions upon millions of break ins.

A new Virus on Windows = Microsoft does nothing. They probably like it that way !

A new virus on the Mac = Apple will do their best to solve the problem within hours and they will probably hit themselves for not having spotted the hole before. Because they care for the user.

M$ doesn't give a shit. And this is why, montex, a teenager who writes a virus for Windows will be sent to jail by Microsoft lawyers. That, they're very good at.

On the other hand, Apple may thank a hacker for pointing out a fault in their OS. Apple may not be perfect, but I think they have the right attitude because they care about evolving, improving, becoming better everyday.

I say Bring It On!!!

Check out Jack's Picture at the below link...
http://www.dvforge.com/directors.shtml

Additionally, I really like Sure Am Releived's proposal.

Apple should put a bounty on security holes in Mac OS X. The bounty should be significant and should scale as the severity of the security hole found. An fatal hole (such as one which would allow the attacker to change the OS itself, delete files at will, etc.) would rate a large prize, maybe $20,000 or so. For a security hole which causes a program to crash but upon program restart the program and the data files associated with the program are fine (and the OS is always fine) the bounty could be as little as $500. However, the prizes (bounties) should be sizeable. The worst case scenario prize should be at least $10,000 but would be even better if it were $50,000 or more.

Apple should run this as an open program -- forever.

The conditions would be somewhat as Sure Am Relieved stated:
The developer who finds the hole must contact Apple and no one else about it.
Apple enlists a trusted third party to review the submission as well as Apple reviewing it internally.
Within 72 hours of verification of the hole by both Apple and the third party the developer get's paid the prize money.
Within 48 hours of Apple issuing the fix the developer is publicly acknowledged for finding the hole.
Apple has a maximimum of 180 days to issue a fix. Apple might issue a fix in a couple days, but Apple has a maximum 180 days to issue the fix.
If Apple has not issued a fix within 180 days the developer gets to announce the hole publicly if he/she so desires.
If Apple has not issued a fix within 180 days the developer who found the security hole can issue a patch themselves if he/she so desires.

Apple could even run a similar program internally to Apple for Apple employees. However, people could not be awarded bounties in areas where they are working (i.e., people who are working on the micro-kernel could not get bounties for finding holes in the micro-kernel) as that is what Apple is paying them to do already. However, if people find a hole far outside their area of responsibility (such as a programmer working on the micro-kernel finding a hole in a printer driver) they should be rewarded.

Either saying, or not saying: "Bring It On" , or "painting targets" has no bearing on whether there will or will not be someone attempting to write the workable virus. My guess is that there have been hundreds, or many thousands of attempts ,some of which probably by those same kids who download the Windows virus writing kits and think they can make themselves famous by writing an OSX virus.

And make no mistake about it, if someone wrote a workable virus, it WOULD make all the network news and that person would be famous overnight, and to a lot of them that matters more than money.
(Although, they usually assume that money will automatically follow fame. Dumbass!)

But then dumbasses gravitate to writing Windows viruses, not because there are a lot of Windows computers, but because it is EASY!

What really blows my mind is that after reading Seahawk's explanation of the mathmatical improbabilities of an OSX virus spreading even if it does exist, people still fling out the Obscurity thing. I can't believe that!

Maybe they believe in random magic, like people who believe that trees jump out in front of cars. Just because a tree has never jumped out in front a car before does not mean it will not do it in the future, yada, yada, yada.....so, some dumb 15 year old will find the "magic" key combination that brings down OSX. Happens in movies, but having spent all my life in either auto racing or martial arts , and having seen every movie ever made about both subjects, Hollywood must be genetically incabable of getting ANYTHING right, so I put no stock in popular opinion unless I see real evidence. After 4 years of OSX, and with it becoming more secure, not less, I am not seeing it.

Ok.......... believe what you want, but I won't live my life in that kind of fear. I will bet on OSX, thank you very much, even if somebody does accomplish a minor temporary crack at some time in the "randomly ordered future"

Only 4 comments out of 60 mention Jack Campbell- YOU NEED TO DO YOUR HOMEWORK!

Check the messenger here folks ...

Jack Campbell's going to pay $25,000 or $50,000 out of his own pocket??? ....... that's a sick joke

THERE WILL NEVER BE ANY PAYOUT OF ANY PRIZE MONEY- THIS GUY IS A SCAM

honestly, if a hacker broke into OS X with a virus, he/she would be FAMOUS! If anyone out there thinks that isn't a MAJOR motivating factor in writing viruses (virii?) then you got another thing coming. People have been trying for years now to write a virus for OS X. It's just that noone has succeeded. This contest doesn't really change what people are already trying to do.

From the article:

"No trick, no hidden barriers... just two open internet connections to two non-firewalled, unmodified, bone-stock OS X 10.3 Panther systems, each tied directly to the 'net by a T-1 line."

I hate to say it, but with a setup like that someone's probably going to get through. Anybody STUPID enough to hook a bone-stock system to a high-speed Internet connection, sans firewall and security updates, DESERVES WHAT THEY GET! I don't care which OS they're using! This is as basic as seat belts in a car: for safety you need to buckle things up.

Although to Apple's credit, it'll be interesting to see how Mac OS X holds up even without being locked down. Everyone knows a Windows setup like that would be down in short order. Wouldn't it be fun if they set up a couple of bone-stock XP boxes alongside the OS X machines, and tracked the results.

Look I think they are right in making thing clear. They should not be on there own saying either.

I think it's legal to participate, because you don't need to write code that will harm the machines, you just prove you can do it by getting it onto the machines.

Well, shucks. I'm very disappointed they had to cancel.

And, Shadowself, I think I remember the Mac challenge from the web site in Sweden quite well (but maybe not well enough to recall *where* it took place). Could you be so kind as to point me to a link or two to support your memory?

Has anyone not noticed what date this next Friday is?

Uh... The fact that there have been 0 virii and you're paying sb 25 grand to write just ONE.. kind of lays it to rest anyway..

If this competition were actually to be continued (it has been cancelled), and an actual virus was released and the author went to claim his/her cash... Well there would be legal action, right? (say yes now).

Mac user base not growing, or even shrinking because the one _really_ big advantage the Mac has over Windows was removed, well, watch software development for the Mac go down some more.

This guy is (was) effectively contracting for illegal activity. Now we boycot his business! what a f**kwit!

How quickly we forget that NSA loves Macs and Mac OS X and that Apple was security certified for government use:

http://www.maccompanion.com/ExpressionEngine1.2/index.php?/macCompanionModern/comments/sit_down_and_enjoy_a_snac/

I still believe that one of the reasons that there are no viruses for the Mac OS is that you have to know an OS well before you can write a virus for it. When a potential virus writer starts to learn OS X the chances of him falling in love with it and deciding he doesn't want to harm it after all are great.

What this tool Jack Campbell has done is provide a reason to know OS X well and love it and STILL have a reason for going through with it and harming it - 25,000 reasons to be exact. He is either an idiot or a self serving con artist.

(apparently I don't have enough to do today )

1. We have to be careful about tossing figures around. The figure of 68,736 appears to be from

http://securityresponse.symantec.com/avcenter/download.html

and, by the way, its up to 69,225 as of today (vs 69,224 yesterday, if you care).

But this is from a company, Symantec, that we're correctly slamming for FUD. In other words, we should be very skeptical of this figure, since it came from a highly disreputable source (just like we should be skeptical of everything that comes from the Microsoft Felon).

It also isn't clear if this figure includes "mac viruses".

2. The flip side of point 1 is what does Symantec say about the Mac? We know there are no exploits in the wild, but lets hear it from the mouth of the lying horse:

http://www.macworld.com/news/2002/05/28/virus/index.php

A symantec spokesperson claims there are over 7,000 macro viruses that can hit both Macs and PCs. He doesn't mention it but none of them are in the wild on OS X (more FUD, this time through omission).

On the other hand, based on the track record, it is also a safe bet that a good bunch of the 69,225 aren't in the wild either.

3. From another source:

http://www.macobserver.com/editorial/2003/08/29.1.shtml

Nai (McAfee's holding company) reports that there are over 71,000 viruses as of August 2003 (now its "over 100,000"). Presumably this is for all platforms, not just Mac and Intdows.

At the time, the author was able to do filtered searches (it appears this feature has been removed), and filtered out Macintosh, producing 612 viruses. Sounds awful, right?

They include hoaxes, unbelievably, in my opinion. In other words if some fool/anti-mac bigot starts an urban myth about macs, and enough mindless minions pass it along, it gets logged as a virus. Now I agree this stuff should be tracked, but putting it in the virus database seems to be rather aggressive. On the other hand, having worked in an office of a high tech firm containing people who should know better, and having said people forward this drivel, perhaps I'm being harsh.

I'm beginning to see how the figures get so high though.

Stripping out the hoaxes leaves 580 all of which are old office macro viruses or mac os classic viruses, leaving, 0.

4. I decided I would try and reproduce the search. A search at McAfee for os x resulted in 77 hits.

I have no idea what criteria they use for searching, but I suggest they go back to the drawing board. After filtering out Intdows (most of them), hoaxes and bunch of sybian phone viruses, running a google search for some of the viruses that didn't have any description for some odd reason we're left with 3:

(notice that none of the microsoft macro viruses are listed for anything > word 6, i.e. OS 9)

#1 http://vil.nai.com/vil/content/v_125299.htm

The fake ms-word script that deletes a single user's files (but doesn't spread).

So, the message here is that these counts include absolutely anything bad, and, using this criteria, the mac has a piece of malware, already. Notice that it doesn't corrupt the o/s, also.

Obviously, be careful about running stuff you pull down off p2p networks, get through email....

Apple can NEVER protect against this.

It seems the criteria for getting on the list is popularity/widespread distribution, which is fair, as long as they use a reasonable definition of popular/widespread.

#2. http://vil.nai.com/vil/content/v_129163.htm

discussed at

http://www.macworld.com/news/2004/10/25/opener/index.php

tons of detail at

http://www.macintouch.com/opener.html

this is opener, which requires the admin password.

A nasty pile of scripting, but, as long as you are sure to not give the admin password to install a program you're not absolutely sure about you're safe (unlike Intdows, which lets this stuff run free - another thing we have to POUND the PC users on).

#3 http://vil.nai.com/vil/content/v_101173.htm

the file with the mp3 icon that is actually a program, but, beyond displaying a message it does nothing. Details at

http://www.houstonrecord.com/nation/nation_003.html

A nasty person could have combined #1 and #3.

continued...

...continuation

5. So where does this leave us?

a) Yes, we don't have replicating viruses on os x, still, after 4 years.

b) We have a nasty trojan that could have been replicating if it was widely installed but it wasn't. If you get it, and its really hard to get it (requires admin password), you will be very unhappy.

c) It is trivial to create a nasty program (always has been, always will be), and, if people are stupid enough to download it/receive it from email and run it, the malware can do anything that the user can do, without notice, as long as it doesn't need the admin password. The worst thing here would appear to be deleting all that user's files.

If the user is foolish enough to give away the admin password, the machine is compromised, and all bets are off, for that machine. This is ok, in general, since this won't spread - a whole bunch of people aren't going to give away the admin password to a bad program, quickly.

d) The numbers people are tossing around are absolutely ridiculiously inflated by disreputable companies with a conflict of interest (like, would you trust a company that lies about the threat to protect you?).

e) Personally, I think we've been spinnng this a bit (not a lot, but a bit). There are bad programs out there for macs, specifically targeting os x, but they don't spread by themselves.

Technically, they aren't viruses, but try telling that to a naive/unsophisticated user who just downloaded, say, the fake ms-word script and lost all their files.

On the other hand, symantec is being a disgusting slimeball, who should not be rewarded with revenue.

Its the old thing - balance - not too far on one side ("the mac is perfect, security wise"), not too far the other side ("the mac is going to get a ton of security problems now that they're selling more").

Kinda like a lot of things in life...

SAR: get your info on security weaknesses from:

http://www.ciac.org/ciac/bulletinsByType/bul_vendor_list.html

Hey Jack,

Thanks for cancelling that darn contest. Do you want cash or MS stock?

Regards,

Bill

For what it's worth, I am meeting with our attorneys and a couple of sharp network Unix guys on Monday to reevaluate the contest structure. If I can be convinced that there is a way to make the challenge for a self-replicating, self-propagating OS X virus that executes on multiple machines, spreads only through an Internet connection, and does so without user enablement, I will relaunch such a contest.

I am being attacke by both Windows and Mac people for stepping up and calling the bluff to this ridiculous lie that's been festering aournd the OS X platform for 4 years. I don't care about being called names. I can handle it. What I care about is that this lie about OS X virus susceptibility once and for all be put to rest.

Again, if I can structure a contest that is both utterly legal, and also sufficiently targeted at just the specific beast I am chasing, I will be right back wiht that new challenge.

Our company is doing well wiht our Apple peripheral products. I can afford the heat and the cost to contribute something back to the platform. So, I am.

It's that simple.

There have been some very knowledgeable posts here. If any of you have any suggested methodology that I can consider for such a legal/effective challenge format, I would be very interested in hearing your suggestions. I am willing to put two or more of our own day to day Macs up as targets... no problem, as I actually am convinced of the invulnerability of OS X to an in-the-wild virus attack, given the no-user help requirement.

Any ideas?

Jack Cambell:

Ideas?

Yes. Drop it.

Stop encouraging vile behaviour in an attempt to take down Mac OS X.

Seahawk:

A neutral, reputable source of information - thanks - exactly what I was looking for.

Can "Sure Am Relieved" contact me please? I'd love to get his/her research published in macCompanion for May.

Jack Campbell is a hopelessly stupid publicity whore.

We have posted our Mac Malware Status artice at

http://www.maccompanion.com/archives/may2005/Columns/MacMalwareStatus.htm

with our invitation to "Sure Am Relieved".