Contest goal: To lay to rest, once and for all, the myths surrounding the lack of spreading computer virii on the Macintosh OS X operating system.
Today, DVForge, Inc. announced the Mac OS X Virus Prize 2005, where the company is openly challenging all of the computer coders of the world to go after the $25,000 cash prize that they are offering to the first person to successfully create and deploy an “in the wild” active virus for the Mac OS X operating system.
For the contest, a ‘virus’ is defined as executable code that attaches itself to a program or file so that it can spread from one computer to another, leaving infections as it travels between computers.
For the contest, an ‘in the wild’ virus is defined as one that is able to spread as a result of normal day-to-day usage onto two or more randomly selected computers that are connected only via the internet.
Are you a clever software geek, bored, looking for a challenge for your immense skills? Would you like world-reaching fame, and, a $25,000 cash prize? Well, here’s your chance for fame and fortune. All you have to do is put a virus into circulation that makes its way onto two totally unprotected Mac OS X computers we have running in Hendersonville, Tennessee. No trick, no hidden barriers… just two open internet connections to two non-firewalled, unmodified, bone-stock OS X 10.3 Panther systems, each tied directly to the ‘net by a T-1 line. According to the PC press, picking up this 25-grand should be child’s play.
“Symantec Corporation has recently released information to the press suggesting that they believe that the Mac OS X platform is at substantial risk to a new virus infection, and that the principal reason that OS X presently has zero in-the-wild virii is simply the lack of interest by virus coders, due to the platform’s comparatively small market share,” says DVForge CEO, Jack Campbell in the press release. “We recognize that assessment as complete nonsense, and, we have chosen to make a challenge that is interesting enough to grab the attention of any malicious coder… $25,000 worth of interesting. I happen to believe that Apple should be offering this prize. But, since they have not, I will. On behalf of knowledgeable Mac users everywhere, I am putting my money where my mouth is.”
We have designated two G5 Power Mac computer systems, each running an unmodified retail installation of OS X 10.3 Panther, each located in the Hendersonville, Tennessee area, but located approximately 3-miles away from each other in entirely different facilities. The only network connection between the two systems is the internet. Both Power Macs are on a minimum 8 to 12 hour per day, five to seven day per week usage, and run any number of popular Mac software applications. Each uses OS X mail.app as the email client, and Safari as the web browser, with neither machine or its LAN having a firewall in use. Each is connected to the internet through an unencrypted Airport network, to a full T-1 line.
Each day, we will scan both Power Macs for the presence of an OS X native executable virus, using a commercially available virus scanning utility. The day we locate a copy of the same virus running on both Power Macs, that virus is the winner of our contest.
To win the contest, the person coding the virus must submit an email notice to us with a transcript of at least 32 contiguous characters of code included in the virus, a brief description of the functionality and symptoms of the virus, and contact information for contest notification and payment of the $25,000 prize. The prize will be awarded to the person whose 32-character code sample, and functionality and symptoms description match the actual virus detected on the two contest Power Macs.
There has been much misinformation publicized recently about a supposed risk to the OS X operating system from virus attacks, with the ‘risk’ supposedly increasing as Mac computer sales are increasing. As a Mac dedicated business, and as a group of long-term Mac users, we know that these warnings are not true, and that there are a number of fundamental safeguards against virus attacks that keep the OS X operating system without its first in-the-wild virus. The ‘small number’ of Macs has nothing to do with the lack of virus incidents. It is the architecture of Apple’s operating system that protects its users from these bugs.
We are operating this contest until midnight July 31, 2005. Should the conditions for winning be met prior to that time, we will immediately award the $25,000 payment to the virus developer who succeeded in cracking the Mac’s inherent immunities.
Prize Doubled For Symantec
DVForge, Inc. has specifically invited the programming staff at Symantec Corporation to participate in their contest by creating and successfully delivering an executable virus to the two contest Power Macs. Should an employee or independent contractor of Symantec corporation win the contest, they will double the prize to $50,000 for that person.
Complete details on the DVForge Mac OS X Virus Prize 2005 contest can be found at http://www.dvforge.com/virus.shtml
Related MacDailyNews articles:
DVForge cancels Mac OS X Virus Prize Contest – March 26, 2005
Motley Fool writer: ‘I’d be surprised if Symantec ever sells a single product to a Mac user again’ – March 24, 2005
Symantec cries wolf with misplaced Mac OS X ‘security’ warning – March 23, 2005
Symantec’s Mac OS X claims dismissed as nonsense, FUD – March 22, 2005
Symantec warns about Mac OS X security threat – March 21, 2005
68,736 Microsoft Windows viruses vs. zero for Apple Mac’s OS X – March 12, 2005
Mac OS X has no viruses; what’s wrong with Windows? – February 11, 2004
BriA: sorry, there is no ‘security through obscurity’. It is a misused term turned into a PR spin by detractors of the Mac relating it – wrongly – to market share. At least here let’s put things straight.
The term “security through obscurity” has no relation whatsoever with number of machines but to unavailability of a particular OS API. The security comes from the less know or not know at all details about an OS. If you do not know how it works then it is SECURE because it is OBSCURE.
Security through obscurity could be achieved even with a ball park of BILLIONS of machines online if the manufacturer and OS provider succeeds in not making the source code of the OS available and/or prevent reverse engineering.
This, obviously, is not at all the case with OS X, with its BSD Unix guts. Nothing could be more shining for a cracker than a Unix based OS.
In this sense, Windows is more obscure than OS X as Windows has some innards that are not publicly available while Darwin – the OS X guts – is an Open Source project. Nothing could be less obscure than OS X.
Having said this, ie, that “security through obscurity” is an IT nonsense when talking about anything Unix, OS X included, the security OS X enjoys, luckily for all of us, has truly nothing to do with OS X having a small market share. The only thing this will have an impact on is the infection rate at its peak should a virus for OS X emerge one day.
The inherent pre-condition to make virus making meaningful targeting a particular OS is how easy is to spread a virus. In order to do that the virus HAS to find the very same configuration machine after machine. If a slight change in what the virus NEEDS to find an a computer in order to infect it should be present then the virus operational mode would be undermined and probably prevent infection and/or spreading.
Now, Windows ensures that all and other PCs around are essentially the copy-cat installation of one another. On the Unix world this does not happen and it is inherent to Unix. Finding two Unix run machines with the very same configuration amounts almost to a miracle. This alone explains why on Unix and Linux the rate of infection is a single digit even at peak infection, roughly 5%.
On Windows it is well over 60%. This is what makes Windows the favorite target for crackers. Windows would sport higher infections with respect to OS X even if Windows market share was at 5% and OS X at 95%. Crackers would STILL go after Windows as they would get more machines infected there (both as absolute value and in percentage), hence more outcome, than with Unix or OS X.
Windows, thanks Bill, is the best ever anti-virus product of all: it attracts them all. With Windows around, a cracker would have to be stupid to go after another OS. AND this will not change even with a reversal of fortune turning Windows into a niche 5% market.
You want to infect lots of machines? Go after Windows, no matter the market share.
To “You Punks…”,
You’re a clueless moron. OS X will NEVER have anywhere near the problems that Windows has, but no one ever said there will never be ANY viruses for it. I’m quite certain there will be someday, but there’s no need to expedite it offering money to do it. Besides, that it’s not his product. Maybe he should offer $25,000 to the first person that can redesign his “The Mouse” so that the cursor can go slow enough to use actually effectively use it, or make the buttons easy enough to push that the cursor doesn’t move off of what you’re trying to activate. Those would both be much better use of $25,000.
You punks….
“put your money where your mouths are”… puuuullllllease
I have… and the day that my mortgage, gas, electric, phone, cable, food and clothing bills… as well as my childrens educational and hopefully one day my daughter’s wedding expenses are sent to your address for your prompt payment is the day I will agree with you.
I have never believed that OS X is completely secure… no software system EVER is. I have a computer engineering degree as well as 24 years of control and protection system design experience. I design networked and embebbed control and protection systems that people’s lives depend on which are MUCH more secure than any commercial OS available to you or I. But we still realize that our systems are fragile and “breakable” by the nature of software design. One of the first lessons that we learn is to take the attitude that we are not immune. I would hate the day that someone offered money to compromise the safety of say…. a nuclear power plant control room or.. ummm… an air traffic control room… or.. ummm. an automatic train protection system to name a few. I just don’t see the difference here…. sorry.
You lose your argument when you resort to name calling… I thought your mom would have taught you that at an early age.
Having said that, I too do not like the idea of putting a big target on OS X. Still, when the deadline will come and no virus could claim the prize, maybe some pundit will stop saying that there is no incentive to write viruses for OS X.
AND, maybe, Symantec people will stop spreading FUDs if even them have not been able to collect $50000 from the contest.
Incidentally, there was a $10000 contest to deface a web site run on a Mac server. No one ever has been able to collect the prize.
Last comment: the contest asks for the virus to infect the two specific machines. That means that a virus a la MSBlaster has to be written from here to the deadline. That means something that enters a door, when by default they are closed in OS X, penetrate the machine without user intervention, install itself without user intervention, replicate without user intervention, spread without user intervention.
Sorry guys, call me crazy. I still do not like this idea but those $ are more safe than if they were at Fort Knox.
Fatty Arbuckle,
Thanks… i stand corrected for my spelling error, it’s greatly appreciated.
I just didn’t realize that DVForge owned the keys to the home. You need to read his offer and understand that he is asking for the virus to be let lose on the NET and not just to his isolated machines. If and when his machines are infected is when he will pay out the prize money.
This is a really dumb contest. Let’s encourage people to cause damage to other peoples systems. Let’s encourage all the young people to do illegal software encoding. That’s really brillant, NOT!!
Note: Unless they have the admin rights to the machine it’s impossible.
OSX will not let you install without the admins password.
This is not Windows!
From the ‘contest’ page: “Your virus may be put into general circulation on the internet. Or, it may be sent by email to virus@dvforge.com.”
I wonder if he thought this through before starting up this contest.
John: and even the admin pass will not be enough. For that kind of things the machine must have the root account enabled and they have to crack the root password. Those guys said: “unmodified retail installation”, that means that not even the BSD Unix package is installed on those machines.
Without user help the OS X vanilla installation is simply not a breeding environment for viruses of any sort.
I’d have felt a lot better if the two target machines were on an isolated network and submissions from the contest were accepted via email on a third machine then physically moved to one of the targets for testing.
As written, the rules seem to require the release of a virus onto the public network… a criminal offense, even if it does no “harm.” Even if it’s intended to be benign, bugs can cause serious problems. And if such a “harmless” virus is released, people will still spend a lot of time, effort and money to eliminate it from their machines rather than trusting a virus writer who asserts that it’s not going to damage anything. Not to mention someone who might reverse engineer it and modify it into something with a devastating payload.
In short, this is perhaps an interesting idea but recklessly implemented.
Yes I think the contest will get shut down. It is called a publicity stunt. A pretty fun one if you ask me – one that Apple couldn’t do for the obvious reasons.
This guy just bitch slapped Symantic in front of the whole world. Doubling the price to Symantic employees – brilliant! The contest will be taken down, no programmer is going to spend time without the cash payoff so no harm is done.
The local game warden had been told that a local man had been fishing with explosives, in violation of the law. As the man was poor, with a large family to feed, he decided to go fishing with him and warn him rather than lay in wait for an arrest.
Fishing day comes and the man in question is throwing surplus hand grenades in the water and scooping up the dead and stunned fish with a net. The game warden starts rambling about how what he is doing is illegal and how he should really stop. The fisherman looks up, pulls the pin on a grenade and hands it to him. He then asks the following question:
“Son are you going to talk, or are you going to fish?”
DV Forge has just pulled the pin on a grenade and handed it to Symantec. Well Done. Put up or shut up.
this has got to be a hoax. And yes, for those of you who are wondering, it IS an apparent violation of The Computer Fraud And Abuse Act, Section 1030. See it here:
http://www.panix.com/~eck/computer-fraud-act.html
Here’s the thing: the way the law reads, it is a violation to assault a protected computer without authorization in order to cause some kind of disruption or other damage. If DVForge is saying “here are our unprotected computers, please hack them at your leisure” then that, the way I’m reading it, is not illegal. Now if the hacker(s) should happen to infect a few other computers along the way, THAT’S a different story. And if this thing happens to wind up infecting a government database of any kind (state, county, municipal, and god help you if it’s federal), I would think you’re looking at some very serious consequence.
just my opinion…
How mentaly sick you can be, behind a computer …
I agree in spirit with “You Punks”. This contest is manly, it’s awesome, and I as a Mac owner and shareholder welcome it. All the windows advocates, and I am including MS itself in this, are scared as hell of this contest, and so are a bunch of Mac-heads in this forum. What both factions are scared of is the truth! 25K should be plenty of incentive (not to mention the noteriety) for any hacker – now lets see if they can do it. If they do, Apple will make a patch to correct that, and our OS will get stronger. If they can’t, well then that is just gonna rock hard for Apple.
Let the games begin!
I have a $25,000 bounty on this guy. This guy is soliciting illegal activity, maybe the FBi should be informed of his actions.
iSteve, beatsme,
you’re right, it’s a publicity stunt. Look what the guy behind DVForge said about the Luxpro Shuffle:
“An iPod shuffle knockoff shown at CeBit by LuxPro may have been nothing more than a publicity stunt, according to information collected by Jack Campbell from DVForge…”This was not a prank, nor was it an act of blind stupidity. In my view, it was one of the most clever PR maneuvers I have ever seen executed by a small company.” “
So this guy likes publicity stunts. Turns out he has a long history:
http://www.macintouch.com/mactable.html#tip
We’ve all been bamboozled. Let’s all have another alcoholic beverage and go back to sleep…
What’s WORSE is that Mac Daily Crap gives this guy web space for his ridiculous announcement.
We all say how secure OS X is… here’s a chance to prove it.
However, that said, this guy’s “contest” is reckless. The idea to invite people to do something malicious is terrible and shows the character of this fellow. Why doesn’t he offer $25,000 for someone to design a SECURE Windows??? God forbid you do something positive with your money… better to be an a**hole I guess….
http://www.jackwhispers.com/jackwhispersII.html
I can’t see how anybody thought this was a good idea. Dear people, infect my machine. Wtf?
Plus, there’s a REASON that Apple doesn’t publicly advertise on television that there are no viruses. Because as soon as they do, it’s open season, and people will want to prove them wrong. OS X is not impenetrable…why the hell do you think they publish SECURITY UPDATES?!
Face it, it’s better, but not perfect. As soon as somebody wins this, then Apple is no longer virus free. Way to go and make one more reason why Apple’s might be less appealing to a devoted Windows user (i.e. they are NOT virus free).
Hell, think this out for a minute. When does the contest end? When nobody wins? How is that ANY different than what we have now? The same dare is basically out there. And what if somebody does win? Then there are Mac viruses.
Great, you lose or you lose…
1. more on Jack Campbell
http://www.macintouch.com/mactable.html
summary: a fairly long history of dubious/illegal activities/scams and aggressive self promotion.
It would seem that the probability of someone who meets all of the criteria in the contest actually getting the $25,000 is less than 100%…
(in other words, the contest itself, is, if the past is any indication, a scam designed to create publicity).
2. *** IF *** this was done in a highly restricted environment, I think the contest would have some legitimacy and be useful. It does have the unpleasant side effect of painting a large target on the Mac, but, that was coming anyway, with recent Apple product success. Personally, I would prefer that Mac walk around without a target as long as possible.
The fact that general internet distribution is not forcefully eliminated is a severe problem for all Mac users, should this contest be successful, until Apple distributes a fix. It is also, it would appear, a serious crime should it occur.
I do share Jack’s outrage at Symantec, however, as do a lot of Mac people.
3. What is stopping somebody from creating something that utilizes one of the holes already fixed in 10.3.1-10.3.8? Surely this is cheating, yet it would appear to be an easy way to win the contest.
This does bring up a point: OS X, should, as part of the initial connect to the internet (either after a fresh install or first use), ask to pull down all outstanding security updates, at a minimum. (or does it already?).
4. I am troubled that Apple doesn’t turn on the firewall by default. In my view, this is a security lapse. Even IntDows XP-SP2 turned on the firewall by default, albiet in much different circumstances – a full blown security crisis that has only received band-aids for years, and still only receives band-aids.
And is grounds, in my humble opinion, for a massive class action lawsuit and product recall – I can’t believe there isn’t a rip-the-meat-off-your-bones lawyer who isn’t jumping all over this. Like, move 10% of your auto manufacturer chasing team – is this too much to ask? Look at the ill-gotten gains money sitting there just waiting to be returned to its rightful owner – the Microsoft customer base, and society at large, for suffering through the damaging of the industry caused by Microsoft.
This is a golden opportunity for the legal profession to gain some good PR, also – yet another reason. But I digress…
It’s Mac Os X 10.3.0 or Mac Os X 10.3.8 (All updates) with the default configuration?
Because.. You know.. There are some security bugs..
” width=”19″ height=”19″ alt=”raspberry” style=”border:0;” />
“…..Incidentally, there was a $10000 contest to deface a web site run on a Mac server. No one ever has been able to collect the prize…”
Seahawk…
I do remember reading about an incident back when the US Army decided to replace all their WinTel servers with the (new) G4 “SawTooth” Servers.. and while they were in the process… one of their web pages was defaced… but it happened to reside on the lone WinTel server… which they hadnt removed yet… A look at the server logs showed that the hackers tried to enter all the Mac Servers and were unsuccessful, until they hit upon the lone WinTel server…
also…
There used to be an organization… (I think.. hackamac.org…or some such) … who…once a year… would place an unprotected Apple Server online… publish the Telnet and IP info… and invite the “hacking community” to “have a go” at it…. The idea was … if you could hack the server … and prove you did it…. they would award you with that server…
As far as I know… I never heard about anyone being successful in hacking the servers….
And all this was done way before the advent of OSX !
So, while there surely must be some legal ramifications concerning this “contest”…. maybe even a “conspiracy” charge… as mentioned above… I’m fairly confident that the 25k – 50k prize won’t be given away ..
uhhh … at least, not any time soon !
Back in the 90s, if I remember correctly, some company in Europe put a Mac server out there to be broken into. There was similar reward. No one ever did manage to break into it.
This is similar and will prove a very good point. And it doesn’t matter whether some coder is successful or not. If he or she is, I want to know. I can protect myself. If no one is, I want to know. SO I CAN SHOUT IT FROM THE ROOFTOPS!