Apple MacBooks hold strong, remain unhacked after first day of $10,000 ‘Hack a Mac’ challenge

“Two tricked-out MacBook laptops have survived the first day of a ‘PWN to OWN’ contest that dared hackers to take control of default Mac OS X installations,” Ryan Naraine blogs for ZDNet.

“The contest started around midday Thursday, the second day of the CanSecWest conference here and triggered interest from hackers in attendance… Organizers say they have seen ‘some activity’ on the network set up with the two new MacBooks — a 17″ and a 15″ — but details remained scarce when the day ended,” Naraine reports. “To win, the attacker must commandeer the machine and find a file with instructions on how to SSH to a server to authenticate the hijack.”

Naraine reports, “On the second day, the barrier will be lowered a bit and the attackers will be allowed to put exploit code on a special wiki and launch drive-by exploits on the Mac’s built-in Safari browser. If the machines survive this level, the attacker will be allowed to connect over USB or Bluetooth.”

Full article here.
If they really want to give away the MacBooks and the $10,000 prize, on the third day they ought to install Boot Camp and Windows on them. It would probably take about 10 minutes to find a winner.

Related articles:
CanSecWest sweetens ‘Hack a Mac’ contest pot to $10,000 – April 20, 2007
CanSecWest to hold ‘PWN to OWN’ contest: pits Apple MacBook Pros vs. hackers – March 26, 2007
Microsoft’s oft-delayed, much-pared-down Windows Vista hacked at Black Hat – August 07, 2006
Microsoft publicity stunt asks hackers to attack Windows Vista – August 04, 2006
Apple Mac remains ‘unhacked’ as University of Wisconsin’s Mac OS X Security Challenge ends – March 08, 2006
Mac OS X ‘unhacked’ over 24 hours and counting in genuine security challenge – March 07, 2006

84 Comments

  1. Yeah, it’s pretty lame to lower the barrier. It’s like leaving your front door unlocked or open, depending on how they lower the barrier, and then asking if the house can be burglarized. Hehehe.

    Windows users will only want to hear a hijacked Mac, IF IT HAPPENS, and not how it was hijacked.

    @MDN, can somebody please fix the link? Thanks.

  2. Question for you readers in the know: Apple issued a Sec update yesterday. Assuming it is not applied to the MacBook Pros used in this contest, can hackers use the breaches the patch fixes to gain control of the machines?

  3. [B]Not a true contest, conditions rigged

    Under normal conditions the Mac would be on the internet 24/7.

    Put those two bitches online, they would be pwned in a day guarranteed.

    So put that fanboism back in the can right now.

  4. The first phase of “lowering the barriers” is entirely realistic! The second phase, direct connect, is not. Quite a number of the exploits hitting the Windows crowd are Web-based, so there’s little reason to deny them the chance to take advantage of that option. USB or Bluetooth? You are not getting that close to my workstation … not without an escort.

    Oh, and Wiseguy? What’s with the bogus attempt to open BOLD text without a “close” statement? Sounds like something a troll would do.

    DLMeyer – the Voice of G.L.Horton’s Stage Page Pod-Cast

  5. @ Wiseguy. “Put those two bitches online, they would be pwned in a day guarranteed [sp].” I don’t know how you would get the idea that these macs are not connected to the internet. Let me spell it out for you, these Macbooks are connected to the internet, Hackers are connecting remotely from their computers and trying to hack it to gain access to files on it. How would the contest work if the mac were not networked? Did you think the hackers were physically sitting in front of the laptop?

    About people complaining about “lowering the barriers”: I think that’s an excellent idea, and the conditions are fair. On the second day, the mac will visit a wiki page in Safari that hackers will be using to attempt drive-by exploits. This is fair because in the wild, a user might run into a website specifically engineered to perform an exploit. I know a couple URLs like that, that will instantly fuck up a Windows computer on Internet Explorer. It’s only fair to test the mac under these conditions, since computers are often hacked through malicious websites.

    On the third day, hackers will be connecting directly through USB and Bluetooth. Again, this is fair, because users might be subjected to this type of thing in the wild. I’ve accidentally infected a Windows computer over USB before.

    This will be a tough challenge, and I for one want to know the results. I have confidence that Mac OS X under default settings will once again emerge itself impervious. If it is possible to hack into Mac OS X, I want to know the truth. I don’t want to be coddled like some half-retarded fanboy. If someone can hack into one of these Macbooks, I can handle the news, and have great interest in knowing the truth of the matter.

  6. @ Drunk Cheney
    Where is the VISTA $10,000 hack challenge?

    At $20 right now. (See my last post.)

    @ theloniousMac
    CHEAT PEOPLE!!!!

    CHEAT!!!!

    THAT’S THE FOUNDATION OF HACKING!!! DON’T JUST TRY TO HACK THE COMPUTER!!! HACK THE CONTEST!!!

    Yeah, that’s right! Go right to the contest location and manually use the machine. If the MacBook won’t let you, then you know what they say…

    IF YOU CAN’T HACK IT, WHACK IT!!!!

    Thank you for your lack of support, and remember that the “Hack a PC” contest reward has just dropped from a $20 bill to a $18.96 bill.

  7. I’m certainly not going to be “lowering any barriers” to make it easier for a hacker/cracker to get into my machine, and I’m surrounded by PCs at work, so why should they? Realistic or not, doing that seems to me to be changing the terms of the contest in mid-stream. Lessens the impact of success, and will surely be fodder for FUD in the mainstream press if someone manages to do something with the “lesser” barrier, let alone the absolutely crazy notion of giving physical access.

    My take is that if nobody could PWN the machines under the original parameters, then no one gets to OWN – and the $10k does not change hands.

  8. > How far down must the defenses go before the Mac can be hijacked?

    Not until someone sticks a Post-It note on the edge of the display with the user name and password (an all too common practice).

  9. BuriedCaesar: “I’m certainly not going to be “lowering any barriers” to make it easier for a hacker/cracker to get into my machine, and I’m surrounded by PCs at work, so why should they? Realistic or not, doing that seems to me to be changing the terms of the contest in mid-stream. Lessens the impact of success, and will surely be fodder for FUD in the mainstream press if someone manages to do something with the “lesser” barrier, let alone the absolutely crazy notion of giving physical access.”

    I think lowering the barrier is a good idea of a measure at how hard it is to hack into something. If you stick only with the original condition, all you know is no one hacked into it at that condition and did not investigate other vectors of attack based on easier conditions which are just as realistic (i.e. if you browse a suspicious website or if someone has a physical access to your computer). It is one way of finding that lowest level of the barrier and try to raise it from that level. This is a security conference and not a PR job. They probably couldn’t care less about what journalists think.

  10. @../.

    Good point, and I agree with you in principle about those parameters in that respect, but we can also be absolutely sure there are some “journalists” out there who are lurking around, hoping beyond hope that something DOES happen, and they’re going to get their hands on this news one way or another, especially if there IS a successful crack, and they certainly won’t care at what “level” that occurred, and they certainly won’t attempt to explain it to the masses in any way that makes sense.

    If there’s no successful “attack”, then it becomes non-news. A non-event. And sadly, it will be much, much less likely to get reported, because those same media sharks won’t smell any blood.

  11. Hey WiseGuy, isn’t this a competition only for those at the conference? So the Macs are open to only them on the (local) network. That’s the point of the whole thing.

    Well that’s why I said it’s rigged.

    Put those bitches on the internet instead and they would be pwned.

    It’s not a matter of lowering the conditions, but making the challenge more realistic to actual conditions that all our Macs face.

  12. Let’s hope the Admin password is not steve or jobs or apple or something equally as obvious.

    Physical access is physical access. Every previous proof of concept exploit used physical access.

    Of course, every previous exploiter, with their proof of concept exploit, also had the admin password. Anyone can hack their own computer.

  13. I love Apple, I use Apple. But I’ve NEVER understood the total smugness on the part of the fanboys - review all of the early comments, particularly MDN’s. Apple is safer by far than Doze, but I hope this is a wakeup. A serious in the wild compromise WILL happen, it’s just a matter of time.
