Apple’s OS X, Microsoft Windows, and Linux operating systems are to be pitted against each other in an ethical hacking contest in Vancouver next month. Run by the organizers of the CanSecWest Vancouver 2008 security conference, the competition is a repeat of the ‘PWN to Own’ contest at CanSecWest in 2007, when security researchers competed to win a MacBook Pro and USD 10000.
It looks like fun. I wonder which OS will fare the best. These flaws fixed counts that frequently bash OSX are flawed. As well as those that bash Linux and sometimes even Windows. Often such comparison are biased to create a result that sounds surprising and catches our attention (we usually consider OSX and Linux secure and windows not).
PS. Sorry for my sleepy feeling right now. It is affecting my writing.
I think it depends on what they actually mean by the term “hacking”.
If it is classic hacking, and it just boils down to obtaining a logon via brute force attack or password guessing, the all three (Linux, OS X and Windows) would be equally vulnerable, depending only upon how strong the passwords were.
I guess I just don’t get it.
Another method of “hacking” worth mentioning would be a way to provide a kind of spoofing attack, resembling a system prompt to get a response from a user. This could be realized via a web page or even an e-mail. “Hi there, this is your support center. Please reply with your administrator password. Thank you!”
But that wouldn’t be something I’d consider “hacking”. It’s not very innovative and depends on the reacting of a (stupid?) user.
The most interesting point is…last year they did not compete to win a new Linux laptop, or Vista machine. The prize was a MacBook Pro and $10K.
Yes, yes. I’m sure with $10K, they could have easily sold the MBP and buy nearly any rig they want, but it’s all in the marketing!
-Karrick
Edited 2008-02-08 04:30 UTC
It is no sweat. A MacBook Pro will run Linux pretty well.
http://modular.math.washington.edu/macbook/
What a waste. Pretty hardware should run pretty OS.
So its the OS that will do the actual hacking then?
Seriously though, it should be interesting.
I wonder what they’ll be using for the linux box.
They really should include the BSDs as well.
I guess it’d make for a pretty uneven contest, though.
Good luck to anyone trying to break in to an OpenBSD system….
They really should include the BSDs as well.
I guess it’d make for a pretty uneven contest, though.
Good luck to anyone trying to break in to an OpenBSD system….
Linux guys..err… Sorry- GNU/Linux guys tend to ignore existence of superior operating systems til’ their half assed servers got pwned multiple times in a row.
What will be interesting is the linux distro that is ultimately chosen. I guess a default system bought from Dell (i.e. Ubuntu) could be tested. But there are many distros which each take a different approach to security. Consider Debian systems, no root user, instead use sudo, vs. RPM type systems which have a root user with a different password to the ordinary user.
Also, you have different security apps, e.g. AppArmor, and different firewalls.
I agree, but also, wireless card also matters (because there can be bugs in the drivers). If they don’t use the same wireless card on OSX as on the rest of them (generally they are atheros), it means it is not fair. Vista, most linux distro’s and OSX pretty much support atheros out of the box. And also, if outbound connections will be permitted (ie, safari connects to a webpage).
Any hackers joining though, I know they will find OSX to be the easiest to exploit as at the moment, its programs are the least refined since their release (Vista has had 1 year to stabilise its programs, and linux, well, thats gonna be dependant, as mentioned on the distro).
But yeah, I agree with MiliTux, I hope they have a good gameplan and at least make it fair.
I hope everyone just sees it as fun though, because, I’d hate to put up with either linux, OSX,BSD,OS/2 OR windows fanboys all week bragging about how secure they are over a poorly set up contest.
But honestly, my guess, is that they may all be hacked within an hour anyway depending on the rules. Safari, firefox and Internet explorer probably all have a lot of exploits (lets face it, web browsers are getting so complex these days, you could run one in EFI, and use it as your OS, and in fact, some bios’ already let you run a web browser inside them).
And there better be NX on all three… Otherwise, the whole thing is a joke
That isn’t a Debian characteristic, it is strictly an “Ubuntuism”.
https://help.ubuntu.com/community/RootSudo
Personally, when I am using an Ubuntu system, and I need to be root, I generally just use the command ‘sudo su’.
Debian systems have a normal root user, just like most other Linux distributions do.
http://www.tonotono.net/ua/nph-.cgi/000000A/http/www.linuxdevcenter…
Fedora ships with SELinux.
http://fedoraproject.org/wiki/Security/Features
Fedora is probably the most well known desktop Linux distribution you would go for if you were after the best security out-of-the-box.
Edited 2008-02-08 09:48 UTC
If you want to change shells you may also do:
sudo zsh_or_other_choice –
And be the root user until you exit your shell of choice.
“Consider Debian systems, no root user, instead use sudo”
Debian itself, it has a root user ,and is enabled by default. Some derivatives of Debian, (*Ubuntu) use sudo. But you’re right, I think the choice of distro will be very interesting.
It will be interesting to see if they configure them in a usable configuration. Will it they all be able to play quicktime movies from the web, work with youtube, flash, shockwave etc. Last time they did this it took a while, and if the wrong ‘experts’ are there it may not be that easy. Will they only use attacks where the defending OS is passive (ie no surfing) or will the attackers be allowed to make a website where someone drives the OS off a cliff into it.
I’m guessing they’ll start with passive, then if none get hacked, they’ll start installing Adobe software and surfing the machines to crusty websites.
How about they test 2 other operating systems as a baseline?
Say, Trusted Solaris and OpenVMS.
It would be interesting to see how older commercial grade operating systems compare aganst consumer grade systems.