CanSecWest: Countering Misinformation

As you surely know by now, the CanSecWest conference was the stage for a contest, PWN to OWN. Three laptops were set up, running Windows Vista, Ubuntu Linux, and Mac OS X. The goal was to hack the computer and read the contents of a file located on each of the machines, using a 0day code execution vulnerability. During the first day, contestants could only attack the machine over the network, without physical access. On the second day, user interaction came into play (visiting a website, opening an email). On the third and final day, third-party applications were added to the mix. Each machine had the same cash prize on its head. As you all know, the Mac was hacked first, on day two. The user only had to visit a website, and the Mac was hacked. Vista got hacked on the third day using a security hole in Adobe’s Flash, and the Ubuntu machine did not get hacked at all.

Update: Roughly Drafted responds.

This of course resulted in the usual flurry of internet attention, and OSAlert, too, paid attention to the whole thing. I tried to be as complete as possible in the OSAlert blurb, trying hard to shove all the relevant details into the limited space of an OSAlert item.

This morning, someone submitted a link to an article on Roughly Drafted, a Mac and Apple website that gets considerable attention, especially on Apple-centric websites. They published an article on the whole PWN to OWN contest, titled “Mac Shot First: 10 Reasons Why CanSecWest Targets Apple”. This article is filled with so many factual errors and other forms of misinformation that I felt obliged to add some nuance to the mix.

I will touch on each of the ten reasons, following the original article’s order.

1. “Exploits discovered for the Mac have little other value outside of contests like CanSecWest.”

This is the only one of the ten reasons which has a solid base in reality, and actually makes sense. Indeed, there is little market (at this point in time) for selling exploits for the Mac, simply because the Apple user base is still too small to be of significant use to malware creators. This is not rocket science; malware creators are after easy profit, and attacking 90% of the market makes more sense than attacking 5% of the market.

However, this does not mean that the exploit used to win the contest is of any less relevance. It is still a security hole, and it needs to be fixed. The details of the exploit have been forwarded to Apple, without making them public, allowing Apple to fix the issue. Therefore, this exploit will most likely not affect the real-world security of Mac OS X – but the theoretical security has been severely compromised, which is not something to sneeze at.

2. “The CanSecWest contest clearly appears intent to transfer the security focus belaboring Windows to other platforms.”

Here, we see a major case of what I usually refer to as the “black helicopter factor”, more commonly known as conspiracy thinking. Roughly Drafted tries to imply that the people behind the CanSecWest conference (or the contest itself) are somehow anti-Apple or pro-Microsoft, but delivers no actual proof that this is really the case. I am not really sure why they detail Microsoft’s “Get the facts” debacle, as it is of no relevance at all.

Here, Roughly Drafted also tries to imply that CanSecWest “announced that Macs are less secure than Windows” – which is a curious way of putting things. If you look at the original announcement of the winner, you will see that no such claim is being made. The final wrap-up article on the contest does not make any such claims either. In other words, Roughly Drafted is clearly spreading misinformation to discredit CanSecWest.

3. “The contest prominently focused attention on the brand name of the MacBook Air.”

Roughly Drafted claims that only the MacBook Air was mentioned by name, while the other laptops remained unnamed, without any details on what brand they were. According to Roughly Drafted, this would have resulted in “the most sensational headline payload possible”. This is, again, a case of misinformation, as the contest’s rules page clearly states the brand and types of laptops used (“VAIO VGN-TZ37CN running Ubuntu 7.10, Fujitsu U810 running Vista Ultimate SP1, MacBook Air running OSX 10.5.2”).

4. “The Mac exploit was something Charlie Miller had in hand when he arrived.”

This one baffles me a bit. Of course he had it in mind! This is an irrelevant remark, as the exact same thing went for people wanting to attack and win the Vista or Ubuntu laptop and their associated sacks of money. This is the whole goal of the contest: to find new and unknown exploits, and deliver them to the relevant companies so they can fix them before they do any real damage – responsible disclosure.

If I partake in a squash match, am I not allowed to practice and study my opponent before taking him or her on?

5. “The researcher who cracked the Vista machine was stymied by the fact that he didn’t expect it to have SP1 installed, according to a follow up report by IDG’s Robert McMillan.”

The first service pack for Windows Vista (that would be SP1) was released into the wild on 18 March of this year. The contest rules clearly state that the laptops would run “the most up to date and patched installations” of the three operating systems. If the researcher who cracked the Vista machine was surprised to see SP1 on the machine, he either did not read the rules very well, or he does not keep up with the news.

Roughly Drafted goes on to say that the Vista laptop “only reflects the state of Vista for users who have elected to install SP1”, and not of users throughout 2007. So, where is the cut-off point? Safari 3.1, with a whole batch of security fixes, was released a few days after Vista SP1. Should it have been excluded, since it does not properly reflect the state of Safari in 2007?

This is why the baseline for these types of tests and comparisons is almost always the latest versions, fully updated and fully patched. This creates a level playing field for all the platforms, and everyone participating in the contest knows what to expect.

6. “Miller reported hacking something related to Safari, but the details haven’t been revealed.”

Safari is a default part of Mac OS X, and is, as such, a possible attack vector, in the exact same way that Ubuntu has Firefox, and Vista has Internet Explorer 7. A chain is only as strong as its weakest link, and if that weakest link is the browser, then the operating system has a security weakness. There was still a remote code execution and privilege escalation, and whether this is done through the kernel, Safari, or the folder icon’s 56th pixel in the 15th row is completely irrelevant. Many of the big security threats to Windows XP were related to Internet Explorer and/or Outlook Express; does this make them any less severe or relevant?

In an update to the article, Roughly Drafted states that John Gruber claims the weakest link was a library used by WebKit’s JavaScript engine, which has already been fixed by the WebKit team. According to Roughly Drafted, “this suggests that the entire contest was about Miller proving he could temporarily outsmart an open source development project for a few days, rather than having anything significant to do with relative platform security between Macs, Windows, and Linux”. Again, something about a chain and weak links? Apple is responsible for the code it decides to ship with its OS, and for the speed with which they incorporate patches from the original developers into their trees. If Apple fails here, it is Apple’s fault.

7. “Attendees with the ability to crack Linux ‘didn’t want to put the work into developing the exploit code that would be required to win the contest’, according to [an] IDG article.”

Roughly Drafted continues: “Why not? Because they lacked the political motivation to prove Linux was easy to hack, and they lacked the financial motivation to earn USD 10000 at a contest when they might be able to sell their vulnerability discovery for more than that.”

Firstly, Roughly Drafted contradicts itself here. They stated that exploits for Macs were not used by malware creators in the wild because the Mac’s user base is too small, and now they claim that an exploit for a home operating system whose user base is probably even smaller can be sold for a lot of cash? In their hurry to discredit Ubuntu, they contradicted themselves quite severely.

However, this is not the biggest problem with reason #7. The biggest problem is that they grossly misquote the original IDG article from which they claim to have taken the quote. This is what the article actually says:

“Although several attendees tried to crack the Linux box, nobody could pull it off, said Terri Forslof, a manager of security response with TippingPoint. “I was surprised that it didn’t go,” she said.

Some of the show’s 400 attendees had found bugs in the Linux operating system, she said, but many of them didn’t want to put the work into developing the exploit code that would be required to win the contest.”

There is nothing on political motivation, nothing on selling exploits, nothing at all. All we have here is a highly anecdotal piece of evidence that “several attendees” had found bugs in Ubuntu, but that none of them wanted to “put the work into developing exploit code”. This statement is not backed up by any evidence, or by interviews with any of these “several attendees”.

8. “Many exploits and vulnerabilities are not unique to ‘Mac, Windows, or Linux’, but instead are cross platform threats.”

This is a very valid remark, but also an utterly irrelevant one in this specific context. Windows Vista does not ship with WebKit. Ubuntu does not ship with WebKit. Mac OS X does ship with WebKit. As such, this exploit is not cross-platform at all. It will only become cross-platform (possibly!) when you install Safari on Windows, or Konqueror on Ubuntu. This defeats the purpose of the contest rules on day two, which clearly stated only default installations were used (third party applications were added to the mix on day three).

Even if this were a cross-platform exploit, the reasoning is weak. This is actually a dressed-up case of “but they are doing it too!” reasoning, usually employed by young kids trying to get stuff from their parents. “But mom, Timmy gets two cookies with his milk, and I only get one. I should get two cookies too because Timmy gets two too!” The fact that an exploit exists on Windows does not absolve Mac OS X (or any other operating system) from its responsibilities. Exploitable on other operating systems or not, it is still an exploit on your platform.

9. “Miller has repeatedly stated that his life’s work is to discredit the security of Apple’s platforms.”

Roughly Drafted claims that the fact that Miller exploited outdated FOSS code in Mac OS X says more about his “knowledge, expertise, and motivations” than it does about Mac OS X, Windows, and Linux. They state that somehow, Miller had it easy because he is a security expert, who only had to battle with “non-motivated colleagues on Windows who have sold their exploits to spammers” and “Linux expert colleagues who have no interest in trying to make FOSS look bad”.

Let’s start with the Linux guys. Linux developers make FOSS look bad all the time. Try loading up the kernel’s bug database, or follow the kernel’s mailing list. Read Ubuntu’s LaunchPad, GNOME’s Bugzilla. They are filled with Linux experts making FOSS look really, really bad by reporting bugs and security threats. In addition, I have a hard time believing the numerous Linux experts out there are not interested in 20000, 10000, or 5000 USD.

As for the Windows guys, the proceedings of the contest severely contradict Roughly Drafted’s assumptions. If the Windows guys are indeed only interested in selling their exploits for huge profits to spammers, then why did Vista get hacked on the third day, for a relatively modest 5000 USD, using an exploit in Flash, which is installed on just about any machine out there? A major security hole in Flash, installed on so many Windows boxes, would be worth a lot of money according to Roughly Drafted’s reasoning – yet, the Windows guys decided to only score 5000 USD with it.

10. “Apple’s use of open source makes it easier for researchers like Miller to identify exploits.”

This is not true. The reason researchers like Miller can use open source software as an attack vector is not because of the inclusion of open source software in and of itself, but because Apple lags behind when it comes to integrating patches from open source software projects back into Mac OS X. Even though Roughly Drafted points out, rightly so, that Apple needs a lot of testing before releasing patches, this still does not negate the fact that this leaves known attack vectors open, adding insecurity to Mac OS X – and allowing smart people like Miller to win lots of money.

Apple includes open source software because it means they have to hire fewer people to write software for them, which, logically, cuts costs. However, this also presents new problems for Apple, including security problems. Structural security problems like this might be beyond Apple’s control, but that does not mean the security threats posed are any less severe or relevant than security exploits in Windows.

Conclusion

The reason I decided to write this rebuttal was not to discredit Apple, or because I have been paid by Canonical or Microsoft. The reason I wrote it is because the article contains an unrivaled wealth of misinformation, some things even bordering on slander, trying to attack the credibility of CanSecWest and its organisers. Apple does not need a ‘Get the facts’ campaign with websites like Roughly Drafted ready to do it for them.

Usually I ignore articles like this, but when they contain easily rebuttable misinformation and slander, I see it as my obligation to counter them, especially seeing how many in Mac-centric circles refer to Roughly Drafted as a reputable source. And trust me – this is just one example of the types of misinformation-laden articles on Roughly Drafted.

Do with it as you please.
