The When: April 18-20, 2007.

The Where: The CanSecWes Digital Security Conference, Vancouver, BC.

The What: Two fully updated MacBook Pros, left in default config.

The How: Via Ethernet or Wifi only.

The prize: If you hax it, you pwn it!

http://blogs.zdnet.com/security/?p=137

http://cansecwest.com/post/2007-03-21.15:10:00.PWN_to_OWN

A great reader (http://talkback.zdnet.com/5208-12691-0.html?forumID=1&threadID=31824&messageID=587098&start=53) post by someone who usually rips into Macs at ZDNet, regularily.

It will be interesting to see if anyone will be able to break in - I assume of course they won't be able to touch the computer and they do mean default install. I would think anyone with that much hacker knowledge and time on their hands could break into it.

I think the best hacker out there could crack Mac OS X...

Though, why that would be a concern to any of us leaves me wondering. Most users are worried about "script kiddies" getting in our Macs, not someone who's spent all their life hacking security and actually attends these conferences and contests to win prizes. ;)

You think so?

And yet it hasn't happened.

Go figure.

I think the best hacker out there could crack Mac OS X...

Though, why that would be a concern to any of us leaves me wondering. Most users are worried about "script kiddies" getting in our Macs, not someone who's spent all their life hacking security and actually attends these conferences and contests to win prizes. ;)

You think so?

And yet it hasn't happened.

Go figure.

I think so, yes. No one said the "best hacker" has ever attended said conference to prove it - doesn't mean he doesn't exist.

I'd bet that it's doable. I have no idea how -- I'm no security überdude -- but I can't imagine that it's IMPOSSIBLE.

I doubt that it will be done this time around. Oh sure, maybe it will be done sometime in the future but I am looking at the track record OS X has had in the past 5-6 years and in its various incarnations.

And, the argument of "security through obscurity" is increasingly becoming thinner than the Bush admin's arguments for going into Iraq. :lmao:

And, the argument of "security through obscurity" is increasingly becoming thinner than the Bush admin's arguments for going into Iraq. :lmao:

Ya think?? I don't. I'm certainly not saying it's the ONLY reason life is easy 'n breezy for Mac users, but I'd say it's a big one. Like, come on; other than to shut up smug Mac users, where's the profit coding malware for the Mac when there are hundreds of millions more Windows systems. We're so small in comparison, they probably don't care to even try and find out vulnerabilities.

... other than to shut up smug Mac users, where's the profit coding malware for the Mac ....
Haven't there been various and substantial cash prizes offered over the years, to anyone who could prove they'd created viable malware for OS X?
And from what I understand, these prizes didn't require illegal activity, just make the malware and get your money.
Yes? No?

There have been a couple of shaky cases. There have been a few proof-of-concept trojans. Being a threat to ANY operating system, trojans of course require human engineering to propagate (no OS can protect itself from their stupid end-user). Indeed, there was one trojan in the wild last year, called "Ooompa Loompa (http://news.com.com/New+worm+targets+Apple+chat+users/2100-7349_3-6040681.html)" but it didn't have much legs.

We all know that Apple issues security updates. It seems many involve Quicktime and memory stack overflows. God knows what could happen with stack overflows.

And then, there have been "the challenges". "rm my Mac (http://software.silicon.com/security/0,39024655,39157023,00.htm)" was one where the Mac was allegedly hacked in under 30 minutes. But, this was kinda a lame one, because the contestants were given local account privileges, and the real point of the challenge was a privilege escalation to root status. Not quite a virus, and again, if you can't trust someone you GIVE an account to, who can ya trust? :D

A more challenging one was a second "hack my Mac" (http://www.informationweek.com/news/showArticle.jhtml?articleID=181502078&subSection=Columns) in response to the above challenge. This one was more "typical": no account privileges, connected to the web, even a couple of settings changed to make it a little easier to hack. The system hung in there!

Perhaps the scariest one was when, at a "ShmooCon" hacking conference, a security researcher's Powerbook was accessed and turned into a file serve (http://www.theregister.co.uk/2006/02/08/apple_vulnerability/)r! :D Ouch! That had to hurt!

But, the big money in malware are worms. Self-Propagating exploits are where it's at, and I don't think that UNIX is sufficiently weak enough to let stuff like that run through the Mac userbase like a bull in a china shop.

We may get some minor paint scratches once in a while, and I am confodent that OS X is more secure than Windows, but I think that we're just too small a userbase for the jerks out there to profit by.

My http://deephousepage.com/smilies/twocents.gif

There have been cash prizes offered in the past, like this one from 1996 (http://www.tidbits.com/tb-issues/TidBITS-317.html#lnk5) where a $ 10,000 prize was offered over a 45 day window (no one won), and this one from 1998 (http://www.tidbits.com/tb-issues/TidBITS-378.html#lnk4) with a $ 13,000 (100,000 Swedish Krone) prize over two months (nobody won) but I would think that OSX, although it can be configured to be very secure, can also be configured to be swiss cheese. The beauty of UNIX is you can do almost anything at a system level, including cutting your own throat.

OSX would be vulnerable to the occasional exploit found in the open source packages that accompany it. For the most part, they are turned off by default, but I would think an Apache or SendMail exploit would work (they happen from time to time, although they are patched quickly and Apple is pretty good at releasing the patches with Software Update). For a desktop system, you would need to be hacking the right box at the right (unpatched) time but a server or other exposed machine is no different than other UNIX or Linux boxes and there are such things as exploits from time to time, as well as plain bad configuration.

Not to worry much, really, but hardly impossible and very dependent on how you set this and that on your own machine.

For the curious, the story on the "Month of Apple Bugs" (or whatever they called it) guys finally came out: they had found a vulnerability in some thing or other during the summer of 2006 and had eMailed Apple about it. A month or two later, Apple released a patch but didn't mention the two hackers, which pissed them off royally. (It's quite possible that Apple knew about the problem already and thus it would be normal for them not to mention them, but these guys perceived a snub).

So they set about creating some havoc, and actually did unearth a few real issues, although many of them were non-Apple software, Intel-chip issues that affected all x86 systems, and Windows versions of Apple software like QuickTime. Still, they did dig up a couple of genuine Mac OSX and QuickTime bugs (they've been patched, if you are current, by the way).

Ya think?? I don't. I'm certainly not saying it's the ONLY reason life is easy 'n breezy for Mac users, but I'd say it's a big one. Like, come on; other than to shut up smug Mac users, where's the profit coding malware for the Mac when there are hundreds of millions more Windows systems. We're so small in comparison, they probably don't care to even try and find out vulnerabilities.

It's called bragging rights. Let's be realistic here, the person who can do a real number on Mac OS X will be deluged with job offers. Remember that Filipino kid who did the "I love you" virus in 2001?

Remember that Filipino kid who did the "I love you" virus in 2001?

No, I don't remember the kid but I definitely remember getting the I Love You virus on my PC at work... courtesy of one of the directors of the computing services department. Heh heh.

It's called bragging rights. Let's be realistic here, the person who can do a real number on Mac OS X will be deluged with job offers. Remember that Filipino kid who did the "I love you" virus in 2001?

Oh. One guy. Point taken. Ya got me!

Just how long will such "bragging rights" hold their cache? For the first guy? Probably. How about the second? Or the third? No, this 15 nanoseconds of fame will become so valueless so fast that such a notion isn't worth considering. I say let the first one enjoy his bragging rights with his other geeky losers on IRC. Meanwhile, our life will go on, undeterred.

In the same way that "no IT guy ever got fired for buying Microsoft" with >300,000,000 users, no hacker is going to get hired for hacking only a potential of <30,000,000 (he'd show TERRIBLE business acumen for choosing such a small market) -- which isn't to say that, if an OS X worm or something did get out in the wild, that we would ALL be infected.

Sorry, but I don't think that the numbers support your "reality".

The point isn't about how many computers he can infect, but how good of a hacker he is. If one is able to hack or develop malware to self-propagate on OSX, then he must be one hell of a programmer. And the tech industry is always looking for good programmers.

Ever heard of Google's {first 10-digit prime found in consecutive digits of e}.com? These are the sort of people tech companies want on their programming teams.

Hell, if someone manages to win one of these contests, I would wager he'll get a job offer from Apple, Inc.

Sure, black hats have gone white. But there's just not going to be the "upside" hacking Macs that hacking PCs presents, and given this we've little to worry about.

My (additional) http://deephousepage.com/smilies/twocents.gif and I'll leave this thread -- and my position -- at that :)