MacBook Air first to fall in hacking contest - 2 minutes

http://blogs.guardian.co.uk:80/technology/2008/03/28/macbook_air_first_to_fall_in_hacking_contest_vs_vista_and_linux.html

MacBook Air first to fall in hacking contest vs Vista and Linux

A MacBook Air running OS X 10.5.2 has won hacker (in all senses) Charlie Miller $10,000 - plus the MacBook Pro that he managed to hack into.

Miller was taking part in the CanSecEWest conference, in Vancouver, where everyone who wanted could have a go at taking over any of three machines - a MacBook Air, a PC running Vista SP1 and a machine running Ubuntu 7.10.

And it turns out the Mac fell first. Miller, who managed the first exploits of the iPhone, exploited a bug in Safari. (As part of the second day of the challenge, would-be hackers could get the machines to click on links in URLs.)
-----------------------------------------------
A friend of last year's winner (MW reports still) had a go at the Vista machine but didn't manage to crack it. The rules make it easier on Friday (remember, Vancouver is 8 hours behind GMT) to break into the machines.

===============================================

Gone in 2 minutes: Mac gets hacked first in contest

http://news.yahoo.com/s/infoworld/20080327/tc_infoworld/96676

It may be the quickest $10,000 Charlie Miller ever earned.

He took the first of three laptop computers -- and a $10,000 cash prize -- Thursday after breaking into a MacBook Air at the CanSecWest security conference's PWN 2 OWN hacking contest.

Show organizers offered a Sony Vaio, Fujitsu U810, and the MacBook as prizes, saying that they could be won by anybody at the show who could find a way to hack into each of them and read the contents of a file on the system using a previously undisclosed "0day" attack.

Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday, the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages.

I know because I have one. Its bad because there is no awareness that it bad, its just protected by a forcefield of smugness about how secure they are. With windows there is enough of a knowledge that its bad that there are enough countermeasures in place to make it decent, and the diversity and transparency of linux does a lot for it.

Hehe. That's perfect.

the same thing. It is perfect. I live with one of those smug people. He is forever yelling about my piece of crap machine and my piece of crap (American truck) and my piece of crap smartphone. It gets so damned old. This link is getting sent as soon as I get off this thread. :)

That is a great line.

Also, the decade or so of rampant pwnage has taught Microsoft a few things about security. They've still not gotten it exactly right yet, but they've learned some hard lessons. Apple has two things going for it: low target profile, and unix-ey goodness inherited from the BSD underpinnings. Neither is going to stop a determined hacker.

If some browser has a security flaw, the hacker is going to be able to take over that process no matter what its running on top of, BSD, windows etc. Then it has what powers that process has.

The machine fell to a SAFARI exploit, not an OS hack.

The thing about the article that actually impressed me
most was that Vista™ survived the first round of attacks,
just like the others. That's a SERIOUS feather in its cap,
as far as I'm concerned.

This wasn't a coffee shop full of high-school kids; this
was a serious competition that some world-class hackers
spent a lot of time gearing up for.

The fact that ALL the machines survived the first day of attacks-
now THAT's news! That's news that should give us all HOPE
for the future of "secure computing", Itellyawhut!

Standard OS security rules apply... an OS is only as secure as the applications that it exposes. Microsoft found this out with IE, and (eventually) took measures to protect itself from IE. Hopefully Apple will do the same with Safari.

I've never been particularly impressed with Safari. The first thing I do when I do a clean install of a Mac (or a PC for that matter) is install some Mozilla variant, be it Firefox or Camino. And in Windows, I have the IE Tab plugin for those few websites that require IE.

Sid

That makes me feel good.

So, it is just who could do Social Engineering better than others.

And they told Apple about it, and didn't publish it. It required waiting until they could have the automated user click a link.

Next time, they should put Vista on another Mac Book Air, and see which goes first. :)

Here in the real world, almost nobody's stupid enough to open a file some random dude has emailed, or to click on a URL for no reason.

Despite years of user conditioning, perfectly intelligent people still click on links they are given or open files they are sent. In fact, that's what most of the Microsoft security flaws are all about, too. So far the last two posts on this thread have been making excuses for a security hole in APPLE software. Pathetic excuses at that.

ALL operating systems and ALL software have flaws.

I work with these users every day. Many of them will click on ANYTHING that is sent their way.

Seems like all I ever hear are the horror stories about it;
this makes it apparent that its "improved security" is very
real, not just MS marketing BS.

I haven't heard of a single one. I'm sure there's the odd trojan here and there that will delete the user's files (not system files), but there's no way to stop that.