People shouldn’t read anything into the fact that of the three laptops set up for last week’s ‘PWN to OWN’ hack challenge, the only one left standing was running Linux, said the security expert who oversaw the contest. “There was just no interest in Ubuntu,” said Terri Forslof, manager of security response at 3Com Corp.’s TippingPoint subsidiary, which put up the cash prizes awarded at the contest last week at CanSecWest. “A contest such as this is not a measure of relative security between operating systems. It’s not an accurate barometer.”
I thought they got paid 20k if any of the machines got cracked the first day. I guess hackers don't like money enough to crack Ubuntu.
Ten thousand, and the idea that people would pass up $10k just because they couldn’t be bothered to try is nuts!
“Ten thousand, and the idea that people would pass up $10k just because they couldn’t be bothered to try is nuts!”
Maybe people can only enter one competition and the full details of the exploit are not publicized until after the competition. What I got from the article was that there were tons of talented people who were working on breaking Windows and MacOS while only a few people entered to hack Ubuntu. After all, it seems that it was a Flash exploit that is already confirmed to work on Linux that took Windows down.
Surely then one would use the same exploit to get an additional $5k
No one would, because it is against the rules:
http://cansecwest.com/post/2008-03-20.21:33:00.CanSecWest_PWN2OWN_2…
I think using the same exploit would be blocked by the “known” clause. You’ve already popped a machine through Flash, demonstrating the exploit, and it is the same exploit that would be used across the platforms. You would have to find a different exploit to pop the second machine.
IMO, an extension of this statement/logic is that you get the most mileage out of the most widely used OS. Therefore:
* You get the most mileage out of a Windows attack.
* You get the next most mileage out of a Mac OS X attack.
* You get the next most mileage out of an Ubuntu attack.
The results don’t reflect that, though. The Mac was pwned first, and the Vista box second. Ubuntu didn’t get cracked, in spite of incentives to do so ($$).
I’m not sure exactly what this means, and it’s certainly possible Ubuntu could have been cracked just as easily as Vista, but the quoted “explanation” seems shaky to me.
One reason for the Mac going first could be in the way the contest was set up.
Day 1: only the OS and base apps, with latest patches applied. Only remote attacks allowed (open ports and that kind of stuff). Here none got hacked.
Day 2: user-assisted attacks, like an email or web page being opened. Here OS X got hacked via Safari.
Day 3: popular apps and similar added to the day 2 requirements. Here Vista got hacked via Flash.
The impression I have is that they could have taken Ubuntu on day 3, but Vista was an easier target. Low-hanging fruit and all that…
Am I the only person who doesn’t get the point of stages 2 and 3?
They seem to depend on the user doing stupid things. If you’re counting on the user being stupid, it doesn’t matter which OS you go for.
It’s not that stupid to click on a link, or to have Flash installed. The link might come from a blog comment or an email. The SWF file might come in an advertisement or off of an innocent-looking link.
Application bugs can be real security vulnerabilities, just like OS bugs. Especially when the application is extremely widespread, like Safari or Flash.
You may not get the most out of attacking Mac OS X first but you shock the fanatics and really upset them once you’re successful. It’s worth more than money.
It’s likely that there was some pride involved in not attacking the Ubuntu machine.
It’s not even about the money, being one of the few people who can claim to have hacked OS X does a lot to boost your acclaim.
Since the flaws found in any of the OS would be forwarded for a fix, I’d say every Linux-loving person would want to hack the Ubuntu machine to improve the OS. Especially if at the same time you can slap Adobe in the face for endangering Linux’s security with a badly coded Flash (and Flash _is_ really an eyesore for every Linux user).
I’d also say that nobody’s really going to get a rep cracking Vista (right or wrong, it’s Windows’ reputation that even a newbie can crack it by following a few simple explanations). And you’d make more money by cracking Ubuntu, getting the cash and the pride, then selling whatever cracks you have for Vista.
And am I the only one not believing that even without the Flash crack there would be many other options to crack Windows or Ubuntu? The only thing we know is that nobody was able to crack the Ubuntu machine for the rest of the day.
Or were there only two decent hackers, and the other ones were there just for show?
Edited 2008-04-04 18:35 UTC
No interest from hackers: for me it is a clear Linux advantage and it is the reason why I use Linux as a desktop.
Also, Linux is not a main target because its users are “smarter” (in the mean sense) than Windows and Mac users. They don’t use a login with administrator privileges nor use flawed products such as Internet Explorer, Outlook, ActiveX, etc.
Whew, it’s a good thing to know that I’m not a Mac user because I use a staff account rather than an admin account on all of my machines. Oh wait, I am a Mac user… What the hell am I thinking! I’m supposed to be some sort of elitist knuckle dragger.
Sorry to blow your “theory.”
You didn’t. On average, he’s right. People who use Linux often do it because of an interest in computers. That makes them “smarter” when it comes to knowing what you should and shouldn’t do with computers.
It doesn’t mean people who use Macs are less smart, but they probably focus less on computers than the people using Linux.
By extending your logic I must be smarter about computers than you are because I use BSD quite a bit. 🙂
I love all this snobbery about user X must be smarter about computers than user Y because Y uses such and such OS. Or the average user of one OS is more savvy than those who use another. Come on people, get over it. There are a lot of computer smart people who use Windows and OS X.
Anyway, as for the article, I have to say I doubt the explanation as to why Linux was not targeted. When money is involved you go for the easy mark first. Could it have been compromised? Quite possibly, but the fact that it wasn’t tells me the contestants felt it would be the hardest to crack. Now if they really want to have fun at the next one, why don’t they throw in a BSD system?
That would be sweet. Then there would really be some competition.
Even though I’m a Linux user, I’d love to see Linux cracked in one of those contests to boost distro’s attention towards providing an iron system by default.
I was just really being a smart ass, but I do know quite a few Mac users that don’t run as admin. You Linux guys had better beware though… If Linux does start to catch the interest of Mom and Pop/novice users for desktop use, your “smartness” is going to suddenly find itself at the level of us knuckle-draggers…
I wouldn’t recommend placing too much trust in obscurity or market share. It tends to be the responsiveness of the developers and the higher average user knowledge that help POSIX-like OSes. Vulnerabilities tend to be configuration issues.
Obscurity is only of use to the attacker, who has to eventually evade and escape. The defender has to be able to shine a spotlight on themselves and still not be movable.
If you have something someone wants, they’ll target whatever platform you’re using.
If what I’m supposed to walk away with is that Vista is not worse than Linux in the security department because there just wasn’t any interest in hacking Ubuntu, then can I assume that OS X is not worse than Vista or Linux in the security department either, but simply that it is the most popular OS?
OK.
Linux ignored, not immune?
The kind of hacker that wants to subvert a desktop, or phish from its user, would say just this. Keep this in context. When it comes to servers, Linux is very high profile and you will not see such things stated there.
Bite-size headlines like these can be so deceiving.
If you want to own a linux server, you attack php or apache. I don’t think that was part of the config here (otherwise it would have been a dumb contest: two desktops versus one server). I’ve personally seen a linux server run by a friend (who misconfigured it) get taken over and used as a remote proxy. People target linux servers all the time.
I’d chalk this article under FUD. Think about it: The Vista supporters can’t claim they didn’t get hacked, so they have to find some other way to make the winner (Ubuntu, i.e. Linux, of the cancerous GPL license, blah blah blah) look less impenetrable. They can laugh at Apple for having been hacked first, but they still have a black eye.
The results of the CanSecWest contest definitely made the major news, because my mother-in-law (who knows very little about computers, but knows I run Linux at home) heard about it over the radio and gave me a call.
In her words: “You’ve been saying all along that Linux is more secure, but it’s interesting to have it proven out in a real contest.”
Regardless of whether Ubuntu could have been hacked, it wasn’t. That still means something, no matter how much FUD you throw at it.
It used to be “If Linux had the same number of users, you’d see the same amount of holes as in XP”.
I always enjoyed asking them if the new security features in Vista were pointless then, because once it would be as widely used as XP, by the same logic, it should have the same problems.
“Prior to joining TippingPoint, Terri was a Security Program Manager for the Microsoft Security Response Center, focused on driving the resolution of security vulnerabilities within Microsoft products.”
http://dvlabs.tippingpoint.com/team/tforslof
This at least explains why the vast majority of the second page is spent talking about how hard it was to hack Vista SP1. It is also interesting that there was no laptop submitted containing Windows XP with SP2/3…maybe they knew that would be too easy…
A security professional who worked in information security before his current job in information security? Say it isn’t so!! What is this world coming to?
(hehe.. I couldn’t resist)
… what firewall and antivirus software are you using on your Linux boxes ? 😉
The normal firewall and Clamav. Why?
The firewall is built into the kernel and I run ClamAV to protect any Windows machines I may have to interact with.
What AV and Firewall are you running?
… what firewall and antivirus software are you using on your Linux boxes ? 😉
Hmm. I am not running any firewall or antivirus software on any of my Linux boxes :O
I think the three OSes and others have stolen the hackers’ thunder; if that’s the best they can do then we are safer than ever.
It was all about egos and how to get the most media out of it; gone are the days where they could cause widespread destruction. The whole “we left Ubuntu alone” thing proves they want nothing more than to be talked about and for us to fear them in some way.
I find it sad they wouldn’t hack Linux for a Sony Vaio laptop and $5,000, I’d feel stupid if I was them.
The exploits represent someone being able to read any file which the browser can access. This could be (on Windows) any credit-card or personal information you store in your user profile.
I’m not a Linux “activist”, I’m willing to point out 100 deficiencies in the Linux desktop experience, but the one thing I’m willing to argue is that Linux is “at least” as secure (and probably much more, for various reasons) than what the competition has to offer.
The hackers obviously would try to figure out how to crack the system before entering the cracking contest. Either the hackers beforehand could not find a way to crack it, or figured that Linux was so secure that they weren’t going to be bothered. They should have done the 3 OSes at different times, and if a hacker could hack all three they get triple the money. It’s like the hackers just chose the easiest system to hack, because it would be the most likely to deliver them cash.
A contest such as this is not a measure of relative security between operating systems. It’s not an accurate barometer.
Isn’t it? At the very least, if the Ubuntu machine was easier to crack, it would be hard to see why there is no interest, given the possible compensation. Additionally, the source is available, making it easier to find security errors, if Ubuntu was insecure.
If there was no interest to own the Ubuntu laptop, it was possibly because the contestants judged the Ubuntu machine harder to crack. Given the expertise of the contestants, they would probably be qualified to make such judgments.
But I see someone has already followed the money trail.
I think what was meant is that people spend more time and energy trying to hack Windows and Apple boxes, and as such have more experience at it. I’m sure Haiku or SkyOS (for example) is plenty hackable, but if you have no experience doing it, you will be spending time figuring out strategies before you start spending time employing said strategies.
I do think that it was a bit too dismissive of the fact that out of the three OSs, ubuntu was the only one that didn’t go down though. Even with the fact that it is by far the most obscure, it is still an accomplishment.
Obscure to end users and script kiddies maybe, but that’d hardly be the case for security professionals (regardless of which side of the fence they happen to fall on). If anything it should be easier to formulate an attack strategy for the open source *nixes; you have more or less the entire OS freely available for your perusal.
You are right, but that still doesn’t mean that millions of lines of code can be read, understood, and analyzed in a short amount of time, especially if you are not familiar with it.
All I’m really saying is he may have a point, to a degree at any rate.
Maybe most of the guys there were Linux fans and would prefer to see Windows fall than Ubuntu.
Assuming you can only use the flash hack on 1 of the 2 machines, and you’re a Linux fan, you’re obviously gonna use it to bring down the Windows machine.
Maybe. Linus likes Macs. Maybe that’s why the hackers were running Mac laptops.
If I was a Linux fan and could take down either or any of the OSes I’d be tempted to go for the Vaio and get the vulnerability in Linux patched. Perhaps that’s because I have no interest in Vista…
Maybe sponsors of such contests should mark certain systems considered “more secure” with a substantially higher reward?
And in case still no one will try to crack such a system, they should hire some Steve Ballmer look-alike, dress him in that famous sweaty shirt and give him a briefcase full of money and a line to say: “Hi! I’m Steve Ballmer, and I came here to give you some of my last year’s income. Take it and spend it as you like.”
When still no one is interested, then we all have proof that hackers indeed believe in a “free lunch”.
This article reminds me of the wimp who does not join in the fight because “they did not want to hurt him”…
They do not give themselves away knowing that they would lose, but they give the impression that they are still a threat.
One thing I have noticed using Linux for so long is just how tight the system is. There are ways that someone could be coerced into compromising their own machines, but that is social engineering, not really hacking a system.
I have encountered a lot of people contacting my workplace with hosed Vista machines, one said he was hacked by remote desktop assistance hehehe, and so far only one company who said their Linux machine had been hacked. It had indeed been hacked, someone had logged in as root, deleted all log files, and set up an AT command to continually call a script to “ls -R -all”
This slowed the server down no end…. However, it was actually done by an employee who knew the root password and was sacked. Not exactly hacking. He knew the password.
In fact Linux is that hard to get applications to run on, never mind malware running covertly hehehee :p
Why wasn’t there a so-called interest in Ubuntu?
Answer:
Out of all three, Ubuntu posed the greatest challenge. Why would those hungry hackers try to attack a cold, slippery, wet penguin of an OS, security-wise, of the three, rather than just efficiently and with less effort plucking an apple from the tree in the challenge for the prize? That’s unthinkable.
But You did notice, OpenBSD wasn’t even considered!
When the fox doesn’t get the grapes he says they are sour.
“A contest such as this is not a measure of relative security between operating systems. It’s not an accurate barometer.”
Hmm….so why bother organising the thing in the first place?
More a case of ‘our little scheme backfired so please don’t look at the results’…
Edited 2008-04-04 01:46 UTC
I totally agree with you. Why put up 20K-10K-5K for the prizes if, in the end, the organizer itself states that it does not mean anything?
Do I have to say that there might be some interests in between?
I don’t really know what the reason is, but I think that saying something like that just shows how they try to put down the effort of thousands of developers out there that try to make free software usable, stable, and last but not least, SECURE.
I agree, hacking Ubuntu and any x86 Linux for that matter would be a matter of time as retrofitting the same exploit would not be that difficult. Moral of this story is if you want more security, stay the hell away from x86 processors. More serious processor architectures offered non-executable stacks out of the box for years, which foils 99.9% of all stack smashing exploits out there. If you want security, go for Power or Sparc.
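Whether a Linux binary asks the loader for an executable stack is recorded in its PT_GNU_STACK program header, which is what `readelf -lW some_binary | grep GNU_STACK` prints. The following is an added example, not code from the commenter or from any project discussed on the page: a small Python parser that reads that header from ELF64 little-endian images and reports the requested stack policy, and, when run on Linux, also reports whether the CPU advertises the NX feature flag in /proc/cpuinfo. The sample ELF images are constructed inside the script purely to exercise the parser; they are not runnable programs, and the function names are this example's own.

```python
import struct
import sys

# ELF constants (from the ELF and GNU ABI specifications).
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
EHDR_FMT = "<16sHHIQQQIHHHHHH"  # ELF64 file header, little-endian, 64 bytes
PHDR_FMT = "<IIQQQQQQ"          # ELF64 program header, 56 bytes


def gnu_stack_policy(elf: bytes) -> str:
    """Classify the stack request of an ELF64 LE image.

    Returns 'executable' or 'non-executable' from the PT_GNU_STACK flags, or
    'absent' when the binary carries no such header (the loader then falls
    back to its default, so an audit should treat 'absent' as worth a look).
    """
    if len(elf) < 64 or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if elf[4] != 2 or elf[5] != 1:
        raise ValueError("only 64-bit little-endian ELF is handled here")
    hdr = struct.unpack_from(EHDR_FMT, elf, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return "executable" if p_flags & PF_X else "non-executable"
    return "absent"


def gnu_stack_policy_of_file(path: str) -> str:
    """Same check for a binary on disk, e.g. /bin/ls on a Linux system."""
    with open(path, "rb") as fh:
        return gnu_stack_policy(fh.read())


def cpu_advertises_nx():
    """True/False from the 'nx' flag in /proc/cpuinfo; None if not on Linux."""
    try:
        with open("/proc/cpuinfo") as fh:
            for line in fh:
                if line.startswith("flags"):
                    return "nx" in line.split()
    except OSError:
        return None
    return None


def build_elf(stack_flags):
    """Constructed minimal ELF64 image (not a real program) for testing.

    One PT_LOAD segment plus, unless stack_flags is None, a PT_GNU_STACK
    header carrying the given flags. Offsets and addresses are placeholders.
    """
    phdrs = [struct.pack(PHDR_FMT, PT_LOAD, PF_R | PF_X,
                         0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)]
    if stack_flags is not None:
        phdrs.append(struct.pack(PHDR_FMT, PT_GNU_STACK, stack_flags,
                                 0, 0, 0, 0, 0, 16))
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LE, v1
    ehdr = struct.pack(EHDR_FMT, e_ident, 2, 0x3E, 1, 0x400000,
                       64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(phdrs)


def audit(images: dict) -> dict:
    """Map image name -> stack policy for a batch of in-memory ELF images."""
    return {name: gnu_stack_policy(blob) for name, blob in images.items()}


if __name__ == "__main__":
    samples = {
        "hardened.bin": build_elf(PF_R | PF_W),         # rw-, the normal case
        "execstack.bin": build_elf(PF_R | PF_W | PF_X),  # rwx, flag for review
        "legacy.bin": build_elf(None),                   # no PT_GNU_STACK at all
    }
    for name, policy in audit(samples).items():
        print(f"{name:15s} stack: {policy}")
    print("CPU advertises NX:", cpu_advertises_nx())
    for path in sys.argv[1:]:  # optionally check real binaries given on the command line
        print(f"{path}: stack {gnu_stack_policy_of_file(path)}")
```

Run it with no arguments to see the three constructed cases, or pass paths of real binaries to classify them. A toolchain normally emits `PT_GNU_STACK` with `RW` flags; an `RWE` result, or a missing header, is the thing to chase down (often an assembly object linked in without a `.note.GNU-stack` section), because it is what lets the process stack be executable even on a CPU that supports NX.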
That now we are on the other side. The Linux fanboys refuse to believe their OS was vulnerable but nobody wanted to try.
I am an OSX fanboy. I believe my OS is vulnerable and I am glad when responsible stuff like this happens to find bugs for my OS.
Next year, put 3 Macs, running OS X, Windows, and Linux. Something tells me that they will get owned much quicker than a Fujitsu or a Sony or whatever else…