This story was updated to correct the maximum prize amount available. Tired of all the knee-jerk banter from fanboys about whose operating system is the most secure? So are the organizers of the CanSecWest security conference, which will be held in Vancouver later this month. And with a contest awarding as much as $20,000 worth …
The easiest box to hack...
....is the one with the dumbest owner.
I'll put my money on Flaky Buggy Swiss Cheese OS X
and all the MacMonkey Kool Aid Drinkers will faint from acute Denial Fantasy. The more and more evidence that it's OS X that's a POS, the deeper the Apple FanBoys stick their heads up their arses to escape reality.
Whoever hacks a laptop first gets to take it away with them?
So once they've proven how crap the OS is they get to keep the vista machine?
I suppose at least if they won the mac they could put any OS on it, whereas the vista/ubuntu machines you're limited to windows/linux(/dos/etc)
What's the betting that they have XP running within fusion on the mac? that'd double the vulnerabilities while still keeping to the rules of popular software.
Not a fair contest
It all depends upon who wants which box the most. I personally wouldn't want a MacBook air, I'd prefer a good ol' MacBook Pro. As for the PCs, I'd rather have a new Thinkpad so wouldn't bother attempting them. This is all pretty academic as I'm by no means some kick ass hacker.
So they invert the economical factor?
Which of the three is the shiniest? Then that one will be targeted more than the others I guess!
Paris coz' she also can't separate economical logic from shinycity.
Will you put your Reg commenting privileges on it?
And I look forward to you eating your words... Care to make a real wager?
@ Tim Spence
"with the world+dog currently hacking Vista, there can't be that many exploits left undiscovered."
O ye of little faith! There are literally million of lines of code in Vista; even Microsoft isn't aware of all the exploits.
Have to agree with Tim there
Surely a known security hole that is still present in the most up to date patches is much more of a concern that a one-off homebrew hack by a pro? In the interests of exciting competition i can see the reasoning behind that rule, but it most certainly invalidates this as a test of the most secure OS.
@ Webster Phreaky
It's funny. I don't own a Mac, don't use a Mac, and I think the MacBook Air is design for morons.
But I am absolutely certain that OS X is orders of magnitude more secure than any version of Windows; OS X doesn't come with Internet Explorer, and IE is *designed* to allow remote code execution.
The problem with this. . .
"Winning exploits must target a previously unknown vulnerability; vulns that have already been reported to the affected software maker or a third party are not eligible."
That is horribly unfair, because Apple in particular fails to fix vulnerabilities even after they've been reported. This skews it horribly in Apple's favor. After all, what other company sits on a publicly disclosed security vulnerability for a year and STILL doesn't fix it?
bargin - for them
yeah submit a previously unknown bug allowing code to execute for the price of a laptop PC - what a bargin - for them.
Watch out for a few hours into the competition the rules being relaxed to the point of uselessness so they can announce a 'winner'
"with the world+dog currently hacking Vista, there can't be that many exploits left undiscovered"
As Oscar Wilde said of second marriages "the triumph of optimism over experience".
Are you really suggesting that, after several years, XP has no vulnerabilities left undiscovered?
The advantage the linux hacker has, of course, is that he/she has full access to ALL the coding - which is why its hacked so much more often than Microsoft produts, isn't it?
It doesn't matter
It doesn't matter what the story is about, if it mentions Apple/MS/Linux or anything vaguely related, people write bad comments about it or the competitors.
Here's a quick template to save them coming up with something even vaguely original:
*Delete were appropriate
Apple/Microsoft* are awful, why does anyone use the overpriced stuff created by them? The should try using a proper operating system like OSX/XP/Vista/W2000/Ubuntu/OtherLinuxDistro*. I had a OSX/XP/Vista/W2000/Ubuntu/OtherLinuxDistro* system and it was awful, so many problems with it. In the end I got OSX/XP/Vista/W2000/Ubuntu/OtherLinuxDistro* and it works great. The Apple/Microsoft/Linux* fanboys should stop licking obs/Gates/Ballmer/Linus* by ignoring the failings and start using free/stable/flexible/innovative/intuitive/secure* stuff like me. Take your JesusPhone/Microshaft/Freetardware* and shove it!
@ Morely Dotes
Quote: "Vista; even Microsoft isn't aware of all the exploits."
Waddya mean, "even"? Microsoft seems less likely than most to be aware of Windows exploits - or, rather, to admit they exist.
Your remark about IE's designed-in code execution is cock on.
Wait a minute couldn't they
just sell the vulnerability + exploit code and buy whatever they wanted this contest rule doesn't make any sense.
If you're used to writing exploits for windows machines wouldn't you go for the Vista box as it'd be the easiest for you?
The counter to that people may avoid the Vista machine just for the sake of proving linux/mac isn't secure - as you're only allowed to target one machine you'd have to pick one.
Also the shiny aspect has been mentioned - butt ugly flakey fuji, sexy sony or sleek air?
All the air's and graces of a fair fight but still not cutting it - you can never get a fair balance due to the above, and other, circumstances.
@Morely Dotes, Funny ... OS X was the loser LAST YEAR!
How do you Apple FUDS account for that??
And as for the inane comment "Dumb prize", a computer is a computer whether it's a notebook or a desktop. The target is the OS, not the conveyance, dope. A MacBook Air is more attractive when it's free than having to buy the under-featured POS.
I'll have plenty of Catsup for you MacTards to eat your Crow with. Keep watchin.
John Doe got it right, the biggest security hole on any computer is the user.
If you really want to count security holes, you can always look at the CERT advisories. Over the years, the number of threats has been remarkably close to equal for Windows and Linux.
@The problem with this. . .
"That is horribly unfair, because Apple in particular fails to fix vulnerabilities even after they've been reported. This skews it horribly in Apple's favor. After all, what other company sits on a publicly disclosed security vulnerability for a year and STILL doesn't fix it?"
Couldn't have said it better myself, nearly spat coffee all over my keyboard after reading that.
+1 for IR
Well said that person!
Also, i was under the impression that the going rate for an unknown vuln was on the order or several grand anyway. so....
~£700 - £mackbook pro and 1337 glory. (and 10k prize for the last compo? nice! assuming you win...)
fair bit of cash for selling expoit to legit people (no time limit)
loadsa £££ for going black hat on peoples a$$es (both selling and using exploit) (no time limit)
besides, whats the point in finding a shiny new exploit when there are plenty of known ones that are not yet patched?
as paris might say:
glory is nice, cash is better. ;)
Soft Linux target
I would have thought that Fedora running SELinux would have been the harder Linux target. Zero remotely exploitable flaws to date.
My coat is the one with Mandatory Access Control.
And to think
that we were getting worried that Webster might be sick or have expired from excessive spleen. Back to his usual rabid form after all. If you don't want to buy something then don't buy it. No need to make it your mission in life to insult the item and anyone who does actually buy it.
And here is the articles from last years:
Way they're written suggest that is that Mac was the looser because it was the only contestent (can anyone confirm).... Gee Webster, hardly a fair fight if the other guy doesnt show up.
uh, what? a contest? maybe you need to go to journalism school
What the hell kind of article is this, anyway? It seems more like an advertisement for the "contest" than an actual, objective, researched account of the event-to-be. You're implying that such a "contest" can *end* or serve to be a talking point for fans of one operating system over another? One commenter already pointed out that CERT numbers over the year are very close for Linux and Windows, there's no mention of how different the code bases are, how mature any of the individual products are at the time of the "contest," nor does it mention how absurd it is to call such a thing a fair competition at all. Sounds more to me like you either have no idea what you're talking about, you're one of those who actually thinks Fox News is "fair and balanced," and/or just wanted to plug the event and get another dollar for posting another article. Too bad the register doesn't pay for quality instead of quantity.
As for those who are wasting your time and ours touting the wonders of your operating system, hey, let's have an subjective argument about car brands next! How about shampoo! Because we've all had *exactly* the same amount of experience and training and marketing spewed at us for every brand of shampoo and every brand of car, so certainly we can form rational, logical opinions on which is the 'best' for every or any situation. Christ, people, flame wars were so last century. Stop wasting the bandwidth of those of us who want to use the internet for more than a giant circle jerk.
Re: Soft Linux target
"I would have thought that Fedora running SELinux would have been the harder Linux target."
Agreed. I have enough trouble running things normally with SELinux installed. I wouldn't even know where to begin with a remote exploit.
... and my coat is the one next to it. The one with all the sleeves and pockets sewn up.
@ some person
You forgot to include the (still unresolved) issue of whether valves are better than transistors.
Mine's the one with the 1968 Newnes Valve and Transistor catalogue sticking out the pocket.
Let us know how this turns out. I for one want to know which falls first though for all intents and purposes I think whoever tries the Vista box will get so frustrated with the UAC on Vista they will probably crack the laptop faster by hitting it with ol' trusty the sledgehammer. But let us know :)
shampoo and cars
i often find head and shoulder leaves my hair nice and managable where as herbal escences and pantenne make my hair feel frizzy. so head and shoulders ftw
i think the newer model fiesta look spiffy, but have never driven one.
ok ill bite
yes the article is obvious flame bait - sorry - "a thoughtful piece intended to encourage debate" but it hardly warrants your level of vitriol.
the contest is between the *people* and assuming the CERT metric makes all Os included "very close", then *it doesnt matter which system is hacked first*, only how fast the person is.
"Stop wasting the bandwidth of those of us who want to use the internet for more than..." looking down our noses at people who dare discuss things?
or to sum up
"Stop wasting the bandwidth of those of us who want to use the internet for more than..." Trolling
And who knows...
After they're done they might even get up the courage to talk to a real human girl!
No sorry, I'm just being daft now.
Its probably a PR stunt
Its another attempt to demonstrate "Look, see, Windows is as good as OS-X and Linux!" (They might shoot for "better" but that's probably too ambitious.)
re: cert statistics
from the register itself
"We queried the United States Computer Emergency Readiness Team (CERT) database, and the CERT data confirms our conclusions by a more dramatic margin. When we queried the database to present results in order of severity from most critical to least critical, 39 of the first 40 entries in the CERT database for Windows are rated above the CERT threshold for a severe alert. Only three of the first 40 entries were above the threshold when we queried the database about Red Hat. When we queried the CERT database about Linux, only 6 of the first 40 entries were above the threshold."
looking at cert numbers alone is pointless.
36 issues fixed
Lucky Apple fixed 36 security issues yesterday :)
You all miss the point
The problem of security holes is nearly pointless. Windows doesn't need to be attacked, it runs slower and slower each week from the minute you buy a new computer until it is so slow that it is worthless. Linux doesn't work with my printer or my wireless card, and the free freaks drop subsysyems that work for things that don't simply because they have more utopian licenses (sound and printing) OS X is worthless by itself without $$$ of purchased software and cost $$$ for every minor update and codebase patch.
I have all three, and an exploit would be refreshing, better than products that I pay good money for that in one way or another render themselvers inoperable.
They all suck.
I wager the first system is broken when person A hits person B and C with brick and throws all three on floors, jumps on them, etc
Mines the windbreaker with the Commodore 64 behind it
You don't get it, do you?!
The SOLE purpose of this event is to uncover new vulnerabilities which aren't yet known and obtain full disclosure of how they can be exploited. It has absolutely nothing to do with comparing different products.
My guess is unbuntu
personally, i think i think they shouldn't install third party software, just defaults with full patches.
The quicktime exploit last year would have also worked against windows, but the exploit writer was quoted saying he targeted mac on purpose 'because of smug attitude' (because i wanted to join the smug club)
Re "You don't get it, do you"
Errm, the contest is IMHO mildly pointless for a variety of reasons:
(1) Skillset. As with any pen test (which is what this is), it only proves that at a certain point in time a certain operating system in a certain configuration was (not) hackable by a certain person with a certain skillset, and who was or was not entirely awake at the time. That's quite a few variables that can change and invalidate the result so ever if you get an OK it may only be valid for a second.
(2) Return on Investment. You assert that the idea is to find new vulnerabilities (which, incidentally, are by definition "not yet known" :-). The question you forgot to ask is just how useful that public announcement would be to the wannabee hacker. Not only could he get exposed as "a danger to society, better make him a terrorist" - remember, there are laws out there that make security research legally dangerous, from a pure return on investment point of view such an skilled individual may turn instead to use his knowledge in writing toolkits for organised crime if he's not too worried about the police (or is pressed into "service"). So he's not going to show up on the radar.
And don't get me started on the risk factor of discovering a zero day publicly so that the supplier doesn't get a chance to fix the problem before announcement. Could become quite an entertaining liability problem for the organisers..
I bet that
The attacks on the Linux machine are going to focus on skype, a proprietary application or driver is not easy to secure or to test for security problems. I find the very idea of having skype on the linux machine to be unfair.
the above post is right, all operating systems suck; the question is what the hell are you doing about it punk.
Seems rather boring to me
Of course They had to choose Ubuntu, which is one of those excellently loaded distros that runs god knows what services by default. They should have thrown in some BSD just to make it interesting. And some machines that anyone would actually want to own (I mean have as personal property... not crack...).
Not exactly a balanced contest...
Few problems as I see it..
1) Different hardware in each lappy. There may be a vuln available in one particular laptop that isnt available in the other 2. BIOS, manufacturer drivers etc
2) This is a test of stable OS. I dont know anything about OSX, but Windows you cant just "install the OS", where you can with any form of linux. When does it stop being a test of OS, and more a test of "which 3rd party dev writes the shittiest code?"
3) Last year it was won by hacking an application, Quicktime. This year, the Vista box could be hacked via Quicktime, or the Mac box hacked via Office for Mac. Do you honestly think Microsoft would spend as much time on stability/security on a product for a competitor compared to one for their own market. Think Apple would return the favour?
Mine the tartan trenchcoat with "Cyncial Prick" on the back.
Seems a bit odd
Shouldn't the prize be the 2 computers that resisted hacking?
best tool for the job
... given the competition permits a hardwire (cross-over cable?) link - we must assume that the target system is in the room... so the most effective tool for getting anything out of this system is a philips screwdriver.
In all honesty though, as we already know, the easiest system to hack is one that was designed or operated by any member of a british government agency.
"The advantage the linux hacker has, of course, is that he/she has full access to ALL the coding - which is why its hacked so much more often than Microsoft produts, isn't it?"
Kinda, there are lots of theoretical vulnerabilities that are patched regularly - as people can see the code and guess. But I hate to disappoint you - there are not that many real world exploits.
I think if you read the CERTs, you will find that a large number of the Linux vulnerabillities are theroetical, unexploited problems that have been identified by examination of the code. Do you really think that the buffer overrun security pronlems were all discovered by experimentation? Many of these problems have not even got example exploit code published.
So, which do you trust more. The code that has been examined and found that there may be theoretical problems (which are fixed reeeal quick), or the code that has definite exploits published, and may not get patched for months. Just imagine how many problems are likely to be found in Windows if the code was open, if there are this many discovered by experimentation.
Please don't just count the exploits, examine them in detail, and you then won't compare apples and oranges.
The reason that they will be running Ubuntu is that it is probably the most popular/mainstream Linux that regular people would try.
Fair enough if some other distro is more secure "with no known exploits" but if a regular person like myself can't install it becuse you need and command line stuff then we would just go with OSX, Vista or Ubuntu.
This is a comp to find the flaws in the biggest/latest distros of each and not a competition of which version of an OS has the most secure version.
I'm sure someone could write a Linux distro that was 100% remote secure but if an everyday user can't use it easily then it is useless for everyday people. Thats also why they are having common apps installed on all of them, because people use them. If you had a OS with no apps then it kind of serves no point except to heat and light the room slightly!!
I don't get it.
If you have a fully patched machine without viruses or trojans etc, and you have a Norton / McAfee / TrendMicro etc. type firewall with all the ports except internet and email locked down, are you still vulnerable to be taken over completely from the Internet?
What about if you also have a modern router with an ADDITIONAL firewall?
Surely that must be safe? Or is this competition not using firewalls and third party security products?
On the money
are the posts pointing out that the real weak point is the WetWare. I'd wager that 90% of *real world* inappropriate disclosure of computer data (which is what actually matters in the end) and creation of botnets comes down to social engineering.
Even on the notoriously hackable XP/2000 + IE combo I reduced real world infections by Malware by about 99% by finally separating users from the admin rights which they'd historically become accustomed to believe they were entitled to have and run with - admittedly, at the time when the only remote mass configuration options we had were NetWare login scripts, which run as the user logging in, this was pretty much true. But I digress.
A better use of time than this contest would be finding the writers of software who expect the user to have admin rights on Windows boxes and putting them up against the wall. Mind you, they'll be out of a job soon anyway because their shite won't work on Vista with UAC.