PWN 2 OWN over: MacBook Air gets seized in 2 minutes flat
And just think -- last year you were singing Dino Dai Zovi's praises for taking control of a MacBook Pro in nine whole hours. This year, the PWN 2 OWN hacking competition at CanSecWest was over nearly as quickly as the second day started, as famed iPhone hacker Charlie Miller showed the MacBook Air on display who its father really was. Apparently Mr. Miller visited a website which contained his exploit code (presumably via a crossover cable connected to a nearby MacBook), which then "allowed him to seize control of the computer, as about 20 onlookers [read: unashamed nerds] cheered him on." Of note, contestants could only use software that came pre-loaded on the OS, so obviously it was Safari that fell victim here. Nevertheless, he was forced to sign a nondisclosure agreement that'll keep him quiet until "TippingPoint can notify the vendor," but at least he'll have $10,000 and a new laptop to cuddle with during his silent spell.

Reader Comments (Page 1 of 6)
peshue @ Mar 27th 2008 6:00PM
Oh my, I predict some extremely entertaining comments on this one.
Mike10010100 @ Mar 27th 2008 6:18PM
This is not directly at peshue, but at all of the posters here.
Before you go on saying how sucky Apple is, or how Microsoft sucks too, think about this.
Hacking with physical contact is only data mining. This can happen with any computer, not just Microsoft or Apple, or Linux even for that matter. It is when there are back doors in the software that allow for others of outside influence to get access to your data that is worrying.
Computers do what they are told, implicitly.
Therefore, if the programmer programming the software is flawed in any way, the ending result will also be flawed. This is true with everything we try to create with human hands. While humans are flawed, the things we create will invariably be flawed as well.
Therefore, be kind on others; the programmers that worked long and hard on your precious software couldn't think of everything that might go wrong. They imposed their flawed view of the world and how things work onto their programs.
None of the failures of software you might encounter on a day to day basis is personal. The programmers aren't saying they hate you, they simply didn't account for every possible outcome.
That is the reason we have updates. Humans would be doomed without the ability to think on their feet. We simply can't plan out every aspect of a situation before doing it. The updates to a piece of software are the programmer's version of "thinking on their feet".
Just take all of this into consideration before posting a hateful comment. Be nice to people, because they might be nice to you in return. People who have different opinions with us are what makes the world so interesting.
Thanks all, and thanks Engadget.
Mike10010100 @ Mar 27th 2008 6:21PM
Don't post a reply comment to me saying that he didn't have direct access to the computer. Sorry. If you disagree with my first paragraph, the rest will still make sense if you ignore it.
blah @ Mar 27th 2008 6:30PM
Where were you when Internet Explorer had these sorts of bugs? Gloating about how your Macs were superior.
Ray @ Mar 27th 2008 6:39PM
I call steroids.
Cal @ Mar 27th 2008 6:42PM
@ Blah
I was using firefox
Cal @ Mar 27th 2008 6:43PM
(that's about the IE, not Macs)
IMHO @ Mar 27th 2008 6:53PM
There are two reasons why it's extremely difficult to draw any meaningful security conclusions using this type of competition. 1) Different hackers are hacking different equipment. How do you distinguish between skill of the hacker and security of the system (e.g. there's not enough data to solve a two variable equation). 2) If the hack was performed in two minutes, all he had time to do was call on a pre-developed hack already saved to the internet. This doesn't accurately reflect the time/effort required to develop the exploit. Even if it takes 24+ hours for the other systems, does this mean that the systems are more secure, or just that the Mac hacker came to the competition better prepared? About the only comparison that I would think would be meaningful would be the same hacker requiring different levels of access (different competition rule sets) to achieve a similar outcome.
John @ Mar 27th 2008 9:30PM
"Therefore, if the programmer programming the software is flawed in any way, the ending result will also be flawed. This is true with everything we try to create with human hands. While humans are flawed, the things we create will invariably be flawed as well."
The solution is simple. Destroy every human.
roz @ Mar 27th 2008 11:20PM
From the original article:
"Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday, the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages."
Not quite as bad if you read that section. Assuming there was a queue of people asking things to be done to the machines. Any of the machines could have been hacked first, assuming they were eventually hacked under these conditions. Maybe the Air was just the most sought after. :) :)
XGM @ Mar 27th 2008 11:17PM
You sir are right because truth is that there will always be security flaws no matter what OS you run. The problem is that fanboys from all sides will claim that their OS is better. Now that a Mac has been hacked the windows people will rejoice, and I will start backing up my Linux server and MacBook Pro with both Leopard and XP.
bob @ Mar 28th 2008 12:46AM
@mike10010100
You, sir, are a genius. I absolutely loved your post. If I ever lectured in compsci, I will be sure to include the because human hands are flawed bit, as well as the gist of everything else. Thank you for the simple pleasure of reading that.
Mike10010100 @ Mar 28th 2008 6:04AM
Thank you so much for the positive replies. I just get so ticked when I see people arguing over which computer system is better, because they always eventually end up making fun of the other's flaws. Then they cling on to those flaws and never concede.
Instead of finding flaws in other people's work (which is great for upgrades and such, but it doesn't have to be nasty and personal like it always is), maybe they should be finding ways to make themselves a better person by looking at THEIR flaws. It's really interesting, because it's a great analogy to how people react to other people. If they are really accepting to other people, they won't be too critical because they know that like people, software can change and become better.
Thank you for the positive support bob; it gives me great pleasure to give something to the internet community.
(also this post might not be as clear and articulate as the last one, as it is 6 in the morning and the coffee hasn't worked its magic yet)
Thanks,
Mike(binary)
fanman @ Mar 28th 2008 6:06AM
ZOMG GOSH MA MAC IS VIRUS PROOFS!!!11!one!!
BigDaddyM @ Mar 27th 2008 6:01PM
Like all computers suck?
M
Mike10010100 @ Mar 27th 2008 6:09PM
It is not the computer that sucks; it is carrying out its purpose perfectly. It's when the hardware starts to short circuit and say that 2+2 is 5, that's when the computer sucks.
The computer is only as smart as the programmer.
Flashpoint @ Mar 27th 2008 9:00PM
THE RULES OF HACKING
RULE #1 - If a hacker has physical access to a machine IT IS VULNERABLE.
The only thing that will stop hackers eventually is ARTIFICIAL INTELLIGENCE. A computer that thinks could theoretically detect an attack and either block it, or change the vulnerable software in ways that would resemble a virus adapting to vaccines.
FRZ @ Mar 27th 2008 10:15PM
Artificial Intelligence=some human program that is supposed to mimic human intelligence=flawed.
Does anyone else see the error here?
jhaks @ Mar 28th 2008 4:58AM
@ Flashpoint
The thing is though these hackers didn't have physical access to the machines. First they tried to break into the machines with only network access, then the second day they were allowed to tell the coordinators to do certain actions on the machines like go to websites and open emails. I'm assuming the rules were that the hackers could not ask the users to do super user tasks. Normal computer use by the end user resulting in a compromised system is still a hack without physical access.
Flashpoint @ Mar 28th 2008 8:08AM
jhacks
Being able to CONNECT TO A MACHINE OVER ETHERNET IS "PHYSICAL ACCESS"
There is no difference between connecting to a computer remotely and being next to it with a mouse/keyboard. Sure there are stops to keep you from having full access to it remotely but a true hacker can break those locks.
non-physical access (stand alone) means a computer is in a room with no network access - and its peripherals are completely guarded
OneLove @ Mar 28th 2008 12:08PM
I can't take a guy with a kitten avatar seriously. lol
Paul @ Mar 27th 2008 6:02PM
Does this mean there will be anti-virus made for macs? That would be HILARIOUS
James Mack @ Mar 27th 2008 6:10PM
There are anti-virus programs made for macs (ClamXav, Norton 11, Sophos, etc) just not very many people use them.
kal326 @ Mar 27th 2008 6:14PM
@Paul
That's not nearly as entertaining as knowing that there is an antivirus program for the PS3....
Clinton @ Mar 27th 2008 6:18PM
No, it just means that they'll patch the OS/application via a security update.
That's what usually happens.
Max @ Mar 27th 2008 7:12PM
The reason there are so many hacks and viruses for Windows machines is because that's where you find all the sensitive and/or useful data.
Kelmon @ Mar 28th 2008 4:01AM
While this exploit was performed on a Mac it wasn't done by a virus but rather it appears to have been done through an exploit in Safari. Given this there remains no real need for anti-virus software but I'm sure people will buy it (since it has existed as long as I've had a Mac) with the expectation that it will protect against such attacks, which it won't.
Vikram Desai @ Mar 27th 2008 6:02PM
Take that! Fanboys!
Derek @ Mar 27th 2008 6:56PM
I'm probably going to be low ranked, but if the hacker has physical access to the machine, it can be hacked... it doesn't even need to be hacked, he can just take it and run. Safari could be hacked, from a stupid user going to a site that probably is obvious that it will hack your computer, but a hacker getting control of a computer while sitting at the computer? What is impressive about that? Someone please enlighten me...
Phantom @ Mar 27th 2008 7:24PM
The idea is the cracker gets his code planted on legitimate websites, the victim visits one of those sites, and clicks the poisoned links. Suddenly the system is downloading malware and turning into a zombie bot.
roz @ Mar 27th 2008 11:07PM
Would be helpful to know how far he went with it. Did he just click a link? Did he accept the downloaded app? Did he launch it? Those are a lot of steps.
If he was just able to crack it from a link that is admittedly quite bad for mac.
jhaks @ Mar 28th 2008 6:52AM
@ derek
There was no direct physical access; the hacker had network access and was allowed to tell the user to use the normal bundled apps in the OS. The hacker was never able to do anything on the client machine. Considering that the computer was taken over by the hacker after the end user went to a website is not a trivial exploit and is actually a pretty bad security issue.
From the 2nd day rules:
"The attack surfaces increases to also include any default installed client-side applications which can be exploited by following a link through email, vendor supplied IM client or visiting a malicious website."
@ roz
The rules don't allow for downloading and running a program but even if an exploit was done in this way it is still pretty severe since a low privileged program gaining root access is still a big vulnerability.
Whaleman @ Mar 28th 2008 7:08AM
@Phantom
More likely he found a way to open up the computer through a flaw in Safari alone, since if it was installing malware, the computer would ask the victim for permission to start a downloaded software... most probably requiring an administrator password as well.
I agree with the consensus that he must have had this prepared long before... set on winning that money and the MacBook Air. I guess the PC and Linux machines weren't as attractive ;)
o rly @ Mar 27th 2008 6:03PM
Cue the fanboy wars in 3, 2, 1...
Jon Kit @ Mar 27th 2008 7:22PM
Never mind 3...2...1..., they're already happening above your post! (yes I'm aware they're replies and chronologically are probably after your post)
BobTurbo @ Mar 28th 2008 12:09AM
It's a storm of Apple fanboys unleashing hell in the form of text. Their minds must be overloading at this point.
zargon @ Mar 27th 2008 6:06PM
Ouch
Mike10010100 @ Mar 27th 2008 6:06PM
This is terrific! We need more people like him finding out new ways to exploit computers so that they can be fixed. However, if he had been running NoScript in Firefox, I think this wouldn't have happened.
josh @ Mar 27th 2008 6:18PM
NoScript blocks JavaScript only. Very few script specific attacks result in breaking the browser so as to exploit the client machine but rather are targeted at things like stealing cookie information via XSS. NoScript is to protect against a compromised website rather than to protect against attacks against the browser (usually scripts are doing perfectly valid actions). For attacks against the browser you are typically exploiting a flaw in the browser, for example exploiting some default handler to invoke OS commands, embedding an attack in a media file that exploits a vulnerability in the media parser, in the case of Safari getting it to automatically open .dmg files, etc.
Noscript does very little to protect against code or design flaws in the browser.
Mike10010100 @ Mar 27th 2008 6:22PM
You are correct. I apologize for my misunderstanding.
DarkAges @ Mar 27th 2008 7:56PM
@josh - regarding your NoScript reference (post 11292809), I think you must not have checked the specs lately. Here's the current NoScript description from the website ( http://noscript.net ) "this free, open source add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank), and provides the most powerful Anti-XSS protection available in a browser."
It now protects against far more than just JavaScript. However, I agree with the rest of what you said.
josh @ Mar 27th 2008 8:37PM
@DarkAges
Thanks, I hadn't looked at it recently. I tend to use IE 7 in Vista at home because the browser sandbox is protection no other browser can match (though Apple, seriously, you put apparmor on your mail app but not your browser? wtf) and I use the various internet zones with modified privileges to mimic noscript. It is much more a pain in the ass to enable script on a webpage (having to go add it to the trusted zone manually instead of clicking a button) but I really don't need to very often.
At work part of my job is pentesting company websites, so I sort of want scripts most of the time, even though firefox is my weapon of choice (tamperdata and Add n Edit cookies is way better than TamperIE). It is a bit harder to see if the alert('flaw found') successfully was inserted if I have to search the source rather than just getting the box to pop up.
That said, even with the additional content blocking, it still won't mitigate most attacks directed at a flaw in the browser. That will significantly protect users from vulnerabilities in third party apps like flash, the jvm, quicktime, etc, so it is still a very good feature.
Tynen @ Mar 28th 2008 3:21AM
All hail firefox and NoScript ;)
bravedeer @ Mar 27th 2008 6:07PM
Not impressive... He had physical access to the machine. He didn't hack into it.
Iain @ Mar 27th 2008 6:09PM
Read the article - he was only allowed to use software pre-loaded onto the machine.
All he did on the MBA itself was go to a website then it just bent over and let him in.
Dualboot @ Mar 27th 2008 6:18PM
He didn't touch the MBA. He only directed a user to go to the page that included the exploit code. This is not the same as having physical access to the machine, which of course is a gimme.
The fact is, whenever your box (regardless of flavor) is connected to the Internet, there is always a possibility it will be hacked (eventually). If you want to be really safe, you can live in a bubble and (dis)connect your network adapter whenever you need it...
tande @ Mar 27th 2008 6:19PM
Actually he never had physical access. On the second day they could instruct the user on the other computer to do simple things like go to a specific web site but that was it, he still didn't touch it.
retro77 @ Mar 27th 2008 6:23PM
Reading FTW...
Mike10010100 @ Mar 27th 2008 6:28PM
Maybe we have different definitions.
On the first day, people tried to do only a network hack. They failed. That to me proves that without any human interference, the computer was able to stand on its own. It was only when the stupid user comes along and goes to a specific web site that had pre-designated code on it that the computer failed.
Mark @ Mar 27th 2008 7:36PM
The Mac is flawless as long as no one uses it, right mike100101001?