After a week full of Red Bulls, Fruit by the Foot and dreams of In-N-Out, the mighty Sony VAIO loaded with Linux stood as the only machine unhacked by the end of the
PWN 2 OWN hacking contest at CanSecWest. As you're well aware by now, the MacBook Air on display was
seized in two minutes by the presumably well prepared Charlie Miller, and after two full days of work, Shane Macaulay and a few of his 1337 associates managed to crack the Vista rig on Friday. Reportedly, Shane and his pals weren't expecting to do battle with the extra protected SP1 version of Vista, and while the exact loophole won't be divulged, we are told that it was a cross-platform bug that "took advantage of Java to circumvent Vista's security." In the end, it was reported that some folks on hand had discovered bugs in the Linux OS, but many of them "didn't want to put the work into developing the exploit code that would be required to win the contest."
[Image courtesy of
TippingPoint]
posted March 29th 2008 2:48PM
Sorry, this was actually supposed to be a reply to the first comment.
you felt the need to write it again?
In the end, it was reported that some folks on hand had discovered bugs in the Linux OS, but many of them "didn't want to put the work into developing the exploit code that would be required to win the contest."
What, the Linux men were afraid to touch their almighty Linux. Come on guys we all know their is no such thing as a safe OS. Not Mac OS (better start beefing up security Steve, cause this wasn't exactly good news), Windows will remain the swiss cheese of the OS's and Linux is a hackers paradise, so how safe can that be?
Since when does one day and two minutes equal two minutes?
Since resetting the timer on the second day.
I would use Linux but i need to run programs and no longer live in my mom's basement at age 37.
I run linux and am able to use all kind of software that I need to use perfectly fine.
I am not 37 yet but my parents live in my basement.
And this is why I run Linux on both my laptop and desktop PCs. It is also why there have never - ever - been any major viruses for Linux that have actually spread. Yes, you can read that again. None. Ever.
I've been using Linux for almost a year now and while it was a pain in the arse to get running properly and to my liking (in fact the only hardware that's caused me any real problem is my graphics card - and that's down to ATi's driver support) I now have an extremely stable system that has no need for bloated software to sit and nanny it so that it doesn't fall over (read: UAC, third-party firewalls etc).
And as for the "I need to run apps" argument:
OpenOffice > MS Office, Amarok > Windows Media Player, aMSN > Windows Live Messenger, Firefox > IE, Thunderbird > Windows Live Mail & Outlook, Plus I can run games under Wine (application layer that makes apps behave as if they were run on Windows). I can also sync my Creative Zen Vision:M with Amarok's library (and you can also sync iPods as well - without the need for iTunes). I therefore don't need Windows - at all - and can quite happily survive without it. Both my desktop and laptop tri-boot between Fedora, XP and Vista because I provide support to people with those OS's and it's a hell of a lot easier to have the GUI in front of me.
And on a personal note, will someone please actually tell people that Ubuntu isn't the one and only Linux distro out there. Ubuntu has actually only recently surged to the top of the distro lists and - cynics might say - only because of some serious financial clout from a very generous multi-millionaire. I run Fedora rather than Ubuntu due to its RedHat server pedigree.
My Windows-to-Linux transition blog is here - if you're interested, take a look: http://www.cwatson.org/blog/2008/01/10/switching-to-linux-from-windows/
Linux isn't just for weirdy-beardies in their 40s you know...
You can run Vista and XP in virtual machines... save yourself a reboot! ;)
@Andir3.0: True, but I generally find OS's installed on VMs quite buggy - especially with Windows as the client OS - plus I like the idea of an OS running native, as you'll get the full performance out of the system rather than just what you decide to give it. Puts a lot less strain on the system as a whole :)
I've been using OO on my Vista boxes because I don't wanna pay the ridiculous price for Office 07 home. OO works OK, but... there is NO WAY you can say its better than MS Office, at least not the last two or three MS releases. OO is comparable to Office 2000 at best.
I tried to install Ubuntu on a P965/8800GTS box about a year or so ago, I had to give up after a couple of hours. The Nvidia drivers wouldn't even let me see the installation splash screen, and all the support recommendations I could find just didn't work.
@Spyvie
I prefer OO because of the native PDF-export function, but also because of cross-compatability. As of September this year, OO2.4 will be able to read/write MS Office 07 formats (.docx etc) as well as 2000/2003 (.doc) - as well as introduce PDF-edit functionality. In features, OO > MS Office, but granted it's all down to personal preference.
I also had graphics issues with Ubuntu (it would give me a maximum resolution of 1024x768 on my 1280x800 GMA950 laptop), I switched to Fedora, installed and it gave me 1280x800 out of the box with no problems. It's all about trial, error and research.
"there have never - ever - been any major viruses for Linux that have actually spread. Yes, you can read that again. None. Ever."
Same with OS X, of course it isn't free.
Although I don't endorse it, Apple doesn't make it hard for you to install new copies of it's OS on your Mac hardware without paying for it. Heh I saw a "McGruff the Crime Dog" commercial recently... must have been at least 12+ years since I've seen one, and it looks like the pulled out the old boy to do anti-computer piracy ads.
Heh I went to a bad link on mcgruff.org and saw "Apache/2.0.52 (Red Hat) Server at www.mcgruff.org Port 80", so at least he is smart (although it should have been a 301 code instead of a 300, I'm just glad he was able to escape lethal injection).
There is actually a patch to get OO to read .docx I got it off lifehacker but i'm sure google could find it
How short the memory; you must be a young pup. This arrogance is precisely what led to one of the most dangerous exploits in the history of computers when DoD UNIX systems were hacked some thirty years ago.
Of course, the real irony is that lists compiled by people who are actual experts in computer security have repeatedly found Windows is much more secure than Linux. In fact, only IBM's AIX was better and Sun Solaris just behind.
Stupid. Everyone knows 96% of people in the WHOLE world who uses a computer run Windows (WOOT!), 3% Apple, and 1% Linux. Of course any smart hacker would go for the 97%. And, seeing that there are soo many programs for Windows, there will be more bugs. But, who cares really? Get a good firewall and anti-virus on that shit and you'll be a happy camper! Windows 4 life! Ya digg?
"Stupid. Everyone knows 96% of people in the WHOLE world who uses a computer run Windows (WOOT!)"
The price money was just as big regardless of which OS they hacked. As they never intended to use their exploits to infect people's computers, what does it matter how many people are using each operating system?
I assume you are talking about consumers, and even then I'd be interested in your source. As far as the business world, Linux (and variations of) have come to rule, with Mac desktops coming in at almost every single design/animation/editing situation.
Outside of my business duties, at home I run a box with 1 gigabit in for the internet connection (I get nowhere that speed of course but it was a free sample =p) and a more important dual ethernet gigabit out card (one output to a switch, one to a wireless AP). As for the OSes, Vista Ultimate x64 (I wanted to keep running Windows 2000, but even though Microsoft will support it until 2010, many companies are not) and finally a dual boot of the latest version of Redhat Enterprise Linux. My main/most recent laptop is running Windows XP (because of some docking situations I find myself in) and the latest version of Fedora as well.
Oh btw, I just found some windows stats for Feb. 2008 and it seems like Windows XP has a 79% OS share with Vista coming in much lower at around 12%. Oh well, you weren't too far off (sadly, come on Apple, open up your software!). Please forgive any horrid grammar/spelling mistakes... I had a long day and my eyes are starting to close on themselves.
Quad-boot OSX,Linux,XP,Vista FTW!!! and stop arguing already all of them have their uses. Disk storage is so huge and so cheap nowadays that making four 100 GB+ partitions is possible.
I would LOVE to have OSX/Fedora/Vista all running from one box, even through virtualization or paravirtualization, but sadly you'd need an Apple setup for this and I could afford with paying back student loans atm would be a Mac Mini... which I don't think would be powerful enough.
Taking donations of Mac Pro/Xserve Octocores (hmm, reminds me of Metal Gear Solid) Systems. Save money on your energy bill, plus get a tax write-off!
No it is possible. The OSX86 project will help you in installing OSX on any x86 machine.
All you people whining about Linux...hopefully you don't use google, because the search engine uses Linux...oh the shame of it...ha ha ha!
Regarding why Linux was not hacked in the competition, there are several reasons.
First of all, we don’t want to hack Linux because we already own it. There is no us vs. them mentality when it comes to this OS. Do you think a Microsoft employee would hold back on an exploit to win some competition? Linux is everybody’s baby: there is a loving, caring relationship of hundreds of thousands of programmers which dissuades each and every one of them from exploiting their own code.
Next, Linux is better supported. This is a numbers game. MS or Apple will never be able to hire enough developers to match the brainpower devoted to Linux. As a result,
Linux is more thoroughly tested. White box testing is superior to black box. Because users can see the source, they will scrutinize it before introducing it to their environment.
Obvious weaknesses are caught sooner, so hackers can only take advantage of the obscure.
Finally, some of the competitors bragged they knew of an exploit, but it would take too much work to develop it. Why does it take so much work? Because when someone finds a weakness in Linux, they are obliged to make sure it is fixed. For the competition, in addition to developing the hack, they would have to fix it and make sure that it was tested all by themselves. How many people are going to risk being criticized in the community for not getting that right, and exposing their baby to harm?
safari is built on webkit which is open source. Its obvious the OS X hack was pre planned. Yes Linux is open source, but I think Linux is more secure because not only are a lot of people looking at the code; a lot of people are fixing it too.
Ha! The Mac isn't as secure as people thin it is and now some might believe this.
Yes, my Mac isn't as secure as I think it is. So go ahead, try to hack it. See how far you get. I mean, because you know, it's not as secure as I think it is, right?
I just wanted to point out that it's not as secure as the Mac users think it is and that some Mac users don't need to get all "oh I'm better than you 'cause I use a Mac".
Jesus, the foaming at the mouth mac zealots just don't get it do they? I guess that's why they buy the crap they do lol...
Yeah, no one wants a secure OS like Linux. Yeah I want a machine that can be hacked in under two minutes. Yeah, right!
Have you not been paying attention, or are you just stupid? Also, about the "foaming at the mouth zealot" thing - have you looked in a mirror lately? Pot, kettle, black?
Tell me how you would hack my Mac in two minutes. I want to see if you understand what happened at this contest.
guys just please shut up. if linux was easy to crack 60% of worldwide servers would go down as they use Linux. stop saying bullshit, we all know that linux is the most secure and stable OS (seen from a kernel point of view). it's not a linux vs mac vs windows. these articles are meant just to make fuss. I allready know that windows is easier to crack simply because it is not designed in a secure way (vista has changed a lot luckly).
also stop saying no one uses linux. that's pure bullshit. the only thing important to state here is that 99% of the times, open source software is drastically more secure than a proprietary one. I've never heard a windows system go down while using firefox, and you?
all network software should be open source,and that's all I have to say.
Why hack linux? Linux is created by "The People" and why hack it? I mean hacking it for the fun, that could work. Hacking it for the use of better protection is another story. I knew from the start that Windows + Mac OS X would be hacked easily, but I also knew that linux would be a lot harder to hack (primarly all hacking tools, at least what I have seen, use linux based platform).
Anyway, maybe the results of these hacks will be fixed?
Seems people are confused about whether it was Flash or Java that took down the Windows machine.
It wouldn't surprise me if it was Java. There are actually functions in Java that allow a programmer to perform direct reading and writing of system memory. When you have write access to the RAM, you have the computer.
I'm not surprised Linux wasn't hacked.
It was a room full of Linux fanboys.
100% Truth. And for those of you who didn't read this article, here's the important part again:
"In the end, it was reported that some folks on hand had discovered bugs in the Linux OS, but many of them "didn't want to put the work into developing the exploit code that would be required to win the contest.""
So Linux is no less hackable than any other OS, it's just that the hackers in question didn't *want* to hack it. They even found bugs and just didn't exploit them. Wow. Just... wow.
someone sounds bitter....
Spot on.
Or maybe it's just that I find it a tad irresponsible for hackers to find bugs and then not try to exploit them, despite the fact that they're in a contest that exists specifically to find exploits so that they can be reported and patched. Apparently, they're all either too lazy to do it or too proud to admit Linux is as hackable as anything else. Of course that's the really stupid part because these holes they found may or may not be patched now because they weren't reported, therefore making Linux more of a security risk than OS X, because at least the hole in OS X will be patched for sure.
Irony? You bet your ass.