Hack a Mac, get $10,000

Discussion in 'MacBytes.com News Discussion' started by MacBytes, Apr 20, 2007.

  1. macrumors bot

    #1
  2. macrumors 603

    gauchogolfer

    #2
    From the article:

    So, does this mean the firewall is turned on or off? It's normally on by default, but I'm not clear as to what they've done here.

    I'm interested to see how this pans out.
     
  3. macrumors 68000

    SPUY767

    #3
    I have a feeling that this will be a better conpetition than the last Hack my Mac competition which was BS. I mean, people aren't going to be throwing around 10G's lightly, unless of course it's an anti-marketing ploy by Microsoft to make it just hard enough that it takes long enough to get exposure, of course, in that case I would expect to see a side-by-side test with a vista machine.
     
  4. macrumors 6502a

    djstarrock

    #4
    The firewall isn't on by default it never has been.
     
  5. macrumors 603

    gauchogolfer

    #5
    Are you sure? When you go into Preferences and look at what ports are open by default, there are no boxes checked for anything. You have to manually set the Sharing preferences along with the Firewall ports to be open. At least this is how I remember setting up my machine at first.
     
  6. macrumors regular

    #6
    The services are all turned off by default, but that's not the same thing as having the firewall turned on.
     
  7. macrumors 68000

    mklos

    #7
    Exactly! The Firewall is its own seperate tab in the sharing system preference and its OFF by default.
     
  8. macrumors 68000

    mklos

    #8
    I like how they show MacBook Pros in the pictures of the original article and say they have MacBooks setup. :D

    And of course the story comes from Cnet, the most anti-Mac site out there!
     
  9. macrumors 603

    gauchogolfer

    #9
    Fair enough. I guess it's been so long since I've installed OS X that I forgot how it came 'out of the box'.

    Thanks.
     
  10. macrumors 601

    Diatribe

    #10
    Does anyone know whether the firewall is on by default in the Leopard beta? (If that doesn't break NDA)
     
  11. macrumors G5

    nagromme

    #11
    I always thought it was odd that the Firewall was off, since it seems harmless to have it on. But I know people with broadband already have a firewall in their router/modem anyway--protection that this contest doesn't seem to give the targets.

    Note that a human expert sitting down and spending time hacking into one particular Mac is MUCH easier (assuming it's possible) than making malware that does so automatically and spreads itself across the Internet, Windows-style. It's a first step, though.
     
  12. macrumors 6502a

    johnee

    #12
    This will be VERY interesting!

    sorry folks, but I believe someone will do it. There's a reason Apple provides Security updates!
     
  13. macrumors 68000

    SPUY767

    #13
    Simple fact is, this hack only applies if you're using on the same network with the hacker considering how it's set up. The last Mac Hack BS was set up on a static IP without a firewall of any sort. Fact is, most ISP's don't let your computer receive anonymous packets anyway in order to prevent people from hosting a website or the like. In addition, most home networks are going to be behind 2 firewalls, the one in the DSL/Cable modem and the one in the router that they are likely using. So unless the hack takes a half hour or so, it's pretty much irrelavent because most of the time you're not going to be on a public network for all that long.
     
  14. macrumors 6502a

    johnee

    #14
    You do make an excellent point. I think this competition is only open for 2 days, and it was announced in late march, so not sure if that's enough time, but we'll see!
     
  15. macrumors G5

    nagromme

    #15
    Regardless of whether any hacks would work in the REAL world or not, if they reveal some previously unknown bug that Apple can then fix, then the contest is good in my book! (And if nobody succeeds, that's cool in a different way :) )

    What exactly IS the timeframe? The only info I see online (which doesn't mention $10k) is:
    http://cansecwest.com/post/2007-04-19-12:30:00.Gentlemen_Start_Your_PWNing
     
  16. macrumors 68020

    winmacguy

    #16
    Here is an update article

    MacBooks survive day one in hacker jungle
    VANCOUVER, BC – Two tricked-out MacBook laptops have survived the first day of a 'PWN to OWN' contest that dared hackers to take control of default Mac OS X installations.
    The contest started around midday Friday Thursday, the second day of the CanSecWest conference here and triggered interest from hackers in attendance but it was not immediately clear just how many attempts were being made to break into the machines.

    Organizers say they have seen "some activity" on the network set up with the two new MacBooks — a 17" and a 15" — but details remained scarce when the day ended. According to a report, Tipping Point's Zero Day Initiative has added a $10,000 bounty to the first hacker who launches a successful attack with a new, yet-to-be-patched vulnerability.
    http://blogs.zdnet.com/security/?p=173
     
  17. macrumors 6502a

    johnee

    #17
    Yeah, that's where they announced the challenge, and I think the conf. was April 18 - 20, so today is the last day! There's two possibilities at the close of the challenge: no/little news of no successes or news all over the place of a success.
     
  18. macrumors 68020

    winmacguy

    #18
    According to the second article, they are going to lower the barriers to hacking the Macs on the second day if no one makes any progress. Sounds kinda lame if you ask me.
     
  19. macrumors G5

    nagromme

    #19
    They left these machines intentionally "vulnerable" in some ways, which is a good experiment to make.

    But it would be a better experiment if they left ONE machine vulnerable like that, and made the other one more of a common REAL world scenario--with the full $20k as prize :)

    The second machine would not give hackers the help this contest gives them:

    * Firewall off

    * No router/modem/gateway

    * Known IP address

    * Access given freely to a local network connected to the target

    * Both wired and wireless connections allowed

    I'm not an expert, but it seems to me that it would be more realistic (outside of hotspots) to make one machine a target where you have to find the IP address on your own, then get through OS X's firewall and a router/gateway like any broadband user has. No access given to the LAN, and no wireless (because that would require an attacker to be nearby).
     
  20. macrumors 68000

    mklos

    #20
    In the Leopard beta that I have its not enabled by default. Apple is not Microsoft and doesn't turn every possible option on by default. Apple believes in choice...
     
  21. macrumors 601

    Diatribe

    #21
    The last sentence is the most ironic I have heard in a while. :p
     
  22. macrumors G5

    nagromme

    #22
    I'll give you a MORE ironic one: "Microsoft believes in choice." :eek:
     
  23. macrumors G5

    nagromme

    #23
    This link explains how they are making the contest easier over time if nobody succeeds:

    http://blogs.zdnet.com/security/?p=173

    "On the second day, the barrier will be lowered a bit and the attackers will be allowed to put exploit code on a special wiki and launch drive-by exploits on the Mac's built-in Safari browser. If the machines survive this level, the attacker will be allowed to connect to over USB or Bluetooth."

    We're on the second day now I think. If they withstand this, then tomorrow we get attacks that require someone to be physically in the same room as the machine. Then on Sunday, I assume icepicks will be allowed :)

    We can be pretty sure it's not just attendees whose expertise is being used in these attempts: with $10,000 at stake, you can be sure people are reaching out to hackers around the world for ideas. (I just hope they admit it's for a contest and share the prize!)

    (Just imagined if they REALLY wanted to protect the file, and enabled OS X's File Vault.)
     
  24. macrumors 6502

    #24
    Bull.

    There are a vast number of people who have DSL flat rate and remain constantly connected to the internet at home, and of course all the business users on the net.

    I know of only one person who still uses dial up, (my sister who is on ISDN dial up).
     
  25. macrumors 603

    gauchogolfer

    #25
    I think the key in that phrase was 'public network'. You are describing someone on a private network, where they are behind a router.
     

Share This Page