Vista, MacBook Out--Only Linux Left in Hacking Contest

Mak 2.0

Mod...WAFFLES!?!?
Staff member
#1
With Vista hacked Friday, a Linux laptop remained uncompromised at the CanSecWest PWN 2 OWN hacking contest.

The MacBook Air went first; a tiny Fujitsu laptop running Vista was hacked on the last day of the contest; but it was Linux, running on a Sony Vaio, that remained undefeated as conference organizers ended a three-way computer hacking challenge Friday at the CanSecWest conference.

Earlier this week, contest sponsors had put three laptops up for grabs to anyone who could hack into one of the systems and run their own software. A US$20,000 cash prize sweetened the deal, but the payout was halved each day as contest rules were relaxed and it became easier to penetrate the computers.

On day two, Independent Security Evaluators' Charlie Miller took the Mac after hitting it with a still-undisclosed exploit that targeted the Safari Web browser. After about two minutes' work Thursday, Miller took home $10,000, courtesy of 3Com's TippingPoint division, in addition to his new laptop.

It took two days of work, but Shane Macaulay finally cracked the Vista box on Friday, with a little help from his friends.

Macaulay, who was a co-winner of last year's hacking contest, needed a few hacking tricks courtesy of VMware researcher Alexander Sotirov to make his bug work. That's because Macaulay hadn't been expecting to attack the Service Pack 1 version of Vista, which comes with additional security measures. He also got a little help from co-worker Derek Callaway.

Under contest rules, Macaulay and Miller aren't allowed to divulge specific details about their bugs until they are patched, but Macaulay said the flaw that he exploited was a cross-platform bug that took advantage of Java to circumvent Vista's security.

"The flaw is in something else, but the inherent nature of Java allowed us to get around the protections that Microsoft had in place," he said in an interview shortly after he claimed his prize Friday. "This could affect Linux or Mac OS X."

Source
 
#2
Why don't they use any other OS?
Plus does the manufacturer have anything to do with the system being crackable or not?
As in would a Toshiba Vista be easier/harder than a Dell Vista?
But the Apple was beat. I mean 2 minutes is a bit too little. At least Vista gave a fight.
 

Mak 2.0

Mod...WAFFLES!?!?
Staff member
#3
What other OS would you like to have seen? They used the most recent OS from each of the major platforms.

As for your thought on if someone had any influence. No.

The machine was formatted and installed with just the operating system. No other stuff for the first day. They had to find a flaw in just that.

The 2nd day they had some other software. The 3rd day is when they can go all out.

So there would be no influence from a Dell over a HP since there was nothing from either company installed.
 
#4
Hmmm, interesting, a hacking challenge, but considering the fact that now probably all the contestants are on the FBI watch list, not worth the 20g.
 
#5
YES!

Linux RULES!

That's so awesome!
 

Sarge

Active Member
#6
Linux FTW!

One day... when everything else is down... only linux will be up :tongueout: Kidding, but who knows...
 

mqudsi

Mostly Harmless
Staff member
#7
I have a nagging suspicion that Linux could have been the second machine.

An exploit in Adobe Flash was used to bring down the Vista machine. Most likely it would have caused some sort of problem on Linux running Flash applets as well - though I can't blame the hacker for going after the Windows PC.
 

Mak 2.0

Mod...WAFFLES!?!?
Staff member
#8
Yes, it was Flash, not Java, that did it. The Flash exploit could have been used on any machine. They went after the Windows machine. Since they could not disclose how they had done it, the Linux machine was left unhacked.
 

mqudsi

Mostly Harmless
Staff member
#9
Even if it were Java - that too runs on multiple operating systems.

But all of these (Flash, Java, .NET, etc.) are simply an API with code around it. If the same code was re-used, then there's a chance of it being exploited on multiple operating systems. But if the code was written from scratch around just the API, then it doesn't necessarily mean that it would carry over.