At this year's CanSecWest conference, would-be crackers could try their skills on three separate laptops: one running OS X, one running Ubuntu, and one running Vista. At the end of the three-day security conference in Vancouver, Canada, last week, both the Mac OS X Leopard and Vista machines had been cracked, leaving only the Ubuntu box uncompromised.
Sponsored by TippingPoint's Digital Vaccine Laboratories as part of their Zero Day Initiative program for discovering and reporting new bugs, the contest was announced several weeks ago, with clearer rules and increased cash prizes announced just two days before the conference.
Participants had their choice of attacking any of three laptops: a VAIO VGN-TZ37CN running Ubuntu 7.10, a Fujitsu UB810 running Vista Ultimate Service Patch 1, and a MacBook Air running OS X 10.5.2. Each operating system was the latest version, and was patched with the latest security updates available.
During the three days of CanSecWest, would-be crackers could sign up to receive a random 30-minute time slot to attempt their exploit. To avoid confusion, only one effort was allowed at a given time. To win, contestants had to use a zero-day attack -- that is, one made through a previously unknown vulnerability -- to read a specific file on the laptop. The first to crack each laptop would receive the laptop and a cash prize.
To add tactical interest to the challenge, the rules progressively made exploits easier while the cash prize grew progressively smaller. On the first day of the conference, only remote vulnerabilities that did not require any user interaction were permitted, and winners would receive $20,000. On the second day, attacks could also be made via any application, and could include phishing attacks in which users followed a link through email, instant messaging, or Web browsing, but the prize was reduced to $10,000. Finally, on the third day, popular third-party applications would be added to each machine that could be used in an attack, and the prize became $5,000. This arrangement encouraged contestants to focus on the most potentially serious vulnerabilities first.
As each machine was cracked, it would be removed from the competition. Winners could turn their attention to the remaining machines, but could not use a cross-platform vulnerability on more than one machine.
The successes
The first success came shortly after noon on the second day of the conference, when a team from Independent Security Evaluators consisting of Charlie Miller, Jake Honoroff, and Mark Daniel used a vulnerability in the Safari Web browser to compromise the MacBook Air and win $10,000.
The second victory was claimed just before the end of CanSecWest at 6 p.m. on the third day by Shane Macaulay of Security Objectives, with help from Derek Callaway and Alexander Sotirov. Macaulay, who was also on the team that won last year's competition, used a defect in Adobe Flash to claim the Vista laptop and $5,000.
Shortly after Macaulay's success, the conference ended, leaving the Ubuntu machine the only one uncracked.
More details about the techniques used are unavailable, because each winner is required to sign a non-disclosure agreement and is limited in what he can say until the vulnerability is patched.
The winner's approach and motivation
Macaulay was unavailable for comment during or after the conference. However, Miller spoke to Linux.com at about the time that Macaulay was attempting his successful exploit.
"On TV and stuff, the hackers sit down and they break into systems in seconds," Miller says. "But in real life what happens is that they announced this contest a month ago, and me and my team of security guys made a conscious decision that we wanted to enter the contest.
"We decided that we would try the Mac, just because it was the easiest target. We've sort of looked at all these guys in the past, and every time we look at the Mac, we find something. When we've looked at the other systems, we've usually not been so lucky. So we figured we'd go with what we've found easiest in the past."
According to Miller, for all the attention that the contest received, the reality is that only a few contestants actually took the challenge. "You don't enter the competition unless you basically have something," Miller says. "All the people like us who decided three weeks ago to enter, if they didn't find a weak point, they didn't enter, so you don't get a sense of how many people tried and failed. All you know is the people who think they could do it."
Miller says that his motivation for entering Pwn to Own was a mixture of the challenge and the chance to help security. "I like to compete," he says, "and I don't get much of a chance to do so. Also, of course, we have skills that help make things more secure, and here is an opportunity for us to use those skills in a positive manner. If it hadn't been for the competition, we wouldn't have looked for bugs, and this bug wouldn't have got fixed."
What do the results mean?
Considering the intense loyalty some users have to their operating systems, the CanSecWest competition results are obvious fuel for flame wars. "Linux is king!" proclaimed one post on the Fedora list while I was writing this article, and other cheerleaders and excuse-makers are starting to post on blogs across the Internet.
Mac OS X and Vista supporters will no doubt try to claim that the Ubuntu system remained uncracked simply because fewer people are familiar with it. In turn, GNU/Linux users insist that the contest shows what they knew all along -- that their operating system of choice is architecturally more secure.
However, neither conclusion seems completely justified, especially from such a small sample of evidence. A simpler explanation may be that Ubuntu 7.10 was released six months ago, and so, presumably, has been extensively tested and patched. By contrast, OS X 10.5.2 and Vista's Service Patch 1 were both released only six weeks ago, so their vulnerabilities have had less time to come to light.
Possibly, too, for those who implement security, the operating system victory is less important than the fact that phishing and third-party applications were the keys to success, rather than general system vulnerabilities.
Despite the temptation to see patterns, the contest remains too small a sample from which to draw any conclusions. What matters is not just that the contest succeeded in pinpointing a couple of bugs, but that it succeeded in focusing people's attention on security -- which was, after all, the subject of the conference.