Comments on ‘So what's the easiest box to hack - Vista, Ubuntu or OS X?’CanSecWest's Pwn2Own contest returnsPublished Wednesday 19th March 2008 18:53 GMT
Not a valid contestBy Tim Spence
Posted Wednesday 19th March 2008 19:03 GMT
What bizarre rules! If "winning exploits must target a previously unknown vulnerability", then with the world+dog currently hacking Vista, there can't be that many exploits left undiscovered. And with few(er) targeting Linux and OSX, there's surely loads of exploits left to discover. With the above in mind, I don't see how this "contest" will prove which is easiest to hack into. The results could be legitimately disputed against whichever way they go. The easiest box to hack...By John Doe
Posted Wednesday 19th March 2008 19:30 GMT
....is the one with the dumbest owner. I'll put my money on Flaky Buggy Swiss Cheese OS XBy Webster Phreaky
Posted Wednesday 19th March 2008 19:39 GMT
and all the MacMonkey Kool Aid Drinkers will faint from acute Denial Fantasy. The more and more evidence that it's OS X that's a POS, the deeper the Apple FanBoys stick their heads up their arses to escape reality. Dumb prizeBy Anonymous Coward
Posted Wednesday 19th March 2008 20:10 GMT
Whoever hacks a laptop first gets to take it away with them? So once they've proven how crap the OS is they get to keep the vista machine? I suppose at least if they won the mac they could put any OS on it, whereas the vista/ubuntu machines you're limited to windows/linux(/dos/etc) What's the betting that they have XP running within fusion on the mac? that'd double the vulnerabilities while still keeping to the rules of popular software. Not a fair contestBy Fraser
Posted Wednesday 19th March 2008 20:12 GMT
It all depends upon who wants which box the most. I personally wouldn't want a MacBook air, I'd prefer a good ol' MacBook Pro. As for the PCs, I'd rather have a new Thinkpad so wouldn't bother attempting them. This is all pretty academic as I'm by no means some kick ass hacker. So they invert the economical factor?By Marvin the Martian
Posted Wednesday 19th March 2008 20:21 GMT
Which of the three is the shiniest? Then that one will be targeted more than the others I guess! Paris coz' she also can't separate economical logic from shinycity. @Webster PhreakyBy Steven Knox
Posted Wednesday 19th March 2008 20:21 GMT
Will you put your Reg commenting privileges on it? @ WebsterBy Chad H.
Posted Wednesday 19th March 2008 20:30 GMT
And I look forward to you eating your words... Care to make a real wager? @ Tim SpenceBy Morely Dotes
Posted Wednesday 19th March 2008 20:46 GMT
"with the world+dog currently hacking Vista, there can't be that many exploits left undiscovered." O ye of little faith! There are literally million of lines of code in Vista; even Microsoft isn't aware of all the exploits. Have to agree with Tim thereBy Anonymous Coward
Posted Wednesday 19th March 2008 20:50 GMT
Surely a known security hole that is still present in the most up to date patches is much more of a concern that a one-off homebrew hack by a pro? In the interests of exciting competition i can see the reasoning behind that rule, but it most certainly invalidates this as a test of the most secure OS. @ Webster PhreakyBy Morely Dotes
Posted Wednesday 19th March 2008 20:50 GMT
It's funny. I don't own a Mac, don't use a Mac, and I think the MacBook Air is design for morons. But I am absolutely certain that OS X is orders of magnitude more secure than any version of Windows; OS X doesn't come with Internet Explorer, and IE is *designed* to allow remote code execution. The problem with this. . .By Mike
Posted Wednesday 19th March 2008 20:54 GMT
"Winning exploits must target a previously unknown vulnerability; vulns that have already been reported to the affected software maker or a third party are not eligible." That is horribly unfair, because Apple in particular fails to fix vulnerabilities even after they've been reported. This skews it horribly in Apple's favor. After all, what other company sits on a publicly disclosed security vulnerability for a year and STILL doesn't fix it? bargin - for themBy Anonymous Coward
Posted Wednesday 19th March 2008 21:03 GMT
yeah submit a previously unknown bug allowing code to execute for the price of a laptop PC - what a bargin - for them. Watch out for a few hours into the competition the rules being relaxed to the point of uselessness so they can announce a 'winner' @Tim SpenceBy Kwac
Posted Wednesday 19th March 2008 21:11 GMT
"with the world+dog currently hacking Vista, there can't be that many exploits left undiscovered" As Oscar Wilde said of second marriages "the triumph of optimism over experience". Are you really suggesting that, after several years, XP has no vulnerabilities left undiscovered? The advantage the linux hacker has, of course, is that he/she has full access to ALL the coding - which is why its hacked so much more often than Microsoft produts, isn't it? It doesn't matterBy IR
Posted Wednesday 19th March 2008 21:20 GMT
It doesn't matter what the story is about, if it mentions Apple/MS/Linux or anything vaguely related, people write bad comments about it or the competitors. Here's a quick template to save them coming up with something even vaguely original: *Delete were appropriate Apple/Microsoft* are awful, why does anyone use the overpriced stuff created by them? The should try using a proper operating system like OSX/XP/Vista/W2000/Ubuntu/OtherLinuxDistro*. I had a OSX/XP/Vista/W2000/Ubuntu/OtherLinuxDistro* system and it was awful, so many problems with it. In the end I got OSX/XP/Vista/W2000/Ubuntu/OtherLinuxDistro* and it works great. The Apple/Microsoft/Linux* fanboys should stop licking obs/Gates/Ballmer/Linus* by ignoring the failings and start using free/stable/flexible/innovative/intuitive/secure* stuff like me. Take your JesusPhone/Microshaft/Freetardware* and shove it! Wait a minute couldn't theyBy Anonymous Coward
Posted Wednesday 19th March 2008 21:20 GMT
just sell the vulnerability + exploit code and buy whatever they wanted this contest rule doesn't make any sense. @ Morely DotesBy Sceptical Bastard
Posted Wednesday 19th March 2008 21:22 GMT
Quote: "Vista; even Microsoft isn't aware of all the exploits." Waddya mean, "even"? Microsoft seems less likely than most to be aware of Windows exploits - or, rather, to admit they exist. Your remark about IE's designed-in code execution is cock on. Common RegBy James O'Brien
Posted Wednesday 19th March 2008 21:28 GMT
Let us know how this turns out. I for one want to know which falls first though for all intents and purposes I think whoever tries the Vista box will get so frustrated with the UAC on Vista they will probably crack the laptop faster by hitting it with ol' trusty the sledgehammer. But let us know :) Comfort defaultBy Sampler
Posted Wednesday 19th March 2008 21:28 GMT
If you're used to writing exploits for windows machines wouldn't you go for the Vista box as it'd be the easiest for you? The counter to that people may avoid the Vista machine just for the sake of proving linux/mac isn't secure - as you're only allowed to target one machine you'd have to pick one. Also the shiny aspect has been mentioned - butt ugly flakey fuji, sexy sony or sleek air? All the air's and graces of a fair fight but still not cutting it - you can never get a fair balance due to the above, and other, circumstances. @Morely Dotes, Funny ... OS X was the loser LAST YEAR!By Webster Phreaky
Posted Wednesday 19th March 2008 21:31 GMT
How do you Apple FUDS account for that?? And as for the inane comment "Dumb prize", a computer is a computer whether it's a notebook or a desktop. The target is the OS, not the conveyance, dope. A MacBook Air is more attractive when it's free than having to buy the under-featured POS. I'll have plenty of Catsup for you MacTards to eat your Crow with. Keep watchin. @John DoeBy Don Mitchell
Posted Wednesday 19th March 2008 21:32 GMT
John Doe got it right, the biggest security hole on any computer is the user. If you really want to count security holes, you can always look at the CERT advisories. Over the years, the number of threats has been remarkably close to equal for Windows and Linux. @The problem with this. . .By Chris
Posted Wednesday 19th March 2008 21:36 GMT
"That is horribly unfair, because Apple in particular fails to fix vulnerabilities even after they've been reported. This skews it horribly in Apple's favor. After all, what other company sits on a publicly disclosed security vulnerability for a year and STILL doesn't fix it?" ...erm... Microsoft? @IRBy Anonymous Coward
Posted Wednesday 19th March 2008 21:53 GMT
Couldn't have said it better myself, nearly spat coffee all over my keyboard after reading that. +1 for IRBy Anonymous Coward
Posted Wednesday 19th March 2008 22:18 GMT
Well said that person! Also, i was under the impression that the going rate for an unknown vuln was on the order or several grand anyway. so.... ~£700 - £mackbook pro and 1337 glory. (and 10k prize for the last compo? nice! assuming you win...) vs fair bit of cash for selling expoit to legit people (no time limit) vs loadsa £££ for going black hat on peoples a$$es (both selling and using exploit) (no time limit) besides, whats the point in finding a shiny new exploit when there are plenty of known ones that are not yet patched? as paris might say: glory is nice, cash is better. ;) Pwn2Own 2007By Chad H.
Posted Wednesday 19th March 2008 22:50 GMT
And here is the articles from last years: http://www.theregister.co.uk/2007/04/23/mac_vuln_contest/ http://www.theregister.co.uk/2007/04/20/pwn-2-own_winner/ Way they're written suggest that is that Mac was the looser because it was the only contestent (can anyone confirm).... Gee Webster, hardly a fair fight if the other guy doesnt show up. Soft Linux targetBy Glen Turner
Posted Wednesday 19th March 2008 22:54 GMT
I would have thought that Fedora running SELinux would have been the harder Linux target. Zero remotely exploitable flaws to date. My coat is the one with Mandatory Access Control. And to thinkBy Steve Todd
Posted Wednesday 19th March 2008 22:54 GMT
that we were getting worried that Webster might be sick or have expired from excessive spleen. Back to his usual rabid form after all. If you don't want to buy something then don't buy it. No need to make it your mission in life to insult the item and anyone who does actually buy it. uh, what? a contest? maybe you need to go to journalism schoolBy some person
Posted Wednesday 19th March 2008 22:59 GMT
What the hell kind of article is this, anyway? It seems more like an advertisement for the "contest" than an actual, objective, researched account of the event-to-be. You're implying that such a "contest" can *end* or serve to be a talking point for fans of one operating system over another? One commenter already pointed out that CERT numbers over the year are very close for Linux and Windows, there's no mention of how different the code bases are, how mature any of the individual products are at the time of the "contest," nor does it mention how absurd it is to call such a thing a fair competition at all. Sounds more to me like you either have no idea what you're talking about, you're one of those who actually thinks Fox News is "fair and balanced," and/or just wanted to plug the event and get another dollar for posting another article. Too bad the register doesn't pay for quality instead of quantity. As for those who are wasting your time and ours touting the wonders of your operating system, hey, let's have an subjective argument about car brands next! How about shampoo! Because we've all had *exactly* the same amount of experience and training and marketing spewed at us for every brand of shampoo and every brand of car, so certainly we can form rational, logical opinions on which is the 'best' for every or any situation. Christ, people, flame wars were so last century. Stop wasting the bandwidth of those of us who want to use the internet for more than a giant circle jerk. Re: Soft Linux targetBy Joseph Haig
Posted Wednesday 19th March 2008 23:12 GMT
"I would have thought that Fedora running SELinux would have been the harder Linux target." Agreed. I have enough trouble running things normally with SELinux installed. I wouldn't even know where to begin with a remote exploit. ... and my coat is the one next to it. The one with all the sleeves and pockets sewn up. @ some personBy Will Godfrey
Posted Wednesday 19th March 2008 23:27 GMT
You forgot to include the (still unresolved) issue of whether valves are better than transistors. Mine's the one with the 1968 Newnes Valve and Transistor catalogue sticking out the pocket. shampoo and carsBy Anonymous Coward
Posted Wednesday 19th March 2008 23:59 GMT
i often find head and shoulder leaves my hair nice and managable where as herbal escences and pantenne make my hair feel frizzy. so head and shoulders ftw i think the newer model fiesta look spiffy, but have never driven one. ok ill bite yes the article is obvious flame bait - sorry - "a thoughtful piece intended to encourage debate" but it hardly warrants your level of vitriol. the contest is between the *people* and assuming the CERT metric makes all Os included "very close", then *it doesnt matter which system is hacked first*, only how fast the person is. ahem "Stop wasting the bandwidth of those of us who want to use the internet for more than..." looking down our noses at people who dare discuss things? or to sum up "Stop wasting the bandwidth of those of us who want to use the internet for more than..." Trolling And who knows...By Elrond Hubbard
Posted Thursday 20th March 2008 00:00 GMT
After they're done they might even get up the courage to talk to a real human girl! No sorry, I'm just being daft now. Its probably a PR stuntBy Martin Usher
Posted Thursday 20th March 2008 00:29 GMT
Its another attempt to demonstrate "Look, see, Windows is as good as OS-X and Linux!" (They might shoot for "better" but that's probably too ambitious.) re: cert statisticsBy Peter W
Posted Thursday 20th March 2008 00:35 GMT
from the register itself "We queried the United States Computer Emergency Readiness Team (CERT) database, and the CERT data confirms our conclusions by a more dramatic margin. When we queried the database to present results in order of severity from most critical to least critical, 39 of the first 40 entries in the CERT database for Windows are rated above the CERT threshold for a severe alert. Only three of the first 40 entries were above the threshold when we queried the database about Red Hat. When we queried the CERT database about Linux, only 6 of the first 40 entries were above the threshold." looking at cert numbers alone is pointless. 36 issues fixedBy Ed
Posted Thursday 20th March 2008 02:08 GMT
Lucky Apple fixed 36 security issues yesterday :) http://secunia.com/advisories/29420/ You all miss the pointBy Schrock
Posted Thursday 20th March 2008 02:18 GMT
The problem of security holes is nearly pointless. Windows doesn't need to be attacked, it runs slower and slower each week from the minute you buy a new computer until it is so slow that it is worthless. Linux doesn't work with my printer or my wireless card, and the free freaks drop subsysyems that work for things that don't simply because they have more utopian licenses (sound and printing) OS X is worthless by itself without $$$ of purchased software and cost $$$ for every minor update and codebase patch. I have all three, and an exploit would be refreshing, better than products that I pay good money for that in one way or another render themselvers inoperable. They all suck. @IRBy Chris iverson
Posted Thursday 20th March 2008 02:47 GMT
F*cking Brilliant. I wager the first system is broken when person A hits person B and C with brick and throws all three on floors, jumps on them, etc Mines the windbreaker with the Commodore 64 behind it You don't get it, do you?!By Anonymous Coward
Posted Thursday 20th March 2008 03:04 GMT
The SOLE purpose of this event is to uncover new vulnerabilities which aren't yet known and obtain full disclosure of how they can be exploited. It has absolutely nothing to do with comparing different products. My guess is unbuntuBy Jon
Posted Thursday 20th March 2008 04:02 GMT
personally, i think i think they shouldn't install third party software, just defaults with full patches. The quicktime exploit last year would have also worked against windows, but the exploit writer was quoted saying he targeted mac on purpose 'because of smug attitude' (because i wanted to join the smug club) Re "You don't get it, do you"By Peter
Posted Thursday 20th March 2008 04:35 GMT
Errm, the contest is IMHO mildly pointless for a variety of reasons: (1) Skillset. As with any pen test (which is what this is), it only proves that at a certain point in time a certain operating system in a certain configuration was (not) hackable by a certain person with a certain skillset, and who was or was not entirely awake at the time. That's quite a few variables that can change and invalidate the result so ever if you get an OK it may only be valid for a second. (2) Return on Investment. You assert that the idea is to find new vulnerabilities (which, incidentally, are by definition "not yet known" :-). The question you forgot to ask is just how useful that public announcement would be to the wannabee hacker. Not only could he get exposed as "a danger to society, better make him a terrorist" - remember, there are laws out there that make security research legally dangerous, from a pure return on investment point of view such an skilled individual may turn instead to use his knowledge in writing toolkits for organised crime if he's not too worried about the police (or is pressed into "service"). So he's not going to show up on the radar. And don't get me started on the risk factor of discovering a zero day publicly so that the supplier doesn't get a chance to fix the problem before announcement. Could become quite an entertaining liability problem for the organisers.. I bet thatBy Martin Owens
Posted Thursday 20th March 2008 05:23 GMT
The attacks on the Linux machine are going to focus on skype, a proprietary application or driver is not easy to secure or to test for security problems. I find the very idea of having skype on the linux machine to be unfair. the above post is right, all operating systems suck; the question is what the hell are you doing about it punk. Seems rather boring to meBy Nexox Enigma
Posted Thursday 20th March 2008 06:46 GMT
Of course They had to choose Ubuntu, which is one of those excellently loaded distros that runs god knows what services by default. They should have thrown in some BSD just to make it interesting. And some machines that anyone would actually want to own (I mean have as personal property... not crack...). Not exactly a balanced contest...By Ian Damage
Posted Thursday 20th March 2008 07:23 GMT
Few problems as I see it.. 1) Different hardware in each lappy. There may be a vuln available in one particular laptop that isnt available in the other 2. BIOS, manufacturer drivers etc 2) This is a test of stable OS. I dont know anything about OSX, but Windows you cant just "install the OS", where you can with any form of linux. When does it stop being a test of OS, and more a test of "which 3rd party dev writes the shittiest code?" 3) Last year it was won by hacking an application, Quicktime. This year, the Vista box could be hacked via Quicktime, or the Mac box hacked via Office for Mac. Do you honestly think Microsoft would spend as much time on stability/security on a product for a competitor compared to one for their own market. Think Apple would return the favour? Mine the tartan trenchcoat with "Cyncial Prick" on the back. Seems a bit oddBy Michael Segall
Posted Thursday 20th March 2008 09:08 GMT
Shouldn't the prize be the 2 computers that resisted hacking? best tool for the jobBy Slaine
Posted Thursday 20th March 2008 09:47 GMT
... given the competition permits a hardwire (cross-over cable?) link - we must assume that the target system is in the room... so the most effective tool for getting anything out of this system is a philips screwdriver. In all honesty though, as we already know, the easiest system to hack is one that was designed or operated by any member of a british government agency. @kwacBy paul
Posted Thursday 20th March 2008 09:49 GMT
"The advantage the linux hacker has, of course, is that he/she has full access to ALL the coding - which is why its hacked so much more often than Microsoft produts, isn't it?" Kinda, there are lots of theoretical vulnerabilities that are patched regularly - as people can see the code and guess. But I hate to disappoint you - there are not that many real world exploits. @Don MitchellBy Peter Gathercole
Posted Thursday 20th March 2008 09:55 GMT
I think if you read the CERTs, you will find that a large number of the Linux vulnerabillities are theroetical, unexploited problems that have been identified by examination of the code. Do you really think that the buffer overrun security pronlems were all discovered by experimentation? Many of these problems have not even got example exploit code published. So, which do you trust more. The code that has been examined and found that there may be theoretical problems (which are fixed reeeal quick), or the code that has definite exploits published, and may not get patched for months. Just imagine how many problems are likely to be found in Windows if the code was open, if there are this many discovered by experimentation. Please don't just count the exploits, examine them in detail, and you then won't compare apples and oranges. UbuntuBy Anonymous Coward
Posted Thursday 20th March 2008 10:10 GMT
The reason that they will be running Ubuntu is that it is probably the most popular/mainstream Linux that regular people would try. Fair enough if some other distro is more secure "with no known exploits" but if a regular person like myself can't install it becuse you need and command line stuff then we would just go with OSX, Vista or Ubuntu. This is a comp to find the flaws in the biggest/latest distros of each and not a competition of which version of an OS has the most secure version. I'm sure someone could write a Linux distro that was 100% remote secure but if an everyday user can't use it easily then it is useless for everyday people. Thats also why they are having common apps installed on all of them, because people use them. If you had a OS with no apps then it kind of serves no point except to heat and light the room slightly!! Firewalls?By Anonymous Coward
Posted Thursday 20th March 2008 10:18 GMT
I don't get it. If you have a fully patched machine without viruses or trojans etc, and you have a Norton / McAfee / TrendMicro etc. type firewall with all the ports except internet and email locked down, are you still vulnerable to be taken over completely from the Internet? What about if you also have a modern router with an ADDITIONAL firewall? Surely that must be safe? Or is this competition not using firewalls and third party security products? On the moneyBy KarlTh
Posted Thursday 20th March 2008 10:19 GMT
are the posts pointing out that the real weak point is the WetWare. I'd wager that 90% of *real world* inappropriate disclosure of computer data (which is what actually matters in the end) and creation of botnets comes down to social engineering. Even on the notoriously hackable XP/2000 + IE combo I reduced real world infections by Malware by about 99% by finally separating users from the admin rights which they'd historically become accustomed to believe they were entitled to have and run with - admittedly, at the time when the only remote mass configuration options we had were NetWare login scripts, which run as the user logging in, this was pretty much true. But I digress. A better use of time than this contest would be finding the writers of software who expect the user to have admin rights on Windows boxes and putting them up against the wall. Mind you, they'll be out of a job soon anyway because their shite won't work on Vista with UAC. @Michael SegallBy Magnus
Posted Thursday 20th March 2008 10:34 GMT
The contest doesn't end when a computer gets hacked. People can still try and get the other two (and claim the bounty on finding the exploit which compromises that computer as well). As people above have pointed out it isn't about which platform is the "most secure" but about finding possible vulnerabilities for the major plaforms with a fairly standard hardware/software setup for each platform. @IRBy Malcolm McLachlan
Posted Thursday 20th March 2008 10:35 GMT
Spot on! I am so tired of FanBoy wankers and their skewed opinions Re: It doesn't matter by IRBy Mark Roome
Posted Thursday 20th March 2008 10:57 GMT
Well done that (wo)man, well done indeed. The competition could be easier...By Robert Harrison
Posted Thursday 20th March 2008 11:06 GMT
... It could include a 'user' sat at each laptop who you would have to trick into installing your malware/exploit to make it more like reality (alongside attacking just the machine itself). I reckon if you got some 'uninitiated' regular users to act as the 'marks' the competition would be over in minutes. :o) Ignore the added spin...By Michael
Posted Thursday 20th March 2008 11:08 GMT
> What bizarre rules! I think the "rules" are more about comparing hackers than comparing operating systems. Read it like this "Tired of arguments over which machine is best for games? At this years quakecon quake 4 players will be fragging on linux, macs and PCs. The winner takes home his machine.." Now, clearly the competition is about how good a player is at playing the game and little else...but spun into some flamebait, fanboy and press-friendly format to make it look like it's comparing mac, windows and linux :) Similarly, this competition seems to be "3 laptops, mac, linux, windows" the winner is a /person/ not an OS - one who can zero-day hack one of them...and he or she takes the laptop. So, if you think it's easy to hack the $<whatever_os> one, there you go, free laptop...but if you think Linux is the only laptop of the 3 to own, and also too secure to get, you'll be so outta luck then :) This isn't about how dumb users are [the machine is fully patched after all, and, although they'll visit a site with a browser of the hacker's choice, they won't click links] nor is it about which OS is the best. Perhaps the story would have been better with the spin added that which ever laptop loses [assuming they all don't fall], clearly it's the one that hackers want to own the most...:) I don't realy get the point...By Paul
Posted Thursday 20th March 2008 11:08 GMT
...of arguing which is the most secure. Realy that is only a small part of why you chose an OS. Personaly I think the best OS, and probably one of the most popular (I have 3 computors running it) is the Bosch engine Managment system :-) @John DoeBy Steve Evans
Posted Thursday 20th March 2008 11:17 GMT
Very very true... Email: Please click the link below to see naked pictures of [insert celeb here] celebpics.jpg.exe Admin/root codeBy Anonymous Coward
Posted Thursday 20th March 2008 11:18 GMT
"The first person to remotely run code on each one gets to take the machine home" The competition should be for the first person to remotely run code as the "administrator/root" as this would demonstrate that the machine has been fully compromised. no need for competitionBy jeremy
Posted Thursday 20th March 2008 11:25 GMT
There is plenty of the usual fanboy rubbish being spouted on here... even the first comment is excusing windows. People can't just wait and see based on the rules supplied, they have to get in there already and justify their view. Personally i would expect someone with real skill to get into any of the three. However since its going to be pros who are likely to win, i still feel more secure using a unix based OS (i.e. both the non-vista machines). Also for you windows fanboys, dont take it too personally, windows really is crap. I don't get itBy Christopher Rogers
Posted Thursday 20th March 2008 12:00 GMT
Whats with all the rants? Someone has decided to run a competition to give people the chance to win a computer if they can develop a hack. Where's the harm? I so badlyBy brimful
Posted Thursday 20th March 2008 12:10 GMT
want all the hackers / crackers to target the apple laptop first. The reasong behind this is that apple claims to be more secure than windows. I'm not a MS fanboy but I absolutely detest the over-priced under-spec'd systems that Apple puts their badge on. Since the apple laptop (yes the mac air, mac book pro, mac whatever IS a laptop / PC) will be the first one to fall, surely then it'll be less secure than windows? I use the reasoning that a bank vault is pretty secure even if unlocked as long as no one wants to break into it. But that same bank vault will be less secure if an army of umpa lumpas used molten chocolate to fight their way in. Flame: because I really want apple to burn. I'll gladly donate my laptopBy vincent himpe
Posted Thursday 20th March 2008 12:49 GMT
running fully patched DOS 6.21 to anyone that can hack into it using either a wireless connection or crossover cable. That'll prove once and for all that DOS is the most secure of them all ! Mine's the one with the two 360K single sided 5 1/4 floppy drives. ... 3 OS's, 3 attacks?By Jamie Tew
Posted Thursday 20th March 2008 12:51 GMT
wouldn't a fair contest be when all the contestants try to hack one OS at a time. with the OS running with out on 3rd party software. this would mean that the hackers would all have the same target with the same problems. Oh for God's sake...By Tom Hawkins
Posted Thursday 20th March 2008 13:01 GMT
...it's not a scientific study or some kind of cracker world championship, it's a publicity stunt aimed at raising the profile of security on all platforms (as well as the profile of the people who are running it). Which is a good thing, right? Anyway, how are you supposed to pronounce 'pwn' - I always assumed you said 'own' but that would make the name of this competition sound like the name of a former cheapskate mobile operator as rendered by a non-English speaker, which can't be exactly what they had in mind. @brimfulBy Dana W
Posted Thursday 20th March 2008 13:24 GMT
"Flame: because I really want apple to burn" Neither my Mac, nor my Ubuntu box can be owned merely by going to the wrong WEBPAGE! The Only way Vista will win this is if Microsoft is sponsoring the contest. Smile: Because even 90% of Windows people know Vista is utter trash. The setup will be keyBy frymaster
Posted Thursday 20th March 2008 13:28 GMT
If all it's doing is sitting on the 'net - and not being used - XP SP2 is pretty secure - the firewall may not be very powerful but it's up to the job of stopping unsolicited incoming connections, until the spyware you pick up off some dodgy website punches large holes through it, at least. I can't imagine Vista is much different. Conversely, Ubuntu comes with no firewall configured. The blessing and curse of linux - configurability - means that it doesn't come with, say, firestarter, because some people (like, er, me) like to hand-hack their iptables scripts, and some other people don't want a firewall at all. (Funny how the blessing and curse of linux is the curse and blessing of windows, eh?) Personally my gut instinct (that and a second mortgage will get you a cup of coffee at Kosta) is that a well-tuned ubuntu box is more secure than windows, that ubuntu is not tuned specifically for security out of the box, that ubuntu is easier to tune than windows, and that windows is fairly well tuned out of the box. The question is, how are most net-connected machines out in the wild configured? @Webster PhreakyBy Josh Owen
Posted Thursday 20th March 2008 13:28 GMT
Fantastic! I laughed so hard I nearly fell off my chair!!! Mac fanboys really do get on my wotsits... Security by obscurity doesn't work... What a surprise... The fact that it lost last year makes it all the more amusing!

Stupid Contest because...
By Wolf
Posted Thursday 20th March 2008 13:57 GMT
...it only takes ONE (count 'em, ONE) exploit to compromise any OS. Just ONE. Forget the 50,000+ vulnerabilities you've patched in whichever OS you develop, it only takes a single unpatched critical hole and your previous efforts are for naught. Does nobody remember this? Reminds me of the Terry Pratchett book with the fight between the little dragon and the massive monster that was King of Ankh-Morpork for a while. The little dragon had to be lucky every single time the big dragon attacked. The big dragon only had to be lucky *once*... We're asking for humans to create perfection. Isn't going to happen. Paris, because she's a pretty girl.

oh dear..
By g00p
Posted Thursday 20th March 2008 13:58 GMT
..aside from the obvious point that any box is only as secure as the owner makes it.. surely having separate people attempting the task makes it an unfair test immediately. They should have 2 "competitions": one to find the most skilled sysadmin, having one winner for all three platforms, and another to find the most skilled hacker, once again having one winner for all three platforms. Present the three computers to the sysadmin winner and ask him to secure them as best he can; ask the hacker to break into them as required, timing each attempt and also looking at his/her methods. Even then it wouldn't be a fair test. Bah, I disagree with all of it. Pessimism ftw.

@AC re ubuntu
By Anonymous Coward
Posted Thursday 20th March 2008 14:21 GMT
It looks like you think if any muppet can't use something it must be flawed in some way. If a 'regular person' like yourself can't do something, how about you maybe put a little effort into it instead of demanding that everyone else cater to the lowest common denominator? Consider that it's at least plausible you are not in fact 'an everyday user', but a lazy twat who expects others to solve their problems, whilst telling them how wrong they are about everything.

@firewalls
By Flocke Kroes
Posted Thursday 20th March 2008 14:47 GMT
"If you have a fully patched machine without viruses or trojans etc, and you have a Norton / McAfee / TrendMicro etc. type firewall with all the ports except internet and email locked down, are you still vulnerable to be taken over completely from the Internet?" A firewall inspects all the packets of data arriving from or going to a network interface, and then decides what to do with each one according to a list of rules. A firewall can reject a packet, ignore it, forward it, redirect it, log it or some combination of the above. Send whatever you like at my telnet port, and you will not achieve anything useful - even if the firewall leaves the port open - as I have nothing listening on the telnet port. Setting the firewall to block outgoing packets with a destination of port 80 can make a machine more secure at the expense of making it difficult to access the internet. The competition is based on cracking computers that have (more than) enough software working to make them useful, so the firewall rules have to be quite lax. "What about if you also have a modern router with an ADDITIONAL firewall?" A second firewall is only going to do the same thing as the first firewall, and is only of value if you think the first firewall is defective. Once some data is past the firewall, it is up to some application to treat all the data from the network as suspicious. Some applications do a worse job than others. Any bug in an application that causes network data to be trusted without rigorous checking is a weakness that can be exploited. A badly designed application will give the exploiter root/admin access at once. A better design gives the cracker only the authority that the application needs, so she needs a local elevation of privilege exploit to get root/admin rights. As far as I know, Norton / McAfee / TrendMicro antivirus software is more than just a firewall. They also examine files and processes for clues that they are a virus/trojan/worm/root kit. This adds an extra hoop to jump, but as I have not used windows for over a decade, I have not bothered to find out if it is a significant barrier. "Surely that must be safe?" Safe from what? If you get access to my desktop machine, you can change what TV programs I record. I have not made a huge effort to secure it; it is not worth anyone's time to crack it. It is acceptably safe for me. If you crack my laptop, add a key logger without me catching on, get my gpg password and my encrypted password file, you could play with my bank accounts. Find a gullible mule to launder the money for you, and you get a few thousand. I have added enough personalised security to make this not worth your time. Again, it is acceptably safe for me. An individual installation of XP/Vista/Linux/OSX/BSD may not guard much value, but when a single image is installed on thousands of machines, the budget available to crackers will be far in excess of what any individual is prepared to spend on defending the machine. I would not use a large mass produced software image to defend anything that I could not easily replace. Other people have different opinions on what is safe. If I had ten years of experience securing XP, I might have different opinions too.

@Nexox Enigma
By Paul Williams
Posted Thursday 20th March 2008 15:05 GMT
In answer to why there is no BSD linux laptop: there is, it's the OSX one, as OSX is just a proprietary version of BSD. Have a look at http://www.bsd.org/ - top of the flavors of BSD is Apple OSX.

Le Mans Start?
By Red Bren
Posted Thursday 20th March 2008 15:20 GMT
To make things fairer, why not start with blank hard drives and deduct the time taken to install the OS from the time taken to find the first exploit? I still think the penguin will win wings down...

@Mike
By Wayland Sothcott
Posted Thursday 20th March 2008 15:28 GMT
I agree that they should allow a more real world challenge. Known vulnerabilities should be allowed; after all, if they are known then surely they should be fixed. The fact that the attacking computer has a user and the victim does not have a user seems a bit unfair. Also the use of a crossover cable seems a bit limiting. Perhaps a hub might make things more interesting, for that matter a router would be even better. Everyone in the world could hack and defend against everyone. It would be just like the real Internet. Hang on....

It should be...
By Anonymous Coward
Posted Thursday 20th March 2008 15:50 GMT
What's easiest to hack, ubuntu virtualized in vista virtualized in OSX on a macbook air, or solaris virtualized in vista virtualized in slackware? Or we could put red hat inside an XP pro box inside a.....

The same vulnerability can't be used against more than one box
By Richard Cartledge
Posted Thursday 20th March 2008 15:54 GMT
The same vulnerability can't be used against more than one box - how can that give a balanced result? The results will be skewed by the attractiveness of the platform for the hacker to hack, something which the organisers say is specifically intended not to happen.

@Webster Phreaky
By Tobias Liebhart
Posted Thursday 20th March 2008 16:06 GMT
Always thought you were just trying to make other people (fanboyz of whatever kind) angry because your comments were so ridiculous they had hardly any insight or knowledge. Just provoking. Nice to see some self-criticism from your side, makes it easier for me to tell that I'm a Mac Lunatic (aka idiot) ever since I was touched by this dark side (at the age of 5). But I think you should get a real life some time, because there's only so much to say about any platform without repeating yourself ;) That said - grow up you fanatics. There's no such thing as: One OS to rule them all. Every OS has its uses. LG

They can't permit attack of known vulnerabilities for a reason
By Anonymous Coward
Posted Thursday 20th March 2008 16:13 GMT
... it is a time-limited competition - whoever cracks whichever machine first, wins. Therefore, what point is there in allowing attack of known vulnerabilities? It would just turn into a competition to see who could install and run their pre-rolled (prior to the competition) exploit the fastest. Excuse me while I roll my eyes at the fricking morons who continually post here at the Register.

I'd like to see one additional piece of data.
By Mike Moyle
Posted Thursday 20th March 2008 16:29 GMT
What would make this particularly interesting to me is if the sponsors had some way of tracking the number of discrete attacks on each machine during the contest. That is, at the point that laptop "A" gets pwned, I'd like to know what number of attacks it sustained, compared with "B" and "C". I don't suppose that it would really make a difference, I'd just find it interesting to see it graphed out, since it would presumably imply something about the contestants' mindset - which one they felt they were likeliest to be able to get into. On the other hand, it might be really amusing if some attacker managed to "piggy-back" on another's work - either intentionally or inadvertently - an independent attack by attacker "X" that strikes right after attacker "Y" has caused a buffer overflow, say, but before "Y" can follow up on it... I'd suggest a Texas-Cage match to see who gets to take the laptop home, in that case. Of course, if someone were REALLY devious, they could spend the duration of the event trying to subvert all of the other contestants' machines on the network while they are all busy frantically trying to break in to the "official" target boxes. That way, the "winner" might go home with a new laptop, but the REAL winner would "go home" with fifty!

Did somebody say?
By Paul Rafter
Posted Thursday 20th March 2008 16:39 GMT
That all you can install on a PC is Windows, Linux or DOS? Where have you been for the last three years? Paris because the poster responsible for that piece of info is having a blonde day.

Hm...
By J
Posted Thursday 20th March 2008 17:01 GMT
"CanSecWest's Pwn2Own contests are useful because they allow us to isolate the technical strengths and weaknesses of a given platform from its popularity." Kinda... I have a hunch, from my own uninformed guts, that a skilled hacker will be able to target and own any "regular" system hooked to the net. Also, I think that that's fundamentally very different from the automated exploits, worms, whatever in the wild. That's more of a concern to me: which system is less vulnerable to the script kiddies? Because I have no reason to fear being targeted by a skilled hacker. But anyone who connects to the net is automatically and fully exposed to the automated stuff, so that's what's much more worrying. Can't they devise a competition to check for that instead?

@Dana W
By brimful
Posted Thursday 20th March 2008 17:01 GMT
I admit that Vista is completely rubbish, hence why I haven't installed it even though I have a MSDN license. The reason why I want Apple to burn is because MS doesn't come out with some dodgy advert about the naughty step. Couple that with apple products being over priced, under spec'd, over sexed up, and shamelessly being the bimbo of the computing world, and you get a huge friggin explosion. Flame: cos I want apple to burn, I want the mac brand to burn, I want the ipod brand to burn, and I want Jobs to burn. Actually scratch the last part. Instead I want Jobs to march the apple fanboys off a cliff and then march off after them as well.

Love match between the "trolls" & "fanboys"
By Matthew Barker
Posted Thursday 20th March 2008 17:51 GMT
The heart has been repurposed for this post... Quite impressive... 15 times Anonymous appears. The string "tard" only appears 3 times in this page (until this post). And one of those was Bastard. I think this might be a good sign. Fanboy (or variants fanbois, fanboyz) appears 10 times (again, +1). Not *very* creative. I think the Reg's comments pages are becoming chatrooms for the pairing of "trolls" and apologists. Maybe a dating service could be established... or a "no-holds barred" mud-wrestling match to be webcast from the Reg website. In the latter case, my prediction is that more so-called fanboys will show up than "trolls". "Trolls" usually seem to like the cover of anonymity – or am I playing a troll with that last comment? Also, I predict the first whining will be heard from the "fanboys". But, in my experience, trolls are also prone to whingeing. In any case, I favour the dating service. Then they can all look meaningfully (and contemptuously) into one another's eyes and breed a new generation of American corporate CEOs, leaving room in the comments pages for any really meaningful and thoughtful commentary. Cheers, Matthew

@brimful
By Mike Lovell
Posted Thursday 20th March 2008 18:00 GMT
"I admit that Vista is completely rubbish hence why I haven't installed it even though I have a MSDN license" I always hear this shit. "Vista is completely rubbish", then you ask them "How long you been running it", then they usually say "I'm not running it" or "I installed it, didn't like it, then installed XP again". Oooo, scary change!!! Do we really have to do this EVERY time something new comes out! Tosser!

3 shithole OSes
By dave lawless
Posted Thursday 20th March 2008 18:24 GMT
Why don't they do it with something that has actually been written with security in mind. Single user no network OSes with multiuser capabilities hacked on will always lose.

@brimful
By Steve Todd
Posted Thursday 20th March 2008 18:26 GMT
You can argue about Apple being over priced, but under spec'd? The MacBook Pro is one of the fastest Vista notebooks available. Stand Apple models up against decent brand name Wintel kit and they compare pretty well. It's not until you get to the bespoke or kit-built boxes with nutter bastard cooling and go-faster stripes that you can significantly out-perform them.

Circles
By Bounty
Posted Thursday 20th March 2008 18:46 GMT
We're all going to die, so life/everything is just a giant circle ..... so get used to them. In the meantime, this looks like a fun contest for anyone who doesn't regularly get paid more for exploits, or wants to pad their resume with some publicity. And it's fair if you look where they're coming from. They want 0-day, that's why they have the prize. Using known exploits would just be boring; Joe Turk doesn't get bonus prizes for defacing websites regularly! They set them up with some common apps, some default settings. Sounds fair to me. Own a box to own the box.

The most secure machine is
By Stewart Haywood
Posted Thursday 20th March 2008 19:34 GMT
One running Vista with SP1. It won't even boot!

@Ubuntu by Anon Coward
By plastical
Posted Thursday 20th March 2008 19:43 GMT
"Fair enough if some other distro is more secure "with no known exploits" but if a regular person like myself can't install it because you need command line stuff then we would just go with OSX, Vista or Ubuntu." Command line stuff. Because it's all so scary. Amateur. "I'm sure someone could write a Linux distro that was 100% remote secure" 100%. Totally, completely and utterly. I could do that now, including a pair of wirecutters and my ethernet cable. "if an everyday user can't use it easily then it is useless for everyday people." No sh*t, Sherlock. And if an everyday user can't use it they shouldn't be using a computer in the first place.

Kind of Interesting
By Jach
Posted Thursday 20th March 2008 21:25 GMT
I'd like to see the results, even if the contest is a little screwy. I think they should allow use of known bugs, because a large majority of attacks are from known bugs. And I'd rather see something like Gentoo.

@ Mike Lovell
By Scott
Posted Thursday 20th March 2008 23:59 GMT
"I always hear this shit. 'Vista is completely rubbish' then you ask them 'How long you been running it', then they usually say 'I'm not running it' or 'I installed it, didn't like it, then installed XP again'. Oooo, scary change!!! Do we really have to do this EVERY time something new comes out! Tosser!" You're absolutely right, if not a bit harsh. However, I've been running Vista Home Premium for about 5 months now, so I speak from experience when I say that it definitely shipped before its time. In fact, Vista just crashed this morning and refuses to boot at all (even booting to the "recovery partition" won't work). I know this isn't a hardware problem because I can boot Ubuntu just fine and mount (and access every part of) the NTFS Vista partition. I guess it's time to dig out those recovery CDs... At least I can use Ubuntu to save off my documents and other important files to a USB drive or something.

CP/M for the win! :)
By Wolf
Posted Friday 21st March 2008 02:05 GMT
Commenting on the poster who said a secure OS was the only way to go. Sure, use CP/M! No networking = no networking attack vector! Absolutely uncrackable remotely. I win... (laughing)

Really??
By Matt Caldwell
Posted Friday 21st March 2008 04:32 GMT
I thought the main attractiveness of UNIX (and thus LINUX, the free copy) was that it was coded with multiple simultaneous users in mind, ie I thought it was not like Windows where they took a single user system and hacked multiuser capability (kinda) into its backdoor. I'm positive that I have read this from multiple credible sources.

My My
By heystoopid
Posted Friday 21st March 2008 04:55 GMT
My, my, the flames are high today! Let the games and the flames continue!

Unrealistic
By Christian Berger
Posted Friday 21st March 2008 10:24 GMT
The setup is completely unrealistic. First of all you may only use unknown security problems. Keep in mind that companies like Microsoft are horribly bad at patching them even if they are known. Internet Explorer, for example, still has ActiveX support although it's been a known security hole for about a decade now. Second, not all machines are patched equally. Windows machines barely get patched because of various reasons. One is that the typical fix for a broken Windows system is to reinstall it. The install medium automatically sets it back to the unpatched version. So the realistic test would be to just clone some random boxes from companies and individuals. Of course, one also has to include the user. For example the simplest way to get your code executed on a Windows box is to set up a website offering a "free download", or bundling it with a crack to a popular software programme. Windows users essentially will run any .exe file they get hold of. And the typical way of searching for software is typing "name free download" into a random search engine and clicking the first link. Windows and MacOSX just make dangerous things too simple. That is the reason why I currently wouldn't give my parents such a box.

It's an unfair test
By Mark
Posted Friday 21st March 2008 13:47 GMT
I mean, who wants any computer with Vista on it???

@Scott
By Mike Lovell
Posted Friday 21st March 2008 19:23 GMT
"You're absolutely right, if not a bit harsh. However, I've been running Vista Home Premium for about 5 months now, so I speak from experience when I say that it definitely shipped before its time. In fact, Vista just crashed this morning and refuses to boot at all (even booting to the "recovery partition" won't work). I know this isn't a hardware problem because I can boot Ubuntu just fine and mount (and access every part of) the NTFS Vista partition." Well in your case I'll allow the criticism! All these other sheep though, they get right on my tits. "Brimful" is definitely a tosser though, I stand by that.

@By Wolf
By kain preacher
Posted Friday 21st March 2008 19:54 GMT
Someone made a C64 web server. http://www.vnunet.com/vnunet/news/2118399/commodore-back-web-server Try hacking that.

can we have one of those prebuilt Phorm Box on that table too please ;)
By Anonymous Coward
Posted Friday 21st March 2008 22:00 GMT
The perfect story...., put a prebuilt Phorm box on that table and you guys can then tell us just how secure that really is going to be ;) www.badphorm.co.uk have had some interesting answers to questions they posed to Phorm (see page http://www.badphorm.co.uk/page.php?16 ) *Q8. Are Phorm's servers within the ISP prebuilt (OS & software wise) by Phorm, or are they built by ISP technical groups following instructions given by Phorm?* A8. Prebuilt by Phorm. *Q9. Is all Phorm proprietary software delivered in unobfuscated source form to the ISPs and compiled by trustworthy employees of the ISP?* A9. No, ISPs don't get access to the source code.

Realist
By Andrew Underhill
Posted Friday 21st March 2008 23:47 GMT
Well I tried Vista Ultimate, but gave up and went back to WinXP. Not because Vista was a security nightmare (UAC was a pain), but rather that it performed badly compared to WinXP and openSUSE 10.3. BUT it was very pretty and I do seem to spend a lot of time trying to make Suse look prettier (!)(=slower?). So with WinXP and SUSE 10.3, I _suspect_ SUSE is more secure because there is less crap that I know about running on it, whereas XP probably has stuff I don't know about running on it. So *nix = I know about (ish) and can feel happy that it's ok, but Windows = know less about and so have to rely on Microsoft efforts to keep it safe (they do issue a lot of patches, don't they). Which would I trust? *nix because of my background........ :-( The value of the test? Not which O/S is best, but rather which exploit can be found that can then be fixed. (Penguin because it's not a tart)

@Wayland Sothcott
By Michael
Posted Saturday 22nd March 2008 00:10 GMT
> I agree that they should allow a more real world challenge. Known valnerabilitys should be allowed

No. For the people the competition is aimed at this probably wouldn't even be testing if they could use google, as many will be more than aware of the existing stuff. For the rest, I'd suggest /anyone/ could win a laptop if you only had to hack it with a known vulnerability. [Indeed, it seems likely that the machines could be hacked trivially via firewire if they have it... but what would be the point?] So, obviously they have a set of rules to eliminate the trivial and pointless [and to simulate a remote attack, rather than a local one]. You may as well say you think "guess the weight of the cake" competitions should let you use scales because in the "real world" most people have scales in their kitchen. Fine, but if you have 2000 entrants to said competition you'll win a handful of crumbs when the prize is split. Worse, if you think the guess the weight of the cake competition is finding out which cake is the best.... Anyway, the usual internet ignorance about security seems to have at least settled on the idea that the end user is the most insecure part of an OS, despite the fairly obvious evidence to the contrary, sometimes mentioned in the same post [I guess it's a good way of kidding yourself that your computer is secure because, like driving, everyone probably thinks /they/ are above average when it comes to using / configuring their computer]. However, it seems a self-evident conclusion that Macs must be the most secure because they don't have any users :)

Nice try
By Elrond Hubbard
Posted Saturday 22nd March 2008 17:20 GMT
I'm not going to read or skim all 100+ comments, but here's what I've got to say: Are you fucking kidding me? You'd want me to give up 0-day exploits for a fucking laptop? Not that you should, but a 0-day to the right people can be worth 30 of these crap laptops.