One year after launching a controversial Macintosh hacking contest, the promoters of the CanSecWest security research conference are thinking about giving hackers another shot at cracking the Mac. Only this time, they’re looking to broaden the field.
Last year, show organizers invited attendees to hack into a Macintosh laptop, with the successful hacker winning the computer and a cash prize. But this year they’re talking about giving attendees three targets to choose from. “We’re thinking of having a contest where we have Vista and OS X and Linux … and see which one goes first,” said Dragos Ruiu, the principal organizer of CanSecWest.
Last year, security researcher Dino Dai Zovi spent a sleepless night hacking his Mac in order to take the prize at the show’s first PWN to OWN contest. Dai Zovi found a QuickTime bug that allowed him to run unauthorized software on the Mac once the computer’s browser was directed to a specially crafted Web page.
Dai Zovi split the contest prize with a friend at the show, Shane Macaulay, who helped him pull off his attack. Macaulay got to keep the MacBook Pro while Dai Zovi pocketed the $10,000 put up by 3Com’s Tipping Point division in exchange for technical details on the bug.
It turned out that the QuickTime bug affected the Windows operating system too, but Ruiu said that Dai Zovi’s hack helped change the way the industry thinks about the Mac OS, which has a reputation for being far more secure than Windows. “We were trying to point out that there was a security issue with Mac stuff here, and everybody was trying to play ostrich.”
Ruiu and Dai Zovi say that last year’s contest helped kick off a flurry of Mac-related security research, but according to TippingPoint Manager of Security Response Terri Forslof, it also illustrated a security industry truism: “Given enough time and motivation, everything can be broken,” she said. “When TippingPoint agreed to purchase whatever vulnerability was used to win the contest for $10,000, it added an appropriate level of motivation. That’s how it works.”
Shortly after last year’s contest, Gartner published a research paper warning that such challenges are “risky endeavors” that could put sensitive vulnerability information out in the public domain.
That hasn’t stopped CanSecWest from pressing forward with this year’s event.
Ruiu isn’t certain that he’ll run the three-way hacking contest this year. That’s because he also has a grander, top-secret hacking contest idea that may or may not pan out, he said.
Either way, he promised “an interesting spectacle.”