MacBook hacked but not PWNd...

Apr 23, 2007 14:39 GMT

After the first 24 hours of the 'PWN to OWN' contest, seeing as how the machines remained untouched, the attack base was expanded. In just under three hours, the first MacBook had been breached.

A lot of the talk and dispute regarding this competition revolves around the 'changing of the rules.' Despite this move being heavily criticized by many as lowering the bar, this had been the plan of the CanSecWest contest organizers all along. True enough, the drive-by attack, which involved following a link to a malicious website through which the computer's security was compromised, mimics the normal usage of computers today. However, just how far does normal usage extend? The organizers went on to expand the field of attack to the point where access to the USB ports of the machines was allowed. Is it normal practice to have unknown people poking and probing around your USB slots? If it is, then Macs are fatally flawed, since they can be used as an external drive via FireWire, making the entire contents of the computer available.

As for the actual hacking of the MacBook, such browser-based attacks are common across all platforms, and certainly there have been similar vulnerabilities discovered in OS X before. In this particular case, the issue is actually Java related (Matasano Chargen), so not just Safari users are exposed. However, the impact of the exploit itself has been blown out of proportion. Nancy Gohring reports for InfoWorld: "The URL opened a blank page but exposed a vulnerability in input handling in Safari, Comeau said. An attacker could use the vulnerability in a number of ways, but Di Zovie used it to open a back door that gave him access to anything on the computer, Comeau said." Why would Sean Comeau, one of the organizers of CanSecWest, say that this vulnerability could be used to give 'access to anything on the computer' when, according to the CanSecWest reports, the exploit had only granted user access? Of the two MacBooks in the challenge, only one was compromised: the easier one, which did not require root access.

How exactly user-level access equates to 'access to anything on the computer' is unclear. The exploit happened, and nobody is contesting that; however, its implications seem to have been blown hugely out of proportion. Just what constitutes normal usage of the computer, and does it include giving unknown people access to your USB ports? If so, why not include FireWire, other than the fact that it would have rendered the entire competition pointless?

Lastly, it is rather disconcerting that before each and every one of these security challenges, we have statements about how their purpose is to show Mac users that they are not safe. Dragos Ruiu, the principal organizer of security conferences including CanSecWest, said: "You see a lot of people running OS X saying it's so secure, and frankly, Microsoft is putting more work into security than Apple has." If that is the case, why did Ruiu forget to put up two Linux boxes and two Windows boxes beside those Macs? Is a secure system defined as one that is impervious to any and all outside tampering? If so, each and every operating system out there is insecure. Is security defined as a system of precautions taken to prevent outside tampering? If so, how can you judge the effectiveness of such a system except by comparison? Is Apple's platform less secure because it has been spending less time plugging up holes? If that is the case, it would be only logical to state that Windows 95 and 98 were both more secure than OS X currently is, because Microsoft sure put a lot more work into making them secure than Apple has done so far with OS X.