SecurityFocus, 2007-04-19
Vancouver, CANADA -- As security gurus talk tech at the front of an oblong conference hall at the Renaissance Vancouver hotel, two brushed-silver MacBook Pros sit on a round table pushed far to the side of the room.
Few attendees appear to pay any mind to the Apple hardware. A conference staff member sits at the table occasionally glancing at the screen of a third laptop on which lines of green text scroll past -- evidence of probes, scans and attack attempts against the two Macs.
"Pretty slow right now," the monitor says, turning back to watch the presenter.
A day late and without much fanfare, the "PWN to Own" hack-a-Mac contest kicked off at the CanSecWest conference just before noon on Thursday. The contest gives security professionals at the show a chance to attack the systems. The MacBook Pros are not just the target but the prize as well: anyone who compromises a system and follows the instructions in the target file found on the desktop takes home the computer.
The only problem is that the gift of a tricked-out MacBook does not seem to be attracting many potential attackers. A few people wander over to the side table throughout the afternoon, connecting to the physical network to virtually poke at the systems. (Others undoubtedly use the overtaxed wireless network to deliver their own attacks.) For the first six hours, no one realizes that Apple has just released a major update closing 25 security holes in its operating system. By the time a group of researchers decides to try to exploit the vulnerabilities, the conference staff have patched the systems.
The response is decidedly underwhelming, said CanSecWest organizer Dragos Ruiu.
"People have pointed out that the financial motivation is not there," Ruiu said.
The math is simple. A remotely exploitable vulnerability in Mac OS X can sell for anywhere between $5,000 and $20,000. A MacBook Pro sells for less than $3,000.
Yet, Ruiu's original idea to host the contest depends on members of the security community putting pride before profit. Between Apple's TV commercials boasting that Macs have better security than PCs and the strident assertions of extremely vocal Mac users that the systems are nigh unbreakable, some researchers have become irked with the unshakable -- and they would argue, unreasoning -- faith that some users have in the platform.
Data shows that Mac OS X has had its share of vulnerabilities. In 2006, Apple had to fix 137 flaws, according to the National Vulnerability Database. So far this year, the company has fixed more than 80 flaws in four patches for the operating system. The update on Thursday, which coincided with the "PWN to Own" contest, fixed vulnerabilities ranging from a bypass of the login window to the use of malformed names to run code through the installer.
Yet, history may not be a good gauge of the future.
At 6:30 p.m., Ruiu announces that TippingPoint, a division of networking company 3Com, has decided to up the ante: The company will buy the first zero-day attack that compromises a Mac for $10,000. The price is in line with the bounties the company pays for other flaws as part of its Zero Day Initiative (ZDI).
"We heard a rumor that no one is interested in hacking the Mac," Terri Forslof, manager of security response for TippingPoint, told attendees. "So we are offering $10,000 for a zero-day attack that succeeds."
An hour later, as the conference moves into the evening's lightning talks, the staff member keeping company with the MacBook Pros nods.
"There seems to be a bit more interest now."