×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Safari/MacBook First To Fall At Pwn2Own 2011

samzenpus posted more than 3 years ago | from the weakest-link dept.

Safari 492

recoiledsnake writes "A team of security researchers from the French pen-testing firm VUPEN successfully exploited a zero-day flaw in Apple's Safari browser to win this year's Pwn2Own hacker challenge. The hijacked machine was running a fully patched version of Mac OS X (64-bit). Bekrar's winning exploit did not even crash the browser after exploitation. Within five seconds of surfing to the rigged site, he successfully launched the calculator app and wrote a file on the disk without crashing the browser. Apple has just released Safari 5.0.4 and iOS 4.3 a few minutes before the Pwn2Own contest in an attempt to save face (a last minute patch for Chrome was also released) but failed."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

492 comments

Simple (2, Insightful)

Anonymous Coward | more than 3 years ago | (#35440976)

It's called "Pwn2Own": the hackers win the machines they hack.

Everyone wants Macs. They hack them first. The other computers come down minutes later.

Re:Simple (-1, Troll)

clang_jangle (975789) | more than 3 years ago | (#35441042)

Yes pretty much, but the average slashdotter is always looking for opportunities to vent displaced rage and Apple is it lately.

What's that rumbling sound I hear? Ach mein gott, it's the stampede of anti-apple trolls with their one-dimensional stereotypes, flaming straw men, and tired, old memes!

Re:Simple (-1, Troll)

MrHanky (141717) | more than 3 years ago | (#35441180)

FYI, you should get paid for that kind of PR work. Making pre-emptive excuses for Apple and all. "Oh, Apple is only losing cuz they're the best, and now we'll get trolls cuz haterz gunna hate!" Perhaps your kind is the reason why Apple is hated. You disgust me.

Re:Simple (0, Troll)

clang_jangle (975789) | more than 3 years ago | (#35441200)

Perhaps your kind is the reason why Apple is hated. You disgust me.

Thanks for illustrating my point with your blind, irrational, displaced rage.

Read it again troll, this time thinking about the fact that I'm a gentoo and freebsd user. :P

Re:Simple (1)

MrHanky (141717) | more than 3 years ago | (#35441222)

I just pointed out that it's neither blind nor irrational. The first dozen or so comments to this story were Apple apologists trying to spin it.

Re:Simple (-1, Flamebait)

clang_jangle (975789) | more than 3 years ago | (#35441264)

Not one word of apology is present in my post nor the post with which I expressed agreement. You're very emotional, which has made you irrational. Now that you have blurted out your little troll you have to try to defend it rationally, which is of course a doomed prospect. You have no leg upon which to stand. You have simply attached your emotional baggage inappropriately, and reacted hysterically. Perhaps you can rationalize it away to yourself, but it won't wash with anyone paying attention.

Re:Simple (2)

MrHanky (141717) | more than 3 years ago | (#35441336)

Excusing Apple from being hacked is by definition (2) [google.com] an apology. Being emotional (something which is only your imaginative interpretation of my rather terse writing, btw) does not negate being rational, on the other hand. You're attacking my comments with false logic and false propositions. Good work for someone pretending to be the rational one.

Re:Simple (1)

clang_jangle (975789) | more than 3 years ago | (#35441382)

Excusing Apple from being hacked is by definition (2) [google.com] an apology

Oh FFS, no-one "excused Apple from being hacked". Facts were presented, you don't like the facts, sucks to be you.

Re:Simple (-1, Troll)

BasilBrush (643681) | more than 3 years ago | (#35441516)

Being emotional (something which is only your imaginative interpretation of my rather terse writing, btw)

The fact that you wrote "You disgust me" is not in his imagination. That is a very clear statement of your emotional reaction.

I'm afraid, Mr Hanky, you're just proving yourself to be exactly what you were described as by the other poster.

Re:Simple (4, Informative)

C_amiga_fan (1960858) | more than 3 years ago | (#35441304)

>>>Apple is it lately.

I don't have a problem with Apple.

I have a problem with the *owners* who act as if owning an "unhackable" Apple was like being married to the most beautiful wife on the planet. ("Why would anybody choose a different partner/ manufacturer???") Apple's personal computers are still..... just PCs. Just like Acuras/Lexuses are just Hondas/Toyotas.

Re:Simple (-1)

theaveng (1243528) | more than 3 years ago | (#35441340)

Hey Commodore_amigo! Shut the hell up!

Haha, don't make me laugh with your threats. What are you going to do, make some more sockpuppet accounts on Slashdot and flame me?
LOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLO

Re:Simple (1, Insightful)

clang_jangle (975789) | more than 3 years ago | (#35441370)

I have a problem with the *owners* who act as if owning an "unhackable" Apple was like being married to the most beautiful wife on the planet. ("Why would anybody choose a different partner/ manufacturer???")

Who cares? Besides, for the non-geek, and for the multimedia professional it's true -- there is nothing that can touch OS X and the software available for it. It's an idiot-proof, user-friendly *nix.

Yes, it's limited, dumbed-down, locked-down, and has an aggravating tendency to try to force users into doing things "the Apple Way". In that regard, it's just as frustrating to me as windows. But it's still got the power of bash out of the box, and is every bit as capable as linux or any other BSD in many key ways. I can understand why people pay the premium, if the money isn't an issue it's a no brainer for lots of people.

Apple's personal computers are still..... just PCs. Just like Acuras/Lexuses are just Hondas/Toyotas.

Custom PCs with custom mobos running commodity chipsets, with an OS tuned, tested, and optimized for the hardware. It's a completely reasonable choice for people who like what Apple offers. The security isn't "all that", but it certainly beats the hell out of windows for the average user. The whole applehatred thing is weird, like racism or religious zealotry..

Re:Simple (4, Interesting)

SuricouRaven (1897204) | more than 3 years ago | (#35441440)

Ideological differences. Slashdotters like such princibles as open source, patent-free technologies, and the right to do as you wish with hardware you buy even without the manufacturer's approval. They hate DRM and any anti-tamper measures. This means they will be in conflict with Apple, in the same way they are in conflict with Microsoft. Both companies behave in ways (Like requiring code-signing to run any software on an iPod/phone/pad) which are in very strong opposition to the openness and right to tinker that most geeks love.

Re:Simple (2)

clang_jangle (975789) | more than 3 years ago | (#35441502)

Yes I understand all that, but the thing that trips me up is that I always hope that these discussions will be somewhat rational and fact-based. Whenever Apple comes up it's as if most people here completely lose their intelligence through emotional overload or something. Between the haters and the fanbois one can hardly participate without being assigned a "side" and painted as a one-dimensional stereotype. Factual observations expressed with attempted humor get modded "troll", trolls get modded "insightful"... Reminds me of that original Star Trek episode about Landrew and the Red Hour . "You are not of the body!".

Re:Simple (5, Insightful)

BasilBrush (643681) | more than 3 years ago | (#35441542)

Slashdotters like such princibles as open source, patent-free technologies, and the right to do as you wish with hardware you buy even without the manufacturer's approval. They hate DRM and any anti-tamper measures.

That should read "Some Slashdotters..." there certainly isn't universal agreement on those. Particularly those who make a living by developing and selling software very often won't agree with that entire list.

Re:Simple (1)

C_amiga_fan (1960858) | more than 3 years ago | (#35441530)

>>>with an OS tuned, tested, and optimized for the hardware.

While that's true, I prefer hackable hardware like the Ataris, Commodores, and Amigas I grew up with. Even Macs used to be hackable, until Steve Jobs locked them down with his NeXT OS (10.x). I like pushing things to the limit.

I also like using a standard format that is widely supported. Good luck trying to run Mentor Graphics or ModelSim or Utorrent or "2xAV" (double speed) or Final Fantasy 11/13 on a mac.

Re:Simple (4, Insightful)

Dunbal (464142) | more than 3 years ago | (#35441496)

But you have to understand the psychological aspect. I mean if you had paid twice as much for a brand and a look, found out that for your money you weren't getting much else, and watched the software you thought unhackable fail so miserably when you thought you were paying for security, you would be in denial too and rush to their defense. It's not Apple he is defending, it's his own feeling of foolishness that he's trying to cover up.

Re:Simple (2)

V!NCENT (1105021) | more than 3 years ago | (#35441190)

Where's the Mandatory access control feature on the iMac? Will you help me find it for me please? I'm thinking about making the switch because NT6.1 doesn't have it.

Re:Simple (3, Insightful)

N1AK (864906) | more than 3 years ago | (#35441290)

What's that rumbling sound I hear? Ach mein gott, it's the stampede of anti-apple trolls with their one-dimensional stereotypes, flaming straw men, and tired, old memes!

Wow. Using 'straw men' in your creation of a straw man argument, my hypocrisy detector nearly blew a fuse.

Re:Simple (0)

Anonymous Coward | more than 3 years ago | (#35441378)

That's not a straw man argument. ftfy.

Re:Simple (5, Insightful)

TheRaven64 (641858) | more than 3 years ago | (#35441084)

I think this is the important point. It doesn't matter that the Mac failed first, it matters that it failed at all. The order isn't important - all of the exploits took a small amount of time, and all were done just by making the machine visit a malicious site. Which one was tried first is not the important bit.

The most embarrassing thing for Apple is that OS X has included a mechanism for applying fine-grained sandboxes to applications since 10.5 which Safari doesn't use. It would only be a couple of weeks worth of work for an engineer to create a sandbox policy, test it, and ship it with Safari. For some reason, Apple has decided not to invest this effort.

Re:Simple (5, Informative)

clang_jangle (975789) | more than 3 years ago | (#35441154)

I think this is the important point. It doesn't matter that the Mac failed first, it matters that it failed at all. The order isn't important - all of the exploits took a small amount of time, and all were done just by making the machine visit a malicious site. Which one was tried first is not the important bit.

Exactly. It might have been far more interesting if we'd had a summary that at least made an effort to tell the whole story, [zdnet.com] rather than just the one-sided flamebait we got...

Re:Simple (-1, Flamebait)

C_amiga_fan (1960858) | more than 3 years ago | (#35441390)

They are saving the "sandboxed" feature for the Pack-in Safari included with OS 10.7. It will be used by marketers to explain why owners should spend (another) $100 to replace the OS 10.6 they just bought two years ago.

It's like having to buy a whole new Windows release, but every other year instead of just one per decade (approximately).

Re:Simple (1)

Anonymous Coward | more than 3 years ago | (#35441432)

OS X 10.6 was only $30 when it came out.

Re:Simple (1, Insightful)

C_amiga_fan (1960858) | more than 3 years ago | (#35441552)

>>>OS X 10.6 was only $30

That was a sale price. The previous 10.x releases (and future release) cost $130 plus $10 shipping. It really was like buying a whole new Windows OS every 1-2 years.

Which is fine if you have the money to spend.
I don't.

Re:Simple (0)

Anonymous Coward | more than 3 years ago | (#35441104)

Excuses, excuses. Your Mac is an insecure piece of shit.

Re:Simple (-1, Troll)

Anonymous Coward | more than 3 years ago | (#35441182)

It seems rather apparent that you're the insecure piece of shit.

Re:Simple (5, Insightful)

DrXym (126579) | more than 3 years ago | (#35441142)

I assume these developers would need a Mac and extensive knowledge of its inner workings in order to develop and test an exploit. Therefore it make no sense to say this is just some hacker after the nicest prize. They're after the prize they know how to obtain and have spent a considerable amount of time researching.

It may well be that other computers fall thereafter and I expect in those cases they fall from people who similarly have knowledge of those respective systems.

So basically it sounds like you're making excuses.

Re:Simple (0)

Jeff DeMaagd (2015) | more than 3 years ago | (#35441344)

It might be making excuses, but wouldn't the Safari vulnerabilities also be found on the Windows version? After that, starting a program or writing a file might not be so difficult. Either way, it sounds like Apple needs to fix their software and their security focus.

Re:Simple (5, Interesting)

Anonymous Coward | more than 3 years ago | (#35441158)

Lies. Several times now they've had to allow more access to the machine before Windows was hacked. One year, before they stopped including Linux, it made it through the entire competition without being hacked despite everyone's best effort.

At some point, you're going to have to accept that OS X just isn't that secure. It has a poor, inconsistent implementation of ASLR and DEP, Apple tends to be very slow at patching vulnerabilities, they don't prioritize security or safe coding practices, and it has absolutely nothing that compares to SELinux. It's 2011, being Unix doesn't magically make you secure.

Re:Simple (5, Insightful)

mikael_j (106439) | more than 3 years ago | (#35441184)

Actually the reason Safari went down first was because it was the first target. Followed by IE8 which also went down. The researcher who was going to go after Chrome never showed up and Firefox is next in line...

Re:Simple (2)

aliquis (678370) | more than 3 years ago | (#35441246)

Mac reta... err.. users always got an excuse!

I doubt it's got much to do with everyone actually wanting a mac but rather more than people either shooting for the mac because of the fame and extra publicity or because of Apples (and their users) arrogance.

Re:Simple (0)

Anonymous Coward | more than 3 years ago | (#35441294)

I would target it purely for the last reason. Linux often deserves the same treatment. It's bizarre how religion has managed to infiltrate daily thought, especially when dealing with computers.

Re:Simple (5, Insightful)

dotwhynot (938895) | more than 3 years ago | (#35441392)

It's called "Pwn2Own": the hackers win the machines they hack.

Everyone wants Macs. They hack them first. The other computers come down minutes later.

First one wins 15k$ cash. You are saying they risk this by not going after the easiest target first because they so desperately want a Mac?

Re:Simple (2)

andydread (758754) | more than 3 years ago | (#35441506)

wow thats a different apologist twist on the issue that Macs are the least secure operating systems and get hacked first. wow.

Re:Simple (1)

mwvdlee (775178) | more than 3 years ago | (#35441538)

Or maybe they already had Macs so they could research the exploits and they started with the Mac just to piss off those annoying "OS-X is so much more safe than Windows" apple fanboys. Someday apple fanboys will realize that their "security" really was "security through obscurity" all along, and on that day many apple fanboys will have to reformat their harddrives.

And I just got my first Imac... great!! (0)

Anonymous Coward | more than 3 years ago | (#35440988)

...First

Bias in pwn2own (0)

Anonymous Coward | more than 3 years ago | (#35441008)

Pwn2own is clearly bias, because the security researchers are obviously going to try harder to pwn the machine they want to own.
(Not the mac)

Re:Bias in pwn2own (1)

Anonymous Coward | more than 3 years ago | (#35441256)

So let me get this right. In a contest where you win $10,000, the thought of getting a $2,000 laptop for free is somehow of paramount concern. Never mind that most of the winners are certainly not broke and already have equal or better hardware.

Re:Bias in pwn2own (0)

Anonymous Coward | more than 3 years ago | (#35441454)

So let me get this right. In a contest where you win $10,000, the thought of getting a $2,000 laptop for free is somehow of paramount concern. Never mind that most of the winners are certainly not broke and already have equal or better hardware.

shsss.. you are disturbing the RDF bliss. (the price this year was $15,000 btw)

cool (0)

Anonymous Coward | more than 3 years ago | (#35441012)

it will also be the first patched...

Chrome was updated (0)

inpher (1788434) | more than 3 years ago | (#35441014)

Why was Chrome allowed to be updated but other browsers not? What did Google do to deserve such special treatment?

Re:Chrome was updated (3, Informative)

Nerdfest (867930) | more than 3 years ago | (#35441086)

I believe Apple released 50+ patches a few minutes before the contest. No special treatment for Google that I'm aware of.

Re:Chrome was updated (1)

Anonymous Coward | more than 3 years ago | (#35441136)

Apple has just released Safari 5.0.4 and iOS 4.3 a few minutes before the Pwn2Own contest in an attempt to save face(Chrome and Safari also released last minute patches) but failed."

Safari is a browser and was allowed to be updated same with Firefox, so what special treatment are you reffering too? Also since Google up the reward for owning Chrome OS by $20,000 with their own money I would they might be deserving of some special treatment although that is not what happened here.

Le pwn? (2)

gtch (1977476) | more than 3 years ago | (#35441016)

How does one pronounce 'pwn' in French?

Re:Le pwn? (0)

Anonymous Coward | more than 3 years ago | (#35441032)

I pronounce it like "pawn".

Never been an issue before (5, Funny)

Anonymous Coward | more than 3 years ago | (#35441088)

No one knows. Up until now the French have never had reason to use the word. You can't pwn someone and surrender at the same time.

Re:Le pwn? (1)

Anonymous Coward | more than 3 years ago | (#35441178)

I usually say "poune" / "pounaide!" (pwnd), but "pône" is also ok :)

Firefox/Linux (4, Interesting)

sakdoctor (1087155) | more than 3 years ago | (#35441026)

Firefox and Linux are under represented in pwn2own as usual.
I'm not complacent, just saying it's nice.

Re:Firefox/Linux (3, Informative)

Anonymous Coward | more than 3 years ago | (#35441054)

Re:Firefox/Linux (4, Interesting)

Anonymous Coward | more than 3 years ago | (#35441144)

Quoting from the link: "Linux is not an operating system that has widespread use with any one particular distribution, flavor or configuration," Portnoy said. "In general Linux is still a server-based operating system, people do use it on the desktop, but you can't go to BestBuy and buy Linux with a specific distro on it that everyone uses that has widespread market share"

To me this like a combination of two classic arguments: one that Linux doesn't have enough market share to warrant our attention, two that it given the diversity of Linux, which is one of its security strong points, it might be too difficult to crack it and even if we did, we can't make as big of a media spectacle about it. If I recall correctly, Ubuntu was included in this test a year or two ago and was the only one that was not cracked.

Re:Firefox/Linux (2)

georgesdev (1987622) | more than 3 years ago | (#35441068)

sure, who would want to pwn Firefox or Linux, and get to own a free download ;) ...

Re:Firefox/Linux (1)

somersault (912633) | more than 3 years ago | (#35441250)

Safari and IE8 are free downloads too, what's your point? It's the hardware they get to own, an OEM OS license is pretty insignificant next to that.

Re:Firefox/Linux (1)

sakdoctor (1087155) | more than 3 years ago | (#35441132)

Yeah, fine forget linux. It's been tested in the past but not this year.

...it's nice to see firefox under represented in pwn2own.

Re:Firefox/Linux (0)

Anonymous Coward | more than 3 years ago | (#35441224)

When Linux grows up and becomes a serious desktop contender it will get it's shot...

For now the desktop platforms such as GNOME are just not good enough as Jon Larimer showed us at ShmooCon. You can just read the source, find a nice unchecked buffer (of which there are a lot) and write an exploit.

Don't get me wrong, I'm not a Linux hater - it's an awesome server OS, but as a desktop platform it's still very young.

Re:Firefox/Linux (1)

jcupitt65 (68879) | more than 3 years ago | (#35441274)

Ubuntu was in Pwn2Own in 2008 and was not hacked in the three-day contest:

http://www.theregister.co.uk/2008/03/29/ubuntu_left_standing/ [theregister.co.uk]

(though it sounds like they might have been able to break out of flash given a bit more time, who knows)

Re:Firefox/Linux (0)

Anonymous Coward | more than 3 years ago | (#35441350)

That really just shows they didn't try hard or study hard enough. GP was right. Linux on its own is quite secure usually. Add in these massive software platforms like KDE and Gnome which are a complete mess of code submissions and you have a total security nightmare.

If you don't believe me, start reading the sources to these projects and you'll soon be crying. Literally.

Re:Firefox/Linux (1)

jcupitt65 (68879) | more than 3 years ago | (#35441536)

But this contest is about exploiting via a browser (and perhaps email? I forget if they allow that).

Holes in GNOME aren't really relevant. Once you get some code running in the firefox process you co do whatever you like to the user's account.

Hilarious (5, Insightful)

theolein (316044) | more than 3 years ago | (#35441056)

I'm a Mac user and fortunately not a mindless one (honest, promise!). That Apple has been extremely lucky in not being overrun in exploited machines has more to do with the normal target area for exploiters being windows due to marketshare, but Macs have a big enough marketshare these days to make it worthwhile for crackers. I'm pretty sure that the time will come when Macs will be running dubious AV products like most Windows people do.

It is slowly ramping up (5, Interesting)

Sycraft-fu (314770) | more than 3 years ago | (#35441116)

We've had a few Macs (Macs that were administered by the person, not by IT) at work owned. In one case it was pure user stupidity, a world writable FTP. They couldn't see what was wrong though because "Macs can't get hacked!" In another case it was a virus that seemed to use the speech synthesizer to read ads. Was really funny.

It is rare, compared to Windows, but growing. The real problem is, as I mentioned, the "But Macs are safe!" people. They really do think that running a Mac absolves them from any security responsibility. I think there are going to be some nasty awakenings and users will have to accept that no matter what you do, you need to have good security practices. A virus scanner is a good idea as well, since it can help catch things if you slip up (and we all slip up).

Re:It is slowly ramping up (1)

Anonymous Coward | more than 3 years ago | (#35441280)

A virus scanner is a good idea as well, since it can help catch things if you slip up (and we all slip up).

A virus scanner won't necessarily catch user error and security software often ends up being more intrusive than malware, burrowing itself deep into the OS and making removal difficult. Who in their right mind would want garbage like Norton on a Mac?

Re:It is slowly ramping up (0)

Anonymous Coward | more than 3 years ago | (#35441430)

You know, I share that opinion for Windows and OS X, but only because they're closed off. AV solutions on those platforms are almost inevitably half-assed and poorly integrated (the last is somewhat understandable). But on a platform with a fully open kernel, AV could be much cleaner and less intrusive than we're used to.

...it occurs to me you could replace all instances of AV with DRM and it'd still be true. DRM would lose its effectiveness though.

Re:It is slowly ramping up (1, Interesting)

coopaq (601975) | more than 3 years ago | (#35441312)

I know. That argument is annoying. If they would just say they like the machine build quality, Unix like underpinnings and user interface better it would make it easier to listen to them.

As for your antivirus comment. Well you must be a sys admin to love such crapware.

Seriously in the middle of doing an install of Fedora 14 on my corporate laptop since McAfee is sucking the IO life out of my Windows install. I can jump through hoops to sometimes avoid it, but is company policy. 100000 files in my project and doing a simple copy to an external esata drive takes forever with McAfee cock blocking IO bullshit.

No such trouble or company gripes with Linux.

Re:It is slowly ramping up (1)

smash (1351) | more than 3 years ago | (#35441380)

If they would just say they like the machine build quality, Unix like underpinnings and user interface better it would make it easier to listen to them.

This is exactly why i am buying Macs (I also have Windows and BSD boxes). I consider no desktop OS to be secure, so i don't browse dodgy shit without using a VM, and run a firewall in front of it.

Re:It is slowly ramping up (0)

Anonymous Coward | more than 3 years ago | (#35441354)

Secure config > OS Choice.
 
More after these words.

Re:Hilarious (0)

Saint Gerbil (1155665) | more than 3 years ago | (#35441134)

What a refreshing change most mindless fanbois claim that its because it is the most coveted system it was the main focus and therefore the first to fall, regardless of which system it is on.

Is that so... (1)

Anonymous Coward | more than 3 years ago | (#35441092)

From TFA:

He said the creation of a reliable exploit was “much more difficult” than finding the vulnerability.

“There are many WebKit vulnerabilities. You can run a fuzzer and get lots of good results. But it’s much more difficult to exploit it on x64 and to make your exploit very reliable,” he said.

If the vulnerabilities are so easy to find, why doesn't Apple just use a fuzzer itself and fix the vulnerabilities?

no surprise there (0)

Anonymous Coward | more than 3 years ago | (#35441114)

Well you get to keep the computer that you hack and no offence but I'd rather get a MBA rather than a cheapo windows/linux machine. Plus they did say that the exploit was not at all easy to develop. Oh and did you notice the new Safari update released yesterday ...

Re:no surprise there (5, Informative)

somersault (912633) | more than 3 years ago | (#35441268)

They had a VAIO with Ubuntu on it in 2008, which nobody hacked. VAIOs are certainly not "cheapo".

Not even surprised (0)

Anonymous Coward | more than 3 years ago | (#35441118)

I am not surprised at all that the Mac/Safari would collapse. Apple has boasted for years that it was more secure than PCs since they never get malware...or viruses, oh wait, never mind.

genetically challenged nazi mutants, 1 agenda (-1)

Anonymous Coward | more than 3 years ago | (#35441130)

there is no plan b. upstairs they're referred to as 'the walking dead'. they 'appear' in a midst of hoopla (flags, weird symbols, dominance, gunfire etc...) telling us how we're doing.

no matter? there's plenty of opposing intentions to their madness. for example; one could align themselves to any of the scheduled million baby+ play-dates, conscience arisings, georgia stone editing(s), & a host of other life promoting events. if you are unable to attend in person, your regards will do just fine. guaranteed to activate all of your senses at once. it's all about us, but not exactly as it's been presented thus far?

Holding back exploits to score quick victories? (4, Interesting)

jo_ham (604554) | more than 3 years ago | (#35441146)

Given the financial incentives involved here (for example, the guy who gave up an almost certain $15,000 because he reported a bug to Google rather than keep it under wraps until he could clean up at Pwn2Own, how many bugs on all of the major platforms are kept "secret" to be used in contests like this?

I understand the nature of the event is to demonstrate the issues of security and code vulnerability, but sitting on exploits is surely counterproductive here?

Re:Holding back exploits to score quick victories? (1)

kangsterizer (1698322) | more than 3 years ago | (#35441228)

it's a business. at least you get some bugs fixed that way. they'd keep it for other people if other people paid more (and some do!)
so yeah, it's just business. most businesses aren't very moral for that matter.

Re:Holding back exploits to score quick victories? (1)

gl4ss (559668) | more than 3 years ago | (#35441238)

they're not exactly secrets. a secret is something someone else couldn't stumble upon by accident or by purpose, these flaws are there or they aren't and everybody has practically the access to the same running code to examine at their leisure.

maybe google should up the rewards and cut the paychecks of their useless academics to make it a non issue. they could just make their bounties a bit less of a joke, a thousand dollars is like 1/120th of the money it takes to employ their average guy who SHOULD HAVE FIXED THE BUG EARLIER.

Re:Holding back exploits to score quick victories? (1)

Frosty Piss (770223) | more than 3 years ago | (#35441244)

I understand the nature of the event is to demonstrate the issues of security and code vulnerability, but sitting on exploits is surely counterproductive here?

You don't understand the mind-set of hackers, do you....

Re:Holding back exploits to score quick victories? (1)

jo_ham (604554) | more than 3 years ago | (#35441332)

Well, given the information in the article it was non-trivial to write a working exploit of this bug, so the guy clearly put a lot of effort into it. However, if bugs like these were reported more as a matter of course then it would leave the *really* esoteric ones for contests like this, which would be a security win for everyone, since more difficult bugs would be exploited and squashed for money.

I think the people involved here are relatively altruistic in terms of security (ie, "white hat"), but I can't help thinking it's low hanging fruit that they have hidden behind a curtain, to be revealed in the day of the contest (for all platforms involved, not just Safari on OS X).

Re:Holding back exploits to score quick victories? (0)

Anonymous Coward | more than 3 years ago | (#35441282)

Why the hell should he do Apple's job of finding/fixing bugs in their products? Is Apple going to reward him for increasing the security of their

Re:Holding back exploits to score quick victories? (4, Insightful)

jo_ham (604554) | more than 3 years ago | (#35441352)

I'm not talking just about Apple - note that I was talking generally, and even specifically mentioned Google as an example - it's right there in my comment. I am talking about the contest as a whole, including all of the operating systems and browsers involved, but feel free to ignore my point and just have an Apple bash. After all, we are on slashdot.

Also, talking about this specific bug, it was an exploit in WebKit - so are you now saying that WebKit is an Apple product? After so many years of "Apple just took KHTML and rebranded it and claimed all the credit" posts on slashdot, now suddenly it *is* an Apple product? You can't have it both ways.

My original point was referring to all browsers and operating systems involved, both with OSS components and closed code.

The pen industry (1)

Noam.of.Doom (934040) | more than 3 years ago | (#35441226)

Am I the only one who thinks that it's strange for a firm that tests pens to hire security experts and participate in this competition?

Sandbox (3, Insightful)

Mr_Silver (213637) | more than 3 years ago | (#35441232)

The most interesting and disappointing thing about Pwn2Own for me was that all the recent development of sand-boxing in browsers suggested that they were going to herald in a new era of browser security.

In actual fact it turns out that, thanks sloppy implementations, they aren't very good at their job.

Re:Sandbox (1)

MoeDrippins (769977) | more than 3 years ago | (#35441412)

It doesn't matter how good the idea is if the execution is sloppy. I do suspect browsers are more secure, and at least partially due to the sandboxing idea, than in the past, no?

Re:Sandbox (0)

Anonymous Coward | more than 3 years ago | (#35441544)

Really? I think you're imagining things here. Chaining three exploits to best IE is no simple feat. It still didn't gain admin access (though that's the second easiest part).

And Chrome still hasn't been beaten. While I'm not impressed by Google's coding standards, it's my understanding that Chrome's sandboxing architecture is a bit more complex than IE's total reliance on MIC.

conscience unavailable to nazi mutants? (-1)

Anonymous Coward | more than 3 years ago | (#35441272)

that's both good & bad. believing that anyone has the task of deciding who dies, requires a psychosis, that has plagued this population since the strain was introduced into our previously perfect genes.

however, the resulting lack of conscience, leaves the mutants unable to commit to anything, or act/feel in the ranges of compassion, & the understanding of what really matters, other than on an entirely superficial level.

many of us were created to offset this 'glitch' in our journey to being ok, or much better, with each other, & our genuine gifts (& we're losing them (dead), by the way?). the 'acceptable' loss; 0. the cost so far? better not to dwell. thanks

misleading title on /.? never! (3, Informative)

risinganger (586395) | more than 3 years ago | (#35441324)

Well that headline is misleading at best I'd say. I suggest reading pwn2own day one: Safari, IE8 fall, Chrome unchallenged [arstechnica.com] in which it states that both Safari and IE fell at the first attempt, clearly it was a matter of nothing more than the ordering. Apologies for disturbing all the anti-apple ranting but both systems are weak.
 
Please feel free to resume posting uninformed comments now.

Re:misleading title on /.? never! (2, Insightful)

Anonymous Coward | more than 3 years ago | (#35441520)

Well that headline is misleading at best I'd say. I suggest reading pwn2own day one: Safari, IE8 fall, Chrome unchallenged [arstechnica.com] in which it states that both Safari and IE fell at the first attempt, clearly it was a matter of nothing more than the ordering. Apologies for disturbing all the anti-apple ranting but both systems are weak. Please feel free to resume posting uninformed comments now.

There is something strange about how this is worded, as the first hacker - taking down Safari/MacOS - won 15k$. It sounds really strange if that price was decided just by the ordering of attempts.

did we 'allow' hitler to depopulate continents? (-1)

Anonymous Coward | more than 3 years ago | (#35441384)

not on purpose of course, as time 'flies' when babys are exploding? that holycost story still looks pretty shaky right about now? are we doing it again/worse? yikes

fortunately, the creators are participating, & have initiated the prime directive...AGAIN. seems we're predominantly self-extincting, by their 100% accurate at all times, measures. that's not at all how we were designed? there's a catch (ain't it always)? if we fail to participate in our rescue, it might fail at this time. the losses will mount. on & on it goes. we have a choice. you can bet EVERYTHING FOREVER that this depopulation (by murder) stuff is totally bogus/completely evil. guaranteed. see you there?

extortion (0)

Anonymous Coward | more than 3 years ago | (#35441406)

Sitting on some damaging knowledge until you are paid to reveal it is plain extortion. Why there isn't law which allows the "winner" of these sorts of contest to be immediately arrested is beyond me. Fortunately, the way our government is going, it'll only be a matter of time until such people are dealt with.

Lets face it : Apple got served. (1, Insightful)

unity100 (970058) | more than 3 years ago | (#35441414)

There is no other way of putting it. When you get served, you get served. and apple, has got served. much better for apple and its fans to take lessons from it, accepting the result, to better their stuff, than to try to spin and defend it.

Webkit (0)

Anonymous Coward | more than 3 years ago | (#35441470)

If the flaw is in Webkit, wouldn't that mean that any browser, including a webkit-backed Epiphany on Linux, would also easily fall?

I feel a disturbance (3, Funny)

Dunbal (464142) | more than 3 years ago | (#35441504)

I feel a disturbance in the Force, as if a million Apple users suddenly cried out in terror, and were pwn3d.
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...