
Chrome Hacked In 5 Minutes At Pwn2Own

samzenpus posted more than 2 years ago | from the what-took-so-long? dept.


Skuto writes "After offering a total prize fund of up to $1M for a successful Chrome hack, it seems Google got what it wanted (or not!). No more than 5 minutes into the Pwn2Own cracking contest team Vupen exploited 2 Chrome bugs to demonstrate a total break of Google's browser. They will win at least 60k USD out of Google's prize fund, as well as taking a strong option on winning the overall Pwn2Own prize. It also illustrates that Chrome's much lauded sandboxing is not a silver bullet for browser security."

169 comments

Obviously they were just waiting to start (5, Interesting)

msobkow (48369) | more than 2 years ago | (#39282815)

I think it's pretty clear they had their exploits worked out and ready to go for some time, and were just waiting for the contest to start to unleash them.

Still, kudos on what has to be almost world-record-time penetration of a "secure" system.

Re:Obviously they were just waiting to start (5, Informative)

SpanglerIsAGod (2052716) | more than 2 years ago | (#39282843)

I think that's how most of the successful hacks have been going in this contest. Someone finds a few vulnerabilities, hordes them until the contest, and then goes public with them.

I'm not sure that I like that, but I guess it gets some vulnerabilities fixed.

Re:Obviously they were just waiting to start (5, Interesting)

GameboyRMH (1153867) | more than 2 years ago | (#39283233)

I'm not gonna lie, with my modest 3rd-world income I'd probably do the same thing for $60k. Giving out these massive prizes at annual competitions could turn out to be a double-edged sword.

Re:Obviously they were just waiting to start (4, Insightful)

kcbnac (854015) | more than 2 years ago | (#39283965)

Then perhaps they need to start doing them more often than yearly? Do them quarterly?

Re:Obviously they were just waiting to start (5, Interesting)

Anonymous Coward | more than 2 years ago | (#39283985)

I wonder if it would be worthwhile for a committer to intentionally introduce a bug (passing code review, of course), then split the bounty with a buddy who enters the competition?

Re:Obviously they were just waiting to start (3, Interesting)

Anonymous Coward | more than 2 years ago | (#39284053)

$60k is considerably more than my "1st-world" annual income. I imagine you'd have to be rich or a little goofy not to do that, if the opportunity presents itself.

Re:Obviously they were just waiting to start (1)

genik76 (1193359) | more than 2 years ago | (#39284605)

By "little goofy" you mean honest, I guess.

Re:Obviously they were just waiting to start (0)

notb666 (1863678) | more than 2 years ago | (#39284645)

+1 for your sig.

Re:Obviously they were just waiting to start (-1)

Anonymous Coward | more than 2 years ago | (#39283849)

~hoards, not hordes

I'm just going to start fixing these damn errors I see, if nobody else has commented on them first.

Re:Obviously they were just waiting to start (1)

Anonymous Coward | more than 2 years ago | (#39284031)


I'm not sure that I like that, but I guess it gets some vulnerabilities fixed.

More importantly, it's something that anyone can point to to demonstrate that browsers have vulnerabilities and how they work. My idiot co-worker (who's himself supposed to be an IT person) kept telling me up and down that people got infected by malware from browsers ONLY when the user gets tricked into downloading and installing software. He shut the hell up relatively quickly when I pointed him towards pwn2own. Some people are dumb enough, and confident enough in their own knowledge that they'll only believe something if you can readily demonstrate it. You can't fix stupid, only distract it.

Re:Obviously they were just waiting to start (5, Insightful)

Anonymous Coward | more than 2 years ago | (#39282849)

I think all of the Pwn2Own exploits are discovered beforehand and then shown at this event. They could report it and get sued... or they could hold on to it, hope it's not patched out or publicized and grab money and swag.

Re:Obviously they were just waiting to start (3, Insightful)

Anonymous Coward | more than 2 years ago | (#39282867)

Every major sports team comes into the contest with a scouting report and a plan to win.

These guys did their scouting and executed their plan.

Well done!

Re:Obviously they were just waiting to start (5, Insightful)

93 Escort Wagon (326346) | more than 2 years ago | (#39282869)

I think it's pretty clear they had their exploits worked out and ready to go for some time, and were just waiting for the contest to start to unleash them.

I think it's pretty clear this has always been the case in these pwn2own contests, whether the browser is Safari, Internet Explorer, or Chrome. This latest crack just makes it a little more obvious that it's a question of motivation more than anything else - and money is a powerful motivator, probably more so than notoriety (in sufficient quantities, anyway).

Re:Obviously they were just waiting to start (2, Insightful)

Anonymous Coward | more than 2 years ago | (#39282983)

It's pretty obvious how the tone of the first handful of up modded posts differs from when IE or Safari are first down.

Re:Obviously they were just waiting to start (5, Funny)

Anonymous Coward | more than 2 years ago | (#39283035)

That's because when other browsers are cracked first it shows they are insecure, while when it's Chrome it is only an experimental error.

Re:Obviously they were just waiting to start (-1)

Anonymous Coward | more than 2 years ago | (#39283021)

My cock is an insanely powerful motivator that many women attempted to paw to own.

But I generally limit each girl 1 cumshot per lifetime.

Re:Obviously they were just waiting to start (1, Funny)

Runaway1956 (1322357) | more than 2 years ago | (#39283725)

Well, I'm sure that your imagination is insanely powerful.

Re:Obviously they were just waiting to start (5, Insightful)

Anonymous Coward | more than 2 years ago | (#39283057)

I think it's pretty clear this has always been the case in these pwn2own contests, whether the browser is Safari, Internet Explorer, or Chrome. This latest crack just makes it a little more obvious that it's a question of motivation more than anything else - and money is a powerful motivator, probably more so than notoriety (in sufficient quantities, anyway).

And is that such a bad thing? For the white hats, the money's just a bonus.

But $1M is pretty cheap to increase the odds that those who might otherwise be tempted to join the black hats can still gain public recognition, still make some money, and because their hat can remain white, they don't even have to worry about prosecution.

In exchange for the coin, developers get responsible disclosure of lots of bugs (that might have otherwise remained under wraps, or might have been discovered first by black hats) in a controlled environment.

Win-win situation in my books.

Re:Obviously they were just waiting to start (2, Interesting)

Anonymous Coward | more than 2 years ago | (#39283295)

It also illustrates that Chrome's much lauded sandboxing is not a silver bullet for browser security.

There is not and never has been a "silver bullet" for anything much less security. Stop acting surprised.

I mean I could understand it if there ever once was and now you want to have that again. But there never was. There isn't. There's not going to be. There is only hard work and diligence and learning from experience. Stop acting so shocked you dumb fucks! Seriously.

Re:Obviously they were just waiting to start (4, Funny)

haruchai (17472) | more than 2 years ago | (#39283461)

You've clearly never read a press release from a software company

Re:Obviously they were just waiting to start (3, Funny)

Anonymous Coward | more than 2 years ago | (#39283713)

There is not and never has been a "silver bullet" for anything much less security. Stop acting surprised.

Not true that there are no silver bullets for anything. There are silver bullets for killing werewolves.

Re:Obviously they were just waiting to start (4, Funny)

GigaplexNZ (1233886) | more than 2 years ago | (#39283923)

There is not and never has been a "silver bullet" for anything much less security.

Except, of course, for an actual bullet made of silver.

Re:Obviously they were just waiting to start (-1)

Anonymous Coward | more than 2 years ago | (#39283513)

OMFGBBQ that is so interesting. +11.

OMFGBBQWTFROTFMAO (-1)

Anonymous Coward | more than 2 years ago | (#39283647)

OMFGBBQ that is so interesting. +11

OMFGBBQWTFROTFMAO !!!

Re:Obviously they were just waiting to start (3, Insightful)

hairyfeet (841228) | more than 2 years ago | (#39283665)

Can someone please explain which OS it was running, which version, any AV, you know, more details than a fricking tweet? I know we don't generally actually READ TFA but hell this might as well have been "Chrome got pwned by a man doing a thing" for all the lack of details!

Now as for Chrome getting hacked well anything CAN be hacked if you have enough of a reason to go after it and I think Google made themselves a nice juicy target on purpose to get the data before any blackhats so kudos to them and the hackers. I know anecdotes aren't data but at least for myself and my customers and family the combo of Comodo Dragon (Chromium based) with either Avast Free or Comodo IS and Win 7 has been pretty much hack AND idiot proof, no small task. Just for shits and giggles I tried to infect a machine I was gonna wipe anyway, threw it at every topsite and crapsite and junksite I could find and...nothing, nada zip zilch. Of course that wasn't just Chromium protecting it; it also had Win 7 and low rights mode with DEP and ASLR, it had Comodo SecureDNS filtering known malware dumps, it had the sandboxing that is built into Avast and Comodo IS (tried both to make sure and they seem about equal on everything from protection to RAM usage so it's more a taste thing or if you need to protect a business as Comodo is free for business use) and finally ABP blocked many of the ads that are the biggest source of malware, at least from what I've seen.

So a little more info would be nice, I'd like to know if there is something I need to tweak in my system or not.

Awarding this the most apologetic post of the day (4, Insightful)

Anonymous Coward | more than 2 years ago | (#39283743)

Saying "I know anecdotes aren't data" followed by "but insert anecdote here" doesn't excuse you from confirmation bias. There is no evidence presented by you that your practises wouldn't keep you just as safe with Opera or Gecko-based browsers.

Re:Obviously they were just waiting to start (0)

lbft (950835) | more than 2 years ago | (#39284071)

Don't expect too many details until a patch is out.

Re:Obviously they were just waiting to start (1)

westyvw (653833) | more than 2 years ago | (#39284207)

I agree with the post that I want to know what the exploit was.
However I must say that you sure work hard to try and keep your computer safe from the internetz. Is Windows land really that bad that you have to go to all that effort just to feel free to browse the web?

Re:Obviously they were just waiting to start (0)

Anonymous Coward | more than 2 years ago | (#39284445)

Avast 7 had an extremely low detection rate when it was in beta. One YouTube video showed it had a 10% detection rate. But it was great at domain blocking.

Shields are not everything. Java is one of the biggest security holes and for years Sun said it was secure because it is and was sandboxed so well.

Re:Obviously they were just waiting to start (2)

rrohbeck (944847) | more than 2 years ago | (#39283991)

What, you can't disassemble and grok 60-some MB in 5 minutes? Wimp.

5 minutes? (4, Insightful)

Anonymous Coward | more than 2 years ago | (#39282833)

I guess this means they went in knowing exactly what they were going to do. This means that it has been known for a while which means there could be many more people who know and are exploiting this.

Re:5 minutes? (5, Insightful)

v1 (525388) | more than 2 years ago | (#39282911)

Nobody shows up at one of these contests and cracks their knuckles and starts looking for holes. They always show up with a premade bag of polished and practiced zero-days.

Funny though how they get so much media attention every time this happens: OMG Safari got owned in six minutes! Chrome got hacked in 5 minutes! They must be gods! No, not really.

There's really no reason they couldn't be doing this once a month really. I'd wager that the winners this round had 4-6 different exploits in their bag of tricks, and are strategically submitting them.

It would be in Google's better interest to hold such contests monthly with smaller prizes. It'd just be paying for bugs, but the way they're doing it here is just moving a lot slower than it really should.

Re:5 minutes? (3, Interesting)

Anonymous Coward | more than 2 years ago | (#39283031)

All the browsers except for IE pay for bug bounties...

It is probably more the fame of winning the event...

Re:5 minutes? (4, Insightful)

artor3 (1344997) | more than 2 years ago | (#39283413)

That depends how much they pay. Google, for example, pays the cute but relatively small sum of $3133.70 for the most severe bugs. These Vupen guys could have reported their bugs and pocketed at most ~$6k (maybe less, if Google failed to recognize the severity of the bugs), or they could do as they did, keep the bugs to themselves until Pwn2Own came around, and earn ten times that amount.

I doubt they care so much about the fame. The extra $54k, on the other hand...

Re:5 minutes? (0)

Anonymous Coward | more than 2 years ago | (#39284137)

Every month I see the same few guys racking up multiple lots of the 'relatively small' sums. Adds up to quite a bit; comparable to a *very* decent wage, if not better (but not as predictable).

Re:5 minutes? (0)

Anonymous Coward | more than 2 years ago | (#39284251)

And what about all the other people? The problem with paying small amounts of money for exploits is that it's more profitable to submit the simple ones and sell the more complex ones.

Re:5 minutes? (1)

westyvw (653833) | more than 2 years ago | (#39284215)

A full Chrome exploit will net you $60,000 from Google. They now have 3 pay ranges and offer substantially more than they used to. I do think they upped this price after they pulled out of pwn2own in February.

Re:5 minutes? (0)

Anonymous Coward | more than 2 years ago | (#39283813)

Google is known for arrogance, which you may discover if you get to know their employees. If they had smaller prizes, it would go against the very foundation of the company. They pursue a quixotic replication of older software, which makes proof of their achievements a requirement.

Re:5 minutes? (4, Insightful)

Shavano (2541114) | more than 2 years ago | (#39283101)

And that brings up an even more troubling thought. Are the pwn2own incentives creating a perverse incentive to conceal vulnerabilities?

I think so. If this is how Google will find and fix its flaws, exploiters are basically safe between events.

If you want flaws and exploits identified and fixed fast, pay on a first-to-identify basis and never announce what the exploits found were. Just quietly fix them as fast as you can and distribute patches regularly.

Re:5 minutes? (1)

Brian Feldman (350) | more than 2 years ago | (#39283717)

You don't understand software. Fixing things quietly is just as good as announcing them for a project that develops in the open.

You always could google pwn2own... (1)

Anonymous Coward | more than 2 years ago | (#39282845)

...now it seems you can also pwn2own google!

Re:You always could google pwn2own... (2)

Torodung (31985) | more than 2 years ago | (#39282885)

You forgot "In Soviet Russia..."

Re:You always could repeat a dumbass meme... (-1)

Anonymous Coward | more than 2 years ago | (#39283331)

You forgot "In Soviet Russia..."

You're such an ass-licking nigger. See that gaping goatse guy's asshole? Yeah your tongue has been in there.

I like competitions with prizes (-1)

TWX (665546) | more than 2 years ago | (#39282851)

I think that a lot of people will put an awful lot of work in for a shot at money. It worked for the X-prize foundation, after all.

Of course, I don't think Bill Gates would be one of the richest men in the world if Microsoft had adopted the same policy as Google did with Chrome...

Re:I like competitions with prizes (0)

Anonymous Coward | more than 2 years ago | (#39282893)

me not grok your second comment? Are you suggesting that if BG had done the same thing, it would have embarrassed the MS OS into not being the moneymaker it is? I seriously doubt that.

Re:I like competitions with prizes (1)

bbecker23 (1917560) | more than 2 years ago | (#39282977)

They'd have paid out so much in "bug bounty" that he'd be broke by now. That's what GP is going for, anyway.

Re:I like competitions with prizes (1)

TWX (665546) | more than 2 years ago | (#39283279)

Essentially. Not broke per se, just not multibillionaires.

Why even mention the time? (5, Insightful)

Anonymous Coward | more than 2 years ago | (#39282873)

This isn't Swordfish. They had plenty of time to prepare their attack.

It's impressive they exploited Chrome. But the preparation took more than 5 minutes.

Re:Why even mention the time? (4, Funny)

Brad1138 (590148) | more than 2 years ago | (#39283103)

You mean they weren't getting BJ's as they hacked Chrome? What kind of contest is this anyway?

Re:Why even mention the time? (5, Funny)

binarylarry (1338699) | more than 2 years ago | (#39283195)

It's not called pwn2groan!

Re:Why even mention the time? (1)

geminidomino (614729) | more than 2 years ago | (#39284311)

That comment, on the other hand, would have won if it was.

I cringed a little, too.

Re:Why even mention the time? (2)

Billlagr (931034) | more than 2 years ago | (#39283235)

pwn2blown! In under 5 minutes no less

Re:Why even mention the time? (2, Insightful)

mikael_j (106439) | more than 2 years ago | (#39284333)

Well, every year when Safari was the first browser to be targeted and thus also the first to be broken the fandroids and the anti-Apple crowds would scream on and on about how this proved Safari was the shittiest browser in existence and by extension Apple was a horrible horrible company.

I guess it's Google's turn this year.

And no, I don't use Safari, I just find it interesting that when previous stories like this have been about Safari the first dozen or so posts weren't about how the reporting was biased...

still more cost effective (5, Insightful)

Bananasdoom (1701440) | more than 2 years ago | (#39282901)

Handing out 2mill of prize money is still more cost effective than standard R&D, you get more professionals testing it for the chance of winning some prize money than Google could ever employ and the people they chose not to employ.

Re:still more cost effective (2)

Shavano (2541114) | more than 2 years ago | (#39283371)

No it's not. It's Ann incentive to create and CONCEAL cracks while drawing attention to Ans glorifying crackers.

Re:still more cost effective (2)

Ambiguous Coward (205751) | more than 2 years ago | (#39283411)

I'm dying to know what (assumedly mobile) OS is autocorrecting you An this way. :)

Re:still more cost effective (2)

westyvw (653833) | more than 2 years ago | (#39284223)

Shirley the next name I am going to use in my next kids book will be Ann Incentive. I can see her leading the way.

Re:still more cost effective (3, Interesting)

gweihir (88907) | more than 2 years ago | (#39283431)

Unfortunately, wrong. First, you get only as much of their vulnerability stock that they need to maximize their profit. Then, you do only get what was easiest to find for them. A real security review looks at architecture, design, coding style and other things as well, which are completely absent at these competitions.

Basically, this is a show with very little actual security benefits.

Conflated competitions? (5, Interesting)

Anonymous Coward | more than 2 years ago | (#39282927)

The posting says that one of the teams in Pwn2Own will win at least USD 60K from Google. But Google aren't putting up any Pwn2Own prize money. Last I heard Google are running their own competition with different rules. The participants in Pwn2Own may well not enter the Google competition because their exploit (if it escapes the sandbox) will be worth much more than USD 60K. My understanding is that the Pwn2Own entrants are not required to reveal their sandbox exploits before receiving the prize money because sandbox exploits are worth much more than the prize money that is available while Google will require full disclosure before handing over their money.

Re:Conflated competitions? (5, Informative)

Anonymous Coward | more than 2 years ago | (#39283139)

The Pwn2Own twitter account actually talks quite a bit about this.

Additionally, it appears that Vupen has already announced they won't be participating in Google's competition.

Re:Conflated competitions? (0, Redundant)

Anonymous Coward | more than 2 years ago | (#39283161)

> The Pwn2Own twitter account actually talks quite a bit about this.

In 140 character burps

How does this go (2)

eyenot (102141) | more than 2 years ago | (#39282965)

I haven't used Chrome for months. It was behaving erratically and made me nervous during a time I was looking for a secure browser out of immediate necessity. I eventually managed to use an old version of firefox portable that settled things. I forgot pwn2own was even happening by the time I noticed Chrome zipped in my archives folder and deleted it as useless just two days ago.

But this stuff has me wondering: suppose this goes on and Chrome eventually has all of the exploits worked out of it. A theoretical possibility. Suppose, then, that some new features are requested. Now it seems to me that if I recall correctly, every time revisions are made to software, new exploits appear. This leads me to my first question: what is getting screwed up, learned, forgotten then screwed up again in the coding process that this always seems to be the case?

My second question is, by extension of the first, what are the major weaknesses of browsers? Their implementation of a half-finished "standard" like dHTML? The coders borrowing classes or libraries that would introduce flaw.X to any programmers including them or using them with the program? Programmers being clumsy and trying to force data types to do things they aren't meant to like fit four bytes through an argument that's two bytes wide, and instead of backtracking both directions and setting them both to the same width in planning, just over-riding some compiler warning and suppressing runtime halts and sending it to market?

Re:How does this go (1)

Anonymous Coward | more than 2 years ago | (#39283059)

All code libraries etc. make assumptions about what sorts of data they will handle. The problem is that these browsers (and all software larger than Hello World) are so complicated that it is impossible for a developer to anticipate every interaction and use every API exactly as it was intended in all possible cases. In essence in order for there to be no exploits introduced when a new feature is added, that feature and every possible interaction of that feature with every other feature must be vetted.
Saying you want no exploits in a large piece of software is equivalent to saying that you want an incredibly complex system to be constructed perfectly the very first time. This is not feasible to do at the rate that users want new features and at the rate that new more efficient hardware and algorithms are invented/discovered. Bugs can be *incredibly* subtle and may only trigger under very very specific circumstances, they can persist for years/decades with no one ever finding them.

Re:How does this go (-1, Flamebait)

MichaelKristopeit420 (2018880) | more than 2 years ago | (#39283097)

Now it seems to me that if I recall correctly, every time revisions are made to software, new exploits appear.

if you recall correctly? if you recall what? the time an idiot lied to you?

what if i revised your version of firefox portable software and changed the text string of the application name to "a moron uses me"... what new exploit could possibly appear?

you're an idiot.

Re:How does this go (-1)

Anonymous Coward | more than 2 years ago | (#39283351)

I love you Michael. You're my favorite douchebag troll nigger! Most of the other dedicated troll niggers act reasonable at least some of the time, but no, not you. You're the most dedicated of them all.

I know you have so many of them .. so very many, but I also enjoy your MichaelKristopeit420 username. The 420 makes me think of marijuana. Delicious marijuana. Mmhmmhhmmmmmmm... good stuff.

No meat to the story (0)

Anonymous Coward | more than 2 years ago | (#39282981)

Without vulnerability details there really is no story. Without knowing what exactly is going on here we can't know what precautions to take or whether there is any likelihood of other software (even our own) being affected. Or if there's even a real story here.
I mean, it's nice they're going to win a prize and all, but there's nothing here for us that we can act upon. Without knowing any details we can't even really know whether we're any safer if using another browser.

I use Chromium (1, Troll)

cpu6502 (1960974) | more than 2 years ago | (#39283047)

It doesn't have any of those annoying Google spying/tracing code built-in.

Re:I use Chromium (1)

cpu6502 (1960974) | more than 2 years ago | (#39283155)

Modded Troll??? Why? I was stating a truth (I don't use Google Chrome; I use the open source chromium).

Chromium LINK - http://www.softpedia.com/get/PORTABLE-SOFTWARE/Internet/Browsers/Portable-Google-Chrome-Chromium.shtml [softpedia.com]

Re:I use Chromium (2)

Calos (2281322) | more than 2 years ago | (#39283309)

Yeah, that truth, that's not why people were modding your post. I think you know that.

And people are probably modding it troll because most of us haven't seen any legitimate proof of these claims. Most of us see a fair amount to the contrary.

By all means, if you know something and can show it or have some links with substantiated evidence - please post them, so people can make the choice to switch if they desire.

Otherwise, all you're doing is raising the noise floor. And moderators are seeking to lower it.

Re:I use Chromium (3, Insightful)

causality (777677) | more than 2 years ago | (#39283373)

Modded Troll??? Why? I was stating a truth (I don't use Google Chrome; I use the open source chromium).

Chromium LINK - http://www.softpedia.com/get/PORTABLE-SOFTWARE/Internet/Browsers/Portable-Google-Chrome-Chromium.shtml [softpedia.com]

The one time the Slashdot groupthink is actually against Open Source code and privacy and software freedom ... is when it makes a statement against Google.

Since this particular statement cuts to the core of how Google makes its money, namely through acquiring marketing data from mostly hapless and unsuspecting users who have no idea how much information they are "contributing", and wouldn't if they did, it's too fundamental of a comment to be tolerated by the fanboys.

So you're being punished by the more impotent and bed-wetting type of mods for telling the truth. That's a badge of honor.

I mean, it's not like they were going to take you on with facts and explain why you're completely mistaken. They can't. So, like all other cowards, they lash out the only way they can. That's all. Nothing hard to understand about it.

Re:I use Chromium (0)

Anonymous Coward | more than 2 years ago | (#39283801)

Maybe because you keep linking to third party sites which are about Windows-only builds?

How about next time just linking to the real source? [googleapis.com]

Re:I use Chromium (0)

TheInternetGuy (2006682) | more than 2 years ago | (#39283217)

Using very strict judgement, uncharacteristic to Slashdot, the parent may be off topic, but Score:0, Troll? I guess mods woke up on the wrong side of the bed today.

Re:I use Chromium (1)

Anonymous Coward | more than 2 years ago | (#39283305)

Oh come on, we all know Google is perfect and can do no wrong and anyone that says anything negative against them is clearly a paid shill.

Re:I use Chromium (0)

Daniel Phillips (238627) | more than 2 years ago | (#39283303)

Googlers should know that expressing disagreement via mod points is not Googly. Or is it now?

Re:I use Chromium (1)

Daniel Phillips (238627) | more than 2 years ago | (#39283455)

Googlers should know that expressing disagreement via mod points is not Googly. Or is it now?

Oh right, I forgot, the "don't be evil" already left the building.

Google's PHD Coders??? (1)

BoRegardless (721219) | more than 2 years ago | (#39283219)

Tell me that Google couldn't do a better job than that.
5 minutes? What sort of coding knowledge does Google have anyway.

Re:Google's PHD Coders??? (3, Insightful)

Daniel Phillips (238627) | more than 2 years ago | (#39283319)

Tell me that Google couldn't do a better job than that.
5 minutes? What sort of coding knowledge does Google have anyway.

Not as much as the combined wisdom of the community, a fact that permeates slowly through some of the thicker skulls in the land of Oz.

Re:Google's PHD Coders??? (0)

Anonymous Coward | more than 2 years ago | (#39284239)

I think saying it's "the combined wisdom of the community" is correct but misleading. Google employees have to implement X number of features in Y time while trying to make everything perfect, while hackers' time is limited only by themselves and their task is simply to find imperfections while doing work whose quality only has to be good enough to not fail on its own. I believe Google isn't nearly as bad as Apple in how hard it drives its employees into the ground with unrealistic time frames, but even so it's reasonable to assume that the quality of work is at least slightly compromised while having a much higher burden of quality than the work of people looking for exploits. (I am, of course, not addressing whatever in-house hackers Google has, since I don't even know if they exist. If they do, then of course they failed in comparison with the people who found the exploits.)

Re:Google's PHD Coders??? (1)

Anonymous Coward | more than 2 years ago | (#39284715)

I think saying it's "the combined wisdom of the community" is correct but misleading. Google employees have to implement X number of features in Y time while trying to make everything perfect, while hackers' time is limited only by themselves and their task is simply to find imperfections while doing work whose quality only has to be good enough to not fail on its own. I believe Google isn't nearly as bad as Apple in how hard it drives its employees into the ground with unrealistic time frames, but even so it's reasonable to assume that the quality of work is at least slightly compromised while having a much higher burden of quality than the work of people looking for exploits. (I am, of course, not addressing whatever in-house hackers Google has, since I don't even know if they exist. If they do, then of course they failed in comparison with the people who found the exploits.)

Exploits will happen no matter how much time you give your developers.

Think about all the code in a web browser. Parsers for HTML, XML, JavaScript, CSS, SGML, etc. Image and video decoders for a dozen formats. Software of that complexity will have bugs. If it is performant, it is written in a language where some of those bugs are exploitable.

If you don't understand why this is hard, try it yourself. Go read the source of a library that decodes an image format, such as libpng or libjpeg-turbo. How long would you have to look at it to be 100% sure it is bug-free?

Chrome's sandbox is a great way to mitigate some of the risk of exploits in the renderer, but the sandbox is a complex beast. The API Windows provides for this is SACLs and DACLs on kernel objects, but not all interesting objects enforce the limitations they need. For example, drawing requires HWNDs, and HWNDs under a single desktop object cannot be isolated using DACLs. They have to do some heroically complex things to make isolation work. Complex code written against an API not designed to do what they need will have bugs.

The arrogance of some comments here is amazing. Chrome's sandbox team has dramatically raised the bar for browser security. It was done in a general way, and open sourced, so that others could use it. Making snarky comments about this work because a bug was found is silly. Think this stuff is easy? Write a patch for a real bug and I will consider the possibility that you are right.

As an analogy, suppose that a bug in the Linux kernel allowed a process to modify the private memory of another process. Would you conclude that Linux developers are stupid, lazy, or under time pressure from their employer? Would you make snarky comments about how, with bugs like this, UNIX style memory protection is useless, and the DOS/Mac OS 9 style memory management (where every process can read/write every other process's memory) is clearly just as good?

Re:Google's PHD Coders??? (0)

viperidaenz (2515578) | more than 2 years ago | (#39283347)

60x more than those at Apple? Since Safari was hacked in 5 seconds at the last pwn2own.

Re:Google's PHD Coders??? (2)

gweihir (88907) | more than 2 years ago | (#39283435)

The time is completely irrelevant. These are pre-packaged exploits that run as fast as possible.

Re:Google's PHD Coders??? (0)

Anonymous Coward | more than 2 years ago | (#39283551)

Tell me that Google couldn't do a better job than that.

Of course Google could do a better job, if they actually cared to. But Chrome doesn't make a whole lot of money for Google.

Yo Dawg I heard you liked sandboxes (2)

flappinbooger (574405) | more than 2 years ago | (#39283281)

So I run Chrome inside of a sandbox so I can be sandboxed while Chrome's sandbox is being hacked.

Nice salary (4, Funny)

Daniel Phillips (238627) | more than 2 years ago | (#39283289)

That's $12 million/hour, more than Larry and Sergey combined :-)

Re:Nice salary (2)

viperidaenz (2515578) | more than 2 years ago | (#39283357)

I get paid $26 million/hour. If I only look at the 1 second it takes for my pay to appear in my account every fortnight.

Nice Linking (5, Funny)

rudy_wayne (414635) | more than 2 years ago | (#39283397)

5 minutes into the Pwn2Own cracking contest team Vupen exploited 2 Chrome bugs [twitter.com] to demonstrate a total break of Google's browser.

Thanks for linking to a completely useless, pointless and content-free Twitter post.

Re:Nice Linking (1)

Voyager529 (1363959) | more than 2 years ago | (#39284303)

Thanks for linking to a completely useless, pointless and content-free Twitter post.

I thought redundancy was picked up by the lameness filter.

But what very did they try to exploit? (-1)

MtViewGuy (197597) | more than 2 years ago | (#39283419)

Currently, the latest release version of Chrome is 17.0.963.66. Let's see the hackers try that exploit with this version and see if they succeed. :-)

Re:But what very did they try to exploit? (2)

anubi (640541) | more than 2 years ago | (#39284151)

I just saw some stuff on YouTube that, well for me, was quite scary.

http://www.youtube.com/watch?v=fxri6DDYAdM [youtube.com]

It was about dangerous sites on the internet. YouTube has lots of links to other similar postings.

A question for fellow slashdotters... how much truth is in this? Or are they playing games with me to scare the hell out of me?

Comments invited.

Re:But what very did they try to exploit? (1, Insightful)

Billly Gates (198444) | more than 2 years ago | (#39284531)

Common sense. With 100 million users there are many bad sites and these are not games. It is a dangerous place.

Yes, there are many bad websites and legit ones that have been compromised with ads or hacked to serve JavaScript exploits. WordPress seems to be a popular legit series of sites that hackers keep injecting bad ads and malware into to infect users who browse.

Go Google Norton Safe Web and click the top 10? It changes every day.

If you are really freaked out, use an antivirus package that has cloud updates that blocklists bad sites and prevents them from opening. Avast Free is a popular one which updates every 8 minutes and blocks any browser. Comodo Dragon is a Chromium/Chrome based browser that has built-in website blocking from bad domains as they make Comodo IS (haven't used it but has good ratings, though slows down your computer).

If you go to www.openDNS.com you can use the IP addresses in your DNS settings and it will provide filtering too (not as quick to block as other AV products I listed above).

Use a great antivirus product and do not go to weird unknown sites. Do not listen to the Slashdot geeks who claim you do not need AV products and that they are not infected. 90% are and all it takes is one bad or Flash exploit ... keep Flash up to date too by going to Adobe or www.filehippo.com. The new one will auto update. Good luck keeping secure.

repeat exploit gets no prize (0)

Anonymous Coward | more than 2 years ago | (#39283573)

If I was sitting on an exploit for a competition, I would practice it many times in advance. There is no award for same exploit done in 6 minutes.

Kudos to Google (0)

Anonymous Coward | more than 2 years ago | (#39283583)

The prize isn't a lot of money by Google standards, but it's a lot of money by most people's. Kudos to Google for putting up enough money to get some serious hack attempts to come out of the woodwork.

Re:Kudos to Google (0)

Anonymous Coward | more than 2 years ago | (#39283755)

Mod me troll, but it is probably cheaper to give some money away and get some positive publicity than to employ lots of people to find these holes. And while the holes are found, Google is data mining the contestants for all they are worth. So, no Kudos to Google...

Re:Kudos to Google (1)

Pi Is A Rational (1106177) | more than 2 years ago | (#39284003)

:D

A Market for Bugs? (1)

BenJCarter (902199) | more than 2 years ago | (#39283937)

What if Google set up a market protocol to buy Chrome bugs? $1k each, with strict disclosure and delivery terms. We might just deplete the entire Chinese exploit arsenal in 3 months... Or at least boost the knowledge-base of Chrome-using CS students everywhere.

Re:A Market for Bugs? (0)

Anonymous Coward | more than 2 years ago | (#39284177)

Why would Google's market work any better than the actual market which existed several years ago, where hackers could sell their vulnerabilities to the highest bidder?

http://wslabi.com/

If anything, a fixed price is a much worse idea, because you can make considerably more money for good exploits on the black market. Not only can you get better prices, you can make multiple sales.

Yes you can break it. Can you build it? (1)

russbutton (675993) | more than 2 years ago | (#39284093)

For all the bad dudes out there who can do this, remember that it's a lot easier to break something than to build it.

Re:Yes you can break it. Can you build it? (0)

Anonymous Coward | more than 2 years ago | (#39284381)

Writing exploits for a modern browser like Firefox, where they have a good process and use static analysis tools to eliminate most possible exploitable bugs, or a browser like Chrome that has decent engineering but a hardware-assisted sandbox, is probably the hardest thing in all of computer science. Only a tiny few can do it these days. Building a browser just takes time and effort, exploiting it takes doing the 'impossible'.
