Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Pinkie Pie Earns $60K At Pwn2Own With Three Chromium 0-Day Exploits

timothy posted more than 2 years ago | from the omg-pwnies! dept.

Chrome 148

Tackhead writes "Hot on the hooves of Sergey Glazunov's hack 5-minutes into Pwn2Own, an image of an axe-wielding pink pony was the mark of success for a hacker with the handle of Pinkie Pie. Pinkie Pie subtly tweaked Chromium's sandbox design by chaining together three zero-day vulnerabilities, thereby widening his appeal to $60K in prize money, another shot at a job opportunity at the Googleplex, and instantly making Google's $1M Pwnium contest about 20% cooler. (Let the record show that Slashdot was six years ahead of this particular curve, and that April Fool's Day is less than a month away.)"

Sorry! There are no comments related to the filter you selected.

Who? Did what? For HOW much? and WHY? (-1, Offtopic)

NotQuiteReal (608241) | more than 2 years ago | (#39315613)

This will make sense if it is first post or not, so there.

Re:Who? Did what? For HOW much? and WHY? (2)

crutchy (1949900) | more than 2 years ago | (#39315639)

your nick should be NotQuiteAwake

Re:Who? Did what? For HOW much? and WHY? (-1)

Anonymous Coward | more than 2 years ago | (#39315727)

The one thing we can all be sure of: none of these hackers are black.

Re:Who? Did what? For HOW much? and WHY? (1)

pushing-robot (1037830) | more than 2 years ago | (#39316255)

Wait, I thought pink was the new black.

Re:Who? Did what? For HOW much? and WHY? (0)

Anonymous Coward | more than 2 years ago | (#39316633)

he said hackers. he didn't say anything about the damn pony.

reading comprehension: it's hard when you're stupid!

Re:Who? Did what? For HOW much? and WHY? (1)

Anonymous Coward | more than 2 years ago | (#39315993)

You missed the key issue.

A browser exploit is just that - an browser (application) flaw.

Did any OS allow this to become an actual exploit, and if so, which OS?

Re:Who? Did what? For HOW much? and WHY? (1, Informative)

Anonymous Coward | more than 2 years ago | (#39316659)

You missed the key issue.
A browser exploit is just that - an browser (application) flaw.

You're missing the key issue- the browser is just the attack vector.

The article is talking about one guy who used a chain of 3 Chrome-only exploits (not using any 3rd party addons/plugins and not using any OS bugs/exploits) to fully escape the sandbox which means this is not an OS specific exploit.

To answer your question- if you consider the ability to take any and all actions as if you were the user running the browser to be an exploit, then yes all of them.

Re:Who? Did what? For HOW much? and WHY? (2)

realityimpaired (1668397) | more than 2 years ago | (#39317065)

You didn't read the article, did you? The Chrome bugs were used to break free of the sandbox, and run arbitrary code on the operating system, which was a fully patched and up-to-date Windows 7.

Re:Who? Did what? For HOW much? and WHY? (4, Insightful)

TheRaven64 (641858) | more than 2 years ago | (#39317209)

The phrase 'the sandbox' is the unclear bit. Chromium (and therefore, presumably, Chrome) implements sandboxing in five different ways:
  • chroot
  • SELinux
  • Capsicum
  • Windows ACLs
  • Mac sandbox APIs

The question is whether the flaws are in one of these implementations, in the OS APIs that these depend on, or in the higher-level code that's shared among all platforms. The Windows sandboxing implementation is the most complex (about 20KLoC, while the Capsicum implementation is the simplest at around 100LoC) so it presents the largest attack surface.

Re:Who? Did what? For HOW much? and WHY? (0)

Anonymous Coward | more than 2 years ago | (#39317087)

An browser? Is that the program an hero would use to view webpages and stuff?

Re:Who? Did what? For HOW much? and WHY? (2)

tepples (727027) | more than 2 years ago | (#39317365)

Apart from your joke about an imageboard meme related to someone who was cyberbullied into suicide:

Not everybody was brought up speaking English. Other languages' articles (e.g. een, ein, un) don't drop the N before a vowel. I bet grandparent's English is better than your Tlingit.

You know what this calls for? (5, Funny)

LiroXIV (2362610) | more than 2 years ago | (#39315635)

A PARTY!!! (sorry bronies, couldn't resist)

Re:You know what this calls for? (4, Funny)

ShadowBlasko (597519) | more than 2 years ago | (#39315689)

Deploy The Party Cannon!

Re:You know what this calls for? (1)

Anonymous Coward | more than 2 years ago | (#39315729)

Wait, who invited Star Swirl the Bearded?

He's always such a downer!

Re:You know what this calls for? (2)

Ihmhi (1206036) | more than 2 years ago | (#39316057)

Assume the party escort submission position!

Re:You know what this calls for? (2, Interesting)

Anonymous Coward | more than 2 years ago | (#39316253)

You know what this calls for?
Deploy The Party Cannon!

Well, since [youtube.com] you [youtube.com] asked [youtube.com] nicely [youtube.com] , allow me to deploy the Party Cannon like a boss [youtube.com] . PARTY [youtube.com] HARD [youtube.com] ! I'm pony and I know it [youtube.com] !

OK. Virus Alert! [youtube.com] now over, and while we're waiting for the patch, let's watch the Dead Parrot Sketch [youtube.com] , chug a mug o' mead and back to Skyrim [youtube.com] , Portal [youtube.com] , TF2 [youtube.com] , or whatever else you're playing tonight.

And I found all that stuff within ten minutes of random youtube surfing. My brain is full of pinkie pie [mylittlefacewhen.com] , and I love it.

It's like the goddamn Cambrian explosion of Internet culture.

Re:You know what this calls for? (1)

XaneNightwing (1724110) | more than 2 years ago | (#39315843)

it's cool. I appreciate the sentiment.

Re:You know what this calls for? (2, Funny)

Anonymous Coward | more than 2 years ago | (#39316863)

This is your singing telegram I hope it find you well
I found a browser exploit and it's working pretty swell

Chrome's in version seventeen, but its sandbock's not complete
I bought myself a vic'try cake, it hope it really sweet

There will be massive patching i'm sure in a day or three
And when you've downloaded the fixes, send some thanks to me

No need to write a check, mr google's was enough
But hacking not about the cash, but out stuff

The hole's just in the browser, they'll patch it before too late
but please oh please don't be a jerk, keep your OS up to date! /faints

Re:You know what this calls for? (5, Funny)

pushing-robot (1037830) | more than 2 years ago | (#39316971)

Pinkie Pie Earns $60K At Pwn2Own With Three Chromium 0-Day Exploits

Oh, sure, we're laughing now... but this should be a wake-up call.

While at first glance they seem almost indistinguishable from us, there is actually a vital difference between Ponies and ourselves—educational systems.

Pony schools are far more intense than ours, especially in the maths and sciences. If you're familiar with the so-called "math" taught in our primary schools, you will agree that this image is disturbing. [imgur.com] Young fillies (and colts, though their society is strongly gender-biased) are also taught a tremendous work ethic and social responsibility virtually from birth; in fact, they are expected to demonstrate exceptional talent and plan a career even before they reach adolescence. Furthermore, Ponies are even taught to take responsibility for the world around them. Their town, their environment...hell, the Sun, Moon and skies might as well be in their charge. They possess a drive that we fail to instill in our own children.

None of this is particularly surprising when you consider that Equestria is an autocratic state whose leader has a singular fixation on education. While our leaders focus on populism and pork, Equestria sinks more and more resources into teaching even while its infrastructure and government services seem positively primitive.

What does this mean for us? In the short term we'll continue to maintain our dominance in industry, but farther out...simply put, we're fucked. While our children fall farther and father behind, their foals dash ahead. They're already pumping out incredible individuals and technologies that defy belief. I fully expect that the first footprints on Mars...will be hoofprints. But that's not the worst of it. In the next decade, a pony will likely take your job. Soon they'll be running our entire country.

I know what you're thinking right now: "Oh my god...Ponies, rule?". But the answer is yes, and I can't put too fine a point on it: It's only a matter of time before Ponies totally and completely rule everything. That is—unless you do something about it today. Write to your representatives. Tell them unless we all want to start singing Pony anthems, they can no longer claim to be strong on education while cutting budgets and shirking responsibility.

Tell them that starting tomorrow, their actions must match their words.

Tell them they must stop this hippocracy.

Hippocracy (4, Funny)

tepples (727027) | more than 2 years ago | (#39317377)

Tell them they must stop this hippocracy.

This might be the first time I've seen a misspelling of "hypocrisy" used as a legitimate pun (hippo=horse, cracy=government). And it isn't even a copypasta (or at least one indexed by Google). Bravo.

Re:You know what this calls for? (0)

Anonymous Coward | more than 2 years ago | (#39317105)

Congrats to being whatever your consider being a grownup

WebKit (4, Interesting)

93 Escort Wagon (326346) | more than 2 years ago | (#39315649)

It's interesting that the article implies the flaw is in WebKit rather than, say, JavaScript or Flash. So there'll need to be a similar patch made for Safari (which the article also briefly touches on).

Re:WebKit (3, Funny)

Anonymous Coward | more than 2 years ago | (#39315673)

Frankly, that's impossible.

Safari is perfect, like everything else Apple makes.

Re:WebKit (1)

MobileTatsu-NJG (946591) | more than 2 years ago | (#39316407)

I've heard you lot say that countless times, but I've never actually heard a Mac fanboi say it. Way more annoying.

Re:WebKit (0)

Anonymous Coward | more than 2 years ago | (#39317339)

I've heard you lot say that countless times, but I've never actually heard a Mac fanboi say it. Way more annoying.

You are kidding right? Of course they don't say that sentence, that is a barb at what they do, but if you have actually managed to avoid all the people that come out and defend Apple when critizied, you must be using a different Internets than me..

Re:WebKit (0)

Anonymous Coward | more than 2 years ago | (#39317147)

Apple fail security? That's unpossible!

Re:WebKit (1)

Billly Gates (198444) | more than 2 years ago | (#39315695)

Not just webkit but also Google's Sandbox.

One of the reasons I use Chrome and IE 9 is because of sandboxing. Firefox still does not support it, but there are ways around it. Java had sandboxing too from day 1 and we all know how well that turned out to be the last few years security wise.

Re:WebKit (2)

VortexCortex (1117377) | more than 2 years ago | (#39315845)

One of the reasons I use Chrome and IE 9 is because of sandboxing. Firefox still does not support it, but there are ways around it. Java had sandboxing too from day 1 and we all know how well that turned out to be the last few years security wise.

Such is the case when you compile data to machine-code at run-time, then flag it as executable and run it.

Re:WebKit (1)

Billly Gates (198444) | more than 2 years ago | (#39316521)

Dont all browsers do this?

Php is amazing fast as it is not pure interpretative. It is, but it simply calls DSO objects already compiled via Apache so the rendering engine itself is inside the server software at native C++ speeds.

Couldn't javascript do this ... or is that what makes it insecure?

Re:WebKit (0)

Anonymous Coward | more than 2 years ago | (#39316787)

Dont all browsers do this?

Php is amazing fast as it is not pure interpretative. It is, but it simply calls DSO objects already compiled via Apache so the rendering engine itself is inside the server software at native C++ speeds.

PHP does all of this on the server side, not the user agent side, so... what in the blue hell was your point, again?

Re:WebKit (2)

MisterMidi (1119653) | more than 2 years ago | (#39316909)

Let me tell you, PHP is pretty fast for an interpreted language, but nowhere near any native language's speed. Try doing some simple string operations 1,000,000,000 times in a loop. While you're waiting, you can write, compile and run the equivalent in C++. And have a cup of coffee. As for the Dynamic Shared Objects (or Apache modules), I don't think you know what they are and what they do; you're probably confused with PHP's runtime. Also, I don't know how you got the idea that the rendering engine is inside the server software. The browser is the rendering engine. Unless you're using PHP to render images of course.

Re:WebKit (1)

Lennie (16154) | more than 2 years ago | (#39317627)

No PHP does not compile to native code, it would be faster if it did. Instead it is compiled to bytecode.

Pretty much no1 except for Facebook compiles PHP to native code, they have 2 projects. One which compiles it as a single binary, which they probably use now and a newer project which tries to the it at runtine. But that project isn't done yet.

Re:WebKit (1)

JBMcB (73720) | more than 2 years ago | (#39317347)

This is why, for general web browsing, I use Firefox in a stripped-down VM. A bit extreme, but my main machine has never been infected by anything, and the VM only got hit once. Reverted to a backup image and I was back in business. I hear Sandboxie is nearly as effective as this setup, too.

Re:WebKit (2)

hairyfeet (841228) | more than 2 years ago | (#39315777)

One thing I can't seem to find in these things is this: did they have ANY kind of AV installed? if so what kind? i know they use the latest version of the OS with all current patches installed (although someone pointed out the other day it looked to be Chrome 11 from the screencaps at pwn2own) but it would be nice to know if it had an AV like virtually every desktop on the planet or if they give them a machine clear of AV or antispy.

Re:WebKit (5, Insightful)

garaged (579941) | more than 2 years ago | (#39315821)

I "see" a lot of linux boxes on daily basis (yeah, that was right) and NONE of them has AV, some of the do have some kind of "enterprise protection", but unless you are talking about an email server, on linux you usually do not have any kind of AV running, and yet I (on daily basis again) use chrome and firefox a lot for fun and profit, so, an exploit for them is important for me, AV or not involved.

Re:WebKit (0)

Anonymous Coward | more than 2 years ago | (#39316569)

Cute opinion. Obviously you never had to have any of your servers PCI DSS certified for credit card processing.

Re:WebKit (2)

icebraining (1313345) | more than 2 years ago | (#39317263)

Do you run Chrome on a PCI DSS certified server? If not, then how the hell is that relevant?

Re:WebKit (1)

Anonymous Coward | more than 2 years ago | (#39316071)

AV's sweet spot is spotting known exploits by scanning files for signatures. Everything else is mostly just snake oil. You pay them money and they make you feel better with their elixir.

AV software won't work well for Linux viruses because Linux exploits are mostly remote exploits. The AV software can't scan it and match any signatures, and once an exploit gets root access it quickly hides itself. It works better on Windows because the vector is usually attachments.

Re:WebKit (0)

Anonymous Coward | more than 2 years ago | (#39317345)

One thing I can't seem to find in these things is this: did they have ANY kind of AV installed? if so what kind? i know they use the latest version of the OS with all current patches installed (although someone pointed out the other day it looked to be Chrome 11 from the screencaps at pwn2own) but it would be nice to know if it had an AV like virtually every desktop on the planet or if they give them a machine clear of AV or antispy.

(Posting as AC because I get tired of all the Mac Hate around here).

My OS X box sits barenekked on the internet, "on" 24/7 since 2005 (minus the occasional reboot for this or that. No anti-anything. Oh, and I run Darwin Streaming Video Server and an ftp server with Anonymous (read-only) access, which access is publicly advertised on a website. That machine sits in my router's DMZ, so no help from the Router, either. That machine also happens to be my "main" computer, and the one on which I am typing this message.

And on my other "always on" Mac, I run a WebDAV server with external access, and an internet-facing video surveillance system.

Many have tried, all have failed. In fact, there are probably people trying in vain to escape my Anonymous jail right now...

And it isn't like I run a fully-patched and up-to-date version of OS X, either. One machine (the first one) runs 10.4.11, and the other runs 10.5.8. And if anyone's interested, I use Safari as a browser almost exclusively. Chrome won't even run on my PPC Macs.

BTW, not one of my several longstanding OS X-using friends, acquaintances, or clients runs AV software.

OTOH, my fully patched Windows 7 "work" laptop spends half its CPU cycles running Avast, which I installed after I browsed to a "tech info" site with a ".ru" TLD (using a fully-patched version of IE9), and was INSTANTLY pwned (JUST for entering the site)... I STILL have vestiges of THAT little experience running around the laptop.

Re:WebKit (1)

Lennie (16154) | more than 2 years ago | (#39317659)

If the developer can create a zero-day exploit why would he/she ship a payload which is already recognised by the AV ?

Also a lot of malware just gets a new version every 15 minutes by the push of a button. The AV vendors can't keep up. Detectionrates are going down.

Just a few days ago someone asked me to look at a Windows machine which had malware, I uploaded the binary to virustotal and virscan and they both mentioned things like: 7 out of 34 scanners recognise it. Most of the virusscanners that did recognise it, I had never heared off.

Re:WebKit (3, Informative)

Anonymous Coward | more than 2 years ago | (#39316101)

Well, I don't know which of the linked articles *you* read, but the one I read clearly stated that the first attack vector was a flaw in the Flash plug-in. Chrome's sandbox apparently was then unable to protect the system against the haywire Flash plug-in. So not a flaw in WebKit, to all probability, but three others in Chrome. The article didn't state whether they counted the flaw in the Flash plug-in, but even if they did there are probably at least two flaws in the sandbox.
As it stands, it confirms what people have been saying for years: Flash shouldn't come pre-installed on computers, websites shouldn't rely on it (offer alternative functionality such as downloads or HTML 5 video) and even if you have it installed you should make sure it's turned off by default to minimise your exposure to Flash vulnerabilities. At this point Chrome does deserve credit because that is in fact possible in Chrome: menu - options - advanced - privacy - content - plugins - block all. As evidenced by that instruction, Chrome's options screen is the worst in history. It's nested too deep and a lot of things are in the wrong section to start with. Why should plug-in blocking be in the privacy section?
Note however that like last time this appeared on /. still no vulnerability details have been provided; this is failing in /. and people should have waited shoving this out until there was more substance to the story.

Re:WebKit (3, Informative)

Mr Z (6791) | more than 2 years ago | (#39316325)

Putting "Flash" under "Privacy" makes sense if you understand how much of the Flash out there really gets used. Flash apps can store a fair bit of data locally on your HD without setting a normal HTTP cookie, [wikipedia.org] which makes tiny, invisible Flash apps handy for tracking purposes.

While the average web surfer doesn't think about Flash in that way, it's not too surprising a company that makes its fortunes on ad revenue and customer profiling understands its real role on the Web.

This is why I run flash-block, and only unblock the very occasional app and/or game I care to interact with, and not the half dozen other ones on the same page that don't seem to do anything interesting to me.

Re:WebKit (1)

drkstr1 (2072368) | more than 2 years ago | (#39316559)

Umm, no. Access to a SharedObject is restricted by the application domain, and would make absolutely no sense for it to be used in this way, even if you could. Cookies are used for tracking. The only thing an SO is good for is storing larger amounts of data in a binary format (like a saved game, for example).

Re:WebKit (2)

Mr Z (6791) | more than 2 years ago | (#39316643)

And just how exactly does that stop FooCompany.com from tracking me on their website even if I have cookies disabled? The answer is: it exactly allows FooCompany.com to track me more thoroughly. In fact, Bank of America uses one of these Flash apps to identify the computer I'm logging in from. It will skip some of the extra authentication steps it normally does.

The main use model I've heard is for these flash apps to store backup copies of cookies you might have blocked or deleted. Alternately, you can use this to throw some additional metadata into a URL or an http POST request, and you can now propagate this information across domains too. The main website hosts "tracker.swf" in their own domain (perhaps on an ad server that shares the domain but not the IP address), but it phones home via http to some other domain.

Re:WebKit (1)

Anonymous Coward | more than 2 years ago | (#39316673)

Well, I don't know which of the linked articles *you* read, but the one I read clearly stated that the first attack vector was a flaw in the Flash plug-in.

http://pwn2own.zerodayinitiative.com/status.html

The specific exploits which were demonstrated as working are:

Internet Explorer 8:

        CVE-2010-0248 : Microsoft Internet Explorer item Object Memory Corruption Remote Code Execution Vulnerability
        CVE-2010-3346 : Microsoft Internet Explorer HTML+Time Element outerText Remote Code Execution Vulnerability

Firefox

        CVE-2009-3077 : Mozilla Firefox TreeColumns Dangling Pointer Vulnerability
        CVE-2010-2752 : Mozilla Firefox CSS font-face Remote Code Execution Vulnerability

Webkit:
(Chrome on Windows & Safari on OSX)

        CVE-2010-0050 : Apple Webkit Blink Event Dangling Pointer Remote Code Execution Vulnerability
        CVE-2011-0115 : Apple Safari WebKit Range Object Remote Code Execution Vulnerability

These all allow the execution of arbitrary code on the user's machine, with at least the same access level as the user running the browser.

Re:WebKit (1)

TheRaven64 (641858) | more than 2 years ago | (#39317223)

These all allow the execution of arbitrary code on the user's machine, with at least the same access level as the user running the browser.

Which is the point of the sandbox. The rendering process does not have the same level of access as the user running the browser, it has a severely limited subset of access. The original question made sense, because Chrome and Safari both implement sandboxing, but they do it in different ways.

Vector animations and games (1)

tepples (727027) | more than 2 years ago | (#39317751)

websites shouldn't rely on [Flash Player] (offer alternative functionality such as downloads or HTML 5 video)

For a vector animation or a game that was made in Flash or another SWF-making tool, what would such "downloads" be, other than the SWF itself? A vector animation such as "Badger Badger Badger" would become ten times bigger in bytes if automatically converted to WebM or MP4, and a game would become a playthrough video.

HAHAH TIME FOR PONIES!! (0, Offtopic)

Anonymous Coward | more than 2 years ago | (#39315651)

Cupcakes for ALL!

As the Slashdot Front Page Said at One Time... (3, Insightful)

Scarletdown (886459) | more than 2 years ago | (#39315657)

OMG!!! Ponies!!!

Re:As the Slashdot Front Page Said at One Time... (4, Funny)

sixtyeight (844265) | more than 2 years ago | (#39315803)

Ugh, pwnies.

Life imitates pun.

Re:As the Slashdot Front Page Said at One Time... (1)

Mr Z (6791) | more than 2 years ago | (#39316257)

Hey, folks, where's the screenshots at? Here's mine... [spatula-city.org]

Soon (-1)

Anonymous Coward | more than 2 years ago | (#39315663)

The pony meme needs to die.

Re:Soon (1)

binarylarry (1338699) | more than 2 years ago | (#39315713)

OMG Pwnmemes?

Re:Soon (4, Insightful)

Deus.1.01 (946808) | more than 2 years ago | (#39315849)

Its not a meme...we're just celebrating the fact that we live in a universe were we can watch a MLP franchise without being unironic as fuck.

Re:Soon (2)

Deus.1.01 (946808) | more than 2 years ago | (#39315907)

and the unintentional double negative means, good night.

Re:Soon (2)

Anonymous Coward | more than 2 years ago | (#39316163)

Its not a meme...we're just celebrating the fact that we live in a universe were we can watch a MLP franchise without being unironic as fuck.

This.

We live in a universe in which the creators of the cartoon can put the equations that explain time dilation [wikipedia.org] (at constant acceleration) into a 2-second cameo (at 14:22 into Season 2, Episode 20 - "It's About Time") that leads into a character coming to the conclusion that she has to stop time [youtube.com] . Every equation on that blackboard is real. (The thing that looks like a percent sign is a gamma-sub-zero, etc.)

And in which we can have it all hashed out and documented within 12 hours of the show being aired this morning.

When we were in college, we had to explain to our parents why we still loved Bugs Bunny, and then, why we loved Futurama. Now it's a new generation's turn to explain to us why we think MLP is funny.

Obligatory Hack: Pinkie Pie? In my computer? [youtube.com]

Re:Soon (1)

ChromeAeonium (1026952) | more than 2 years ago | (#39316367)

Huh, that's a pretty neat catch. That's got to be one of the cooler Easter eggs I've seen in a while. I'm always a bit baffled by how much some people can find in that show...I have a hard enough time just trying to find Derpy...and I usually can't even do that until I see a screenshot pointing it out.

Re:Soon (0)

Anonymous Coward | more than 2 years ago | (#39316483)

Huh, that's a pretty neat catch. That's got to be one of the cooler Easter eggs I've seen in a while. I'm always a bit baffled by how much some people can find in that show...I have a hard enough time just trying to find Derpy...and I usually can't even do that until I see a screenshot pointing it out.

The first one jumped out at anyone who ever took first year physics (or even AP physics in high school if they were lucky). The other lines were trickier.

Punchline: That particular bit got sussed out a few hours ago on The Imageboard That Shall Not Be Named. Yes, that one. With the four, and the ch, and the an. And the /mlp instead of the /second-letter-of-the-alphabet. Thread was /res 513617

Re:Soon (0)

Anonymous Coward | more than 2 years ago | (#39316937)

It would be nice if every children show used the real equations, in the spirit of promoting STEM education and hiring some additional people from the field to the entertainment industry.

Re:Soon (0)

Anonymous Coward | more than 2 years ago | (#39316801)

I cannot believe how many retards with mod points are into little ponies. I don't give two shits that the time dilation equations were in some episode.

Re:Soon (1)

blind biker (1066130) | more than 2 years ago | (#39316961)

celebrating the fact that we live in a universe were we can watch a MLP franchise without being unironic as fuck.

I am guessing you meant to write "without being ironic as fuck"

Brohoof?

Re:Soon (0)

Anonymous Coward | more than 2 years ago | (#39317183)

>unironic as fuck
'sincere'?

Re:Soon (0, Offtopic)

Anonymous Coward | more than 2 years ago | (#39315921)

You can't fix stupid. The pony meme will continue until the next braindead fad thing grabs their attention.

Re:Soon (1, Insightful)

flimflammer (956759) | more than 2 years ago | (#39316157)

It's not a meme.

Re:Soon (0)

Anonymous Coward | more than 2 years ago | (#39317089)

Listen to this guy, he's got the right of it: we've got opportunity in this very community...

Re:Soon (2)

ChromeAeonium (1026952) | more than 2 years ago | (#39316229)

There's a difference between an internet meme from a fandom. Lolcats, advice animals, or rage comics are memes. Browncoats, Trekkies, Whovians, ect. are clearly not. Guess where ponies fall?

We like a particular show. That isn't much different than any other fan group.

Fandom vs. meme (1)

tepples (727027) | more than 2 years ago | (#39317795)

Browncoats, Trekkies, Whovians, ect. are clearly not.

But are Browncoats, Trekkers, and Whovians a decidedly different demographic [tvtropes.org] from the one that the series' producers originally targeted?

We like a particular show. That isn't much different than any other fan group.

Milhouse is not a meme. "The Simpsons has a fandom" is not a meme. "MLP:FIM has a periphery fandom" is not a meme. But constantly making in-jokes that only "bronies" (the periphery fandom of MLP:FIM) would get is a meme.

Better April Fools Idea (1)

Billly Gates (198444) | more than 2 years ago | (#39315683)

Be Creative!

Why don't you have a banner that says "Optimized for IE 6! Enjoy the new support the best browser available. [saveie6.com] . Link a whole bunch of articles including the one at arstechnica that showed IE 6 usage jumped last month.

Go dig up some CSS from Slashdot 2002 era from slashcode. Let us officeworkers use it for a day or need to click "compatibility mode" for IE 8 and 9. You have the code?

Maybe put the blue colors of XP mode in its colors.

Pwn2Own rocks. (3, Insightful)

LordLimecat (1103839) | more than 2 years ago | (#39315719)

The best thing about Pwn2Own is that it can be a shot of reality for anyone who gets overly confident in how awesome their favorite OS or browser is. Im a huge fan of Chrome and was hoping it would stand up without any 0-days, but its great that Pwn2Own brought to light the reality that there is no "secure web browsing experience" outside of Lynx (and Im willing to bet that could be 0-day'd too).

Re:Pwn2Own rocks. (5, Interesting)

Billly Gates (198444) | more than 2 years ago | (#39315781)

One downside is many are reporting on ZDNet, that the IE 9 exploit that was shown yesterday has new trojans already working for it.

Since it is a 0 day exploit it is undetectable by any anti virus scanner yet and all you need to do is search under Google Image and you are instantly infected without clicking on anything.

Google at least patched the last one in 24 hours, but I do not trust other browsers or users to patch that quick.

Re:Pwn2Own rocks. (0)

Anonymous Coward | more than 2 years ago | (#39315973)

Now if MS went with Deny All by default instead of trusting every god damn piece of code on the net, IE might be secure enough to never have needed to be fixed. Anyone who leaves the doors open and actually invites everyone and their brother into the house is an idiot.

Re:Pwn2Own rocks. (1)

Billly Gates (198444) | more than 2 years ago | (#39316015)

IE 9 is a good browser. Running everything is so IE 6 pre XP SP 2. Even IE 8 only runs signed activeX controls on intranets only. THe only downside is its sandbox is prone to memory corruption and is exploitable. FF does not even have a sandbox. IE 10 will fix this.

It doesn't I reran the test at zdnet and I did not find any .exe in my %appdata/roaming folders.

My guess is if it is not a flash exploit but a javascript one.

Re:Pwn2Own rocks. (1)

cyber-vandal (148830) | more than 2 years ago | (#39317285)

Cool IE10 will fix Firefox not having a sandbox. Shame we'll have to wait bloody ages for it. Wouldn't it be nice if Microsoft released some minor updates to its browser sometimes, like improving developer tools for those of us unfortunate enough to have to use it exclusively for debugging.

Re:Pwn2Own rocks. (0)

Anonymous Coward | more than 2 years ago | (#39317031)

google went high profile with their bounty - they have to patch immediately or the entire marketing scheme is shot to hell

Re:Pwn2Own rocks. (3, Insightful)

Teckla (630646) | more than 2 years ago | (#39315923)

...but its great that Pwn2Own brought to light the reality that there is no "secure web browsing experience"...

It seems to me there must be fundamental problems with the web browser technologies themselves. The web has been extremely popular for a long time now, and it seems no company, no matter how talented, no matter how serious, no matter how security focused, no matter how well staffed, no matter how much money, can make a secure web browser. This is getting ridiculous!

Yes, I'm seriously thinking web technologies themselves are to blame. Overly complex? Over engineered? Fundamentally flawed? Complexity is the enemy of security. It's time for a re-think.

What do other people think? Is it time to trash the old and invent something new, something mere mortals can embrace, and actually create secure implementations?

Re:Pwn2Own rocks. (1)

Anonymous Coward | more than 2 years ago | (#39315991)

Not so sure about the technologies, as the pace of browser development. Security, I think, takes time and thought, which the designers and programmers are not allowed in the interests of getting the next release with new features out.

Re:Pwn2Own rocks. (4, Insightful)

Anonymous Coward | more than 2 years ago | (#39316021)

As AC above hinted at, and I believe I quote from some famous computer book or another, "If the structural properties of steel changed 20% every ten years, then Civil Engineering as a discipline would look a lot different."

Point being, you can have breakneck advancement or inherently secure code, but not both at the same time.

Re:Pwn2Own rocks. (3, Interesting)

bloodhawk (813939) | more than 2 years ago | (#39316095)

Is it time to trash the old and invent something new, something mere mortals can embrace, and actually create secure implementations?

The funny part about your post is your idea of a solution is actually the current problem. Technology is changing so fast that No one can have a modern popular functional end user browser while being secure. Security IS HARD, No matter how good a programmer you are you can't possibly imagine every possible type of new exploit technique that will be created tomorrow, next week or next year. It is even harder if every few years you have to rewrite everything, your idea would just bring about a raft of new security issues..

Or maybe, just maybe (4, Insightful)

Sycraft-fu (314770) | more than 2 years ago | (#39316565)

You can to accept that virtual security is the same as physical security and cannot be perfect in the real world.

See with physical security, we've known this forever. You can't design the unbeatable system. No matter what you design, someone can figure out a way to overcome it, through brute force if necessary. You can't secure something to perfection. So you don't try, you design security to repel any likely threat you you rely on defense in depth so that if one layer fails, the whole system doesn't fail.

However many geeks seem to have talked themselves in to the idea that you can have perfect virtual security. Just use browser X on OS Y and there is no way anything evil can get you, kind of thing. Well I think that is false. You can't have perfect virtual security. Instead, you just have to make it as good as you can against the threat you are likely to face, and then have defense in depth.

Patch your OS and browser, run an on access virus scanner, run a client firewall, have a network firewall, run as a deprivileged user, use things like ASLR and DEP, be safe about your browsing, monitor your system, etc. Don't rely on a single thing to keep you safe, rely on many. Realize that all your layers have defects. Fix them when found, but understand there is no perfection.

This whining that nobody can build something perfect is just stupid. No, they can't, we never have, never will. Deal with it. We don't move out of our houses because they aren't perfectly secure, we aren't going to stop using our computer because they aren't perfectly secure. Get good layered defense and stay on top of it. That is all you can do, all we've ever been able to do.

Re:Or maybe, just maybe (1)

Anonymous Coward | more than 2 years ago | (#39317009)

It's impossible to get perfect security in the real world because of practical limits that result from physical laws. In a computing environment, we choose the laws that underpin it! We should be able to come up with technologies to provide a web experience which also allow a simple, perfectly secure browser to exist.

This may require some sacrifices. For example, we might have to prohibit embedded scripts in Turing-complete languages like Javascript (or just about anything else), so that a browser can analyse them to determine whether they will halt. We might have to give up flash widgets, or blink tags. But we ought to be able to write a damn document-display system that doesn't treat malformed data as executable code, and run it.

Re:Or maybe, just maybe (1)

icebraining (1313345) | more than 2 years ago | (#39317289)

You can, but no one will want to use it. Security doesn't trump features for most people's use cases for the web. Including mine. Particularly since you'd have to give up images too.

Re:Pwn2Own rocks. (1)

wintermute1974 (596184) | more than 2 years ago | (#39316777)

You need to change your basic premise: There is no possible way to prove that software is bug free. The best you can do is to test a piece of software and then fix the problems that you find. Software verification and validation are tough problems.

Re:Pwn2Own rocks. (3, Insightful)

Wrath0fb0b (302444) | more than 2 years ago | (#39316945)

Yes, I'm seriously thinking web technologies themselves are to blame. Overly complex? Over engineered? Fundamentally flawed? Complexity is the enemy of security. It's time for a re-think.

Complexity is required to perform arbitrary tasks in a dynamically programmable fashion -- which is essentially what modern HTML/Javascript essentially provides. You can't take something like that are "re-think" it into something less complex than some fundamental measure of the complexity of the application for which it is intended. Either the browser has to be able to perform those functions or users are going to have to accept a web with drastically limited capabilities.

In a broader sense, this is a symptom of the annoying idea that some combination of clever engineering and design decisions can destroy complexity and replace it with something simple. This is superficially true but really what's happening is not that complexity is destroyed, only that it is hidden away -- it's a sort of "conservation of complexity": you can shuffle it around between various layers and (hopefully) hide it from the end user but it's still got to be there somewhere. Consider a cell-phone, it's an insanely complex system involving a all kinds of RF, some arcane protocol, software running on the mobile device, software running the backhaul -- just thinking about it for a second is enough to give you a headache. What the user sees when they dial a number isn't complex not because we've made all those things easy, only because we've relocated it somewhere else.,

The same thing happens in the case of a browser -- I log into gmail and Google dynamically instructs my computer ("over the wire") how to create an entire GUI program that interacts with their server. That's nothing short of amazing and when you say "browsers are overly complex and over-engineering" what you are essentially saying that they should not be able to do that because that complexity came fundamentally and inexorably from the statement of the required functionality. No simple system could every do that ....

Re:Pwn2Own rocks. (0)

Anonymous Coward | more than 2 years ago | (#39317185)

Well, we could always just go back to newspapers, mail in envelopes with stamps, and broadcast radio/TV. That's how it was when I was a kid, and I don't recall a single browser exploit.

Re:Pwn2Own rocks. (2)

c++0xFF (1758032) | more than 2 years ago | (#39315957)

But, at least now we know there are three fewer 0-day exploits than before. That's something, isn't it?

Re:Pwn2Own rocks. (1)

utkonos (2104836) | more than 2 years ago | (#39317417)

You're new to the intertubes, huh? Lynx has been as unsafe as any browser from time [exploit-db.com] to time [juniper.net] .

Firewall (0)

Deus.1.01 (946808) | more than 2 years ago | (#39315835)

DAMNIT!

SHE BROKE THE WALL AGAIN!

*yeah that really makes no senze but I've had two fingers of single malt so stay with me on this one*

Re:Firewall (0)

Anonymous Coward | more than 2 years ago | (#39316073)

I actually got the reference so I must be AT LEAST as drunk as you are.

Sandboxed? Without hardware VM support? Riiiight. (5, Insightful)

VortexCortex (1117377) | more than 2 years ago | (#39315841)

The code isn't in a sandbox if it can escape.

A lot of (desktop) hardware supports virtualization at the hardware level -- This doesn't mean executing a different set of opcodes, it means running an OS inside of an OS. We need hypervisory control at the application level. As long as your application code is running in the same environment as everything else with no hardware supported barriers, then it's not actually in a sandbox.

We compile sections of JavaScript to machine code in data memory, mark the resulting data as code and execute it. It only takes one well placed buffer overflow to get some of your memory corrupted, before data is executed as code. The corruption need not result from JavaScript to affect the JS engine. Additionally, if said JavaScript or HTML or ANY untrusted source of data is being used by native code at the same security level as the application then any bug in that native code (eg: flash, SVG, HTML5 rendering, video/sound codecs, etc) can be an open door out of the "sandbox". This is similar to how such a bug in kernel level code can give you kernel level access... Such is the case for application level code as well.

Data Execution Prevention (DEP [wikipedia.org] ) can be used to prevent executing data as code (eg to prevent buffer overflow data from being executed), but since the design of JavaScript makes implementations so slow and we're trying to do so much with it we actually need to execute the data as code. To gain performance we forfeit one of best tools that a "sandbox" can have.

Many that gloat over their browser performance benchmarks wilfully trade security for speed, leaving other more sensible individuals (who may instead throw hardware at a speed issue) without an option... Better browser code can't execute "faster". The hardware runs at the same speed. It can only execute less. That is: more efficiently... More speed requires better hardware, not software.

I would welcome a slower software only VM option (no just in time compiling to machine code), this way hardware DEP could be used to enforce sandboxing more strictly. Until then: My browser runs in its own OS within a hardware supported VM. I start from a fresh known-good VM image before I do anything important on the web. THAT'S a sandbox. Consequently, these restrictions mean I won't do anything important on today's mobile devices...

P.S.
Security researcher red-flags bolded for your convenience.

Re:Sandboxed? Without hardware VM support? Riiiigh (2, Insightful)

Anonymous Coward | more than 2 years ago | (#39316083)

It's also possible to break out of hardware VMs. Why? Because there's no such thing as a hardware VM. There's hardware-enhanced VMs, but there's still driver and other code which has to interact with the guest OS, thus opening vectors for attack with a much larger attack surface than between two discrete boxes. There have been such exploits published, there are no doubt many unpublished, and there will be more in the future.

Sorry to rain on your parade.

Re:Sandboxed? Without hardware VM support? Riiiigh (3, Informative)

jdogalt (961241) | more than 2 years ago | (#39316137)

To further rain on the "VMs, even hardware ones, aren't exploitable" parade, the history of hacking the PS3 is always a fun read-

http://wiki.ps2dev.org/ps3:rsx [ps2dev.org]

"
FIFO workaround

The hack consists of asking the Hypervisor to return without waiting for a blit to end. After the Hypervisor returns there is a small length of time during which the FIFO or FIFO registers can be modified before the GPU has finished reading the command. This will occur when a large blit is decomposed into many smaller 1024×1024 blits by the Hypervisor. The last operation pushed to the FIFO by the Hypervisor is a wait for the GPU engine to go idle. By skipping this operation, it is possible to enqueue more commands to the FIFO for the GPU to execute. So the hack consists in either patching the last operation with a NOP, or changing the FIFO write pointer to stop earlier.
"

Re:Sandboxed? Without hardware VM support? Riiiigh (1)

TheRaven64 (641858) | more than 2 years ago | (#39317235)

Wow, you wrote a very long post to say 'I don't know what I am talking about'.

Every process is sandboxed in a hardware VM. It is using a different instruction set which is restricted from doing anything related to I/O. No process can do anything other than touch its own memory and issue system calls. If it wants to open a socket or access the filesystem, it must issue a system call and then the kernel decides whether to permit this.

Modern browsers (including Chrome) make use of this by running the rendering process - including the JavaScript - inside a separate process that has a restricted set of rights. Typically, this means no access to the filesystem. As such, even if the JavaScript engine has an arbitrary code execution vulnerability, all that the attacker can do is run code inside the process - any system calls that try to touch the rest of the system will just return failure. You also need to find a bug in the sandbox, meaning either a vulnerability in the OS, or a flaw in the policy defined by the browser.

Pwn2Own? (0, Offtopic)

Anonymous Coward | more than 2 years ago | (#39316003)

Wasn't the word "pwn" derived from "own" to begin with? That would make "Pwn2own" seem to be a bit redundant, i.e. that is to say somewhat unnecesarily superfluous and verbose; lacking in the concise.

Re:Pwn2Own? (1)

flimflammer (956759) | more than 2 years ago | (#39316167)

The name comes from the fact you get the device you "pwn". So you "pwn" the device in order to literally own it.

Re:Pwn2Own? (1)

Fatalis (892735) | more than 2 years ago | (#39317207)

This is the etymological fallacy: confusing the etymology of a word (where the word came from) with its meaning. "Pwn" is derived from "own" but has a different meaning.

Re:Pwn2Own? (1)

allo (1728082) | more than 2 years ago | (#39317741)

no, it does not. either i owned you, or i pwned you, same thing, but fat fingers.

only 60k? (0)

Anonymous Coward | more than 2 years ago | (#39316103)

really?
no wonder why the black market is flourishing
they should really increase the rewards
if they want to stay ahead of the curve

More importantly (1)

lanner (107308) | more than 2 years ago | (#39316399)

That guy just got himz a j-o-b.

yay ponies!! (1)

prettything (965473) | more than 2 years ago | (#39317179)

finally : )
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?