Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins

CmdrTaco posted more than 6 years ago | from the tough-nut-to-crack dept.

Security 337

DimitryGH followed up on the earlier news that the MacBook Air lost CanSecWest by noting that "Last year's winner of the CanSecWest hacking contest has won the Vista laptop in this year's competition. According to the sponsor TippingPoint's blog, Shane Macaulay used a new 0day exploit against Adobe Flash in order to secure his win. At the end of the day, the only laptop (of OS X, Vista, and Ubuntu) that remained unharmed was the one running Ubuntu. How's that for fueling religious platform wars?"

cancel ×

337 comments

What kind of exploit? (2, Insightful)

Anonymous Coward | more than 6 years ago | (#22904890)


Shane Macaulay used a new 0day exploit against Adobe Flash in order to secure his win. At the end of the day, the only laptop (of OS X, Vista, and Ubuntu) that remained unharmed was the one running Ubuntu. How's that for fueling religious platform wars?"


It depends what kind of exploit that was.

Re:What kind of exploit? (1, Interesting)

brassman (112558) | more than 6 years ago | (#22905476)

I find the timing odd, in that all my copies of Firefox updated themselves from 2.0.0.12 to .13 the day before the contest. Wonder what would have happened if the contest had been started two days sooner... or two days later, for that matter?

Or is 2.0.0.13 comparable in any way to Safari 3.1?

Security (is|as) a moving target....

Popcorn anyone? (5, Funny)

cizoozic (1196001) | more than 6 years ago | (#22904894)

How's that for fueling religious platform wars?
Should do quite nicely. Check back on this thread in a few hours - I'll bring the beers!

Re:Popcorn anyone? (4, Funny)

garett_spencley (193892) | more than 6 years ago | (#22904914)

"Should do quite nicely. Check back on this thread in a few hours - I'll bring the beers!"

What kind ?

And if you say a light North American lager I'm going to smite you in the name of the almighty beer lord!

Re:Popcorn anyone? (5, Funny)

tzot (834456) | more than 6 years ago | (#22905062)

(What kind of beer?) And if you say a light North American lager [snip]
He said he'd bring the beers, not that he would make love in a canoe ;)

Re:Popcorn anyone? (4, Informative)

MikeDX (560598) | more than 6 years ago | (#22905120)

How on earth is this offtopic?

The Monty Python joke goes along the lines of, "This lager is like making love in a canoe - it's fucking close to water"

Re:Popcorn anyone? (1, Insightful)

billcopc (196330) | more than 6 years ago | (#22905472)

Proof that we're getting too old for Slashdot.

Get these n00bs off my lawn!

Re:Popcorn anyone? (2, Interesting)

nofrak (889021) | more than 6 years ago | (#22904922)

To celebrate the winner, may I suggest free beer [freebeer.org] ?

Re:Popcorn anyone? (0, Redundant)

MT628496 (959515) | more than 6 years ago | (#22904946)

Make mine a Guinness :)

Re:Popcorn anyone? (0, Redundant)

bondjamesbond (99019) | more than 6 years ago | (#22905006)

You, sir, have outstanding taste in beer. And I'll take a pint.

Re:Popcorn anyone? (0, Redundant)

CastrTroy (595695) | more than 6 years ago | (#22905478)

Guinness FTW.

Re:Popcorn anyone? (5, Insightful)

call-me-kenneth (1249496) | more than 6 years ago | (#22905026)

What's the betting that the Linux and MacOS versions of Flash are also vulnerable to this 0day? It's rare for a Flash issue to affect only one platform (the same is true of the Acrobat reader and other typical cross-platform browser plug-ins.) Let's wait for the Adobe advisory before jumping to conclusions, shall we? (Disclaimer, I'm a Linux user.)

Re:Popcorn anyone? (3, Insightful)

SpzToid (869795) | more than 6 years ago | (#22905168)

I am not a software engineer or hacker, but from what I understand, while it may be likely the vulnerability exists across platforms, typically it is the Microsoft box that often allows elevated access, once the Flash exploit has been used. This isn't so easy to manage for a hacker, with the *nixes, (which includes OSX).

So by not using Windows, users are made more secure by not being such a targeted pool in the first place, (as influenced by marketshare). But the design of the OS helps too.

Re:Popcorn anyone? (4, Informative)

Zero__Kelvin (151819) | more than 6 years ago | (#22905314)

"What's the betting that the Linux and MacOS versions of Flash are also vulnerable to this 0day? It's rare for a Flash issue to affect only one platform (the same is true of the Acrobat reader and other typical cross-platform browser plug-ins.) Let's wait for the Adobe advisory before jumping to conclusions, shall we? (Disclaimer, I'm a Linux user.)"
It depends upon what you mean by "Flash issue." If you mean a bug in the rendering or stream processing, or GUI etc. then yes it is likely that the same bug would be found on all three platforms.

The question isn't "Is Flash vulnerable?", but rather does a vulnerability at the application layer allow you to hack into the OS. It is entirely besides the point if Flash is flawed in the same way, thought there is a reasonable likelihood that it is not in this case. There are significant differences in code compiled for the various platforms. We Software Engineers call that "conditional compilation."

Re:Popcorn anyone? (2, Informative)

domatic (1128127) | more than 6 years ago | (#22905484)

Ubuntu 8.04 will include AppArmor by default. I don't how much of a difference it will make in a pressure cooker like a hacking competition though.

Re:Popcorn anyone? (1)

Foofoobar (318279) | more than 6 years ago | (#22905566)

Well on Windows, sandboxing of permissions is different. There might still be the exploit but the level of vulnerability would most likely be higher on a Windows system as a result of IE running at a SYSTEM level permission rather than a USER level like in Mac or Linux. Change to a different browser like Firefox on Windows and you will be safer.

Re:Popcorn anyone? (1)

X0563511 (793323) | more than 6 years ago | (#22905226)

Suggested tag: attackofthetrolls
or... whentrollsattack

Re:Popcorn anyone? (1)

popmaker (570147) | more than 6 years ago | (#22905346)

I'll make the popcorn!

Re:Popcorn anyone? (0)

Anonymous Coward | more than 6 years ago | (#22905444)

Sorry to disappoint you, there will be no flamewar because after this everybody knows that Umbongo is the best desktop OS, period.

Re:Popcorn anyone? (4, Funny)

phantomfive (622387) | more than 6 years ago | (#22905508)

There's no religious war here. Ubuntu is clearly the best.

Twofo is dying is dying (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#22904896)

Twofo [twofo.co.uk] is Dying is Dying

It is official; GNAA [www.gnaa.us] confirms: Twofo is Dying is Dying

One more crippling bombshell hit the already beleagured slashdot trolling community when Google confirmed that Twofo troll posts had dropped yet again, now down to less that a fraction of 1 percent of all slashdot posts. Coming hot on the heels of a recent usenet survey which plainly states that Twofo trolling frequency has fallen, this news serves only to reinforce what we've known all along. Twofo trolls are collapsing in complete disarray, as fittingly exemplified by failing dead last in a recent digg.com comprehensive trolling test.

You don't need to be one of the Slashdot moderators to predict Twofo Trolling's future. The writing is on the wall: Twofo trolling faces a bleak future. In fact there won't be any future at all for Twofo trolls because Twofo trolling is dying. Things are looking very bad for Twofo trolls. As many of us are already aware, Twofo trolling continues to decline in popularity. IP bans flow like a river of firewall rules.

"Twofo is Dying" trolls are the most endangered of them all, having lost 93% of their core posters. The sudden and unpleasant departures of long time trolls Daz and xyzzy only serve to underscore the point more clearly. There can no longer be any doubt: Twofo trolls are dying.

Lets keep to the facts and look and the numbers.

Twofo Trolling leader Echelon states that there are about 7000 "twofo is dying" trolls. How many "Zeus sucks cock" trolls are there? Let's see. The number of "Zeus sucks cock" trolls versus "Twofo is dying" trolls on slashdot is roughly in the ratio of 5 to 1. Therefore there are about 7000/5 = 1400 "Zeus sucks cock" trolls. "Fuck twofo" posts on slashdot are about half the volume of "Zeus sucks cock" posts. Therefore there are about 700 trolls specialising in "Fuck twofo". A recent article put "destroy twofo" at about 80% of the twofo trolling community. Therefore there are about (7000+1400+700)*4 = 36400 "destroy twofo" trolls. This is consistent with the number of "destroy twofo" slashdot posts.

Due to the troubles at Twofo, abysmal sharing, ITS, lack of IP addresses and so on, "destroy twofo" trolls stopped posting altogether and were taken over by "Zeus sucks cock" trolls who specialise in another kind of slashdot posting. Now "Zeus sucks cock" trolls are also dead, their corpses turned over to yet another charnel horse.

All major surveys show that Twofo trolls have steadily declined in slashdot posting frequency. Twofo trollers are very sick and their long term survival prospects are very dim. If Twofo trollers are to survive at all it will be among hardcore slashdot posters, hellbent on Twofo's destruction. Twofo trolls continue to decay. Nothing short of a miracle could save Twofo trolls from their fate at this point in time. For all practical purposes, Twofo trolls are dead.

Fact: Twofo trolls are dying

Re:Twofo is dying is dying (1)

Skeetskeetskeet (906997) | more than 6 years ago | (#22904918)

Zeus sucks cock???? To quote Burgess Meridith...."BY THE GODS!!!"

Software sucks. (5, Interesting)

Anonymous Coward | more than 6 years ago | (#22904900)

A 0-day exploit in Flash. What does Flash do? It paints to the screen. It has no need to communicate with other applications or write anywhere on the system except perhaps in a single configuration file. Why is this software not bullet proof? The thing is only a couple hundred kbytes small, for heaven's sake!

Re:Software sucks. (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#22905034)

Congratulations! You've won the "Dumbest comment in the universe by an AC" award!
No laptop, but you do get these awesome "Overrated" mod points!

Hey! (4, Funny)

spectrokid (660550) | more than 6 years ago | (#22904906)

it was Adobes fault, not Microsoft! Let's all switch to Silverlight and we will be OK!!!!

Re:Hey! (1)

AioKits (1235070) | more than 6 years ago | (#22904992)

it was Adobes fault, not Microsoft! Let's all switch to Silverlight and we will be OK!!!!
Done and done!
...
Errr, know of any site using Silverlight for something useful?

Both vulns are Mac-centric (2)

EraserMouseMan (847479) | more than 6 years ago | (#22905084)

It's interesting that the 2 vulnerable attack vectors are from the 2 companies that have the largest Mac user-base. Apple (Safari) and Adobe (Flash).

Re:Hey! (0)

Anonymous Coward | more than 6 years ago | (#22905104)

I don't see why the test includes third party software.
 
BTW, what happened, they set up each laptop with a web browser open that constantly refreshed a site that would display whatever the "hackers" were sending to it? Cause that's just a browser security test. I thought we were testing OS security here...

Re:Hey! (5, Informative)

calebt3 (1098475) | more than 6 years ago | (#22905152)

I don't see why the test includes third party software.
Because nobody managed to crack it with it just sitting on the network all day, and only the Mac got cracked doing web browsing/email.

Re:Hey! (1)

PRC Banker (970188) | more than 6 years ago | (#22905256)

I don't see why the test includes third party software.

Because nobody managed to crack it with it just sitting on the network all day, and only the Mac got cracked doing web browsing/email.


Because a 0day exploit is potentially worth a lot more than $10,000?

Those that could really crack the system have a lot more in rewards than a sticker.

Newsworthy? (4, Insightful)

MisterFuRR (311169) | more than 6 years ago | (#22904908)

I don't see how a script kiddy running 0day exploits on a box is in any way related to the total end point security, or security of the OS. Seems all he did was take inventory of the box -- realize flash was vulnerable and exploited it. Could've happened to any OS -- Ubuntu included -- that provides its end users with insecure software. Seems like trivial marketing fluff -- setup to spur stupid religious wars.

Re:Newsworthy? (5, Insightful)

call-me-kenneth (1249496) | more than 6 years ago | (#22905004)

Hint: script kiddies don't tend to have 0day in the real world.

Re:Newsworthy? (3, Informative)

tolan-b (230077) | more than 6 years ago | (#22905192)

They created their own exploits.

Re:Newsworthy? (5, Informative)

kripkenstein (913150) | more than 6 years ago | (#22905222)

I don't see how a script kiddy running 0day exploits on a box is in any way related to the total end point security, or security of the OS. Seems all he did was take inventory of the box -- realize flash was vulnerable and exploited it. Could've happened to any OS -- Ubuntu included -- that provides its end users with insecure software. Seems like trivial marketing fluff -- setup to spur stupid religious wars.
Hmm, I disagree.

First, this wasn't some script kiddie applying a known exploit. It was a new exploit that the winning team came up with. It isn't trivial to do.

Second, no, this "could have happened to any OS" is wrong. A well-crafted browser (in this case, the browser is part of the OS) can in theory prevent browser plugins from accessing anything of importance. However I don't think any existing browsers do that - but they should.

Second, and perhaps more important, the existence of 3rd party software on different OSes isn't the same. For example, most Windows users use Adobe Acrobat to view PDFs, whereas many Linux users use FOSS PDF viewers (Evince, KPDF). It might be the case - and I am guessing that it is - that Acrobat has far more exploits against it, both because it has far more code (what with all the functionality 99% of users don't need), and that it isn't open source. In general Windows users tend to have lots of 3rd party apps that are closed source and of dubious quality. That isn't the case on Linux.

Furthermore, even if two OSes run the same app - Flash, say - that doesn't mean they are equally vulnerable. Flash isn't identical between the platforms; if I am not mistaken on Linux Flash uses Alsa for sound (or some other Linux sound system). So if Alsa is more secure than Windows' sound system, that would be one difference.

I'm not saying this competition is a great test of OS security. It isn't; it's an anecdote. But it isn't worthless either. In fact the results are pretty much what I would have expected from the beginning: OS X is a great OS but security has never been a top priority (there wasn't as much of a need for it, so why bother). Windows has focused on security recently but is hobbled by having lots of closed-source 3rd party apps. Linux was always security-focused (starting as a server OS), and has the advantage of most of its software being FOSS and arriving from a repo under the control of the distro (in this case Ubuntu).

Re:Newsworthy? (5, Funny)

Anonymous Coward | more than 6 years ago | (#22905342)

In general Windows users tend to have lots of 3rd party apps that are closed source and of dubious quality. That isn't the case on Linux.
Yeah, they're open source and of dubious quality.

Re:Newsworthy? (1, Interesting)

Anonymous Coward | more than 6 years ago | (#22905404)

I couldn't find answers to my questions on the links, although I'm probably not looking hard enough.

The aim of the contest was to read a specific file on the system. What I was wondering is what permissions that file had? Was it only readable by root? I'm assuming not, but if so what are default settings like in Vista (I've never used it)? Does it by default make the user not run as administrator? After all Linux's claim to be immune from malware stems from the idea that the user has such restricted access and if root is not required in this competition it's perhaps a realization that for a desktop user a lot of damage can still be done as only the user.

Obviously this will result in a lot of Microsoft and Apple bashing, and as a long time Linux fan I'm rather smug, but I think it's worth noting that Adobe Reader is cross platform so there is a chance that the vulnerability is not unique to Windows - it may not be Microsoft's fault at all.

To be honest I think this says less about the security of various platforms (after all we have to be slightly impressed Windows lasted so long), but more about the security of open source versus closed source. The operating systems themselves didn't seem to be at fault as much as extra apps (although Safari may be an exception here). Perhaps because most of Ubuntu's apps are open source more vulnerabilities are spotted by the good guys which would be especially important in a competition like this where 0day exploits are the aim?

On a positive note I think it's a good thing to note that the days of a clean install being exploited in a few minutes once connected to the internet seem to be fading.

Re:Newsworthy? (0)

Anonymous Coward | more than 6 years ago | (#22905420)

More concisely, this wasn't a test or proof of security, it was a test/proof of insecurity. The result is not "Ubuntu Linux is secure"; the result is "MacOS X - not secure; Windows Vista - not secure; Ubuntu Linux - no result".

Re:Newsworthy? (5, Interesting)

Henry V .009 (518000) | more than 6 years ago | (#22905426)

Second, no, this "could have happened to any OS" is wrong. A well-crafted browser (in this case, the browser is part of the OS) can in theory prevent browser plugins from accessing anything of importance. However I don't think any existing browsers do that - but they should.
Irony alert: IE7 is the only browser on the block that does this. I imagine that the vulnerability was accessed through the open-source alternative: Firefox.

And no, it's not because IE7 is part of the operating system. It's because IE7 uses Microsoft's secure API to achieve sandbox mode. Firefox really needs to start taking advantage of this API. Otherwise their "most secure way to surf" bullshit is going to be called into question real soon.

Re:Newsworthy? (0)

Anonymous Coward | more than 6 years ago | (#22905306)

Could've happened to any OS -- Ubuntu included

It's no surprise that the Microsoft box got pwned.

What is surprising is how the volume and shrillness of their online apologists increases in direct proportion to their decline.

Newsworthy. (1)

Just Some Guy (3352) | more than 6 years ago | (#22905350)

I haven't found the 3rd-party list yet, but was Flash also installed on the Ubuntu laptop?

Re:Newsworthy? (2, Insightful)

gbickford (652870) | more than 6 years ago | (#22905406)

This small focus group of participators are not script kiddies. They publicly represent the people that do not want a public representation and do not want their unknown exploits exposed to the public eye for the mere price of a laptop or even a $10,000USD cash prize. The lurkers want bot nets and relay servers. The unseen want to be able to bend the entire internet. This information is only worth money if people do not know it.

The people that participate in this are like magicians selling their secrets at a bus stop.

This isn't like a McAfee vs Norton contest. The "the total end point security" which you reference is no where near contextual. This is a how much are black hats willing to give up for chump-change contest.

Re:Newsworthy? (1)

CastrTroy (595695) | more than 6 years ago | (#22905506)

I believe that a lot of people would be happy to slap that on a resume. It could be quite useful in getting nice job.

What did you expect? (3, Insightful)

lilomar (1072448) | more than 6 years ago | (#22904924)

So Linux is more secure than Windows? What else is new?

Re:What did you expect? (1)

X0563511 (793323) | more than 6 years ago | (#22905212)

Apparently it's also more secure than OS:X.

Personally, I don't give a damn, as anything that I personally own and use is going to be secured regardless. I know better than to trust out-of-the-box security. I have a squishy thing in my head I've heard some call a brain - as weird and unusual as it sounds, I use it.

You try hard enough, you can lock Windows down. Linux - even easier to do so. OS:X - I assume so, but not having used it more than passingly, I can't say for sure.

It is becoming more clear every day (2, Interesting)

zappepcs (820751) | more than 6 years ago | (#22904926)

that GNU/Linux is actually more than a competitor to MS in the niche hacker/power user arena. It is in fact quite usable and *CAN* replace Windows. (Car analogy) It's like seeing Kia in a road rally, sort of surprizing but after a couple of years competing people begin to just accept that they have the balls to keep it up and to compete.

Or perhaps it's more like a dedicated sports fan seeing his team make the playoffs after 40 years of ridicule ?

Re:It is becoming more clear every day (5, Funny)

ketilwaa (1095727) | more than 6 years ago | (#22905108)

Are you comparing GNU/Linux to Kia? Kia?!? KIA?!? If I see you on the road I'll be slamming into you with my Ubuntu Yugo, so watch out!

Re:It is becoming more clear every day (1)

zappepcs (820751) | more than 6 years ago | (#22905140)

If I could mod you funny I would LOL... didn't mean to compare to kia, just that the juxtapositions of both in their respective arenas is similar

Re:It is becoming more clear every day (1)

fast turtle (1118037) | more than 6 years ago | (#22905548)

Go right ahead and we'll see how many of the big 3 Windows boxes crash with you and don't forget the odd Pinto that explodes, the Explorer the rolls over and such

I think it is most fitting... (4, Funny)

Provocateur (133110) | more than 6 years ago | (#22904930)

...that we christen the unharmed laptop 'Cowboy Neal'

Re:I think it is most fitting... (1)

X0563511 (793323) | more than 6 years ago | (#22905264)

Can we name one of the broken ones "Cowboy'ed by Neal?"

Let me get this straight (-1, Troll)

CSMatt (1175471) | more than 6 years ago | (#22904976)

If you can exploit a laptop in this contest you get to keep it? Why would you want a laptop that you know is insecure?

Re:Let me get this straight (4, Informative)

calebt3 (1098475) | more than 6 years ago | (#22905012)

It comes with $20,000, $10,000, or $5,000, depending on what day you hacked it. The guy who cracked the Mac got $10,000 and the Vista machine came with $5,000 since it was cracked later. And you can always install *nix.

Re:Let me get this straight (5, Funny)

Anonymous Coward | more than 6 years ago | (#22905016)

For some time now OS of personal computers does not reside in ROM and can be changed to a different one with ease. The miracles of technology!

Re:Let me get this straight (3, Informative)

ceejayoz (567949) | more than 6 years ago | (#22905020)

The laptop isn't insecure, the attacks are taking place against the operating system (and in all three cases, against specific applications - none of the three were hackable without the user taking certain actions).

Re:Let me get this straight (4, Funny)

spectrokid (660550) | more than 6 years ago | (#22905022)

If you can exploit a laptop in this contest you get to keep it? Why would you want a laptop that you know is insecure?
Euuuuh.... to install Linux on it?

Re:Let me get this straight (1)

SargentDU (1161355) | more than 6 years ago | (#22905024)

When you get it, you secure it. Sheesh, you should know that already. What is with your silly question? You do not want it, give it to me and I will secure it.

Re:Let me get this straight (0)

Anonymous Coward | more than 6 years ago | (#22905032)

...so you can put Ubuntu on it?

Re:Let me get this straight (0)

Anonymous Coward | more than 6 years ago | (#22905058)

They're all x86 laptops, so you can just install Ubuntu on whichever one you win.

Re:Let me get this straight (0)

Anonymous Coward | more than 6 years ago | (#22905060)

Please send all your insecure belongings to me. It might be hard to move the house but if it's nice you can just send me the keys and the adress and I might move in. I'll take good care of your insecure car(s), bicycle(s) and computer(s).

Re:Let me get this straight (1)

Ripit (1001534) | more than 6 years ago | (#22905070)

If you can exploit a laptop in this contest you get to keep it? Why would you want a laptop that you know is insecure?


You forgot the part where you link to a laptop that's secure. I'll be waiting right here.

Re:Let me get this straight (1)

Killerchronic (1170217) | more than 6 years ago | (#22905160)

Because then you could put an OS on it that was secure!
Doesn't state you have to keep the OS that came with it.

Know this: no one uses linux on desktop, no softwa (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22904996)

Know this: no one uses linux on desktop, no software to exploit. Good news if you want a server in a corner, but nothing new if you want to do real work with it. Second-rate software may appeal if it comes at no cost, but life is too short to waste and second-rate (at best) software wastes too much of it. And besides, why not just pick up the machine and run off with it. puh! Put that in your zero-day pipe and smoke it!

Re:Know this: no one uses linux on desktop, no sof (3, Funny)

Zedekiah (1103333) | more than 6 years ago | (#22905124)

No-one? I hope you realise that you've just caused me an existential crisis!

Re:Know this: no one uses linux on desktop, no sof (2, Insightful)

calebt3 (1098475) | more than 6 years ago | (#22905326)

No-one uses Linux, and No-one is perfect. So we should try to follow in No-one's footsteps.

Re:Know this: no one uses linux on desktop, no sof (5, Insightful)

ricegf (1059658) | more than 6 years ago | (#22905130)

Know this: no one uses linux on desktop,

The really fun thing about absolute statements is that one counter-example disproves them. I use Linux on desktop. See? You're wrong. :-)

Of course, so does my wife (who majored in fashion merchandising), and my 88 year old father, and the exchange student who stayed in my house last year, and roughly half of the thousand people at PyCon two weeks ago (just from snooping screens during the plenaries), and about 4% of the desktop users world-wide. True, that's small compared to Windows' 85% share and a bit below Mac's 8%, but it's certainly not "nobody".

And note that the market share leader Windows survived the Mac by a day (though, my friend the Mac-fan said that only proves the Mac was so much more desirable than the other two laptops - touché! :-)

Well, anyway, sorry to have fed the troll.

Re:Know this: no one uses linux on desktop, no sof (2, Funny)

Oktober Sunset (838224) | more than 6 years ago | (#22905436)

Well, anyway, sorry to have fed the troll.
As long as you don't feed the squirrels.

Know this: people use linux on desktop (2, Insightful)

tomhudson (43916) | more than 6 years ago | (#22905214)

Know this: no one uses linux on desktop

Really? So this must be some magical post I'm making ...

Second-rate software may appeal if it comes at no cost, but life is too short to waste and second-rate (at best) software wastes too much of it

I agree, which is why I don't "do" Windows.

I use linux at home, and linux + bsd at work.

My sister switched to an iMac, and "once you go mac, you never go back."

People routinely remote into another linux box at work when they want to get "real" work done in a more powerful graphical environment like kde, or need to do stuff that Windows just can't do without a lot of work ...

Even web developers no longer need to keep a Windows box handy "for compatability testing" - IE 7 runs fine under linux.

Re:Know this: people use linux on desktop (1)

Nomen Publicus (1150725) | more than 6 years ago | (#22905284)

I stopped using Windows when Windows 98 was released and I couldn't make it do things my way. I switched to Linux, then Solaris and now both of my laptops run OpenSolaris.

I see no reason whatsoever to return to the small, shuttered prison cell that is Windows.

Re:Know this: people use linux on desktop (1)

ScrewMaster (602015) | more than 6 years ago | (#22905554)

I see no reason whatsoever to return to the small, shuttered prison cell that is Windows.

Yes, but as small, shuttered prison cells go ... it is comfortably furnished.

Something is Fishy (5, Informative)

ThinkFr33ly (902481) | more than 6 years ago | (#22905078)

If the person on the Vista laptop was running IE 7 with the default configuration (protected mode [msdn.com] / UAC on), this should not have happened.

Flash, like all other plugins, run within the security context of the low-rights user used by protected mode. Even if the flash plugin had an obvious buffer overflow or other exploit, it would only be able to access the data accessible by that low rights user, NOT the user running IE. That's the point of protected mode.

For a flash plugin to allow for a hacker to access personal files of the user it would not only have to have a buffer overflow (or some other exploit) in flash itself, but also take advantage of a privledge elevation exploit in Windows simultaneously.

I didn't see them specify in the article what browser than were using. Since they said it was an issue with flash, and not Windows, they couldn't have been using IE. My guess is that it was Firefox, since they said they loaded "popular" 3rd party apps.

Futhermore, the file in question must have been accessible to the user running Firefox (or whatever non-IE browser) since that would also require a privledge elevation in Windows.

So I'm not really sure how you can blame this on Vista or even Microsoft. If they had been using IE, it wouldn't have happened, regardless of the flaws in Flash. This says absolutely nothing about Vista security. The exact same thing would happen on every other OS. If you have an app with an exploit, and that app is running as User A, the hacker using that exploit has the same rights as User A.

I suppose one could argue that various defensive techniques like ASLR [msdn.com] should have stopped this, but without knowing the details, that's impossible to say. A buffer overflow can just as easily be used to call APIs exposed by the exploited application as it can to call OS APIs, and since ASLR only applies to Windows APIs (indeed, many of these techniques only apply at the OS level), this wouldn't be a fair characterization either.

Indeed, I find it strange that they didn't mention mitigating factors. I realize they're trying to be responsible as far as reporting, but telling people that users running IE on Vista aren't affected isn't exactly giving anything away... aside from the fact that Vista did its job as best it could.

Re:Something is Fishy (1)

Utopia (149375) | more than 6 years ago | (#22905132)

As I understand, UAC/protected mode only protects critical areas like windows system areas and program files.
I am guessing the file for the contest was stored in a non-critical area.

Re:Something is Fishy (4, Informative)

ThinkFr33ly (902481) | more than 6 years ago | (#22905276)

That is not correct. Protected Mode's low rights user has virtually no access to the system.

Unless that file was specfically marked readable by the low rights user (which would be obvious cheating), or unless it was placed in a directory accessible by that user (temp directory, for instance), they could not have been using IE.

Re:Something is Fishy (1)

Utopia (149375) | more than 6 years ago | (#22905386)

Really? I was under the impression that protected mode does allow user file reads even in low-rights mode; but prevents writes or directory traversal etc. (So you have to know the filename & path beforehand to read it)

Re:Something is Fishy (4, Informative)

ThinkFr33ly (902481) | more than 6 years ago | (#22905564)

No. The low rights user has access to a limited number of registry entries, isolated storage (temp directory a few others under the user's profile), but has absolutely no access to virtualy anything else... especially the user's documents.

A broker service is used when reading or writing to user files (such as when they save a file to their desktop, or upload a document to a web site). This isolates the potentially dangerous code into a very small (~10k lines) application that is far easier to audit. This application runs as the normal user, and essentially accepts requests from the low rights IE process when actions need to be performed on user files.

Re:Something is Fishy (3, Insightful)

Rary (566291) | more than 6 years ago | (#22905362)

This says absolutely nothing about Vista security.

Actually, the fact that Vista held its own against every attack the contestants attempted against it for days, and only finally fell when the contest organizers modified the rules to allow exploitable third-party applications in, says a lot about Vista security. It's just that what it says about Vista security is opposite to what most Slashdottians would like it to say.

Re:Something is Fishy (5, Informative)

benjymouse (756774) | more than 6 years ago | (#22905514)

Flash, like all other plugins, run within the security context of the low-rights user used by protected mode. Even if the flash plugin had an obvious buffer overflow or other exploit, it would only be able to access the data accessible by that low rights user, NOT the user running IE. That's the point of protected mode.


You are right that plugins by default runs under the special low-rights "ieuser" account. Unless the plugin uses tricks to circumvent this security for some reason.

And that is exactly what flash does. It uses a special "broker process" which runs as a daemon/service. The restricted plugin then talks to this brokerprocess and thus breaks out of the sandbox.

The flash API indeed has methods for creating/deleting/reading files and even executing applications (Would you believe that?). Although Adobe/Macromedia have tried to ensure that flash actionscripts can only use these in a "safe" way; I believe it is probable that the exploit was somehove connected to a vuln in the broker process; quite possibly in some of these API functions. Using a broker process to break out of the sandbox can circumvent any security precautions taken by the browser.

Given that Flash vulns are often cross-platform I think it is quite likely that this also is a problem on Linux. Now, if the special file which the contestants had to retrieve required *admin rights* the yet another level of security had been broken (UAC). But at this time we can't really determine.

Re:Something is Fishy (0)

Anonymous Coward | more than 6 years ago | (#22905534)

WOW. I absolutely hate flash and refuse to use it and you've just given me even more proof that I made the right decision. Thanks.

If what you say about Flash's architecture is correct then these people need to be taken out back and beaten with a rubber hose. This is so obviously a crap idea.

General Linux (1)

buchner.johannes (1139593) | more than 6 years ago | (#22905094)

Is there anything Ubuntu-specific about the results or can this be extrapolated to other distris?

Re:General Linux (0)

Anonymous Coward | more than 6 years ago | (#22905236)

other distris


Man I sure hope that's a typo.

Re:General Linux (1, Funny)

Anonymous Coward | more than 6 years ago | (#22905288)

Man I sure hope that's a typo.

No, it's a typi.

1 day later. (3, Insightful)

Lulfas (1140109) | more than 6 years ago | (#22905096)

Isn't it amazing that they couldn't exploit a Vista box with stock software, but they could do the Mac? It required them to install 3rd party software (Although extremely common 3rd party software, to be fair). Security through obscurity is dead.

Re:1 day later. (2, Insightful)

maskedbishounen (772174) | more than 6 years ago | (#22905136)

Or rather, security through obscurity takes longer. Which is kind of the whole point.

Re:1 day later. (1)

LLKrisJ (1021777) | more than 6 years ago | (#22905352)

Although it may be true that the Ubuntu machine remained unharmed I remain with a question;

What about flash player for Linux??? The Vista machine was hacked trough a flaw in flash player, but wouldn't that same flaw potentially make the Ubuntu machine vulnerable as well???? Was flash installed on the Ubuntu machine?

This kind of info is important to judge these kinds of results.

Also, I think it is a pitty that the contest didn't restrict itself to the stock OS intsallation without 3rd party apps. Now it's just comparing apples and pears and no real statements can be made about the relative security amongst these OS's

Just my two cents...

Re:1 day later. (1)

Lulfas (1140109) | more than 6 years ago | (#22905468)

The first two days did exactly this. On the third day, they brought in the 3rd party apps.

Re:1 day later. (1)

LLKrisJ (1021777) | more than 6 years ago | (#22905560)

Yes, I noticed now, but correct me if I'm wrong then, but isn't it then useless to compare (and judge) the security these three OS's, because in the end they topple over because of 3rd party aps...

I don't know about a religious platform war .... (5, Insightful)

LaughingCoder (914424) | more than 6 years ago | (#22905102)

... but it certainly confirms my strong aversion to putting anything Adobe on my machines. Seriously, who hasn't noticed how invasive and hoggish Adobe's stuff is? I cringe when I click a link to a PDF in a website, causing Adobe reader to launch inside the browser. It brings any machine to its knees as it consumes every available resource while rendering a simple document. And Adobe Elements (that's their "lightweight" photo product) takes the better part of a minute to start up on my dual core, 2GB box (non-RAIDed SATA drive). I guess it shouldn't surprise me that they have security problems as well ... slow software is usually sloppy software, and sloppy software is usually insecure software.

Re:I don't know about a religious platform war ... (1)

TobyWong (168498) | more than 6 years ago | (#22905172)

Hey good for you, some of us work in industries where adobe products are the standard and running anything else will result in lost business.

Re:I don't know about a religious platform war ... (1)

LaughingCoder (914424) | more than 6 years ago | (#22905190)

I will hasten to point out the same holds true for Windows. Of course that doesn't necessarily mean it's great stuff -- just that it's managed to become a defacto standard.

Re:I don't know about a religious platform war ... (1)

SuperBanana (662181) | more than 6 years ago | (#22905188)

. And Adobe Elements (that's their "lightweight" photo product) takes the better part of a minute to start up on my dual core, 2GB box (non-RAIDed SATA drive). I guess it shouldn't surprise me that they have security problems as well .

Given that it takes about 10 seconds to launch Adobe Photoshop CS3 (that's their heavyweight" photo product) on my dual-core laptop with "non-RAIDed SATA" laptop drive), and PDFs don't bring my system to its knees...

...I'd say there's something wrong with your laptop (or the configurations/state of its operating system.)

Re:I don't know about a religious platform war ... (0)

Anonymous Coward | more than 6 years ago | (#22905210)

That's what so brilliant about linux. Evince ftw.

Re:I don't know about a religious platform war ... (1)

popmaker (570147) | more than 6 years ago | (#22905496)

xpdf? Hey, at least it's easy on the PC!

You want FoxIt Reader. (1)

davemw (1240610) | more than 6 years ago | (#22905492)

I gave up using Adobe Reader a while back, after finding Foxit Reader [foxitsoftware.com] , which despite a few small annoyances, is about a million times faster at startup and rendering. It has no browser plugin, but in this day and age I see that as a good thing (you *do* remember the Acrobat javascript vulnerability from last year, don't you? :)

Re:I don't know about a religious platform war ... (2, Insightful)

Fweeky (41046) | more than 6 years ago | (#22905526)

It brings any machine to its knees as it consumes every available resource while rendering a simple document
Not seen that. I did try FoxIt Reader when I found a rather complex pdf of a world map of submarine optical fibre connections was rendered painfully slowly, but FoxIt was even slower. I upgraded to Adobe Reader 8, and now it's actually fairly smooth; something that'd take FoxIt or Adobe Reader 7 a good 3-10 seconds to render will take under a second and once drawn, scroll smoothly.

At the same time, I've not seen it go beyond about 150MB of memory, and more commonly manages a third of that. Startup time was rubbish a couple of years ago when it'd sit there loading about 20 different plugins for no particular reason, but that's not been a problem for a while now.

Not about the OS? (0, Informative)

ClickWir (166927) | more than 6 years ago | (#22905110)

So it was a Flash exploit.... which would mean that each of the machines would be vulnerable?

I don't know the details about the sploit so I don't know if it's OS specific even though it is Flash.

Hierarchy of Desirable Laptops? (0, Troll)

dvase (1134189) | more than 6 years ago | (#22905116)

Order in which they were taken home:

First (ie. Most Desirable): MacBook
Second (ie. Somewhat Desirable): Vista
Unclaimed (ie. I'd rather not): Ubuntu

Re:Hierarchy of Desirable Laptops? (0)

Anonymous Coward | more than 6 years ago | (#22905146)

Congratulations, you win the dumbest apple fanboy of the year award.

Re:Hierarchy of Desirable Laptops? (0)

Anonymous Coward | more than 6 years ago | (#22905202)

Yeah wanting a really nice computer and probably the most expensive out of the batch is SO DUMB.

Re:Hierarchy of Desirable Laptops? (2, Insightful)

Wavebreak (1256876) | more than 6 years ago | (#22905290)

No, trying to hack only the most desirable one would be dumb, seeing as how either of the other two are worth quite a bit on their own, and there's a rather substantial cash price in it for you as well. This gets repeated constantly, and people *still* bring the same goddamn stupid point up. No wonder you're posting as AC tbh.

Do we need to define troll? (1)

OMNIpotusCOM (1230884) | more than 6 years ago | (#22905530)

This is a troll because it's true? The winner took home the lappy they cracked. I'm guessing it went in order of resale and/or pure value. Sometimes "Desirability" and "value" are the same. If it's a troll from the "I'd rather not", fine, but I still don't think that negates the overall value of the comment.

Ahem... (1)

TheDarkener (198348) | more than 6 years ago | (#22905280)

"How's that for fueling religious platform wars?"

Wow. I guess the story posters here really *do* like all of the "X OS is sooooo better than Y OS" comment threads. =p Flame on, SD community. Flame on.
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...