Posts: 2,956
Threads: 653
Joined: Feb 2024
What is going on here? Have the bad guys figured out how to screw up our Macs?
Partial quote:
"Charlie Miller, the security researcher who hacked a Mac in two minutes last year at CanSecWest's PWN2OWN contest, improved his time Wednesday by breaking into another Mac in under 10 seconds."
Posts: 32,462
Threads: 3,127
Joined: Apr 2025
Reputation:
0
What's going on is that it's a contest with rules and goals that permit and encourage the following:
Contestants show up having already identified the vulnerability, developed and tested the exploit. The fact that they exploited the computer in seconds doesn't sound as impressive when you realize all they're doing at that point is walking up to it and pressing a button or two. Translate all that into the real world and then ask yourself if you're actually concerned still with this "news."
Posts: 32,462
Threads: 3,127
Joined: Apr 2025
Reputation:
0
Totally agree. But I also think that exploits that rely on social engineering are essentially harmless with a minimum of user education. When Miller hacks a legitimate popular website that makes Macs vulnerable I'll worry. Not saying it can't or won't be done, but until it is... I just don't consider this something for users to get freaked out about.
He found a problem, it gets reported and sent to Apple. Yay. I feel no less comfortable using Safari on my Macs today. What does make me feel better is his buddy Dino, who's a Mac user who finds vulnerabilities in his spare time and donates his work to Apple, who he says is responsive and gives him attribution. Miller on the other hand has only reported 2 --- two --- Safari vulnerabilities in 2 years because he gives nothing away and waits for the contest to sell his work. To each his own, but I take issue when I hear about guys like Miller who try to come off as doing security work for some greater good. His low productivity speaks for itself.
Posts: 4,481
Threads: 115
Joined: May 2025
Reputation:
0
Sorry, I forgot my sarcasm emoticon. Yeah, this is yet another mountain from a molehill.
Posts: 32,462
Threads: 3,127
Joined: Apr 2025
Reputation:
0
I've pledged to consume only one cup of coffee in the morning. But sometimes I fall off the wagon. (Looks around for actual work to do, at work ...)
Posts: 10,000
Threads: 626
Joined: Jul 2020
Reputation:
0
The kid who had handy exploits for Safari, IE and Firefox walked away with $15k.
Not bad for a day's work.
Posts: 5,387
Threads: 567
Joined: Nov 2023
Wasn't he already sitting on that exploit for a year?
As for the comment about user education... that's laughable. Good luck consoling yourself with that sort of pablum.