Slashdot Mirror
MacBook Hacked In Contest Via Zero-Day Hole in Safari
EMB Numbers writes "Shane Macaulay just won a MacBook as a prize for successfully hacking OS X at CanSecWest conference in Vancouver, BC. The hack was based on a Safari vulnerability found by Dai Zovi and written in about 9 hours. CanSecWest organizers actually had to relax the contest rules to make the hack possible, because initially nobody at the event could breach the computers under the original restrictions. 'Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. "Shane can have the laptop, I want the money," Dai Zovi said in a telephone interview from New York. TippingPoint runs the Zero Day Initiative bug bounty program.'"
The machine couldn't be hacked, so they relaxed the rules so it could be? I wish they'd been more explicit as to what 'relaxing the rules' meant. But maybe that would've spoiled the story.
I am a believer of momentum and curves.
From one Mac user to (presumably) another, please get your head out of the sand. These "stupid people" to whom you refer you might otherwise know as "The Rest of Us." It doesn't matter how technically competent you are, we are all "stupid" every now and then—or do you only ever visit the same two or three well-known sites every day? Even if you do, how can you be sure they haven't been compromised by, say, some sort of injection attack? Or even by an unscrupulous advertiser in an iframe?
And why on earth does it make a difference whether the user account was admin or regular? If an intruder has access to your personal documents, you're just as fucked either way.
Make Slashdot readable! See journal.
Okay, maybe a black hat tendency, but there might be alternatives.
There are plenty of security companies out there legitimately trying to sell their software, plenty of people who would love to be the only ones who have a defense against some secret hack. If you want me to spend time finding a vulnerability and then into writing an exploit, my time would not come cheap. I'm not even talented in that direction. Imagine that you're a security researcher who gets paid for your time investigating and resolving potential security breaches, what kind of payoff makes it worth investing your time in that gamble? It has to be a pretty penny or else you're better served doing what you do for a living.
"Give me the money" is a legit response when you've invested your time and effort into something with that as your goal. If he'd said "I don't hack for fun or evil, I only did this for the contest and expect to be given what I was promised" then I don't think you'd have the same take. There is a good chance that is exactly what he meant too. You might be shocked to learn that a lot of us who are considered computer geeks are not the world's foremost verbal communicators.
I love my job, but I won't work here long after they stop paying me.
B) Eliminate all the stupid users. This is frowned upon by society.
In other words, nobody was able to remotely hack the machine, so they allowed for local exploits, which someone used in a Safari URL.
Expect Apple-haters and other FUDmeisters to completely ignore the difference, like InfoWorld did yesterday in their breathless headline about "remotely breaking in."
"Sufferin' succotash."
(1) FileVault won't help you here, since an intruder gaining Safari's privileges (e.g.) has access to everything Safari has access to, namely, your entire home directory. Besides, do you encrypt your entire home directory?
(2) You don't need root to launch an application (like a bot) or even install a keylogger (suid isn't set for KeyboardViewerServer, for example).
Make Slashdot readable! See journal.