MacBook Air First To Be Compromised In Hacking Contest
Multiple readers have written to let us know that the MacBook Air was the first laptop to fall in the CanSecWest hacking contest. The successful hijacking took place only two minutes into the second day of the competition, after the rules had been relaxed to allow the visiting of websites and opening of emails. The TippingPoint blog reveals that the vulnerability was located within Safari, but they won't release specific details until Apple has had a chance to correct the problem. The winner, Charlie Miller, gets to keep the laptop and $10,000. We covered the contest last year, and the results were similar.
Ah, the pride of 0wnership.
The sound of a million fanbois as they screamed "Nooooooooooooo". I sense a disturbance in the reality distortion generator. Set comments to flamebait and activate the extra moderation modules, Captain Taco.
Safari browser has massive security hole.
It's funny how they turned a huge hole in the Safari browser into a commercial for the Mac Air.
"Small size, big holes"
They're nearly perfect mirrors of one another. Really the only difference between this year and last's was the word "Air."
There goes their geek cred. Hey, at least they still sell a metric crap load of iPods!
Part of the game, I think. Make it easier as time goes on, but also less prize money. Not at all something unplanned, game-rule-wise.
Pretty much says that a laptop widely meant for home users was only compromised when allowed access to some of the most widely used applications? I'm not sure what you're trying to say (or not, rather) but a hole in safari is a bit of an issue; unless of course you're just concerned with that server running on your Air ;).
Well. Big shock there. These days, most vulnerabilities require the user to be at the helm.
Good to see that social engineering is still all it requires to compromise something.
Depends if it was a "view this page and you're 0wned" exploit or a "view this page, click accept through some requests, etc" exploit as to how dangerous it is.
... will be using FF for a while until Apple patches ;)
But as a mac user
"The winner, Charlie Miller, gets to keep the laptop and $10,000."
You mean like when your airplane flight is cancelled and the airline offers you a free ticket. Or when the food at a restaurant is crappy and they give you a coupon to eat there again.
Uhh, what? The Air has nothing to do with it. All fully patched machines running OS X with the latest Safari 3.1 are vulnerable to this exploit. And you mean an exploit targeting fully patched Vista SP1 or Ubuntu 7.10 won't make headlines? Think again.
This space for rent.
Seriously... Microsoft can't even pay people to take it, let alone get them to put in effort to get one.
Yes. The totally unbiased facts from a guy with "Mac" in his username.
All Apple products cause herpes.
Sorry it's worth the troll mod. Come on guys the Mac/Apple bashing articles are really getting silly. You might as well add it to the Slashdot logo, "We Love Microsoft and Hate All Things Apple." Honestly look at the numbers of articles pro and against each product line. Then check the postings. Say something pro Mac and you'll get shot down. Say something pointing out issues with PCs and you'll get Trolled. Yes go ahead and troll me but you're just killing the messenger and looking petty doing it.
But the issue is really not which is more vulnerable, it is that you can't run a secure browser and a convenient browser unless they are two separate browsers.
It's time to abandon the general purpose browser. It's also time to quit surfing as your log-in user. You need a browser for surfing that you run (sudo or something) as a strictly limited privilege user without log-in capabilities.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
or safari is just a buggy piece of shit
Looking at the details of the competition, found by following a link in the article, it appears that the competition does not finish after one machine is cracked, but if this were a vulnerability that could be used to also compromise another machine (through say the way they run safari in windows) it is not a valid vulnerability to use to attack the other machine. Also, the guy who won the MacBook Air and the cash can't try for the other laptops as well.
To me, a web hack to worry about (on any platform/browser) is one that can just be triggered by viewing a compromised page (like happens to most unpatched Windows machines that get nailed by drive-bys). I'm not nearly as worried about ones that require user intervention - clicking on a link, button, or something of the sort.
So if the Mac was tagged by just loading a page that delivered the hack, that's bad. Quite bad. If he had to click and download something (and perhaps defeat the auto-quarantine they use), that's not so much a big deal, though still a hole that needs patching.
One of the things about vulnerabilities on all platforms is that a significant part of the magnitude depends on how difficult it is to exploit. Remote connections to a system that avoid/defeat a firewall are really dangerous. Attacks that require the user to do something stupid are inevitable, but far less dangerous.
Thus far most of the Mac vulnerabilities have been the second type. Luckily.
-- Josh Turiel
"2. Do not eat iPod Shuffle."
If you look at their blog it seems the Vista and Ubuntu laptops are still not hacked yet at the end of day 2:
http://dvlabs.tippingpoint.com/blog/2008/03/27/day-two-of-cansecwest-pwn-to-own---we-have-our-first-official-winner-with-picture
Um, wtf does Safari have to do with HP (or anything but Mac)? Nobody uses Safari except Mac users. Nobody.
I know... it shocked me that installing software often didn't require any sort of authentication whatsoever...
lol... I think you know what's wrong with that.
You could look at it this way: cracking anything Windows is pretty much nothing special, it's being done on a massive scale, botnets and zombies considered. What is perhaps a nicer target is a 2,000 dollar MacBook that claims to have a lot higher security than Windows. Motivation being the biggest security danger of them all.
Sigs are too short to say anything truly profound so read the above post instead.
(as more than one person mentions above,) ... that the attack on the mac was the first attempted hack under the relaxed rules. I think it's clear that the hacker wanted the mac, especially since there are known open vulnerabilities that could have been used on MSIE, and some highly probable directions fairly well known on Firefox.
We know that the browser is vulnerable. Anyone who thinks general purpose browsers are invincible is living in a dream world.
The security flaw was in Safari, probably a buffer overflow allowing arbitrary code to be executed. Had Safari been on any other OS with that flaw, the other OSes would be fscked as well, no questions asked. Something like SELinux or AppArmor on the *nixes can help defend against things like that to a point, but it won't stop them all. Bottom line: the OS is a big chunk of the problem, but software flaws and help from PEBKAC make things a whole lot worse.
and sometimes not even then (Firefox user here)
I was referring to the fact that other laptops were available to be hacked in the competition mentioned in TFA (which I know nobody reads). With some of the talk which is seen about Macs being more secure or not needing anti-virus software installed on them, having a Mac hacked before a Sony/Fujitsu machine running Windows (which is well-known as a rather vulnerable OS) would be bigger news than if the Windows machines were hacked first.
Crushing dreams at the speed of sarcasm
You're going to have to ditch that line of reasoning in proportion to the market share that Macs get. Windows machines are now heavily battle tested. Macs are not battle tested, and it is now becoming apparent.
So it is just coincidence that Apple are now pushing an unsafe Safari to Windows users (http://apple.slashdot.org/article.pl?sid=08/03/27/129236)?
;)
Or am I being a conspiracy nut?
--I thought I was wrong once, but I was mistaken.
It's Twitter imitating Macthorpe.
sudo (especially, M$'s patented snake-oil version of sudo) all by itself isn't enough.
You have to have single-purpose browsers, and they can't be just parameterized instances of the general purpose browser (and, no, the current MSIE is not even such a parameterizable browser).
The Mac was hacked 2 minutes into day 2. After day 2 was over no other OSs or browsers had been hacked. Period. Give it up. Safari sucks. The web is a jungle. Tame it by not using Safari on your Mac.
I haven't RTFA but from the surface it sounds like a fair exploit test, and sure it only fell over with user interaction, but it still fell first. So good on them, they'll enjoy their prize of a macbook air and a sweet $10k.
Wow, at +4 already for just quoting the summary and tossing in a vague and meaningless sentence.
So anyway, what exactly is it saying? The only thing I see there is that a completely passive attack (that is, absolutely no user interaction, like many well-known worms worked) failed. Once this part of the test was passed they allowed interactive attacks (where the user must assist the attacker in some way). Since this is how nearly all malware and malicious software spreads these days, I don't see anything wrong with this. Aside from just attaching hardware to the network, a web browser and email client are the two applications with the most Internet "surface area". As all major operating systems come bundled with a primary browser (IE, Safari, Firefox) a flaw in the browser essentially amounts to a flaw in the OS. It seems natural and obvious to put them to the test.
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
Sudo runs things as the super user, hence the name......this is not what you want if you are going for higher security.
I think you are advocating mandatory access control, not separate user logins or separate browsers. Running a program under a separate user helps nothing if that 2nd user has the exact same access to the system as your own user. There is no difference. Even a less privileged user isn't a good security method. In Vista there is some protection for IE7 because the browser runs in the low integrity level (vista has "integrity levels", medium is the default).
I'm also not quite sure what you mean by a 2nd browser, you mean one specifically for visiting sites you don't trust? Care to explain how you have condensed every site on the internet into a list of sites you trust and sites you don't? Or perhaps how you intend to limit the contact this ultra secure browser has to any location on the internet but what you intended?
According to secunia Vista has 2 minor vulnerabilities unpatched, Ubuntu 0, and OS X 6 vulnerabilities.
Sudo runs things as the super user, hence the name......this is not what you want if you are going for higher security.
Actually "su" stands for "switch user". You can just as easily sudo to _any_ user.
as it says in the article.
2nd day was default Apple apps.
Encouraging that the Ubuntu box survived the second day (Sony VAIO VGN-TZ37CN); surprising that the Vista box did as well. (Fujitsu U810, 800 MHz Intel A110, but it does have 1G RAM. 40G HD isn't all that interesting.)
I really think sony doesn't want to sell laptops to people who know anything about them. Finding information on that VAIO on sonystyle.com is like pulling teeth.
Agreed. I can't live without Firefox, no matter what OS I'm on.
There's no conceivable way that the exploit was discovered and attack code written in two minutes. Hell, I could barely write a slightly sophisticated 'hello world' app in that time (maybe I'm just a slow typist, or he's an android.)
From what I've seen, (correct me if I'm wrong) the rules stated that no previously disclosed vulnerabilities could be used. So, if this guy kept quiet for a few weeks, he could have used exploit code he had already developed.
The Vista system didn't have Nvidia graphics cards... Nvidia's woes.
Memory is deceptive because it is colored by today's events. - Albert Einstein
What the parent was suggesting is to create an account with very limited access and to run the browser as that account using something like: `sudo -u sandboxaccount browserbin`.
The contest was also sponsored by the likes of Google, Cisco, Adobe, some security folk... They must all have it in for Apple, oh no Apple is screwed! Plus if you read how the contest was run, it's hard to make the case that this was all pro-MS.
Get the facts... Up to the point where they support your agenda and then punt.
Try doing that when you don't have physical access to the machine in question. It seems that Safari is the Mac's equivalent of Internet Explorer in that it can be a major security problem. It's something Apple really needs to get under control lest they actually become as fubared as Windows often is. It's inevitable as it stands, as the Mac gets more popular and its users less knowledgeable about how to secure their systems.
Given that the Mac was using Safari and now he has the Air he knows to use Firefox, I would say that he is very happy. OK, I admit to being a FB and I know which one I would have wanted to take home.
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
I think he's trying to say that since the Mac was not compromised on Day 1, it's secure and was only hacked under the relaxed rules. But that logic falls on its face once you consider that the rules were relaxed for the other two OSes as well.
1.2 GHz, but Core 2 duo, 2G RAM, 100G HD.
So the Vista box is the cheap one. But it's still small and lightweight, so a worthwhile prize even if not the top prize.
If it were in my neighborhood, I might go by and pick one or the other up (if no one beat me to it). I want a lightweight portable to take on the train.
I'm typing this on a Macbook Pro running Safari, and I'm happy about the results of this competition. As Apple computers (slowly?) gain market share, they will eventually be forced to significantly adjust their terrible attitude in terms of security.
I would rather have Apple "shamed" into providing me (and other OS X users) a more secure web browser/operating system than gain some pathetic "my system is more secure than yours" bragging rights.
Ownership (no pun) was the key to understanding this. A real contest would have let the winner (the first to hack in) keep one of the computers they did not break. The contest doesn't measure much when the competitors target the one they want to win: the sexiest machine, so they attack it.
Instead, if they had a choice, they would attack the weakest machine and you'd see people voting with their feet as to which machine was the weakest. An actual measurement.
Instead you got a beauty contest. Which Apple apparently won.
Some drink at the fountain of knowledge. Others just gargle.
Are you for real? Did you bother reading that article and seeing the fine print? The laptops were tested in parallel all day and the Mac fell first; the other two were tested for the rest of the day and weren't hacked, so they go to the next round with relaxed rules (3rd party s/w installed). It's extremely funny that you did exactly what you're accusing others of doing. Nice self-pwnage.
In other words, the first to hack it gets it! Who wants a Vaio or a Fujitsu anyway? Given a choice between the three, I'm sure everybody wanted the MacBook Air. Naturally, the only machine getting the pounding is going to be the first to crack.
... Zzzzzzzap.... couldn't.... Zzzzzzzzzap. ... agree... Zzzzzzzzzzap.... more. ;)
Yes, that sounds logical, if your genitals are hooked up to a car battery.
The winner got to keep the unit AND 10,000. So OBVIOUSLY they should crack the easiest unit, flip it on ebay, and then buy whatever they actually want, while pocketing the remaining 8-9 grand...
So... the moral of this story? Never underestimate the ability of an Apple fan to rationalize how the Mac could be the first to fail, yet still be the finest computer in the competition. d(^_~) [Thumbs up!]
I
Yeah. A Laptop is safe, even connected to a network, provided you make no contact with the network as the user.
Like my car - very very safe as long as you don't back it out of the garage.
Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
> And there's part of the reason why MSIE under Vista has given us a number of admin-level vulnerabilities, in spite of this security model.
If you turn off UAC, PIE gets turned off as well. So if there is a MSIE vuln and UAC is turned off, here you go: admin-level vulnerability in Vista.
I'm not interested in Vista. Vista seems to be struggling to get a foothold in the market place.
But:
Security doesn't seem to be its problem. Compatibility and performance are. I don't know why people are surprised whenever Vista performs reasonably well in some security evaluation or another - other than a reflexive dislike of Microsoft, I haven't seen anything that would incline one to assume Vista would lose this sort of contest.
You're right. With a stricter firewall, the browser wouldn't have been able to fetch anything over the internet at all.
That's basically the point.
As long as the browser has the ability to be re-directed to any site but the site it was defined for, you're going to have spoofing.
As long as you have spoofing, you're going to be losing your tokens.
Yeah, I know that having multiple single-purpose browsers that a general-purpose browser can invoke opens loopholes, but that's also part of what running as a separate user is for.
sudo isn't a sandbox, but it can put some walls up between a browser user and the log-in user.
But I am wondering what the difference between the CNB and CNP is. Color?
Only vulnerabilities which were not previously released were allowed. There are un-patched vulnerabilities (8 of them) for IE7. There are no known un-patched vulnerabilities for Safari 3. This means that discovering a new vulnerability for Safari (which has 8 total advisories for the two most recent versions) is bigger news than discovering one for IE (which has 148 for the two most recent versions). Obviously, if more exploits are discovered, then it will be less of a big deal.
One should not draw the conclusion that Macs are less secure than PCs from the results of twenty people going at them in a room for a day.
It was all due to a flaw in Safari. If anything, Safari sucks.
I am an apple fan and enjoy a lot of their products.
There is no way any system can be perfectly secure, but this is a significant hole. While they probably won't get me to click that stupid link, they might get my mom or any number of the other avg everyday users.
At least now we can get beyond the "Macs can't be hacked" BS and move on to securing my favorite OS and keeping it that way.
Now let's see how long it takes for Apple to post a patch; that is really where the rubber meets the road.
Sounds a little fishy to me. It's not surprising that an exploit that affects a Mac's native browser doesn't affect native browsers on Ubuntu or Vista, and I can't imagine that surprising anyone else. Likewise, I wouldn't expect an exploit of Vista's native browser to affect Ubuntu or Mac. What is fishy (and seemingly incidental) is that the Mac exploit came first, likely because it's the more desired result: to win the MacBook Air. Why weren't all 3 laptops MacBook Airs, I wonder? One running Leopard, one Vista, and one Ubuntu? Seems like that would level the playing field. But if there is only one MacBook Air, obviously, cracking that is first prize.
The Admin and the Engineer
They implemented the Biba Integrity model, which isn't exactly slapped together. The idea is that the data that comes from the web is untrusted, and therefore is of low integrity. Data from the system itself is trusted, and thus of high integrity.
A low integrity process cannot write to a high integrity process, so bad information (like malware) cannot get to the system. Likewise, it cannot write to any medium integrity objects (windows, files, processes, etc.), such as those owned by the user running the browser. This means that a buffer overflow exploit in a plug-in will not allow the code to write to the filesystem outside its sandbox, nor will it be able to do things like hijack your homepage.
Of course no security system will prevent you from entering your CC# into a fraudulent online store, so it still has to have a phishing filter.
dom
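The comments above (this one on the Biba model behind Protected Mode IE7, and the earlier one on Vista's low/medium integrity levels and what happens when UAC is off) describe a "no write up" rule in prose. The following is an added toy model of that rule, written for this thread and not Windows or Microsoft code; the object names, the audit format and the `demo()` scenario are constructed for illustration.

```python
"""Toy Biba-style integrity check: a low-integrity browser may read user and
system objects but may only write to objects at or below its own level."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional


class Integrity(IntEnum):
    LOW = 1      # untrusted data from the web; the sandboxed browser runs here
    MEDIUM = 2   # Vista's default level: the logged-in user's files, windows, processes
    HIGH = 3     # the system itself


@dataclass
class Obj:
    """A labelled object: a file, window, process or registry value (constructed)."""
    name: str
    level: Integrity
    data: str = ""


@dataclass
class Subject:
    """A running process carrying an integrity label."""
    name: str
    level: Integrity


@dataclass
class System:
    objects: Dict[str, Obj] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def add(self, obj: Obj) -> None:
        self.objects[obj.name] = obj

    def can_write(self, subj: Subject, obj: Obj) -> bool:
        # Biba *-property, "no write up": modify only objects at or below your level.
        return subj.level >= obj.level

    def write(self, subj: Subject, name: str, data: str) -> bool:
        obj = self.objects[name]
        verdict = "ALLOW" if self.can_write(subj, obj) else "DENY"
        self.audit.append(f"{verdict} write {subj.name}({subj.level.name}) -> {name}({obj.level.name})")
        if verdict == "DENY":
            return False
        obj.data = data
        return True

    def read(self, subj: Subject, name: str) -> Optional[str]:
        # Reads are not restricted by the rule the post describes, so any level may read.
        obj = self.objects[name]
        self.audit.append(f"ALLOW read {subj.name}({subj.level.name}) -> {name}({obj.level.name})")
        return obj.data


def build_system() -> System:
    sysm = System()
    sysm.add(Obj("system/hosts", Integrity.HIGH, "127.0.0.1 localhost"))
    sysm.add(Obj("user/homepage_setting", Integrity.MEDIUM, "http://example.invalid/start"))
    sysm.add(Obj("browser/cache/page.html", Integrity.LOW, ""))
    return sysm


def demo() -> dict:
    """Run the scenario from the thread and return what each access attempt yielded."""
    sysm = build_system()
    # Protected Mode: the browser (and anything a plug-in overflow runs inside it) is LOW.
    browser = Subject("iexplore-protected", Integrity.LOW)
    # The user's ordinary processes run at MEDIUM.
    user_proc = Subject("explorer", Integrity.MEDIUM)
    # With UAC (and thus Protected Mode) off, the browser inherits the user's MEDIUM label.
    browser_unsandboxed = Subject("iexplore-no-uac", Integrity.MEDIUM)

    evil = "http://attacker.invalid/"  # constructed value an exploit might try to plant
    return {
        "browser_writes_cache": sysm.write(browser, "browser/cache/page.html", "<html>"),
        "browser_hijacks_homepage": sysm.write(browser, "user/homepage_setting", evil),
        "browser_writes_system": sysm.write(browser, "system/hosts", "0.0.0.0 bank"),
        "browser_reads_homepage": sysm.read(browser, "user/homepage_setting"),
        "user_writes_homepage": sysm.write(user_proc, "user/homepage_setting", "http://example.invalid/new"),
        "unsandboxed_browser_hijacks_homepage": sysm.write(browser_unsandboxed, "user/homepage_setting", evil),
        "audit": list(sysm.audit),
    }


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The audit trail is the defender's view: the DENY lines are exactly the events the integrity check exists to produce, and the last ALLOW shows why turning off UAC removes that protection.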
"Super user do", sounds better than "switch user do", so from here on, that's what it's going to stand for. I'm also changing the G in GNU to stand for GNU *is* Unix. Good day to you.
Particularly stack based buffer overflows are well protected nowadays.
Not sure how many of these OSX has, though could just be my ignorance on the matter.
Well, there's some truth to that.
... there was one unusual rule. Only non-published exploits could be used. So, for example, if there was a published but still unpatched vuln in Vista or Ubuntu, those couldn't be used.
However, there's also a $10,000 prize for today.
And despite that, neither the Vista box nor the Ubuntu box were hacked at all on day 2.
Day 2 allowed user interaction (like browsing to a website) but only allowed targeting software that ships with the product.
That being said
So part of this was timing or withheld disclosure. For example, it seems to me that a security company could find a hole and then sit on it and never disclose and save it until cansecwest.
Can't we admit that, for whatever reason, the Air/Safari was easier hacked than Vista/IE7? I know this is an unpopular bandwagon to be on, especially on Slashdot, but it seems there's no two ways about it. I refuse to believe that it was a conspiracy and that every hacker was actually just trying to hack the Air and make Ubuntu and Vista pass, that's stupid. If I were a hacker, I'd totally hack the EASIEST one simply to get the $10k and the laptop. And if there were known or open vulnerabilities, it should have fallen in what, 30 seconds?
Seriously, it's not a huge deal. If we, like good open source cronies, admit that there was a problem with *gasp* part of the Apple software/laptop combo (whether it was Safari or the OS or whatever), then maybe it will be fixed. Isn't that the main idea here? I thought the point of these things was to discover vulnerabilities so that they could be fixed, not to place bets on Microsoft falling and go up in arms if it doesn't.
Unless, of course, we really aren't interested in open source software or good software at all, but are more about claiming a company name as our own.
If a Vista machine had been first there would be a 'haha' tag on this article, as well as on yesterday's article talking about how MS issues patches faster.
Just sayin...
You can buy 4 Macbook Airs for $10,000. Or 25 iPhones. So if it were easier to crack Ubuntu or Vista, people would've definitely gone for it. And the prize for cracking on the first day was $20,000 each. The people who tried to go for the Macbook Air while sitting on Linux and Windows holes would be really stupid.
It is difficult to get a man to understand something when his job depends on not understanding it.
Parents are still in safe browsing grade school. Let me help you get right to the PhD level of safe browsing - http://www.tssci-security.com/archives/2008/03/25/security-and-safe-browsing-for-firefox/
Horns are really just a broken halo.
No other exploit came at all today. There's still thousands of dollars to be won. The motivation for the entire day less two minutes was fully on Windows or Ubuntu. But they didn't crack yet.
It's not a guarantee that the first to fail is the weakest, there's definite elements of chance and some complex interactions. But it was done with Safari, which is part of the default distribution of a Mac and it's not exactly easy to not use Safari for at least long enough to download Firefox.
You seem to forget that the Apple people survive on diets of Starbucks Skinny Lattes and Skinny Blueberry muffins and have spent so much on their MBAs that they can only afford a maximum of one each per day as they sit in an appropriately placed chair such that everyone who walks into the store gets the reflective glint of the Apple logo directly in their eyes as they walk in.
Ultimately, this miniscule diet, along with sitting about and posing all day without any form of exercise, results in extreme muscle wastage eventually making it impossible for the Mac user to even attempt to try and carry something as big as a Dell XPS.
As it happens, this is part of Apple's own marketing strategy because as muscle wastage continues, even the MBA becomes too heavy, so the unfortunate Mac owner then needs to buy something even lighter in order to continue to enjoy the computing experience. Thus the way is paved for an even lighter machine to be released.
Gentoo Linux - another day, another USE flag.
I was pretty surprised when Dell finally started putting some effort into their laptop designs. For example, take the XPS m1330 that came out last year. It's actually really nice. I wanted a near-ultra-portable but *powerful* Ubuntu laptop and was within a hair's breadth of getting a MacBook Pro. (The Air is a slick design, but the power just isn't there.) Then I found out I could get something every bit as powerful as a high-end MacBook Pro in the form factor of a 13" MacBook, only lighter, and for less money. (Caveat to follow.) Then I found out that the design actually looked nice. Nicer than the MacBooks to my tastes. (Seriously, it's time for a design update, Apple.) On top of that, the m1330's design makes a fair bit of ergonomic sense too. The laptop tapers down towards your wrists, rather than the tendinitis-inducing edge on MacBooks.
Even more surprising, the m1330 is really well supported in Ubuntu. (Dell actually sells the m1330 with Ubuntu pre-installed, although the discount is rather pathetic.) More things just work in a default install of Ubuntu on the m1330 than in Vista! (The only thing that doesn't work as well in Ubuntu as it does in Vista is the fingerprint reader, but that's just because biometric password support in Linux, and KDE especially, sucks dingo balls at present.) And yes, if I bought a MacBook I probably would have tossed the OS X disks and reformatted the drive first thing. I've had to develop under OS X and, while I don't mind it, I definitely prefer Ubuntu.
Caveat time. Dell's customization options are still royally borked. You can pick up a lot of accessories, like Bluetooth mice, fairly cheap when buying a laptop, but other components are just insanely expensive. Anyone who maxes out the memory on a Dell while ordering it and then complains about the price is an idiot. Upgrading the memory on a Dell won't void the warranty. You want 4GB? Get 1GB from Dell, toss it, and buy a couple of 2GB sticks yourself. You'll save at least a couple hundred dollars. If Dell would smarten up about that kind of thing I'd have no complaints.
Still, one thing is pretty clear. You can no longer mindlessly slag Dell for epitomizing bland and crappy laptop designs. They do still have ultra-cheap crap and bland bricks built like tanks for the corporate types, but they're also gunning for the sexier end of the market now.
Actually, "su" does indeed stand for "super user". Originally, it could only switch to root. The capability to switch to arbitrary users was added later, and "switch user" is a backronym.
While we're on the subject, guess what "dd" stands for? It's not "direct dump" or "disk destroy". It's "character copy".
Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
LMAO.. I think you got everything right except the last question:
Why is the sky blue? Do I look like Einstein? Apparently the sky is blue because of some phenomenon called Raman Spectroscopy. I tried real hard to understand it while studying physics and ended up with a headache. In other words, this guy most likely found a security bug in Safari, but instead of reporting it directly, made an exploit and waited for a hacking contest to get a monetary benefit out of it. A real hero. Or maybe he was just quick. Which seems more plausible?
I demand the Cone of Silence!
Many people in this thread keep praising privileges restriction (be it UNIX user management, IE7 sandboxing, virtual machines, or anything else) as the ultimate solution to desktop security.
While this can reduce the chance of being "totally r00ted", you can still get "pwned" pretty badly. As long as you use your sandboxed browser daily, and have any kind of permanent storage for bookmarks / cache / saved files / etc., you still risk becoming a botnet zombie, spam machine, DDOS node, pr0n/warez share, whatever. Who cares if that all works under restricted privileges.
So, by all means, manage your privileges, but beware the fake safety feeling that gives you.
-
Mac, Windows, Ubuntu. Whatever. Vulnerabilities have been found in all 3 in the past and will continue to be found. All 3 can be 0wned.
-
The config of these 3 machines and the list of installed apps was published a couple weeks ago. People had time to research and prepare exploits in advance. This is what Charlie Miller did.
-
Someone in possession of a Windows exploit would know its value is worth more than the prize of $10k offered in this contest. Some big companies or govt agencies would offer at least $50k+.
-
However due to the smaller market share of Mac and Ubuntu, the street price of a vuln for these platforms is probably comparable or lower than the $10k contest prize.
-
Therefore the prize was worth it and Mac or Ubuntu was bound to be the first platform 0wned in this contest.
-
Charlie Miller chose to attack Mac instead of Ubuntu for no specific reason: randomly, or had a preference for Mac/Safari, or wanted a Mac Book Air, or found first interesting results on the Mac while fuzzing both...
He is likely capable of 0wning the 2 of them anyway.
Although I find the contest fun, it adds some entertainment value to CanSecWest, nothing can be concluded from it. New 0-day in Safari? Wow, big news. Film at eleven.
Yes, the walk of shame with a $3,000 laptop that's highly ebay-able and $10,000 in prize money. I wish someone shamed me like that.
The World's Worst Webcomic!
It's CanSecWest, not CamSecWest. Or is that country now called Camada? I guess, there, everyone is a Camedian...
$nice = $webHosting + $domainNames + $sslCerts
Perfect is the enemy of done.
Yes, a good thing, but there is of course no guarantee that it wasn't already discovered by someone else also...
"Give me six lines of C++ code written by the most competent programmer, and I will find enough in there to hang him."
After all, why spend so much money to develop malware or a virus for a system that is being used by one half of the 5% of the population who happen to surf to a website?
Costs include the Apple Developer's Program, buying a Mac to develop and test on (and everyone knows it's not as easy as Visual C++), and assorted tools.
Too much effort for a reasonable payoff.
And secondly, Mac users tend to be richer, well-studied and well-off, so the chances of them getting angry and responding with a lawsuit are higher.
"Doing what i can, with what i have." ~ Burt Gummer
I am worried that Apple is assuming too much about the security of the Mac OS X operating system. I am a long time user (since first beta) and it has been an incredible ride, but I'd really like for Apple to "step up" and take this bull by the horns and let the world know that they are very serious about security and eliminating *any* means of intrusion, either automated or user driven... and not just rely on the FOSS community to remedy the security problems in the software that they have incorporated into the OS.
Just as long as they don't implement some Vista like "Allow or Deny?" crap... God that would drive me *nuts*!
"To make a mistake is only human; to persist in a mistake is idiotic." Cicero
That exploit is exclusive to Safari for Windows, which the laptop running OS X would not be using. The OS X/Safari combination is what's being tested, not Safari for Windows, which, I imagine, almost no one uses (except when they've accidentally installed it thanks to Apple's "surprise" update).
I'm not saying "OMG anything which implies that Macs are insecure is FUD", I'm saying that the results of twenty people trying to crack things in a day's work is not a very good indicator of overall security. Especially when any previously known exploits are not allowed.
It's not that OS X is completely bereft of security holes. However, there is less OS X malware than its market share would indicate, which suggests that it is at least a little harder to create malware for OS X. If Mac users are usually richer, then that would make a more tempting target for malware, since the personal information that could be gleaned would be more valuable.
Also, Apple's XCode development suite is free. The developer program gets you things like OS seeds, tech support, hardware discounts, and extra resources. One does also not need to buy a Mac to run OS X, but can merely run OSx86 on a PC.
While the quick win makes for a perfect headline and reflects the Hollywood image of "hackers" that twiddle on a keyboard and almost instantly "access the mainframe" while a counter runs in the background, a more intelligent question is: why did the Mac get hacked first, and why was the attack so quick?
CanSecWest and Swiss Federal Institute of Tech Deliver Attacks on the Reality of Mac Security
Personally, I'd have headed straight for the Windows machine to try for the $10,000.
Probably the former - the rules state that they judges will only visit a malicious webpage. I'm pretty sure they used to explicitly say that they wouldn't even click on any links on that web page - I'm not sure if this has changed, or if there are more detailed rules elsewhere.
The trouble is, they didn't implement the Biba security model - they only implemented part of it. More specifically, they implemented the "no write up" rule which prevents low integrity processes writing to high integrity stuff (well, most of the time - I think there are ways for low integrity process to talk to high integrity ones). However, they didn't implement the "no read down" rule at all - high integrity apps can and do read low integrity data.
Why does this matter? Well, suppose you have something like the WMF vulnerability, which can be exploited if you preview the file in Windows Explorer. All a website has to do is to download the file into the sandbox and trick the victim into previewing it.
Unfortunately, the proper Biba integrity model is probably totally impractical for desktop use.
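To make the "no write up" versus "no read down" point above concrete, here is a small added illustration (not code from this thread, and not how Windows implements integrity levels): a toy reference monitor in which the second Biba rule can be switched on or off, replayed against the downloaded-file-preview scenario. The integrity levels, the browser, the previewer and the files are all constructed stand-ins.

```python
"""Biba integrity checks as described in the comment above.

This is an added illustration, not code from the thread or from Windows:
a toy reference monitor with two switchable rules.  Levels, the browser,
the file previewer and the files are constructed stand-ins.
"""

LOW, MEDIUM, HIGH = 1, 2, 3  # constructed integrity ordering: larger = more trusted


class IntegrityMonitor:
    """Always enforces Biba's "no write up"; enforces "no read down" only
    when asked, mirroring the partial implementation the comment describes."""

    def __init__(self, enforce_no_read_down):
        self.enforce_no_read_down = enforce_no_read_down

    def can_write(self, subject_level, object_level):
        # No write up: a subject may only modify objects at or below its level.
        return subject_level >= object_level

    def can_read(self, subject_level, object_level):
        # No read down: a subject may only consume objects at or above its level.
        if self.enforce_no_read_down:
            return subject_level <= object_level
        return True


def preview_scenario(monitor):
    """Replay the comment's scenario: a low-integrity browser saves a file and a
    medium-integrity file previewer (think Explorer) opens it.  Returns the
    access decisions so the gap between the two policies is visible."""
    browser = LOW
    previewer = MEDIUM
    downloaded_file = LOW      # objects created by the browser inherit its level
    user_documents = MEDIUM
    return {
        "browser_saves_download": monitor.can_write(browser, downloaded_file),
        "browser_modifies_user_documents": monitor.can_write(browser, user_documents),
        "previewer_opens_download": monitor.can_read(previewer, downloaded_file),
    }


if __name__ == "__main__":
    for label, enforce in (("no-write-up only", False), ("full Biba", True)):
        print(label, preview_scenario(IntegrityMonitor(enforce)))
```

With only "no write up" the browser cannot touch the user's documents, but the previewer is free to open the low-integrity download, which is exactly the path the comment worries about; turning on "no read down" denies that read, and also shows why the full model is awkward on a desktop, since a trusted viewer could never open anything the browser fetched.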
Ah, the pride of pwnership.
there, fixed that for ya...
the significance of a signature is insignificant
Social engineering does more damage than you can undo with whatever vista+IEwhatever can undo. My lawyer is going to click yes if the bait looks good enough to her.
The only way to get in the way of that is to get in the way of that: Special purpose browsers that don't have a place to plug in a URL. And even that is not good enough, but it's better than trying to use ACLs to build walled gardens like this "integrity levels" thing Vista has.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
Safari has an unpatched security issue. Safari sucks. Safari is still a great browser; now it needs a security patch. Tame that jungle by checking out what you're clicking.
.... for the mac fanboys to cover all the flames heading their way. reap what you sow kids.
If you mod me down, I will become more powerful than you can imagine....
You fanbois are embarrassing, the second day prize was $10,000. I know inside your reality distortion field people will give up 4+ Macbook Air's worth of prize money just to get a single Macbook Air, but the rest of us aren't rabid fanbois so we find this logic a little thin.
that's a fucking weak defense even for a maccie
If you mod me down, I will become more powerful than you can imagine....
Dude, you post this link in every article, but you are not funny. Please stop.
You are forgetting the mobile users with S60 phones (http://www.s60.com/); it's a fork of the same WebKit core that Safari uses for its browser engine.
Of course we don't know if the problem is in the engine or the interface. It could still be Safari specific.
New things are always on the horizon
No one is going to be interested in the fact that it required user-assistance and can't be executed remotely (which are by far the most worrisome.)
Nice.
That's going to be hard to manage, though.
Still prefer special purpose browsers, though. If we could get them, and some way to at least parameterize an instance so that it would skip the domain name servers and go direct to the bank and to the bank's watchdogs, and shut down if the bank or the watchdogs failed to provide the correct tokens.
On the other hand, if the banks get to the point where the insurance companies can't keep up with the phishing, maybe we can all agree that money shouldn't be that valuable anyway. (Yeah, I know that's a huge social re-engineering project I'm suggesting. Just daydreaming.)
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
none of the machines got compromised. Including the Vista and Ubuntu machines.
This essentially means "at that moment in time, there were no available* 0-day remote vulnerabilities for those systems".
*I actually mean "no available 0-day remote vulnerabilities worth <=~20,000"
The thing I enjoy most about the responses to this article is the rather predictable "Ha, so Apple DOES suck!!! Take that fanbois!" responses. It's certainly true that this is an important find and that an exploit in the wild is something to be concerned about. But the point of this is really that there's no such thing as a secure OS yet (and there probably never will be). Not unless you've removed the power source from your system, encased it in concrete and sunk it to the bottom of the sea.
The perceived general level of security in a system can be directly correlated to the most recent compromise of that system. The fact that the Linux and Windows systems involved in this contest have not yet been compromised does not indicate that they are more or less secure in a general sense than the Mac. It does indicate that no one has found the vulnerability that inevitably lurks within the kernel or a piece of installed software on those systems. But rest assured, the exploits are there.
"FireFox is more secure than IE", you say on Monday. Then Slashdot posts "HUGE FRIGGING HOLE FOUND IN FIREFOX: DOOM!!!" on Tuesday. And suddenly the absolute statement you've made sounds silly.
If you don't believe this is true, try this: get hold of a system exactly like the ones currently considered "unhackable" in the contest and disable any automatic updates (and don't install any manually). Wait three months and then compare that system against one with the most recent updates. You're sure to find that your unhackable system is now full of known exploits and security holes.
The systems we rely on today are very complex and in a very real sense cannot be completely understood. There are techniques that can make them generally more secure and all of the OS developers are working to bring these features online every day. Some are better at this than others (or so it seems), but they all do it. Even Microsoft. But the thing about security is this: the bad guys only need one hole and the good guys have to cover all the bases.
The only real security in a system comes from user practices, not software. If you don't install updates on your system, it will be vulnerable. If you don't consider HOW and where you use your system, it will be vulnerable. In other words, the core component in a secure system is YOU.
It's probably true that there is a "most" secure OS and a "least" secure OS right at this moment. Take a guess which is which and you might even be correct. But there's no absolute answer that will be true tomorrow. We need to stop with the absolutes and "MY FLAVA ROCKS YER FLAVA" hyperbole and start to think more like real security experts do. The next big hack for your favorite OS is just around the corner. And there's no doubt about that.
You forget that the people with all the windows exploits can make far more selling them to russian hackers and/or bot herders.
With windows it's much more lucrative to remain quiet with what you've found.
No, I think it's more like saying walled gardens don't prevent date-rape.
You do understand that the butler, or your date's little brother, or some random passerby is going to be peeping through the hole in the wall?
Yeah, yeah, allegories. Here's another:
Saying purpose specific browsers would have prevented the web from taking off is kind of like saying that nobody used the web until Microsoft put MSW95 and IE 3 out. MSW95, complete with its default world read/write permissions.
We don't all have to have our hands in each others' pants to dance.
You take your machine off the internet. One less trojaned box isn't much, but every little bit helps.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
I don't know what the hole was, but Safari has had a problem since it was launched. In LaunchServices.
Apple followed Microsoft's insane design of using the same set of bindings for local and remote contents. Apple needs to either split LaunchServices in two, or allow applications registered with LaunchServices to specify on a PER APPLICATION basis (not a PER BINDING basis) whether they are prepared to handle untrusted content or not. If an application is not registered as a handler for untrusted content then Safari, Mail, and any other web application would NEVER use it as a handler for content from an untrusted source.
Oh, and no web page or email message is a trusted source, no matter how the content is signed or where it comes from. The source that is untrusted is "this is a web page" not "this is a document on the local machine".
Oh, and sorry, they have already started using the "allow or deny" crap. That was their first response to the problem. When that didn't work they at least stopped making 'Open "safe" documents after downloading' off by default. Now they have to take the logical next step.
My earlier comments on this.
I'll disagree with the statement, but I will agree that layers are an important aspect of security.
As such, I'd really like to see a sandbox for firefox. I'll go a step further, and how about a "network sandbox environment" for Linux. In essence, I'd like a jail and into that jail put firefox, thunderbird, plugins, and various helpers. I want security without having to compromise usability, and I don't think it's an impossible goal. Sure, a compromise in the jail could lose everything in the jail, but nothing more. As an aside, the jail should be something like unionfs, with a RW ramdisk and RO hard drive. Some mechanism, possibly automatic, possibly manual, would be needed to copy downloaded files to the hard drive and/or get them out of the jail.
None of this sounds like rocket science, and jails are reasonably secure as long as you restrict what's inside them. (no setuid, etc)
The living have better things to do than to continue hating the dead.
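Two of the rules the jail comment above lays down can be checked mechanically: nothing setuid or setgid inside the jail, and nothing writable except the RW ramdisk layer. The following is an added example, not code from this thread or any project; the policy lives in audit(), which takes (path, st_mode, st_uid) triples so it can be run on the constructed listing below, and scan_jail() feeds it a real directory tree. The paths, modes and jail uid in the listing are made up for illustration.

```python
"""Audit a browser jail for the rules the comment above asks for:
nothing setuid/setgid inside it, and nothing the jail user can write
outside the RW ramdisk layer.

Added example, not the thread's code.  audit() holds the policy and works on
(path, st_mode, st_uid) triples so it can be exercised on constructed input;
scan_jail() feeds it a real directory tree.
"""
import os
import stat


def audit(entries, rw_prefix, jail_uid):
    """entries: iterable of (path, st_mode, st_uid).
    rw_prefix: the only subtree allowed to be writable (the ramdisk layer).
    jail_uid: the unprivileged uid the browser runs as inside the jail."""
    findings = {"setuid_or_setgid": [], "writable_outside_ramdisk": []}
    rw_prefix = rw_prefix.rstrip("/") + "/"
    for path, mode, uid in entries:
        if not stat.S_ISREG(mode):
            continue  # directories, symlinks and devices are out of scope here
        if mode & (stat.S_ISUID | stat.S_ISGID):
            findings["setuid_or_setgid"].append(path)
        # Writable by the jail user as owner, or by anyone via group/other bits.
        owner_writable = uid == jail_uid and mode & stat.S_IWUSR
        others_writable = mode & (stat.S_IWGRP | stat.S_IWOTH)
        if (owner_writable or others_writable) and not path.startswith(rw_prefix):
            findings["writable_outside_ramdisk"].append(path)
    return findings


def scan_jail(root, rw_prefix, jail_uid):
    """Walk a real jail directory and audit what is found there."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            entries.append((path, st.st_mode, st.st_uid))
    return audit(entries, rw_prefix, jail_uid)


# Constructed listing of a jail: (path, st_mode, st_uid).  0o1xxxxx is a regular
# file, 0o04xxxx a directory; uid 1001 is the made-up jail user.
SAMPLE_JAIL = [
    ("/jail/usr/bin/firefox", 0o100755, 0),
    ("/jail/usr/bin/su", 0o104755, 0),                         # setuid root: must not be here
    ("/jail/usr/lib/plugin.so", 0o100666, 0),                  # world-writable on the RO layer
    ("/jail/home/sandbox/.mozilla/prefs.js", 0o100644, 1001),  # jail-user-owned, outside ramdisk
    ("/jail/tmp/download.pdf", 0o100644, 1001),                # fine: inside the ramdisk
    ("/jail/tmp", 0o040777, 0),                                # directory, skipped
]


def demo():
    return audit(SAMPLE_JAIL, rw_prefix="/jail/tmp", jail_uid=1001)


if __name__ == "__main__":
    for rule, paths in demo().items():
        print(rule, paths)
```

The owner-writable branch is the one that usually bites: a browser profile that lives on the hard-drive layer and is owned by the jail user is persistent state a compromise can poison, which is why the comment wants everything writable confined to the ramdisk and copied out deliberately.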
The source that is untrusted is "this is a web page" not "this is a document on the local machine".
Should read: "The source that is untrusted is "this is a web page" not "this is a document on a remote machine"."
When that didn't work they at least stopped making 'Open "safe" documents after downloading' off by default.
Should read: "When that didn't work they at least stopped making 'Open "safe" documents after downloading' on by default."
Apologies, I should have used preview.
You can do that - no "if" and "could" required. If you have trouble authenticating to the X server when starting the browser under another UID, read the manpage for 'xauth'.
If they had hacked the Vista box yesterday, the prize was 20k. Throw the Vista box in the trash, buy a MacBook Air, and pocket at least $15k. Obviously this is a better economic outlook and obviously it didn't happen. You have to believe people were trying and not just resting on their laurels until day 2.
Do you people really have that much difficulty in visualising the possibility that other people out here have absolutely no interest in the colour, shape or logo on a device but prefer to buy something based upon how well it is built, how well it meets our needs and its price?
I personally have absolutely no need for status symbols. I am quite confident that when people meet me, they will make up their own minds about me based on how I talk to them and my general bearing and if they do need to see some kind of status symbol to make a judgement about me, then they're probably such shallow minded individuals that I have no interest in knowing them either.
If you personally feel that you need to display some kind of corporate logo to get on in life, then that can only mean you have personality failings elsewhere due to a lack of confidence in yourself in being able to win people over purely by who you are.
Yes, I own a mass-produced Dell laptop that runs Linux and XP that works perfectly fine and does all I need it to. And by all means, if you see me using it in a public place then come sit near me and get your jollies by sneering down at me for not being a corporate whore - I won't notice a damn thing because I'll be too busy working on something that is actually important in my life.
Gentoo Linux - another day, another USE flag.
True, but which is better, 4 MacBook Airs or 5? In order to control the variables, the same person should be allowed to win all the laptops, otherwise what if someone is just much better than everyone else?
"Wise men talk because they have something to say; fools, because they have to say something" - Plato
Does it really matter if it's been discovered by someone else, as long as Apple knows about the flaw and is (presumably) working to patch it?
"Growing old is inevitable; growing up is optional."
However I'd imagine using only FireFox would (at the very least) remove that 1 major hole they found. Of course it would probably create a bunch more.
Except the easy one works backwards. Nobody wants to ride a different car just to go to the bank.
Better analogy, but still not so great because of ATMs: Should your bank be housed in the same building as your hamburger joint?
A little more to the point: Do you want an ATM in the neighborhood pusher's hip pocket?
The car is the computer, not the browser. Just like you drive up to an ATM to do bank business, you should launch a restricted function browser to go to the bank. You don't give the gal at Wendy's or Walmart your paycheck and ask her to deposit it for you. Okay, Okay, some banks put branches in department stores. And you do give the clerk at the register your credit card, if you believe in plastic money. I even once cashed my paycheck from a part-time job at a discount shop. But you still don't give the clerk your paycheck and ask him or her to deposit it for you.
And the general purpose browser is more like the attendant at the information desk than like the clerk at the register, anyway.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
Are you sure that Reality Distortion Field is turned on ?
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
My sister can't.
And I couldn't get it to run very well the last time I tried it.
But since you suggest it, I'll try it again. Sometimes things work better when I've had a little time to digest the manpages.
Could be really cool.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
My teenage son can demolish any PC in an afternoon of unsupervised surfing. My neighbor's Vista box barely runs; God knows what they've got on it. (Unlike the Ubuntu box I let them borrow for two years before they bought their new Dell 3 months ago.) The Mac mini my son uses to surf (when he's allowed) runs as well as it did two years ago and I haven't even run software updates on it. (No sense mentioning it has no antivirus software either.)
I don't care if it's spyware, adware, a virus, a tray icon, or even just a simple browser toolbar or homepage or search-engine hijacking; or if it's installed manually or via drive-by methods--whether it's due to small market share, inherent (UNIX) security, or something else, I will continue to argue that Mac and Linux are the better platforms, IN PRACTICE, for the average user.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Yeah, that part isn't solved by getting xauth to work.
But if I can get xauth and xdm to work with sudo, I may be able to figure out how to set up a restricted user for the banks and a separate one for surfing. That would be getting close.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
Not trolling -- this is an honest question:
Which browser would you recommend on a Mac? I don't know how to objectively and meaningfully compare the security records of the various browser choices, and any input would be appreciated.
I was referring to Einstein finally proving it in 1911. It was one of the papers that came between special and general relativity. He didn't invent the theory, but he did prove it, so I figured that giving him credit in a short joke wasn't too bad.
Ever hear of DNS Cache Poisoning?
Sometimes you can't always control where your browser goes.
Of course the web is a jungle! Why do you think they called their browser Safari?
P.S.: I'm replying via Safari and I don't see any pro@@%$@#CR~~NO CARRIER
I think what this guy is saying is that he doesn't want to connect to the bank with the same browser he uses to hang around youtube or facebook or whatever.
And, of course, that would be of no help if both browsers were running as the same user.
You really think phishing filters work? That the end result is not just a continued escalation of workarounds until the black hats get smart enough to cover their tracks?
It's not that hard to get a certificate, and it's not that hard to get a certificate into a browser, and certificates really aren't very standard about specifying what they're good for, yet.
Wouldn't you rather have both the money and the Macbook Air?
Potato chips are a by-yourself food.
dd was a term used on mainframes for defining a file name. A data definition I think.
Look at some of the JCL here and see all of the DD scattered everywhere. The name after the // on the left of a DD is being tied to the Data Set Name (DSN=) on the right of the DD in the JCL.
I always thought it was in common usage even before unix, but I was a wee child back then and was probably assuming what was not true.
The bank's server has to have a certificate. So do the watchdog servers, which the browser knows how to contact.
And the dedicated browser comes with the bank's certificates pre-installed, and since it never sees any site but the bank's, it never has any phishing site's certs installed. (Unless the user allows his buddy to install that cool app, which we can build yet another roadbump against using the user separation idea, and so it goes. But I think it's a better set of methods than the walled garden approach.
Problems with distributing the dedicated browser -- you can't really do that over the web. Has to be on a CD you get at the bank, or something similar. And when you have to retire a certificate, things get a little tricky, but you can circumvent those problems, for instance, with redundancy in the watchdogs, one-time pads generated at the bank (which basically means that when you go get a CD, you have to wait while the account representative burns you a CD), that kind of thing.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
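The dedicated-browser scheme in the comment above (bank certificate pre-installed, watchdog servers, shut down if the tokens are wrong) can be sketched in code. This is an added example, not the commenter's or any bank's software: a server's "identity" is a byte string standing in for its certificate's public key, the client pins a hash of it, and each server answers a fresh challenge with an HMAC under a per-server key that, in the comment's scheme, would have come off the CD. A real client would pin SPKI hashes of X.509 certificates and talk TLS; all names and keys below are constructed.

```python
"""Dedicated banking client with pinned server identities and a watchdog quorum.

Added example, not the thread's or any bank's code.  Stand-ins: a server's
"identity" is a byte string playing the role of its certificate's public key,
and each server answers a challenge with an HMAC under a key that, in the
comment's scheme, would have been burned onto the CD at the bank.
"""
import hashlib
import hmac
import secrets


def pin_of(identity):
    """What the CD ships: a hash of the server's identity, not the identity itself."""
    return hashlib.sha256(identity).hexdigest()


class Server:
    """Constructed stand-in for the bank or one of its watchdogs."""

    def __init__(self, name, identity, mac_key):
        self.name = name
        self.identity = identity
        self._mac_key = mac_key

    def answer(self, nonce):
        return hmac.new(self._mac_key, nonce, hashlib.sha256).digest()


class DedicatedClient:
    def __init__(self, bank_pin, bank_key, watchdogs, quorum):
        # watchdogs: name -> (pin, mac_key).  Everything here comes from the CD.
        self.bank_pin = bank_pin
        self.bank_key = bank_key
        self.watchdogs = watchdogs
        self.quorum = quorum

    def _verify(self, server, expected_pin, mac_key):
        # The identity must match the pin first: an unknown certificate is
        # treated as a phishing host no matter who signed it.
        if not hmac.compare_digest(pin_of(server.identity), expected_pin):
            return False
        # Then a fresh challenge, so a replayed answer is worthless.
        nonce = secrets.token_bytes(16)
        expected = hmac.new(mac_key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(server.answer(nonce), expected)

    def session_allowed(self, bank, watchdog_servers):
        """True only if the bank and at least `quorum` known watchdogs check out;
        otherwise the client refuses to proceed, as the comment proposes."""
        if not self._verify(bank, self.bank_pin, self.bank_key):
            return False
        good = 0
        for wd in watchdog_servers:
            entry = self.watchdogs.get(wd.name)
            if entry is not None and self._verify(wd, *entry):
                good += 1
        return good >= self.quorum


def build_demo():
    """Constructed deployment: one bank, three watchdogs, a quorum of two, and
    an impostor presenting a different identity under the bank's name."""
    bank_key = b"bank-mac-key-constructed"
    bank = Server("bank", b"bank-public-key-constructed", bank_key)
    wd_keys = {f"wd{i}": f"wd{i}-mac-constructed".encode() for i in range(3)}
    watchdogs = [Server(n, f"{n}-public-key".encode(), k) for n, k in wd_keys.items()]
    client = DedicatedClient(
        bank_pin=pin_of(bank.identity),
        bank_key=bank_key,
        watchdogs={w.name: (pin_of(w.identity), wd_keys[w.name]) for w in watchdogs},
        quorum=2,
    )
    impostor = Server("bank", b"phisher-public-key", bank_key)
    return client, bank, watchdogs, impostor


if __name__ == "__main__":
    client, bank, watchdogs, impostor = build_demo()
    print("genuine bank, all watchdogs:", client.session_allowed(bank, watchdogs))
    print("impostor bank:", client.session_allowed(impostor, watchdogs))
```

The quorum is what covers the comment's retirement problem: one watchdog can be rotated out without locking every CD holder out, as long as enough of the remaining ones still answer correctly.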
I'm also pretty sure that the hack wasn't about getting root level access, just access to a user account from outside caused by the user doing something they would normally do on the internet. And the bottom line is that this is how virtually ALL Windows malware finds its way onto PCs. And the user account is where all the juicy data is anyway!
So today, all OS X users can breathe a sigh of relief that we're not yet a big enough target for hackers to pay much attention to. Or for sure we'd be in trouble!
I look forward to finding out what the details of this hack were, after Apple have fixed it and the info is released. I wonder if it's got anything to do with some of the dumb choices that Apple make for default OOTB security settings on OS X. Like: "Allow all incoming connections" on the Firewall, and automatically "Open safe files after downloading" in Safari. The latter is particularly stupid. Safe files are only safe until someone finds a way to make them un-safe. Then 90% of your entire user base who don't disable this are screwed! Someone at Apple should get fired for making that decision!
Maybe, but I won't waste my time trying to hack it if it was more difficult to hack than the other two laptops. I would straight away go for the easier ones.
This space for rent.
I am a Mac user and I think this is fine. Find the bugs, squash the bugs. Even better he got rewarded for it.
I'd rather have software freedom and the practical benefits of allowing everyone the same freedoms I enjoy. This way I'm not relying on a proprietor to be shamed into acting (ostensibly but unverifiably) on my behalf. So on my personal computers at home I not only choose free software browsers, I choose free software operating systems too. Whenever I can I favor hardware that runs on free software as well.
Digital Citizen
That is really going to be determined by what the consumer's priority is. If your computer's primary use is something other than browsing, and you occasionally use a browser, then this makes sense.
If, on the other hand, your computer's primary use is browsing but you occasionally do something else, then protecting your computer and dismissing all browser vulnerabilities could make things much worse, instead of better.
Example: most people use the same password for many purposes. Once any part of your computing security is lost, regardless of it being in a separate user space, you're just slowing down the rate at which the consumer loses. So in an environment where the user becomes aware of the problem, and is also smart enough to isolate the possible damage quickly, this helps.
Browsers need to be made secure, or browsers will have to go away as an option for interfacing to any data of value. So if, as you seem to claim, browsers cannot be made secure, then online banking, online web access, online applications will have to be ended. Or I guess a separate application be made for access to these. But that is basically saying we have to make obscurity our security because we can't make a general use application secure.
A new exploit appears during an annual contest with prize money. No problem accepting that, it is a legitimate problem. That it is the result of two minutes of work? I think this is very unlikely.
I am curious: how long did the exploit discoverer keep his discovery a secret in order to enter it in the contest? Several weeks? A few months?
I'm also curious whether Safari for Windows suffers from the same exploit. Would Vista also fall inside of the same two minutes?
At one time Microsoft made a big deal of having its browser seamlessly integrated with the rest of Windows. Now, after they've suffered from years of countless exploits, they have gone to great lengths to constrain unexpected access to the OS from the browser.
I think Apple will continue to improve its development techniques to preempt exploits, and to fix 'em when they appear on Apple's radar. There are corporate interests out there that are extremely cautious about bringing Macs officially into their business environment because they think Mac OS X doesn't appear to have enough active defenses.
$10000 will buy any laptop you want. You don't need to flip anything. Besides, why flip it when that's the computer he and everyone else wanted? Your argument is totally irrational. d(^_~)
You think that's cute, yet I'll bet you wonder why the world hates America.
Since nearly 10% of the computers being sold today have an Apple logo on them, your logic would dictate that nearly 10% of the malware out there is Mac-oriented. Yet for some odd reason, the number of in-the-wild malware packages for OSX --as a percentage of the whole-- is (literally) orders of magnitude smaller (as in, almost statistically zero).
Methinks the answer lies somewhere other than where you and the GP were both looking...
Quo usque tandem abutere, Nimbus, patientia nostra?
I wonder if this is a side-effect of Dell buying Alienware.
Wow, you are scary. Please tell me you don't own any weapons.
1st Day ->
:) ...
M: Hey there! I am a Mac! How are you today!
P: I'm a PC.
M: How are you PC! Why are you looking all stuffy and bored. Look at my shiny toys and wonderful application! You need to lighten up a little heh. ^_^
P:
2nd Day ->
P: Hi.
Politicians and Pedophiles: Two groups of exploitive bastards who are most dangerous when they're thinking of children.
There is a difference between status symbol and design aesthetics, you know.
I hate brands. But I like things that are designed well and are attractive. I don't want to live in a strictly utilitarian environment - ultimately, that leads to nihilism.
$10000 will buy any laptop you want.
Precisely. So you should do anything you can do to win the fastest, and that would be to break the EASIEST computer. Taking even an extra 10 seconds to break into the mac means someone else might win the 10k and you get nothing.
You don't need to flip anything. Besides, why flip it when that's the computer he and everyone else wanted?
I was just suggesting a possible use for the computer you won if it -wasn't- the one you wanted. ie... if you wanted the Mac but broke the Vista box because it was faster you could flip the vista box.
You think that's cute, yet I'll bet you wonder why the world hates America.
That's a bet you'd lose. I'm not an American. Rather, I'm part of that 'the world' that thinks America has its head up its ass.
Hmm.. good point! :)
Nothing like a 'why is the sky blue' tangent to remind me what got me hooked to this site
Yeah 12 whole volts of zip zap, scary! I take it you have never touched an actual car battery and realized to your great dismay, it did not shock you at all ;)
It's easier to fight for one's principles than to live up to them.
This coming from anonymous coward? Post with your slashdot username. :P
Julie Moult is an idiot.
I RTFA even though I steer clear of blogs... but what I didn't find was information on whether those boxes had the most recent updates on them.
If they were connected to the net or had an ISO downloaded for OS installation I would say yes, they were updated. If they were all updated then yes, this is something that needs to be addressed as soon as possible...
I do not find it hard to believe that an Ubuntu box is still standing and I am rather disappointed if the Mac really did get owned. But I have a damn hard time believing that a Windows box is still standing... unless something else was done to it to make it more hardened.
-- What's this '-r *' file doing here? -- Oh well, a simple 'rm' should do the trick.
I remember sigs. Oh, a simpler time!
Yeah 12 whole volts of zip zap, scary! I take it you have never touched an actual car battery and realized to your great dismay, it did not shock you at all ;)
Don't you worry I'll bring the coil too and step it up to 40,000 Volts.
I tried to find the page that I originally read about UNIX acronyms, but couldn't. I found this one, though: http://roesler-ac.de/wolfram/acro/credits.htm
It has multiple possibilities for dd: "copy and convert" "dataset definition" and device, disk, and dump in various combinations. The answer isn't as clear as either of us thought.
Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
The one factor that everyone has glossed over is that only an undisclosed attack could be used. It's like saying a screen is air tight if you don't count the old holes.
Knowledge = Power
P= W/t
t=Money
Money = Work/Knowledge so the less you know the more you make
And no one wanted the $10000 and laptop they would receive if they hacked the Vista and Ubuntu systems. Additionally, hacking a Linux box will not earn that person any press coverage at all and will force that person into bankruptcy. See? It all makes sense why OSX is the most secure operating system despite these results!
No patch is out yet. If the someone else out there that found it was malicious, then it could matter.
In the interest of fairness, the amount of time required to hack them doesn't matter much. It's not like that hack was made up on the spot. It was waiting for that day in the contest and was probably developed weeks ago over the course of several days. After everyone's prefab exploits were tested in the first 20 minutes, THEN people started plinking on the keyboards for the next 6 hrs in desperation hoping to get lucky on something new.
I work for the Department of Redundancy Department.
I thought DD stood for "data duplicate" ?
I work for the Department of Redundancy Department.
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
Hackers haven't stolen the code for Vista yet; just wait until they get part or all of Vista's source code, they'll have dozens of undisclosed vulnerabilities that can be accessed inside software already running in Vista.
On the plus side, this means that Vista at the moment is the only version of Windows hackers aren't ready to crack with just a URL or an e-mail (using only the default software on Vista).
If they had had an XP machine, it would have gotten cracked most likely on the first day (when they could only use network attacks).
https://www.gnu.org/philosophy/free-sw.html
Yeah, but changing the user doesn't gain you much security, probably none at all. Presumably you weren't running as root anyway, so what changes?
The sandbox user doesn't have access to any files that aren't needed to run the browser. It can't access any files in your home dir, for example.
Your description sounds like you should just use online banking software instead of a website with a crippled browser.
Justice is the sheep getting arrested while an impartial judge declares the vote void.
The Ubuntu laptop was a Sony Vaio, and was the most expensive, and way more powerful than the MacBook Air.
What if Tetris was invented by Nazis?
Now Apple should employ Charlie Miller, and then do an update a week or so before the competition next year.
A more informative competition would be to add an extra day which would allow the same conditions as Day 1 but any base install over the previous year (that was around for more than 2 weeks or something). So Macs could be attacked with 10.5.0 installed, and Windows with non-XP1.
It would be more significant for an attack to succeed on Day 1 conditions for a system that was around for over 1 year than to succeed only on Day 2 or 3 for a system that has just come out.
I'm not him, but agree with him. I've noticed that the reaction of this entire thread has been on the fact they hacked a MacBook Air (running OSX as a footnote). I'm wondering who is having a hard time following the thread in this instance. At a minimum, you don't have to be so rude to shoot down an otherwise clearly formed observation.
Off topic, but I'll chime in. I use Safari primarily, with Firefox and Camino (less and less these days). Safari is faster and more stable; as in rock-solid stable... as in never crashes. I keep going back to Firefox because Slashdot tells me I should, but after the third crash per day, I give up and go back to Safari. I find myself not worrying so much these days and just using Safari most of the time. I can't log into my work time-card with Safari though (stupid Microsoft), so I keep Firefox around. Camino is an interesting Mac-centric product, but come on, a browser is just a browser and I really don't see the need to hoard browsers.
