All Five Smartphones Survive Pwn2Own Contest

← Back to Stories (view on slashdot.org)

All Five Smartphones Survive Pwn2Own Contest

Posted by Soulskill on Wednesday March 25, 2009 @01:41AM from the can't-hit-a-mobile-target dept.

CWmike writes "Although three of the four browsers that were targets in the PWN2OWN hacking contest quickly fell to a pair of researchers, none of the smartphones were successfully exploited. TippingPoint had offered $10,000 for each exploit on any of the phones, which included the iPhone and the BlackBerry, as well as phones running the Windows Mobile, Symbian and Android operating systems. 'With the mobile devices so limited on memory and processing power, a lot of [researchers'] main exploit techniques are not able to work,' said TippingPoint's Terri Forslof. 'Take, for example, [Charlie] Miller's Safari exploit,' referring to Miller's 10-second hack of a MacBook via an unpatched Safari vulnerability that he'd known about for more than a year. 'People wondered why wouldn't it work on the iPhone, why didn't he go for the $10,000?' she said. 'The vulnerability is absolutely there, but it's a lot tougher to exploit on the iPhone.'" Chrome was the only browser at the contest that was not successfully exploited. We previously discussed day one of the contest, and a summary of day two is available as well.

144 comments

All 5, eh? by jav1231 · 2009-03-25 01:50 · Score: 2, Insightful

They name the iPhone and Blackberry and 3 OS's. Poorly worded much?
1. Re:All 5, eh? by The+Wooden+Badger · 2009-03-25 02:40 · Score: 1
  
  Exactly what I was thinking. I went to the article to see what the 5 were and didn't really glean much more information out of it than what was in the summary.
  
  --
  Heroscape, it's like legos combined with anachronistic wargames.
2. Re:All 5, eh? by Anonymous Coward · 2009-03-25 03:13 · Score: 1, Informative
  
  From the 3rd link in TFS:
  
  This year's PWN2OWN also features a mobile operating system contest that will award a $10,000 cash prize for every vulnerability successfully exploited in five smartphone operating systems: Windows Mobile, Google's Android, Symbian, and the operating systems used by the iPhone and BlackBerry.
3. Re:All 5, eh? by vux984 · 2009-03-25 04:47 · Score: 2, Informative
  
  Exactly what I was thinking. I went to the article to see what the 5 were and didn't really glean much more information out of it than what was in the summary.
  I had no trouble identifying the five that were tested:
  iphone, blackberry, windows, symbian, android.
4. Re:All 5, eh? by More_Cowbell · 2009-03-25 05:53 · Score: 1
  
  I think you are missing the GP's point that they only named two of the five devices...
  "windows, symbian, android" gives no indication of the phones they were running on.
  
  --
  Experience teaches only the teachable. -AH
5. Re:All 5, eh? by wealthychef · 2009-03-25 06:04 · Score: 1
  
  It's not clear from the pwn2own website, but there is this:
  After much appreciated feedback from the contestants, weâ(TM)ll be sure that such details as version numbers of the OS and exact hardware specs are made available well in advance.
  HTH
  
  --
  Currently hooked on AMP
6. Re:All 5, eh? by vux984 · 2009-03-25 06:07 · Score: 1
  
  I think you are missing the GP's point that they only named two of the five devices...
  Oh, I see.
  But if that's the case, what were the two -devices- they did name? I only see one.
  I mean, techically there are a couple different iphone models, but assuming a current model, the only difference between them is flash capacity, so I'll give you that one.
  But what's a "Blackberry"? Bold? Storm? Curve? Pearl...? Blackberry doesn't really tell me anything more specific than 'an Android phone'.
7. Re:All 5, eh? by More_Cowbell · 2009-03-25 06:15 · Score: 1
  
  Yeah, you certainly have a point. And hey, I could be wrong, it was just how I read the GP's comment (probably because I wanted to know about the hardware myself).
  
  --
  Experience teaches only the teachable. -AH
8. Re:All 5, eh? by More_Cowbell · 2009-03-25 06:23 · Score: 1
  
  Now that I've actually RTFA (or one of them anyway)...
  
  For example, Forslof said that one researcher had prepared an exploit for a vulnerability on a BlackBerry Touch emulator, but the BlackBerry model used in the contest was the Bold. "There was enough difference [between the two] that his exploit wasn't working," said Forslof.
  So, like I said earlier, you had a point, and I think you are right to assume the current iPhone.
  Still wondering what the other three were.
  
  --
  Experience teaches only the teachable. -AH
9. Re:All 5, eh? by KahabutDieDrake · 2009-03-25 14:25 · Score: 1
  
  The Iphone may be considered a single platform...However, the Blackberry is hardly a single device, it's a class of devices. It's not even a unified OS.
Not any tougher on iPhone according TFA by Shatrat · 2009-03-25 01:53 · Score: 4, Informative

Apparently the safari exploit

"should work on the iPhone but the bug couldn't (be) used twice in the competition."
So the iPhone should be quite vulnerable, but wasn't compromised because it wouldn't have been eligible for the award since it was the same exploit used against OS X in the first day.

--
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
1. Re:Not any tougher on iPhone according TFA by scorp1us · 2009-03-25 02:51 · Score: 0, Troll
  
  The iPhone does not use Safari. The iPhone uses a rebranded mobile browser from another vendor. This vendor also makes the browser for other smart phones.
  
  --
  Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
2. Re:Not any tougher on iPhone according TFA by Goaway · 2009-03-25 02:53 · Score: 1
  
  What
3. Re:Not any tougher on iPhone according TFA by Anonymous Coward · 2009-03-25 02:58 · Score: 1, Funny
  
  At least you had balls to make fool out of yourself without being anonymous coward :-)
4. Re:Not any tougher on iPhone according TFA by Jedi_Master_SS · 2009-03-25 02:59 · Score: 5, Informative
  
  The iPhone uses a modified version of WebKit (see webkit.org) which is the same engine behind Safari and quite a few other things not just from Apple but other sources as well.
5. Re:Not any tougher on iPhone according TFA by linhux · 2009-03-25 04:05 · Score: 1
  
  It's quite possible for Mobile Safari in iPhone to be vulnerable without that making the phone pwnable. For example, one reason could be that the iPhone OS kernel is only able to execute signed code - unless the phone has been pwned and the signing restrictions disabled. There are probably ways around this from userland, too, but I guess they are pretty hard to find and even harder to exploit. And also, owning Mobile Safari would only give you a uid 501 process, from there you'd have to find some way to escalate your privileges to root.
6. Re:Not any tougher on iPhone according TFA by neoform · 2009-03-25 04:31 · Score: 1
  
  Chrome is built using WebKit.
  Which raises the question, why is Safari less secure than Chrome?
  
  --
  MABASPLOOM!
7. Re:Not any tougher on iPhone according TFA by Anonymous Coward · 2009-03-25 04:57 · Score: 2, Funny
  
  Chrome is built using WebKit.
  Which raises the question, why is Safari less secure than Chrome?
  Safari was developed by Apple therefore security was overlooked for style and usability.
8. Re:Not any tougher on iPhone according TFA by Anonymous Coward · 2009-03-25 05:05 · Score: 1, Insightful
  
  Which raises the question, why is Safari less secure than Chrome?
  It might not be, it might just have been how the content was set up.
  On day 1, the targets were IE, Firefox, and Safari. All three browsers got compromised, some more than once.
  On day 2, the targets were Chrome and the mobile phones, although contestants were allowed to attack the other 3 browsers again, provided they did not use the same bug to do so. None of the browsers had a successful (new) attack against them, and none of the phones did either (although only 2 attempts were made against the total of 5 phones I believe, one against the Blackberry Bold and one against a Symbian phone).
  Chrome very well might be just as vulnerable as Safari is, but since they were attacking Chrome on day 2, they couldn't use the exploits that worked against Safari on the previous day.
  If they had Chrome on day 1 and Safari on day 2, we might be reading that Safari was the only browser that was not compromised. I'm not sure why they structured the contest that way, but I'm thinking that's the primary reason that Chrome was not exploited.
9. Re:Not any tougher on iPhone according TFA by oldr4ver · 2009-03-25 05:44 · Score: 1
  
  Because Google employs experienced, quality developers who would rather see something functional versus something that a bunch of flashing lights and shiny outer layer.
10. Re:Not any tougher on iPhone according TFA by mail2345 · 2009-03-25 06:04 · Score: 1
  
  Simple.
  
  Implementations can be different from the actual idea/code.
  
  OpenSSL/Debian fiasco RNG mess up, netscape RNG mis-implementation so it only uses the PID, ect.
11. Re:Not any tougher on iPhone according TFA by Lars+T. · 2009-03-25 06:22 · Score: 1
  
  Apparently the safari exploit
  
  "should work on the iPhone but the bug couldn't (be) used twice in the competition."
  So the iPhone should be quite vulnerable, but wasn't compromised because it wouldn't have been eligible for the award since it was the same exploit used against OS X in the first day.
  That makes two things apparent:
  A) Miller only had one fault left (and didn't find a new one since he found it a year ago).
  B) He wanted the MacBook Air more than an iPhone and $10,000 in cash. Or he was so scared that somebody else had found the bug that he drew fast. Or the fucking bug does not work on the iPhone.
  Okay, only one of these is apparent, that would be A)
  
  --
  Lars T.
  To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
12. Re:Not any tougher on iPhone according TFA by Anonymous Coward · 2009-03-25 06:22 · Score: 1, Informative
  
  Chrome was a target on day 1, not just day 2.
  Also, if you read Charlie Miller's comments, you'll note that he explicitly said Chrome wasn't compromised because its sandbox makes renderer bugs more difficult to exploit. i.e. Chrome is, in fact, somewhat more secure.
  Disclosure: I am a Chromium developer.
13. Re:Not any tougher on iPhone according TFA by slick_shoes · 2009-03-25 07:29 · Score: 1
  
  I read pretty much this same story on another site (which escapes me at the moment) claiming that Safari-Hack Guy DID have an iPhone exploit but wanted more than $10,000 for it, not because it was ineligible.
14. Re:Not any tougher on iPhone according TFA by Anonymous Coward · 2009-03-25 08:03 · Score: 0
  
  Read the (f'ing) link:
  http://blogs.zdnet.com/security/?p=2941
  He explains pretty well why Safari (especially on OSX, to my suprise) is much less secure than Chrome. In summary, Chrome has a sandbox feature that Safari is lacking, and OSX has fewer anti-exploit features than Windows.
15. Re:Not any tougher on iPhone according TFA by pete-wilko · 2009-03-25 11:15 · Score: 1
  
  WTF? Chrome was a day 1 target... time for some serious meta-moderation...
16. Re:Not any tougher on iPhone according TFA by Anonymous Coward · 2009-03-25 12:55 · Score: 0
  
  Chrome did contain the webkit vulnerability, but apparently the sandbox prevented exploitation. It still will have to be fixed.
  Hooray for playing nicely in the sandbox!
17. Re:Not any tougher on iPhone according TFA by aliquis · 2009-03-25 19:02 · Score: 1
  
  It has been covered in the browser thread, but basicly since the part which interpret the HTML, CSS and so on isn't all of the browser.
  The javascript engine is different, the loading of plugins is different, the allocation of resources and freeing them up again is different, the network code is different, the presentation is different, and so on.
18. Re:Not any tougher on iPhone according TFA by ivan256 · 2009-03-26 07:01 · Score: 1
  
  Because clearly it's the developers that set those goals, and not the management.... I wish I lived in your world....
  Seriously, the management gets to take all the credit for the shiny. Why not the blame too?
A Symbian with a browser? by Anonymous Coward · 2009-03-25 02:00 · Score: 5, Funny

I saw one of them Symbian's on the internet once. But I didn't know it could have a browser. I thought it was used more for content production.
1. Re:A Symbian with a browser? by noobsauce · 2009-03-25 03:28 · Score: 1
  
  The Nokia E71 is a kick-ass phone with a kick-ass browser also based on WebKit. Yes, I have one and love it. :-]
Chrome only browser ... by Thornburg · 2009-03-25 02:05 · Score: 4, Interesting

Chrome was the only browser in the contest that was not successfully exploited... why didn't they include Opera, or any of the non-webkit open source browsers other than Firefox? (Ok, they may be fairly obscure, but surely Opera is well known enough, right?)
1. Re:Chrome only browser ... by Anonymous Coward · 2009-03-25 02:08 · Score: 5, Funny
  
  They didn't want to give Opera any more ammunition against the other browsers.
2. Re:Chrome only browser ... by pxlmusic · 2009-03-25 02:14 · Score: 5, Insightful
  
  as someone who recently gave Opera another go, i can see why.
  i would appear that i've been missing out
  
  --
  "If for any reason you're not satisfied with our service, I hate you."
3. Re:Chrome only browser ... by n1ckml007 · 2009-03-25 02:29 · Score: 2, Funny
  
  yeah I tend to sing Opera's praises.
4. Re:Chrome only browser ... by worip · 2009-03-25 02:36 · Score: 3, Insightful
  
  Chrome is also one of the newest browsers in the market. The longer a browser is out there, the longer the time someone can develop a hack for it. I bet for the next contest, presuming that Chrome will still be around, there will be a few Chrome hacks to go around.
  
  --
  A picture is worth exactly 1024 words.
5. Re:Chrome only browser ... by Anonymous Coward · 2009-03-25 03:12 · Score: 0
  
  point is that everyone had a year to work on the exploits, not 3 days.
  so everyone came with their exploits ready-to-go.
  so since chrome came out this year, most people didn't bother trying to find an exploit for it the past year...
  and since phones, well, cost a lot and arent as easy as computer programs to debug/etc, most people also didn't work on them the past year
  THATS THE FUCKING POINT.
  PWN2OWN proves NOTHING like "this is more secure than that". NOTHING.
6. Re:Chrome only browser ... by FredFredrickson · 2009-03-25 03:37 · Score: 1
  
  Thanks, I was about to comment on this, but you beat me to it.
  
  It's poor reporting, really. Make Chrome look like a hero, when there are other browsers that just weren't tested at all... (and would most likely pass).
  
  [posted from opera]
  
  --
  Belief? Hope? Preference?The Existential Vortex
7. Re:Chrome only browser ... by Actually,+I+do+RTFA · 2009-03-25 03:48 · Score: 3, Insightful
  
  Chrome was the only browser in the contest that was not successfully exploited... why didn't they include Opera
  For the same reason high school sports teams don't play NFL teams; it just would be disheartening to the players.
  My guess is that Opera never really got the attention because it never had a big company pushing it (MS, Apple, Google, and Firefox had the whole Mozilla/FOSS thing).
  
  --
  Your ad here. Ask me how!
8. Re:Chrome only browser ... by Kamokazi · 2009-03-25 04:44 · Score: 2, Insightful
  
  I switched to Opera when FF was in version 2, because Opera was considerably faster in most cases. Now that FF is up to speed with Opera, I'm still with it because I'm more familiar with it...and it feels more 'complete' out of the box to me...no need for extensions. For someone who uses it regularly on four different machines (and irregularly on several more), that's important.
  Sure, it's not open source, but I'm concerned about free beer more than free speech (not to say that it's unimportant, I just have my priorities...as far as my browser is concerned, open vs closed is not nearly as important as it is with OS or production stoftware).
  But Firefox has changed the browser 'market' more than any other I think, and in a very good way. They were striving to make a good free browser when no one else seemed to care about the web browser as much, as long as it worked. Opera was the only one really trying, and to compete they dropped the ads and became completely free. MS actually tried with IE7 (still failed), and...I know I will catch crap for this...have actually did a pretty damn good job with IE8. Chrome came out, obviously, and Apple has shown more interest in improving Safari.
  So while Opera is my browser of choice, I know I owe a lot to FF for setting the bar higher.
  
  --
  As our way of thanking you for your positive contributions to Slashdot, you are eligible to disable Slashdot 2.0.
9. Re:Chrome only browser ... by Tubal-Cain · 2009-03-25 07:42 · Score: 1
  
  Please, I beg you: STOP!
  --Your next-door neighbor
10. Re:Chrome only browser ... by LingNoi · 2009-03-25 09:04 · Score: 1
  
  Maybe Opera refused to take part? Who knows..
11. Re:Chrome only browser ... by Anonymous Coward · 2009-03-25 17:43 · Score: 0
  
  I need AdBlock. Without AdBlock I can't survive on the internet, my tolerances have gone way down.
  I tried the JS/CSS/UrlFilter's/etc, but it slowed the browser down too much and bricked too many sites. The best option was the CSS since you can turn it off under View -> Styles, but it still wasn't the same.
  Quite annoying since the rest of the browser is quite good.
  It's also the same reason why I don't use Chrome except for GMail and GCal.
12. Re:Chrome only browser ... by Hal_Porter · 2009-03-25 19:43 · Score: 1
  
  Market share may be down to but it ain't over until thecounter sings.
  http://www.thecounter.com/stats/2008/January/browser.php
  
  --
  echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
13. Re:Chrome only browser ... by Hal_Porter · 2009-03-25 19:53 · Score: 1
  
  You have to wonder if it isn't a virtuous cycle. Opera has, as far as I can tell, been pretty good about fixing vulnerabilities. That said if it were more popular I'm sure the bot herders and password stealers would have found holes in it and exploited them.
  Right now, if it isn't hyped like Firefox, the market share will be low, people will ignore it in surveys and hackers won't bother to target it.
  
  --
  echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
14. Re:Chrome only browser ... by hkmwbz · 2009-03-26 07:01 · Score: 1
  
  How can Opera refuse to take part? It's not like their permission is required to download the browser.
  
  --
  Clever signature text goes here.
15. Re:Chrome only browser ... by hkmwbz · 2009-03-26 07:04 · Score: 1
  
  They do find holes in Opera. So it's not like they aren't trying. It's just that Opera generally seems to have quite decent security. They are really paranoid. They have blocked all sorts of stuff like local access for remote servers, and while many users are screaming about it because it limits them, it has saved Opera's ass a lot of times. When others have scrambled to fix serious security problems, Opera has been unaffected because of their strict security model.
  
  --
  Clever signature text goes here.
16. Re:Chrome only browser ... by hkmwbz · 2009-03-26 07:06 · Score: 1
  
  Market share is down? Opera's user base has doubled in two years. Clearly, TheCounter is only counting stuff in the US, and not in strong Opera markets like Europe and Asia. Heck, Opera has 35% market share in Russia!
  
  --
  Clever signature text goes here.
17. Re:Chrome only browser ... by Hal_Porter · 2009-03-26 15:15 · Score: 1
  
  I pretty much only use Opera these days. Still there's a difference between being something I like and something which has a high market share.
  
  --
  echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
18. Re:Chrome only browser ... by hkmwbz · 2009-03-29 23:50 · Score: 1
  
  The point is, Opera's market share is not going down.
  
  --
  Clever signature text goes here.
Re:Apple security by Rayban · 2009-03-25 02:11 · Score: 3, Funny

[citation needed]

--
æeee!
Re:Apple security by Anonymous Coward · 2009-03-25 02:17 · Score: 0

Steve Jobs' attitude is focused on usability and looks, not security. Apple has more than one employee, and I also bet there's more than one person assigned to software security.
Economics by Anonymous Coward · 2009-03-25 02:23 · Score: 0

Maybe there's just too much money to be had selling phone hacks. Miller has already said that $10,000 was well below the market value of some of the exploits used in the contest.
1. Re:Economics by n1ckml007 · 2009-03-25 02:35 · Score: 1
  
  I wonder if crackers get annoyed when one of their "tools" gets a zero-day.
I still wouldn't call it a "hack"... by Anonymous Coward · 2009-03-25 02:26 · Score: 0

Call me crazy but I still wouldn't call it a true "hack" when it requires someone to click on a link. No browser can protect against human gullibility.
I look at it as the difference between pushing past an old lady and robbing her after you told her you were from the electric company as opposed to a cat burglar "tip toe in and tip toe out and they don't realize they were robbed until you're long gone".
Both are bad, mind you, but only one of them actually requires skill.
1. Re:I still wouldn't call it a "hack"... by morgan_greywolf · 2009-03-25 03:22 · Score: 1
  
  Well, that's where the whole concept of 'honor among thieves' comes from. Cat burglaring and pick-pocketing are truly artforms. Knocking over old ladies is just plain thuggery.
  
  --
  My blog
2. Re:I still wouldn't call it a "hack"... by Anonymous Coward · 2009-03-25 03:25 · Score: 0
  
  If a bad webpage can own your box by nothing more than you visiting it, it could just as easily do so while presenting a semi-legit looking page. You wouldn't necessarily be aware of the fact that you'd been rooted.
3. Re:I still wouldn't call it a "hack"... by Anonymous Coward · 2009-03-25 06:35 · Score: 0
  
  Also, all it would take is an insider admin at a place like Google, Yahoo, to compromise millions of computers. Or somebody with access to the graphics department at a corporation with a large online presence or at an advertising agency.
Reboot when deleting pictures bug? by n1ckml007 · 2009-03-25 02:33 · Score: 1

http://discussions.apple.com/thread.jspa?messageID=9193300&tstart=0 I'm suprised this bug hasn't be used as a "toe hold" for an exploit.
1. Re:Reboot when deleting pictures bug? by Jesse_vd · 2009-03-25 02:45 · Score: 1
  
  ha i always thought that was just because i was using picasa. it broke somewhere around 2.1. luckily we have iphonebrowser
2. Re:Reboot when deleting pictures bug? by n1ckml007 · 2009-03-25 02:56 · Score: 1
  
  Does http://code.google.com/p/iphonebrowser/ work on locked iPhones?
3. Re:Reboot when deleting pictures bug? by Jesse_vd · 2009-03-25 03:08 · Score: 1
  
  locked yes, non-jailbroken, no.
4. Re:Reboot when deleting pictures bug? by Jesse_vd · 2009-03-25 03:16 · Score: 1
  
  but i think that alone is a good enough reason to jailbreak. and if you need about 20 more, just look here http://thebigboss.org/why-jailbreak-iphone/
Hmm by LizardKing · 2009-03-25 02:42 · Score: 4, Funny

Miller's 10-second hack of a MacBook via an unpatched Safari vulnerability that he'd known about for more than a year.
Definitely a black hat then, as I'm assuming if he'd reported the vulnerability when he'd found it even Apple would have patched it by now.
1. Re:Hmm by Yamamato · 2009-03-25 03:08 · Score: 5, Interesting
  
  No, it's because he's not going to do free work for Apple.
  
  Did you consider reporting the vulnerability to Apple?
  
  I never give up free bugs. I have a new campaign. It's called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away. Apple pays people to do the same job so we know there's value to this work. No more free bugs.
2. Re:Hmm by Chaos+Incarnate · 2009-03-25 03:11 · Score: 2, Informative
  
  That's a bad assumption. Apple tends to sweep security problems under the rug as much as possible.
  
  --
  Benford's Corollary to Clarke's Law: "Any technology distinguishable from magic is insufficiently advanced."
3. Re:Hmm by Yamamato · 2009-03-25 03:17 · Score: 3, Informative
  
  Plus he added a few more funny things about OSX.
  
  Why Safari? Why didn't you go after IE or Safari?
  
  It's really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don't do. Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigations you'd find in Windows.
  
  It's more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn't have anti-exploit stuff built into it.
  
  With my Safari exploit, I put the code into a process and I know exactly where it's going to be. There's no randomization. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I don't know where it is. Even if I get to the code, it's not executable. Those are two hurdles that Macs don't have.
  
  It's clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But that's only half the equation. The other half is exploiting it. There's almost no hurdle to jump through on Mac OS X.
  Looks like all that supposed security you hear about in Mac OS X is really just a huge joke.
4. Re:Hmm by LizardKing · 2009-03-25 03:22 · Score: 5, Interesting
  
  No, it's because he's not going to do free work for Apple.
  That's precisely the attitude of a black hat. A responsible hacker notifies the vendor or author of the issue, giving them a reasonable amount of time to release a fix. If the fix is forthcoming in a timely manner, the hacker should be thanked in the release notes and is then free to post a description of the issue along with a proof of concept exploit if they like. If a fix is not forthcoming in a timely manner, and no reasonable explanation given by the vendor or author, then the hacker releases the description in the knowledge that they've adhered to the widely acknowledged good practice. This is responsible full disclosure.
  A black hat doesn't notify the vendor in order to gain some kind of material benefit - be it selling the exploit or using it directly for personal gain. Funnily enough personal gain is what this guy did it for, making him a scumbag black hat hacker.
5. Re:Hmm by LizardKing · 2009-03-25 03:25 · Score: 1
  
  Apple tends to sweep security problems under the rug as much as possible.
  Their track record has been a bit variable, but by his own admission this guy didn't contact Apple. He sat on the exploit, in the knowledge that it could be used for no good by others, making him little better than the really bad guys. He then used the exploit for personal gain. Classy.
6. Re:Hmm by Yamamato · 2009-03-25 03:30 · Score: 3, Insightful
  
  No, he's just not an idiot. BTW Apple pays people to report verifiable bugs to them. Does that make all those people black hats too? You never actually mentioned why he should do free work for Apple when they pay others to do the same thing.
  
  You talked earlier about the value of vulnerabilities. Was it a surprise that he (Nils) basically gave up three "high-value" bugs for $5,000 each?
  
  It's clear he's incredibly talented. I was shocked when I saw someone sign up to go after IE 8. You can get paid a lot more than $5,000 for one of those bugs. I've talked to a lot of smart, knowledgeable people and no one knows exactly how he did it. He could easily get $50,000 for that vulnerability. I'd say $50,000 is a low-end price point.
  
  For the amount of time he spent to do what he did on IE and Firefox, he could have found and exploited five or 10 Safari bugs. With the way they're paying $5,000 for every verifiable bug, he could have spent that same time and resources and make $25,000 or $30,000 easily just by going after Safari on Mac.
7. Re:Hmm by RussellSHarris · 2009-03-25 03:33 · Score: 1
  
  I beg to differ.
  urbandictionary:
  
  1- A Hacker (Or rather cracker, but that's a different discussion) who uses his abilities for malicious purposes.
  2- Anything relating to malicious use of the internet.
  wiktionary:
  
  A malicious hacker who commits illegal acts.
  other relevant definitions from google: (disregarding the ones about actual hats, westerns, search engines, and judaism)
  
  Black hat is used to describe a hacker (or cracker) who breaks into a computer system or network with malicious intent. Unlike a white hat hacker, the black hat hacker takes advantage of the break-in, perhaps destroying files or stealing data for some purpose.
  A malicious hacker who exploits - or publicises - a security weakness before informing the affected organisation.
  Nowhere was "personal gain" mentioned. "Black hat" was always applied to individuals with "malicious" motives and/or whose actions are "illegal". Winning the prize money in a contest is neither of those.
8. Re:Hmm by mkiwi · 2009-03-25 03:35 · Score: 1
  
  Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away.
  Emphasis mine. The very quote you mentioned clearly states he uses exploits for profit. The GP is completely right- this guy is a black hat.
9. Re:Hmm by Anonymous Coward · 2009-03-25 03:38 · Score: 0
  
  Unless he was worried that the exploit would be discovered by malicious crackers, sitting on the exploit was no risk.
  How dare he use his technical skills for personal gain. Wait, what do you do for a living? Yeah, real classy. You should work for free, society deserves to leech off you...
10. Re:Hmm by Yamamato · 2009-03-25 03:46 · Score: 2, Interesting
  
  Emphasis mine.
  There is no emphasis...
  
  The very quote you mentioned clearly states he uses exploits for profit.
  
  No it doesn't. He said he's not going to go through the trouble of finding and bugs and writing an exploit and then giving it away to Apple for free when they pay others money to do the exact same thing.
  
  The GP is completely right- this guy is a black hat.
  Sorry, the GP is wrong unless you have some information of him actually using any exploits for malicious use which I doubt you have.
11. Re:Hmm by Anonymous Coward · 2009-03-25 03:55 · Score: 0
  
  he uses exploits for profit. The GP is completely right- this guy is a black hat.
  Oh really? Profiting from an exploit means you're a black hat?
  white hat hacker: (emphasis mine)
  
  A hacker who is ethically opposed to the abuse of computer systems.
  A hacker who is legally authorized to use otherwise illegal means to achieve objectives critical to the security of computer systems, for example, someone hired to execute a penetration test upon a network to produce a report for its administrator about vulnerabilities and solutions to the networks security.
  Hired? You mean HE PROFITED FROM IT? Isn't that EVIL?
  ZOMG, WHITE HAT HACKERS ARE NOW BLACK HAT HACKERS! The world is coming to an end!
12. Re:Hmm by Anonymous Coward · 2009-03-25 04:33 · Score: 0
  
  So, he's a mercenary, then. He could try to help others fix the damn thing, but instead he's hoarding it for his own personal gain (yes, personal gain, unless you can think of another reason he mentions the "market value" of the vulnerability).
  Fucking self-absorbed prick.
13. Re:Hmm by LizardKing · 2009-03-25 04:34 · Score: 1
  
  BTW Apple pays people to report verifiable bugs to them.
  So your original point is moot - he could of been paid by Apple for finding and reporting issues. The fact he didn't makes it even more suspicious that he had something else in mind, perhaps selling to someone prepared to pay more. I wonder who that someone might be? Surely not someone with less than entirely innocent intentions? To be honest though, all this talk of people paying tens of thousands of dollars for an exploit sounds more like a black hat's imagination running riot, which fits with the sad sack fantasists calling themselves "hackers" that I've encountered.
14. Re:Hmm by Anonymous Coward · 2009-03-25 04:34 · Score: 0
  
  Why would you give something away for free when you can make a few bucks off it? It makes alot more sense to use that information to make some money, especially in this economic climate.
  Software experts and professional hackers are trying to make a living in a legal way and deserve to be paid well for the expert work they do.
  I don't think it's greedy of him to do this. Why I think it's greedy for a rich company like Apple to not be rewarding people who report legitimate bugs. Why should Apple get his hard work for free when they over charge for everything?
15. Re:Hmm by bostongraf · 2009-03-25 04:36 · Score: 1
  
  A responsible hacker notifies the vendor or author of the issue, giving them a reasonable amount of time to release a fix.
  I think this is putting too much responsibility on the hacker. I would argue that the only responsibility the hacker has is to not use the exploit in a malicious manner. And asking for payment from the vendor for the work done by the hacker is not malicious. It is business.
  
  The "personal gain" you reference should be limited to the enjoyment of investigating and engineering the exploit in the first place. If the exploit is released in any way, then I am on your side, and they become scumbag black hat. But if it never leaves the basement, and is discovered with the sole intent being to sit in a personal library of code, then there is no foul. Nor is there any onus placed on the hacker.
  
  I do think that the exploit contest itself is an interesting grey area. But if the vendors are willing to put their systems up to that kind of scrutiny, then it can not be called malicious.
16. Re:Hmm by CannonballHead · 2009-03-25 04:39 · Score: 1
  
  But Macs are pretty and EVERYONE knows that Windows is bad, so as long as we keep up the Microsoft critique about their security, we can ignore Macs... especially since so few people use them, it's not worth it (except in contests) to exploit them...
17. Re:Hmm by LizardKing · 2009-03-25 04:41 · Score: 1
  
  Unless he was worried that the exploit would be discovered by malicious crackers, sitting on the exploit was no risk.
  How does he know that others haven't discovered the exploit (unless he believes he's more l33t than anyone else).
  How dare he use his technical skills for personal gain.
  As others have pointed out, Apple pay for verified bugs. By sitting on it he simply made it more likely someone else would get paid for it, unless he thought there was a more profitable use for the bug. And I wonder what those would be?
  Wait, what do you do for a living?
  Something a damned sight more productive than this cracker, which is probably why I don't have to fuck about to get paid.
  You should work for free, society deserves to leech off you...
  Oh do fuck off you anonymous twat.
18. Re:Hmm by LizardKing · 2009-03-25 04:44 · Score: 1
  
  There's this subtle difference (well it must be too subtle for you) between where you get your payment from. Apart from the vendor, Apple in this case, I struggle to think of any other source of payment for an exploit that isn't, well, dodgy. Although I seem to recall from my days on the security mailing lists that there were plenty of people for whom the kudos of their peers was payment enough.
19. Re:Hmm by hldn · 2009-03-25 04:46 · Score: 1
  
  next time you need to pay a bill, just give them some kudos from peers instead of cash and see how that goes over.
  
  --
  http://www.accountkiller.com/removal-requested
20. Re:Hmm by Anonymous Coward · 2009-03-25 04:50 · Score: 0
  
  But he also said it wouldn't be such an easy target if they'd randomize the address space and execute-protect stack and heap like other OSs do. OpenBSD was the first I've ever heard of doing this, then Linux distros and Windows XP SP2 and higher started doing it.. Is it true that Darwin does not?
21. Re:Hmm by FLEABttn · 2009-03-25 04:59 · Score: 1
  
  You should work for free, society deserves to leech off you...
  Oh do fuck off you anonymous twat.
  What's the problem? We were planning on thanking you in the release notes...
22. Re:Hmm by huge · 2009-03-25 05:07 · Score: 0
  
  That's precisely the attitude of a black hat.
  No, that's hard-core capitalism - supply and demand; all that jazz. Apple doesn't see any value in his product (exploit) so they aren't willing to pay. Somebody else could be willing to pay for what he has so he could sell it to them instead.
  Normally when there is much more supply than demand then manufacturer needs to start advertising to make sure that the potential buyers are aware that product exists. When there is more demand but almost no supply, then potential buyers will advertise to every potential manufacturer (or author in this case) that they are willing to pay for certain product, if anybody has it.
  
  --
  -- Reality checks don't bounce.
23. Re:Hmm by Anonymous Coward · 2009-03-25 05:14 · Score: 0
  
  unless he believes he's more l33t than anyone else
  Maybe he does.
  
  As others have pointed out, Apple pay for verified bugs
  Maybe he wanted the notoriety that winning the contest would provide.
  
  he thought there was a more profitable use for the bug. And I wonder what those would be?
  He entered a contest. He won $5000 for the exploit (which is undoubtedly far less than he could have got for the exploit* if he had actually been a black-hat cracker as you claim). Apple now has the exploit, so they can fix the hole**. What's the big problem again?
  
  Something a damned sight more productive than this cracker, which is probably why I don't have to fuck about to get paid.
  You believe that your job is more productive than a guy who has provided several large companies with invaluable information about undiscovered flaws in their products which would potentially have a global effect if ever exploited by a malicious person or persons? Oh...
  
  Oh do fuck off you anonymous twat.
  Posting anonymously to avoid un-doing moderation. You cleverly avoid my point: what makes you think this guy should work for free? He provided a valuable service; he deserves to be compensated for his hard work.
  --
  * According to this guy, whom I have no reason to doubt.
  ** From the 2008 Pwn2Own rules:
  
  All winning exploits will be handed over to the affected vendors at the conference through the ZDI, with the appropriate credit given to the contestant once the vendor patches the issue. Until then, the actual vulnerability will be kept quiet from the public. This is a required condition of entry into the contest; all entrants must agree to the responsible disclosure handling of their vulnerability/exploit through the ZDI.
24. Re:Hmm by Fnord666 · 2009-03-25 05:19 · Score: 1
  
  and also
  
  I could get more than $5,000 for it but I like the idea of coming here and showcasing what I can do and get some headlines for the company I work for (Independent Security Evaluators).
  
  Because everyone wants to hire a security firm that employs morally bankrupt people. I'm sure his employers are so proud.
  
  --
  'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
25. Re:Hmm by Anonymous Coward · 2009-03-25 05:36 · Score: 0
  
  Looks like all that supposed security you hear about in Mac OS X is really just a huge joke.
  One has to wonder if user friendly exploits were an intended part of their "It just works!" campaign :)
26. Re:Hmm by Anonymous Coward · 2009-03-25 05:38 · Score: 0
  
  He's not "morally bankrupt". He took $5k, a low-end price, for the exploit – and by entering the contest he agreed to give the exploit to the affected vendor so they could get it fixed. How is that anything less than noble?
27. Re:Hmm by maztuhblastah · 2009-03-25 05:43 · Score: 1
  
  No, he's just not an idiot. BTW Apple pays people to report verifiable bugs to them.
  Interesting. Since I (and perhaps others) have never heard of this, perhaps you could corroborate your story with a link to Apple's policy on this?
  
  --
  The real litigious bastards...
28. Re:Hmm by jomuyo · 2009-03-25 05:44 · Score: 1
  
  I agree with LizardKing's post. To know about a security venerability and not tell anyone for more than an year is completely immoral and wrong. The attitude that one should only report security vulnerabilities for some type of payment is a dangerous precedent. If this type a behavior made it into the FLOSS community, it would be a disaster. Say I found a venerability in Firefox. Should I go to the Mozilla Foundation and demand payment for finding this bug? Of course not, that is like asking for a ransom. If you want to get paid for finding security vulnerabilities. Go work for a security company like the other security researchers out there.
29. Re:Hmm by maztuhblastah · 2009-03-25 05:48 · Score: 1
  
  Looks like all that supposed security you hear about in Mac OS X is really just a huge joke.
  Not really. The ASLR can be bypassed, and the NX support is indeed quite incomplete in Leopard (it's heap only IIRC), but the real strength of OS X's security comes from the Unix permissions model. It's still very tricky to write malware that, say, turns a Mac into a zombied warez server. It's still difficult to get root, which would be necessary to do most of the useful things you can do with a compromised box.
  On Windows, once you've got access to a user account you've got root, since 9 times out of 10 the person won't have the patience to fight with all their legacy software (and Windows poor UI) and run as a limited account.
  Ask yourself this: if Mac OS X's security is such a joke, why haven't any of the millions upon millions of Macs out there been part of a botnet? Yeah, I know... marketshare, etc... but if the security really is as you're making it out to be, isn't it kinda odd that there aren't *any* zombied Macs? Surely with several million trivially exploitable machines, somebody would have taken advantage of them, right?
  
  --
  The real litigious bastards...
30. Re:Hmm by AndersOSU · 2009-03-25 06:08 · Score: 1
  
  And asking for payment from the vendor for the work done by the hacker is not malicious. It is business.
  
  You've got to be careful though, it could also be blackmail.
31. Re:Hmm by brkello · 2009-03-25 06:19 · Score: 1
  
  How do you know that none of them are zombies? Show me a citation on that. And I have been saying for years once Mac's get more popular, you will see a lot more exploits for them. They still aren't near enough to be as tempting as windows boxes. But really, it's this smug attitude that OS X is this bastion of security and you don't need to run firewalls or AVs that is going to make you all sitting ducks someday.
  
  --
  Support a great indie game: http://www.abaddon360.com
32. Re:Hmm by bostongraf · 2009-03-25 06:21 · Score: 1
  
  You've got to be careful though, it could also be blackmail
  Absolutely.
  
  Of course blackmailing the vendor would 1)be malicious and 2)involve releasing the exploit. Both of those would go far beyond the stance I am defending.
33. Re:Hmm by weicco · 2009-03-25 06:27 · Score: 1
  
  I would consider system which requires root access to send data to internet a) not very secure b) not very usable. And I really much doubt that you need root access to connect to internet on Mac OS X. UNIX permission model doesn't help shit in this kind of situation.
  
  --
  You don't know what you don't know.
34. Re:Hmm by AndersOSU · 2009-03-25 06:39 · Score: 1
  
  It doesn't involve releasing the exploit per se - simply telling the vendor that you have an exploit and want to be paid could qualify. The implication is that you possess damaging information about the vendor - who knows what happens if money doesn't change hands. Even if you don't release it, you might be able to give your buddies hints on where to look.
35. Re:Hmm by Phroggy · 2009-03-25 06:44 · Score: 3, Funny
  
  Looks like all that supposed security you hear about in Mac OS X is really just a huge joke.
  A lot of it is, yes. And, some of that supposed security in Windows Vista... really is improved security, not a joke.
  From the average user's perspective, Macs are more secure right now, because they're not targeted. I don't run any antivirus software on my Mac, because I'm confident that I won't encounter a Mac virus. In general, the people writing viruses don't know how to write for Macs, and the people writing for Macs don't want to write viruses. There used to be a handful of Mac viruses back in the 90s, but those have all gone away. Every once in awhile we hear about a new proof of concept, but nothing ever really comes of it.
  But there's nothing inherent about the way Mac OS X works that guarantees this situation to remain true. As Macs gain marketshare, they'll gain mindshare among malware authors. As buying a Mac becomes a more attractive option to regular people, it will become a more attractive option to malware authors, and once they have a Mac to play with, they'll start writing malware for it.
  Meanwhile, everybody says Vista is a joke; they'll upgrade when you pry XP from their cold dead fingers. People who have never even tried Vista bitch about "Cancel / Allow" dialogs. They say Microsoft completely dropped the ball by breaking compatibility with older software. While I'll be the first to agree that UAC's UI leaves much to be desired, I do leave it turned on*, and I generally know when to expect a prompt. For the thing in the system tray that needs Administrator privileges, I went to the trouble of working around UAC by adding it as a scheduled task that runs on login - this is far too complicated for normal users, and obviously either the software that needs this needs to be updated, or UAC needs an "always allow" option.
  Microsoft broke compatibility because they had to in order to improve security. Every once in awhile an argument breaks out on Slashdot that goes something like this:
  1) Windows sucks, because normal user accounts have Administrator privileges, which is just like running as root on Linux, which nobody ever does.
  2) That's because if you don't have Administrator privileges, half your applications won't run.
  3) Windows sucks, because Linux apps run just fine without needing root privileges.
  4) It's not Microsoft's fault, it's the application developers' fault for designing their app with the expectation that it will always have Administrator privileges.
  5) It is Microsoft's fault, because those app devs designed their app to work on Win98, which had no concept of per-user security, so apps could reliably expect to have unfettered write access to C:\Program Files. Microsoft shouldn't have allowed this.
  6) Macs are awesome!
  7) It's the year of Linux on the desktop!
  8) Shut up, both of you.
  Microsoft knew the status quo was broken, and that brokenness isn't sustainable. Their only long-term choice was to break compatibility by forcing applications to conform to new security standards. They've done that, and everyone bitched, but the apps have been fixed. Nobody realizes the apps have been fixed, because everybody switched back to (or stayed with) XP, but Windows 7 will be hugely popular (Microsoft is also fixing some of the real problems with Vista).
  
  --
  $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
  $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
36. Re:Hmm by bostongraf · 2009-03-25 06:53 · Score: 1
  You are trying to find a workaround on a very static point.
  
  The static point is that if you find an exploit, you are under no obligation to inform the vendor. You are not evil if you do not inform the vendor.
  
  What would make you evil includes, but is not limited to:
  
  Hinting that you will release the exploit if they do not pay you.
  Hinting to your buddies where to look for the exploit.
  Releasing the exploit to the world.
  Abusing the exploit for "personal gain"
  I agree that there are far more ways to be evil, than not. But that does not mean that you are obligated in any way to do anything. And it does not mean that you are a scumbag if you do not report something that you have found.
  
  Effectively, you are a scumbag if you do anything other than:
  
  Nothing
  Ask for compensation from vendor while you work with them to resolve the problem
  Provide free services to the vendor while you work with them to resolve the problem
37. Re:Hmm by Lars+T. · 2009-03-25 06:56 · Score: 1
  
  Unless he was worried that the exploit would be discovered by malicious crackers, sitting on the exploit was no risk.
  Ohh? So you agree that the exploit wasn't easy to find. Wouldn't that mean that OS X is actually pretty safe?
  
  How dare he use his technical skills for personal gain. Wait, what do you do for a living? Yeah, real classy. You should work for free, society deserves to leech off you...
  Somebody should check his files whether he thinks artists should work for free.
  
  --
  Lars T.
  To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
38. Re:Hmm by Anonymous Coward · 2009-03-25 07:27 · Score: 0
  
  If this type a behavior made it into the FLOSS community, it would be a disaster. Say I found a venerability in Firefox. Should I go to the Mozilla Foundation and demand payment for finding this bug?
  Good question. And the answer? Well, simple... since Firefox was one of the browsers in this competition, your exploit would have been worth $5,000 if nobody else beat you to it.
39. Re:Hmm by Bill_the_Engineer · 2009-03-25 08:04 · Score: 1
  
  The fact he didn't makes it even more suspicious that he had something else in mind, perhaps selling to someone prepared to pay more.
  Or maybe he wanted to win Pwn2Own? I mean it is a sport right?
  He didn't release his vulnerability, TipPoint secured the rights to the exploit, and a Apple representative was there to witness the exploit and to get the details.
  So where is the conspiracy?
  
  --
  These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
40. Re:Hmm by snowwrestler · 2009-03-25 08:06 · Score: 1
  
  The difference is that I have prior relationship with my employer--aka "a job"--and if this dude wants to get paid by Apple he should get a job with them. My employer and I know ahead of time that I'm going to get paid to build a Web site. I don't go around building Web sites with companies' names on them in my free time, and then complain when they don't pay me for my work.
  
  --
  Build a man a fire, he's warm for one night. Set him on fire, and he's warm for the rest of his life.
41. Re:Hmm by Anonymous Coward · 2009-03-25 09:19 · Score: 0
  
  Kind of like how the US waited till the very last minute to enter WW2 and now they won't stop whining about "how we'd all be speaking german if it wasn't for us".
42. Re:Hmm by dvhh · 2009-03-25 17:40 · Score: 0
  
  I'll choose number 5 and still think that MS best OS is still w2k (as a dev point of view, I admit it sucked for multimedia creation ).
43. Re:Hmm by Hal_Porter · 2009-03-25 19:59 · Score: 1
  
  To be honest though, all this talk of people paying tens of thousands of dollars for an exploit sounds more like a black hat's imagination running riot, which fits with the sad sack fantasists calling themselves "hackers" that I've encountered.
  Those sad sacks are actually androids. The real hacker is in a private moonbase or submarine somewhere with a load of fembots.
  
  --
  echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
44. Re:Hmm by Hal_Porter · 2009-03-25 20:02 · Score: 1
  
  It's only blackmail if you sell it to the vendor. If you sell it to someone else, there's no problem.
  
  --
  echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
Grammar Nazi alert by Linker3000 · 2009-03-25 02:44 · Score: 2, Funny

"none....was..." puhleeze!

--
AT&ROFLMAO
Phones by Anonymous Coward · 2009-03-25 02:48 · Score: 2, Informative

A quick Google Pulled up the Phones as:
Phones (and associated test platform)
* Blackberry(TBA)
* Android(Dev G1)
* iPhone(locked 2.0)
* Nokia/Symbian(N95-1)
* Windows Mobile (HTC Touch)
1. Re:Phones by Thornburg · 2009-03-25 02:53 · Score: 3, Informative
  
  A quick Google Pulled up the Phones as:
  Phones (and associated test platform)
  * Blackberry(TBA)
  * Android(Dev G1)
  * iPhone(locked 2.0)
  * Nokia/Symbian(N95-1)
  * Windows Mobile (HTC Touch)
  The Blackberry was apparently a "Bold", at least, that's what one of the related blog posts refers to.
2. Re:Phones by petehead · 2009-03-25 04:05 · Score: 0, Troll
  
  A quick Google Pulled up the Phones as: Phones (and associated test platform) * Blackberry(TBA)
  * Android(Dev G1)
  * iPhone(locked 2.0)
  * Nokia/Symbian(N95-1)
  * Windows Mobile (HTC Touch)
  
  I have the HTC Touch. It has a built in security feature: It will crash whatever you are running to try to exploit it. If anyone here figures out how to exploit it, please tell Microsoft. Not so that they will patch it, but so they can use it as an example to developers for how to code.
Symbian by troll8901 · 2009-03-25 02:56 · Score: 0, Redundant

I missed the joke. Can someone tell me?
Oh, I keep mixing up the Symbian and the Sybian.
Final Score (From DVLabs blog) by Deathlizard · 2009-03-25 03:00 · Score: 4, Informative

Browsers
Chrome: 0***
IE8: 1**
Firefox: 1(1)*
Safari: 2(1)*
Mobile Browsers
Android: 0
iPhone: 0
Nokia/Symbian: 0
Windows Mobile: 0
Blackberry: 0****
*Numbers in parenthesis indicate Successful exploits that fell outside the contest criteria and therefore could not be rewarded.
**Exploit Confirmed by MS
***Chrome was impacted by one of the flaws, although exploit was not possible using any current known techniques.
****The Blackberry was attempted and resulted in "Something Interesting", but not an exploit.

--
In Soviet Russia, Trojan exploits YOU!
Re:Apple security by aliquis · 2009-03-25 03:04 · Score: 1

no.
opera mini by Anonymous Coward · 2009-03-25 03:40 · Score: 0

According to these guys, opera mini is the second most used mobile browser No idea if these are accurate stats, just what I found with a quick search.
Not likely... by denzacar · 2009-03-25 03:43 · Score: 1

After all... As TSA states - there is a world market for maybe five smartphones.

--
Mit der Dummheit kämpfen Götter selbst vergebens
Re:DIE HACKER DIE by petehead · 2009-03-25 03:58 · Score: 3, Funny

DIE HACKER DIE
Your German is unintelligible to me.
Re:DIE HACKER DIE by Anonymous Coward · 2009-03-25 04:11 · Score: 0

He says, to a message board of hackers, owned and operated by hackers...
Be seeing you. :)
Lack of Perfection Doesn't Make You a Joke by geoffrobinson · 2009-03-25 05:01 · Score: 1

I don't think anyone claimed that OS X was or would be going forward perfect. That doesn't mean that it is not well ahead of Windows in terms of a secure design.

--
Except for ending slavery, the Nazis, communism, & securing American independence, war has never solved anything.
1. Re:Lack of Perfection Doesn't Make You a Joke by drinkypoo · 2009-03-25 05:36 · Score: 1
  
  I don't think anyone claimed that OS X was or would be going forward perfect. That doesn't mean that it is not well ahead of Windows in terms of a secure design.
  The quote makes it clear that in fact, OSX is well behind Windows in terms of secure design. It doesn't have NX (or similar) support, and it doesn't have address randomization, and that's fucking pathetic because both technologies predate OSX considerably*, but neither predates Windows XP.
  * I don't think literal NX bit support predates OSX, but the idea is older and does not require hardware support to implement, although hardware support improves things considerably. You can still have support for non-executable memory. Out of the major three operating systems anywhere near a desktop today, OSX is the only one which doesn't have it. OSX's famed "security" is indeed a joke. Windows does indeed get hit more than OSX only because it is the dominant platform. Linux has these features, though not all distributions activate them (they might be defaults now.)
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
2. Re:Lack of Perfection Doesn't Make You a Joke by pyrbrand · 2009-03-25 05:43 · Score: 1
  
  Isn't that explicitly what the GP is pointing out - that it is light years behind Windows in terms of secure design?
3. Re:Lack of Perfection Doesn't Make You a Joke by Chutulu · 2009-03-25 05:45 · Score: 1
  
  don't you know how to read?
4. Re:Lack of Perfection Doesn't Make You a Joke by Lars+T. · 2009-03-25 06:51 · Score: 1
  
  So if Mac OS X is so damn unsecure and Windows XP is so fucking secure, why are there far more exploits out for XP? Marketshare?
  
  --
  Lars T.
  To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
5. Re:Lack of Perfection Doesn't Make You a Joke by Anonymous Coward · 2009-03-25 10:15 · Score: 0
  
  It would appear so, you fucking retard.
6. Re:Lack of Perfection Doesn't Make You a Joke by Lars+T. · 2009-03-25 10:30 · Score: 1
  
  So criminals would rather attack the huge mass of "Windows and not much else" owning people instead of the rather big group of wealthy Mac owners? Why exactly?
  
  --
  Lars T.
  To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
7. Re:Lack of Perfection Doesn't Make You a Joke by Kalriath · 2009-03-25 13:31 · Score: 1
  
  I believe that's exactly what he's saying. I make no statement as to whether I can agree or not though.
  
  --
  For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
8. Re:Lack of Perfection Doesn't Make You a Joke by Anonymous Coward · 2009-03-25 16:57 · Score: 0
  
  big group of wealthy Mac owners?
  Wealthy Mac owners? I thought you said Macs were comparably priced to other PCs.
9. Re:Lack of Perfection Doesn't Make You a Joke by Lars+T. · 2009-03-26 00:30 · Score: 1
  
  They are. Thanks for agreeing. What does the price have to do with income however? It's well known Mac owners make more money.
  
  --
  Lars T.
  To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
10. Re:Lack of Perfection Doesn't Make You a Joke by Anonymous Coward · 2009-03-26 09:47 · Score: 0
  
  No, no, no - you've got it all wrong; it's well known that mac users are shallow. Often goes with money - so I understand your confusion.
Re:DIE HACKER DIE by Anonymous Coward · 2009-03-25 06:18 · Score: 0

DIE HACKER DIE
Your German is unintelligible to me.
I'll translate that to English for you:
The Hacker The
Re:DIE HACKER DIE by Anonymous Coward · 2009-03-25 06:53 · Score: 0

Your German is unintelligible to me.
I think he's talking about a female hacker... we all know there are no girls on the internet, so he truly makes no sense.
The equipment survived nothing. by iminplaya · 2009-03-25 07:35 · Score: 1

The guys are holding out for "maximum market value" for their talent.
"Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away." - Charlie Miller

--
What?
You are under obligation to inform the vendor by snowwrestler · 2009-03-25 07:49 · Score: 2, Insightful

The static point is that if you find an exploit, you are under no obligation to inform the vendor. You are not evil if you do not inform the vendor.
I couldn't disagree more. If I walk by a house and see that the door is standing wide open, and then I see the owner on the street a couple minutes later, the ethics are clear. I should tell the guy he left his door open. I'm under no legal obligation but I should because it is the right thing to do. If he gets robbed later I should feel bad because I could have helped prevent it.
Well maybe you say, no, they're a business. Doesn't matter. If I'm in a jewelry store and see that a clerk forgot to put away a diamond ring, which is the more ethical choice of action: ignore it and walk away, or remind the clerk to put it away?
It is NOT ethical to go through life just ignoring what you perceive. Copping out is a choice too. Didn't you see Spiderman??
It's particularly bad if you go around LOOKING for open doors or unlocked jewelry cabinets. You want to try to convince me that it's ok to spend a lot of time and effort looking for flaws, then just walk away when one is found? That seems like a ridiculous argument to me. Who goes through a bunch of effort and trouble to find a weakness, and then just blithely does nothing?
Sorry, but I think you are a scumbag if you find an exploit in a popular OS or piece of software and do not report it to the vendor. Because if you found it, someone else will too and eventually it will get exploited. That will have a real impact on real people and you could have prevented it.
If that doesn't seem fair, here's the way out--don't go looking for exploits unless you're contracted to do it. It's a very fair bargain--you don't waste your time and society doesn't hold you responsible for that choice. But please don't ask me to believe that it's ok to go hunting for exploits, but then it's somehow someone else's fault you don't get paid for the ones you find. That is what consulting contracts are for.

--
Build a man a fire, he's warm for one night. Set him on fire, and he's warm for the rest of his life.
1. Re:You are under obligation to inform the vendor by bostongraf · 2009-03-25 09:11 · Score: 1
  
  Okay, that was more convincing.
  
  We do live in an age where whistleblowing has become a recognized responsibility in all fields, and taking an uninvolved stance does not always remove obligation.
  
  I was trying to make a point about the existence of a neutral position, but when framed as an ethical question, as opposed to a legal question, it takes on a very different light. The neutral stance would be to ignore the obvious ethical thing to do. While the evil thing to do is to take advantage of the exploit.
  
  A neutral stance attempts to avoid being unethical by taking no action. But the true definition of "unethical" is to NOT do what is ethically correct.
  
  I still do not believe it makes the "neutral" hacker evil. But it does make them a scumbag.
Let me tune my violin... by snowwrestler · 2009-03-25 07:55 · Score: 1

He said he's not going to go through the trouble of finding and bugs and writing an exploit and then giving it away to Apple for free when they pay others money to do the exact same thing.
I guess I missed the part where someone put a gun to his head and forced him to go through all that trouble. He's right that some people do get paid to find bugs--and if he wants to get paid, he should get one of those jobs. Otherwise, yes, he's a black hat. Dark grey, minimum. It's not like this is the only thing a programmer can choose to do with their skills and time.

--
Build a man a fire, he's warm for one night. Set him on fire, and he's warm for the rest of his life.
worth much more by Anonymous Coward · 2009-03-25 09:41 · Score: 0

$50000 to $2000000 is more like it (probably $250000)
To spell it out:
50 thousand to 2 million, probably a quarter million
That's 5x to 200x the $10000 that was paid. (probably 25x)
Re:DIE HACKER DIE by rbrausse · 2009-03-25 10:10 · Score: 1

DAS HÄCKER DER
better?
IPhone broken by Anonymous Coward · 2009-03-25 11:54 · Score: 0

It appears that the IPhone was pwned but the hacker didn't think $10,000 was enough money to give up the exploit.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Mobile+and+Wireless&articleId=9130346&taxonomyId=15&pageNumber=2
Article Update: Nils vulnerability affects iphone by Anonymous Coward · 2009-03-26 05:12 · Score: 0

The Computer World article by Gregg Keizer regarding this has been updated. The vulnerability from pwn2own which additionally impacts the iphone was the one discovered by German researcher "Nils" and not the one demonstrated by Charlie Miller.