Pwn2Own 2009 Winner Charlie Miller Interviewed

crazipper writes "Tom's Hardware interviewed Charlie Miller, winner of this year's Pwn2Own contest and formerly with the NSA. He discusses the effort it took before the contest to be able to take down a MacBook within seconds, sandboxing, and the effectiveness of the NX bit and ASLR. His outlook on end-users protecting themselves against attacks? 'Users are at the mercy of the products they buy.'"

In other news...

[djupedal]

> Users are at the mercy of the products they buy

Terminator the movie...1984 - Kyle Reese: "Pain can be controlled - you just disconnect it."

NX and ASLR

[sexconker]

The NX bit is awesome.

ASLR is effective, but it's generally used as a way to slow down attackers after they've already figured out how to break your broken shit.

Re:NX and ASLR

[Ethanol-fueled]

I'm suuuuure his time in the NSA had nothing to do with it. It's not like the NSA knows things that the general public aren't allowed to know.

Re:NX and ASLR

[Sycraft-fu]

ASLR is just more defense in depth. Real security, physical or virtual, comes from having multiple layers. While it is a nice theory to say "Well just make sure X is secure and nothing will ever get past it," that doesn't work in reality. Shit happens, your border security can fail. Thus real security comes in multiple levels. Not all of them are as critical or as effective as others, but they all help.

ASLR is just another level. If you find a flaw in some software connected to the network, you now have an additional problem in terms of getting code to execute. Is it insurmountable? No, but it is just more shit to get around.

The more levels of security you have, the less likely someone is to break through all of it, especially before you notice they are trying. Have a border firewall, and host based firewalls. Run a virus scanner on every computer. Enable execute disable on systems. Operate as a deprivileged user whenever possible and so on. The more you do, the more things there are to trip up an attacker. Don't say "Well we don't need this because we have this other thing."

I see that most common with firewalls. People will have a network firewall and thus assume that host based firewalls aren't worth the trouble. Well, they are. What if something gets by the network firewall? Just because it isn't supposed to doesn't mean it won't happen. Maybe someone brings in an owned laptop, maybe there's a flaw in the firewall, maybe yo just set it up wrong. Whatever, point is have multiple security layers. Make it so that just because you got by the network firewall, doesn't mean you are in.

So while I certainly wouldn't want to see a company rely on ASLR, as in say "No we don't need to fix that app bug, they can't exploit it since we randomize addresses," I do like it as another layer of defense. Not a magic bullet, but just that much harder to get in.

Re:NX and ASLR

[pclminion]

The NX bit should have always been there, and the fact that it wasn't is incomprehensibly stupid.

Re:NX and ASLR

[VGPowerlord]

I agree. One time when I was cleaning malware off of a neighbors computer (wasn't my idea, I got volunteered by someone else in my household), the NX bit kept one of those annoying fake antivirus ones from reinstalling itself when I had Procmon kill its process. At least I think it was Procmon.

Anyway, Windows came up with a nice dialog box telling me that execution was blocked, and it didn't appear to be running after a reboot.

Re:NX and ASLR

[lurch_mojoff]

Both NX flag and ASLR are present Leopard. For a number of compatibility reasons they are not implemented as extensively as they are on other systems, but it's disingenuous to say Mac OS X doesn't have them.

If you go look at Jordan Hubbard's From the Server Room to Your Pocket presentation:
http://www.usenix.org/event/lisa08/tech/hubbard_talk.pdf
or listen to it:
http://www.usenix.org/media/events/lisa08/tech/mp3/hubbard.mp3

you'd realize that Charlie Miller is milking his 15 min of fame for all they are worth with his incendiary comments - basically trolling for publicity.

Re:NX and ASLR

[ledow]

Yes, layers of security are indeed the key. Any one layer isn't totally impenetrable but, like layering nets over nets over nets, if you have enough layers then eventually you end up with something that's damn-near watertight.

People always laugh at me because they can't get on my wireless at home easily when they visit. This is because it has:

- WPA2 with secure passphrase and MAC filtering (so this defeats 99% of my visitor's casual attempts to log on)
- Onto a locked-down network with only one visible IP and on that IP, only one visible port (all clients have their own firewalls so that they regard the wireless as "untrusted" and don't transmit information over it) and that port is only open to known IP's. So even if they do get onto the network by sniffing / guessing /stealing the key (or WPA2 is cracked, etc.), there's nothing interesting to look at with nmap or sniff.
- On that port, an instance of OpenVPN which is secured by its own key infrastructure with passphrases.
- On that VPN, you have to set IP's, DNS and proxy correctly (and manually, no DHCP!) or nothing goes out.

Yet, on the "authentic" client side, all you have to do is copy some keys from a USB key and run one little tiny script and everything just runs... I even play Counterstrike over the wireless/VPN and don't even notice any extra latency. But when WPA2 is cracked, or OpenVPN has a bug discovered in it, or MAC filtering is rendered useless (already is, I know), or they guess my internal network numbering etc. then I have still bought myself an incredible amount of time and security to fix the problem before anybody can get onto the network - and anyone trying will be tripping over so many wires that I will notice them trying and just switch it off until I'm sure it's secure. And, from the outside, it just looks like an ordinary wireless connection. You could go overboard - I could run SSH over the VPN, I could hide the wireless broadcasts, I even have a port-knocking setup that I can use to authenticate the opening of ports, without affecting my use of the system.

Security is a question of probability... it's not that your security guard couldn't be overcome, or the safe cracked, or the cameras disabled, or the alarm cut, but that the chances of that ALL happening without anyone noticing are incredibly slim.

Re:NX and ASLR

[soliptic]

People always laugh at me because they can't get on my wireless at home easily when they visit... defeats 99% of my visitor's casual attempts to log on

*shrug* My visitors always say "cool, thanks!" when they log on my wireless dead easily. But, hey, personally my visitors are my friends and if they want to check their email in my flat I'm happy to help.

What exactly is on your wireless which requires/justifies such heavy security?

Re:NX and ASLR

Or you could own a nintendo DS and have to use WEP with no extra security. Whoops.

Re:NX and ASLR

What exactly requires/justifies such heavy security?

Boredom.

Re:NX and ASLR

[ledow]

An internet connection tied to my name and address?

I work in schools - I can't afford for some little plonker down the road to hack into it and then decide to use it to browse websites which may or may not be illegal and traceable to me (I'm thinking of one particular kind of website, the kind banned in most of the world and which Australia recently tried to block with a blacklist, but I'm currently behind a heavy filter on some of the keywords associated with that particular topic).

Internet access is convenient, sure, and my friends *do* use it (they have my USB key, it takes seconds for it to connect securely), or I lend them my laptop. It's not to protect me against my friends (I just find it funny that they can't figure out why it's locked down, much like you can't), it's to ensure that only people I choose can use it. You think it doesn't happen? There are published cases of arrests for people getting unauthorised access to WLAN's from parked cars every month where I live. You think that I wouldn't be prosecuted? Probably not, but proving that is quite difficult and the law is currently biased towards suspicion rather than leniency in that area. Additionally, just the *mention* of such things would be enough to lose my job with little-to-no recourse against my employer for getting rid of me... they can't afford that sort of reputation.

I also don't see why other people think their WLAN's should be open like this - everything comes back to you and creates hassle, if nothing else (the RIAA are now even talking about cutting off your connection if you get too much downloading going on from your home!). Also, depending on the setup, the wireless provides access (indirectly or not) to your home network. I don't let *anybody* on some of the machines I bring home from work and have to connect to my network (Data Protection, Child Protection, etc.) and I don't like the idea of anyone but me looking at the contents of any of my personal hard drives (no matter how benign they are in general, there will be credit card traces, receipts, logins, passwords, etc.). I have even done this in a live-demo for someone who didn't believe me ("Oh, there's nothing interesting on my computer" and in another case "Oh, you won't see anything going through my wireless without the passwords") and you'd be AMAZED what you can find out from an unsecured (or poorly secured) WLAN.

If you would let someone into your house to plug in an Ethernet lead into your network/computers, then fine... that's your problem. Otherwise, secure your wireless, or at least limit it to "Guest" access to just the Internet if you are using it to attract custom as part of your business.

Re:NX and ASLR

That is a little overboard for personal use. That is even overboard for a small business. You are just a minnow among billions of minnows.

The best security is to not have anything anybody wants and remain anonymous.

Security is only an issue if you have something people want or are so famous you can not be anonymous.

Re:NX and ASLR

[sexconker]

Nothing - he's just a Linux nerd who thinks he's important.

Re:NX and ASLR

[garaged]

That is called Paranoia my friend, and Im a bit paranoic, but I recognize when is going too far and control it

Re:NX and ASLR

[yo_tuco]

You could add one more layer of security. With your access point running OpenBSD's pf, it could have rules that require you to authenticate via a SSH login to a restricted account before it would let you send anything out of the other end of the access point.

Re:NX and ASLR

[Simetrical]

The NX bit should have always been there, and the fact that it wasn't is incomprehensibly stupid.

x86 was originally designed with a segmented memory model. You'd have one segment for code, one for data, one for stack. It was (and is) indeed possible to set data and stack segments non-executable. Actually, I believe this is achieved by the simple expedient of all jump instructions automatically using the CS (code segment) register, with no option to use any others -- thus you can't jump to or call the data or stack segments unless they overlap with the code segment.

The problem is, in practice people just set all three segments equal today, so that all of them fill the entire virtual address space. If you do that, everything is in the code segment, and so everything is executable. The addition of a per-page NX bit is a (very belated) acknowledgement of the fact that the old way of doing things just isn't used anymore. (But I think Google uses it for NaCl.)

Actually, Tanenbaum's Modern Operating Systems, 3e has an interesting remark about this (p. 237, emphasis added):

Since each segment forms a logical entity of which the programmer is aware . . . different segments can have different kinds of protection. A procedure segment can be specified as execute only, prohibiting attempts to read from it or store into it. A floating-point array can be specified as read/write but not execute, and attempts to jump to it will be caught. Such protection is helpful in catching programming errors.

You should try to understand why protection is sensible in a a segmented memory model but not in a one-dimensional paged memory. In a segmented memory the user is aware of what is in each segment. Normally, a segment would not contain a procedure and a stack, for example, but only one or the other, not both. Since each segment contains only a single type of object, the segment can have the protection appropriate for that particular type. . . .

The contents of a page are, in a sense, accidental. The programmer is unaware of the fact that paging is even occurring. Although putting a few bits in each entry of the page table to specify the access allowed would be possible, to utilize this feature the programmer would have to keep track of where in his address space the page boundaries were. That is precisely the sort of administration that paging was invented to eliminate. . . .

Of course, he's wrong in a sense: the NX bit is most definitely being used. (And the book is copyright 2008, too, so you'd think he'd know it.) It's an interesting remark anyway, though, and may explain why a per-page NX bit wasn't there in x86 to start with.

so buy nothing

[hguorbray]

at then you will not be at anyone's mercy ...of course you may not be able to do much then..

I'm Just saying'

Re:so buy nothing

[MrEricSir]

Pirating software won't make it any less vulnerable...

Re:so buy nothing

i didn't mean steal -I meant DON't GET IT -then you won't be vulnerable

I'm just sayin'

Wording

[Idiomatick]

'Users are at the mercy of the products they buy.' So clearly he is a big supporter of FOSS? Then you are at no ones mercy.

Re:Wording

No, in that situation, you are at the mercy of the products you choose to use. Being OSS doesn't make any difference.

Re:Wording

[Brian+Gordon]

The difference it makes is that with OSS more people can sneak in malicious code without jeopardizing their careers. I always avoid unstable releases and especially nightlies.. but for stable releases "somebody" is reading through everything in the source tarball, right?

The kernel is always safe though of course due to extremely high profile.

Re:Wording

Agreed. The "many eyeballs" are nowhere to be seen.

Re:Wording

[Plutonite]

Or at everyone's mercy ;)

Things like OpenBSD are the best for security not only because they are designed specifically with it in mind, but because the people working on it are of a limited, genuine species. With that said, it is probably better to be at 'everyone's mercy' than to be at the mercy of corporations who only want your money. It doesn't matter that the people inside them may want your admiration and recognition. It matters very little, at least. The corporations are who you deal with in the end. :(

in other movies..

[vancondo]

The first rule
next page>
about robot overlords is
next page>
we don't talk about robot overlords
next page>
!!!
--
http://vancouvercondo.info

Re:in other movies..

[djupedal]

we don't talk about robot overlords

--
Ya, know.... I thought about that. Then I thought...what if they know what I'm thinking?!!

So then, naturally, I didn't think about that. Showed them!

Any feminist grandmothers out there?

Thought I'd beat you to the punch...

"If you set me down in front of an application I've never seen before and told me I have 2 minutes to hack it, as is often the case in movies, I'd have no more luck than your grandma at accomplishing it. Well, maybe a little more of a chance, but not much!"

I hope you are offended.

Re:Any feminist grandmothers out there?

[Ironica]

My grandma has no chance of hacking anything, she's dead.

(Both of them are, actually.)

Users are at the mercy of the products they buy

[clarkkent09]

Why can't you sue a software company if you suffer a loss due to poor security in their product?

Re:Users are at the mercy of the products they buy

Because there's no such thing as perfect security.

Re:Users are at the mercy of the products they buy

[TheRealMindChild]

Because you would end up being able to sue almost everyone... ask the same type of question about a car and you will get the same answer "Why can't I sue a car manufacturer for a shitty design?" ... "Because you would end up being able to sue almost anyone"

Re:Users are at the mercy of the products they buy

[Aphoxema]

Because the EULA says so.

*dodges rotten tomatoes*

Re:Users are at the mercy of the products they buy

[supernova_hq]

The same reason you can't sue an alarm company when someone breaks into your house.

If your data is

• Important: back it up
• Sensitive: encrypt it
• Not yours to lose: get insurance (good for companies)

Re:Users are at the mercy of the products they buy

[Yarhj]

Because you would end up being able to sue almost everyone... ask the same type of question about a car and you will get the same answer

Actually, you CAN sue a car company if their poor design causes you harm - think of the Ford Pinto or any number of automotive recalls.

Re:Users are at the mercy of the products they buy

[maxume]

Are you really sure you (always) want to pay for high quality software?

Re:Users are at the mercy of the products they buy

Ah, but if the alarm fails due to negligence on the installer's part... there have been lawsuits.

Re:Users are at the mercy of the products they buy

[MrMista_B]

I illustrate the ridiculousness of your question, I'll rephrase it "Why can't you sue the construction company that built your house if someone vandalizes oor you suffer a loss due to break and enter?"

Re:Users are at the mercy of the products they buy

[Savage-Rabbit]

Why can't you sue a software company if you suffer a loss due to poor security in their product?

*Can't...stop...myself...must...don...tinfoil...hat*

It's because the leadership of the USA realised years ago that if such laws were passed the subsequent class-action lawsuits might bankrupt Microsoft.... they just couldn't go and do that to one of the nation's biggest tech companies, now could they?

Re:Users are at the mercy of the products they buy

Because it's against the EULA.
Even FOSS does this. Software is not always predictable, and they don't want to be sued because somebody did something and somehow killed their computer.

Re:Users are at the mercy of the products they buy

[Brian+Gordon]

Because you're not buying the software you have none of the explicit protections of a normal sale. You're licensing it. And read the license: "We don't guarantee this even does anything. It could wipe your hard drive for all you know. WE PROMISE NOTHING"

Re:Users are at the mercy of the products they buy

[Brian+Gordon]

If they left a gaping hole in your wall..

Re:Users are at the mercy of the products they buy

[99BottlesOfBeerInMyF]

Why can't you sue a software company if you suffer a loss due to poor security in their product?

You can. You are just highly unlikely to win.

Re:Users are at the mercy of the products they buy

Narrator: A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one.
Woman on plane: Are there a lot of these kinds of accidents?
Narrator: You wouldn't believe.
Woman on plane: Which car company do you work for?
Narrator: A major one.

Re:Users are at the mercy of the products they buy

[phantomfive]

Basically because

• No one claimed that their software is 100% secure
• Making secure software is really hard
• If you do want software that approaches optimal security, it is going to be expensive, not as expensive as making sure it has no bugs, but similar
• There would be no software companies left, and we try to avoid making laws that wipe out an entire industry.

When someone I'm working with writes a bug or leaves a security hole, I tease them, but the truth is I still have not found a way to write bug-free code myself. You can't really sue someone for not doing something that is impossible.

OK, I admit some companies could do a significantly better job of making things secure. The article gives a couple examples of what Apple could have done to make their code more secure. But if it were possible to sue someone for that, I would be quite worried personally, as a programmer, I don't trust a jury to determine what is a reasonable vulnerability and what is not, so from my point of view it is better to not make insecure software illegal. And in most non-internet code, security isn't really an issue.

Re:Users are at the mercy of the products they buy

If the construction company left a flaw in your house where any builder with knowledge could get in - and then you get vandalized, maybe they should be liable.

Re:Users are at the mercy of the products they buy

[moegoldberg]

Actually, you CAN sue a car company if their poor design causes you harm - think of the Ford Pinto or any number of automotive recalls.

Right, and similarly, I bet you could successfully sue a software company if their product caused you physical harm.

Grandma can't run Linux?

FTFA:

Charlie: I'll leave Linux out of the equation since I know my grandma couldn't run it.

Uh, I think you're quite wrong there. I know more than a few Grandmas running Linux. The thing is, they're the ones that usually need the least amount of software. A browser, maybe e-mail if they don't do it in a browser, that's about it. Linux is perfect.

Re:Grandma can't run Linux?

[supernova_hq]

Linux is NOT perfect. Anyone who thinks so is either an idiot or lying. For a lot of people, it is the best and of much better quality and calibre than the alternatives (windows, macOS), but definitely not perfect.

Disclaimer: Proud Ubuntu user since 7.10 and have never even considered moving back to windows.

Re:Grandma can't run Linux?

Uh, I think you're quite wrong there. I know more than a few Grandmas running Linux. The thing is, they're the ones that usually need the least amount of software. A browser, maybe e-mail if they don't do it in a browser, that's about it. Linux is perfect.

You can't be serious.

Of those "more than a few" Grandmas you know running Linux, how many bought and set up their own computer? How many Grandmas do you know that enjoy compiling drivers?

I'm not a Mac user myself, but for what it's worth, my own Grandma was able to buy herself a Mac and get it plugged in and running on her own. It's similarly easy with a Windows machine as soon as you figure out where all the plugs go, Windows setup is a breeze.

Sure, they need help figuring out what to do once the thing is running, but that's OS-independent.

Re:Grandma can't run Linux?

[Abreu]

Ah, you must be talking about the mythical "Aunt Tilly"

Please provide some proof of these Grandmas' existence... I would like to see some actual seniors using Linux

...and no, McGrew doesn't count ;), I mean non-techically saavy seniors!

Re:Grandma can't run Linux?

[chill]

Okay, here you go.

Re:Grandma can't run Linux?

[meeve]

What AC meant is that Linux is perfect for a particular "Grandma" use case, not perfect in all ways.

Re:Grandma can't run Linux?

[Idiot+with+a+gun]

I think the OP's comment about perfect was within the context of the most basic users. And I'd agree. For the vast majority of "simple" tasks (a very ambiguous statement), the setup/use of Linux (esp. Ubuntu) is exceptionally easy (also subjective).

Within the spheres of some Windows power users, who understand the ins and outs of Windows perfectly, Linux is foreign and useless. But the same could be said about Linux power users and Windows. So that is more of a statement about the difficulty users who are strongly versed in one OS have in switching to another. And that proves nothing in the Linux vs. Windows debate.

As far as security is concerned, I'd probably argue that Linux is more secure, but not completely secure. It's possible to get a Linux box completely screwed up (someone was talking about that here, where they accidentally exposed a Linux box with a very old version of OpenSSL to the web and got it compromised), but the question of which is easier to get more secure, or which will have fewer issues. No software is perfect (please no BSD comments), it's all a game of lesser of two evils.

Re:Grandma can't run Linux?

But Grandma doesn't install Windows or OSX either, they just buy the system and the operating system is already there.

My Grandma uses an EeePc. It works fine for her.

Re:Grandma can't run Linux?

Did you forget the eeepc? Old people love that shit more than their jitterbug

Re:Grandma can't run Linux?

[Repossessed]

Um... how many grandmas do you know who set up their own windows machine? Plugging it in doesn't count, they have to actually install windows.

0?

thought so. Windows is just as much of a PitA as Linux, and the same people who need help setting up one need help setting up the other.

Where Linux fails is the power users, who have learned how to do things beyond email (that someone else set up) in windows, and who have to re learn a sometimes less intuitive way in Linux. (that and peripheral hardware)

Re:Grandma can't run Linux?

[VGPowerlord]

Uh, I think you're quite wrong there. I know more than a few Grandmas running Linux. The thing is, they're the ones that usually need the least amount of software. A browser, maybe e-mail if they don't do it in a browser, that's about it. Linux is perfect.

Only until your mom, aunt, or great aunt gives them a copy of some Popcap (or really any casual) game and it won't run.

Re:Grandma can't run Linux?

You are right, Linux is not perfect.
OpenBSD is :D

But seriously if you get all your data stolen and your bank accounts wiped you should blame your vendor. Even Linux has some more security features than what gets released by distros.

And unlike what Miller states(Because it makes Macs look even worse, and he is a Mac retard). ASLR does a great deal against hackers, NX is important too of course, and other techniques that haven't arrived to "popular" systems. Still, ASLR done right is game over for most.

Even OpenBSD devs will tell you that its best not to have holes in your apps. But the same hole in OpenBSD and Mac isn't even remotely in the same order of exploitability.

All your popular systems compromise your security just to be able to state that they gained 1% performance over the previous version for spawning 65535 threads.

Instead of, well, -30% because we saved you from identity theft.

I use Ubuntu but I wouldn't access my bank account on it.

Re:Grandma can't run Linux?

[AHuxley]

If grandma needs to use Linux, she just seduces a 20 something... and gets any task done correctly and for free.
Thats where grandma's decades of real life experience is more useful than a 20 something's decade in moms basement.
Grandma can seduce her way onto any OS or system or network.
Or just have the best looking forum, blog, webpage or social networking page ever.
The best part is she passed the same skills onto her daughter too.

Re:Grandma can't run Linux?

[ushering05401]

If you really have a thing for ogling old people using FOSS, then check out continuing education programs in your area.

That is a reliable place to find seniors using Linux - as many use the local community center/community college as a place to find new hobbies/friends.

Twenty years ago it was Bingo/Bridge clubs, now all the oldsters are taking ceramics, piano, and 'internet' classes.

Re:Grandma can't run Linux?

[jeff419]

Switched to Ubuntu from XP right around the time Vista was becoming a popular term, version 5,04 or 5.10 was the first install I ever used.

Compared to my experience with Windows Ubuntu has been way better. Never had a virus or spyware. It has always just worked and that's all I need.

Re:Grandma can't run Linux?

[briggsl]

The point you're missing is, even those "Grandmas" that bought Mac or Windows machine didn't have to set up their system either. There are plenty of PC builders that will preinstall Linux on a machine with drivers etc, so your argument isn't really valid.

Re:Grandma can't run Linux?

[Hal_Porter]

If you really have a thing for ogling old people using FOSS

That sounds like the worst Rule 34 ever.

Re:Grandma can't run Linux?

[Abreu]

Thank you, that was what I was looking for!

How's Grandma doing with her computer, almost a year after your journal posts?

Re:Grandma can't run Linux?

[Hatta]

Where Windows fails is the power users, who have learned how to do things beyond email in Linux, and who have to relearn a sometimes less intuitive way in Windows.

Re:Grandma can't run Linux?

[synthespian]

Disclaimer: Proud Ubuntu user since 7.10 and have never even considered moving back to windows.

That sort of ranks you as a n00b.

Re:Grandma can't run Linux?

[Simetrical]

How many Grandmas do you know that enjoy compiling drivers?

I've used Linux exclusively on my desktop for somewhere over a year and a half, and have administered a Linux server for over two years. I have never had to compile a driver. I've only even had to ever install one driver manually (NVIDIA's binary-only driver, sigh), which is more than I can say for Windows! And the overwhelming majority of times I compiled any software at all that I didn't write myself, it was to get access to development versions for better bug reporting, which your typical grandma doesn't need to do.

I'm not a Mac user myself, but for what it's worth, my own Grandma was able to buy herself a Mac and get it plugged in and running on her own. It's similarly easy with a Windows machine as soon as you figure out where all the plugs go, Windows setup is a breeze.

And is this any different from a Dell with preinstalled Ubuntu?

I'm not going to claim that Linux is quite on par with Windows yet for usability, let alone Mac. But it's not all that far behind at this point. Most users should have no problems at all, especially if they're running on compatible hardware like on Ubuntu Dells. I strongly suspect your average grandma wouldn't have much more trouble moving to Linux than moving to Mac.

Re:Grandma can't run Linux?

[supernova_hq]

I never claimed to be an expert, or even an advanced user (though I have compiled a couple programs). I was just making a general user observation. I may be a "n00b" from your point of view, but I find the comment unwarranted and in bad taste. Had I tried pointing out specifics regarding the integrity of Linux, you could definitely use my "n00biness" as a point of argument (though a weak one), but I did no such thing.

I just hope you are nicer to people when (if) you help them out in forums and/or IRC...

Re:Grandma can't run Linux?

[chill]

Grandma has done fairly well. She can get her e-mail and check her bank accounts without assistance, which is 99% of what she wants to do. She still mashes the mouse button, jerking the mouse. She also is majorly impatient, clicking the Firefox icon 3 or 4 times thinking it isn't coming up fast enough. I wish that app had an "allow only one instance" option.

Many of her "senior" friends were encouraging her to use the PC more, but can never answer her question of "for what?" As it turns out, there is a set of them that are big into online games like poker, Mah-jong and the like. She isn't interested in that. She enjoys reading her newspaper over breakfast in the morning and watching the evening news on TV at night, so isn't interested in getting news online. She'd much rather be in her garden than on the PC.

Actually, she is comfortable in just having the PC there so she can tell her friends that she is "online" and get the occasional e-mail. She really does like the online banking. THAT she remembers to check. Her e-mail could go a week before she bothers to look. Snail-mail is faster for her. :-)

I've helped set up PCs for a bunch of her (ancient) friends. Almost all were underpowered, old hand-me-down PCs with something like Win98 or XP Home on them. If anything was less than 5 years old, it escaped my notice. "Let's get grandma a computer" usually is code for "Let's dump our old PC on grandma and use that as justification to buy ourselves a new machine!". This is a big problem because most of these people are impatient and the machines are too slow.

Still, their biggest obstacle in PC adoption is they've spent a lifetime doing things a different way and there is little justification for changing now. Especially when many of them are trying real hard NOT to sit around in front of some electronic box (like the TV) but actually get out and DO something while they still can.

Re:Grandma can't run Linux?

[Repossessed]

Well yes, and I hate using windows for exactly that reason.

Classic Quote

I've spent a lot of my research time on Macs because I like them and they also happen to be pretty easy to break!

That is classic

Re:Classic Quote

[Doctor_Jest]

Funny that. Easy to break because the userbase is so trusting? Because last I checked, the "pwnage" he used still required a click. Unlike Windows that can get worms and other fun stuff just by turning on the DSL modem. :)

That's not to say I'm flaming Windows... I'm more flaming Mac users (of which I am one/split between Leopard and Ubuntu) who need to be more concerned about WTF they're clicking, downloading, and giving their sudo pw too. So put your pitchforks away... I am not pleased with the lack of expedience by Apple in fixing flaws like the one used by this guy either. Even if it's not automatic... so I use Opera... then they have unpatched flaws they don't tell anyone about (platform independent I suppose), so what's a guy who can't get Chrome do? BE CAREFUL, that's what. I wouldn't go into a bad neighborhood with my wallet dangling from a string, so why would I surf the web like I'm on Sesame Street? Why would anyone?

pwnd & ownD

[binarybum]

Tom's Hardware
[NEXT PAGE>
  PWNs & OwnZ U
[NEXT PAGE>
  If you read
[NEXT PAGE>
  their articles
[To continue reading this comment, click here ]

Re:pwnd & ownD

[moderatorrater]

It's true. Not only that, but the interviewer ended up with the majority of the words on the screen anyway. I don't know why the interviewer felt the need to talk so much, but I would have much preferred if the questions were shorter and the answers longer.

Re:pwnd & ownD

Tom's Hardware
[NEXT PAGE>

  PWNs & OwnZ U
[NEXT PAGE>

  If you read
[NEXT PAGE>

  their articles
[To continue reading this comment, click here ]

increase your font size. then you get the scroll feel of slashdot

Re:pwnd & ownD

[adavies42]

burma shave

Re:pwnd & ownD

Yes. It's time click through malware stops being posted to Slashdot.
The interview is pretty uninteresting. We get to know that however math security genius he is, Miller(aka "my grandma") is a retard that cannot use Linux NOR Windows, so he uses only Macs even though he knows they are full of holes.

*hoping someone hacks into his computer and steals all the prize money from his bank accounts*

Re:pwnd & ownD

[jambarama]

He did a substantially similar 1-page interview at zdnet.

EULA

EULA, ever read it?

"[SomeStupidSoftwareCompany] is not responsible for any damages caused by the use/misuse of this software."

From Mozilla's EULA:

4. DISCLAIMER OF WARRANTY. THE PRODUCT IS PROVIDED "AS IS" WITH ALL FAULTS. TO THE EXTENT PERMITTED BY LAW, MOZILLA AND MOZILLA'S DISTRIBUTORS, LICENSORS HEREBY DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES THAT THE PRODUCT IS FREE OF DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE AND NON-INFRINGING. YOU BEAR ENTIRE RISK AS TO SELECTING THE PRODUCT FOR YOUR PURPOSES AND AS TO THE QUALITY AND PERFORMANCE OF THE PRODUCT. THIS LIMITATION WILL APPLY NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES, SO THIS DISCLAIMER MAY NOT APPLY TO YOU.

5. LIMITATION OF LIABILITY. EXCEPT AS REQUIRED BY LAW, MOZILLA AND ITS DISTRIBUTORS, DIRECTORS, LICENSORS, CONTRIBUTORS AND AGENTS (COLLECTIVELY, THE "MOZILLA GROUP") WILL NOT BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES ARISING OUT OF OR IN ANY WAY RELATING TO THIS AGREEMENT OR THE USE OF OR INABILITY TO USE THE PRODUCT, INCLUDING WITHOUT LIMITATION DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, LOST PROFITS, LOSS OF DATA, AND COMPUTER FAILURE OR MALFUNCTION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND REGARDLESS OF THE THEORY (CONTRACT, TORT OR OTHERWISE) UPON WHICH SUCH CLAIM IS BASED. THE MOZILLA GROUP'S COLLECTIVE LIABILITY UNDER THIS AGREEMENT WILL NOT EXCEED THE GREATER OF $500 (FIVE HUNDRED DOLLARS) AND THE FEES PAID BY YOU UNDER THIS LICENSE (IF ANY). SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL, CONSEQUENTIAL OR SPECIAL DAMAGES, SO THIS EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU.

So maybe you can get $500 from Mozilla of something goes wrong?

Re:EULA

[Pope]

You know what? Fuck Mozilla in the ear for putting that shit in all capital letters. There is no reason to do so, unless you actively want people to not read and understand it.

Re:EULA

[ChatHuant]

You know what? Fuck Mozilla in the ear for putting that shit in all capital letters. There is no reason to do so, unless you actively want people to not read and understand it.

Actually it's a legal requirement: under the Uniform Commercial Code, some items in a contract/license, like warranties or disclaimers, must be conspicuous. CAPITALS MAKE THEM SO.

He was sitting on the winning weakness

[iminplaya]

since last year.

A quote from another interview:

"Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away."

Who know what other goodies they have in store. But the browsers and the phones were hardly touched. The contestants are holding out for something better.

Re:He was sitting on the winning weakness

[Fluffeh]

You got to compare [$10k prize money] Vs [Value of exploit].

It's probably very easy to work out.

Re:He was sitting on the winning weakness

[nicolas.kassis]

yeah it's a little sad that these guys are hoarding this info for so long just to win a stupid contest. And he only had to use one of these exploits. What else is he's hoarding for next year? Just saying that that might be of interest to someone with time to get his macbook ya know ;p he does carry around to many countries.

Re:He was sitting on the winning weakness

[vux984]

Just saying that that might be of interest to someone with time to get his macbook ya know ;p he does carry around to many countries.

Just tip off the TSA. They'll confiscate it in a heartbeat.

Then its just a matter of liberating it from the TSA and getting it into the hands of someone who'll know how to read the information on it.

Baby steps...

Re:He was sitting on the winning weakness

[maxume]

The software companies could offer worthwhile bounties. Short of that, I can't fault the prizewinners much.

Re:He was sitting on the winning weakness

[99BottlesOfBeerInMyF]

yeah it's a little sad that these guys are hoarding this info for so long just to win a stupid contest. And he only had to use one of these exploits. What else is he's hoarding for next year?

Which is why software vendors should have standing bounties for useful exploits or, at very least, make a point of hiring these people to do pen testing on their software.

Re:He was sitting on the winning weakness

[Brian+Gordon]

It's not like if he spills it all then the platform will be secure.. there are a million vulnerabilities and he's not doing anything wrong by keeping a few up his sleeve.

Re:He was sitting on the winning weakness

[iminplaya]

It's the same as refusing to throw a life preserver to a drowning man until he throws you his wallet. But in the context of the free market, you are right. He is doing nothing wrong.

Re:He was sitting on the winning weakness

[Seraphim_72]

Really?

Try this then - I have the cure for Cancer (all of it), but I will only take the bounty for each one. How much will you give me for breast cancer? Oh and BTW I set my own price.

This guy is the Pharma of computers.

Re:He was sitting on the winning weakness

[zonker]

I've been in a lengthy argument about this guy on the Ars Technica forums. I ended up emailing Bruce Schneier about this and asked his thoughts.

Here was my email to him:

Hi Bruce,

I've been following the Pwn2Own contest for the last couple of years.
Last year a researcher from ISE ( http://securityevaluators.com/ )
named Charlie Miller used an exploit in a Perl library included in
WebKit, the base code for Apple's Safari browser and won a cash price
for his effort. In the press it was claimed he "hacked Safari in mere
seconds". In truth it took a lot more time than that to devise the
exploit and only seconds to execute it.

This year he did it again with another preplanned exploit which he
says he discovered while researching last years bug. Again he won a
cash prize of $10,000.

In an interview with ZDNet he said: "I never give up free bugs. I have
a new campaign. It's called NO MORE FREE BUGS. Vulnerabilities have a
market value so it makes no sense to work hard to find a bug, write an
exploit and then give it away," Miller told ZDNet. "Apple pays people
to do the same job so we know there's value to this work."

I have a major problem with his philosophy and feel this is a
dangerous precedent to set and a bastardization of the goals of
security in the fist place. I feel he has an obligation to inform
Apple and not dangle a dollar amount for the how-to.

Sure he should be paid for his time and effort which is why he works
at a security firm. This contest is basically bonus money and about
bragging rights. Sitting on a bug puts the safety of other users at
risk. But he is basically demanding bribe money for bugs. Who is to
say he wouldn't give up his research to the highest bidder? I'm sure
there are blackhat groups like those in Russia and China that would
pay handsomely for some juicy exploits like this.

Yes there is a long history of security firms hiring hackers and there
have been many questions of whether that is a good idea. But security
firms should take notice of this philosophy and not employee those who
engage in this kind of behavior. It's bad form for his employer and
makes the security industry as a whole look bad by proxy. Would you
hire a security company that employees hackers who blackmail for bugs
to work on your systems? If we hired his firm while I was working IT
at a large New York bank I would advised my boss to make sure he's not
on our project (and perhaps hire an entirely different firm altogether).

I've been in a discussion with other users about this. There seems to
be a split in viewpoint, one side saying he should let Apple and the
WebKit developers know about this exploit for the betterment of
everyone (for free). The other side feels this is purely about
capitalism and he has no moral or ethical obligation to tell anyone.

Some have likened it to seeing a crack in a bridge that might fail.
Are you obligated to inform someone of the problem? What if Dan
Kaminsky demanded $1 million to divulge details on the DNS BIND problem?

What are your feelings on this?

Thanks

Here's the discussion I've been following:

http://episteme.arstechnica.com/eve/forums/a/tpc/f/174096756/m/996001677931?r=869003677931#869003677931

http://dvlabs.tippingpoint.com/blog/2009/03/21/pwn2own-wrap-up

Bruce wrote me back today with his response:

There's a fine line between being paid for your efforts and extortion. This seems to cross it.

Re:He was sitting on the winning weakness

[J+Mack+Daddy]

Now try this... I don't have a cure for cancer (all of it), but I could do if I expend a huge amount of my own time and effort. Since I know that as soon as all my time and effort is put in, I will receive zero compensation (apart from bragging rights, which I can't eat), I decide not to bother. Net result, 'Pharma' doesn't exist. Yeah, good plan!

Re:He was sitting on the winning weakness

I know I'll et mooded down for this, But but but patents are bad and information wants to be free! And I hate coprorations.

Re:He was sitting on the winning weakness

[maxume]

I find your analogy false, and trite.

Re:He was sitting on the winning weakness

[Civil_Disobedient]

There's a fine line between being paid for your efforts and extortion. This seems to cross it.

It's only extortion if he threatens to use the bug for personal profit, or release the bug to a third party that intends to do the same (unless they pay).

It's not extortion if he simply keeps it to himself.

Re:He was sitting on the winning weakness

[fulldecent]

What is the white-hat way to legitimately sell (sensitive) vulnerabilities? I recently found one affecting a large bank and gave that away. Other ones I post on my blog at privacylog.blogspot but I expect to find more and could somehow benefit from this.

Re:He was sitting on the winning weakness

[zonker]

He did use the bug for personal profit. $10,000 worth of person profit.

Re:He was sitting on the winning weakness

[Simetrical]

Try this then - I have the cure for Cancer (all of it), but I will only take the bounty for each one. How much will you give me for breast cancer? Oh and BTW I set my own price.

Go ahead. No one is obliged to share their knowledge with other people for free if they spent a significant amount of resources obtaining it. Researchers need to eat just like anyone else; they need adequate compensation for their time, one way or another. If they don't get enough money to suit them, they're mostly just not going to be able to do the research: they'll have to find some other line of work that actually pays.

Re:He was sitting on the winning weakness

[iminplaya]

You are incorrect. The analogy is spot on, with millions of deaths every day to back up his claim.

Re:He was sitting on the winning weakness

[maxume]

Millions of people are dying from undisclosed software vulnerabilities?

News to me...

Re:He was sitting on the winning weakness

[iminplaya]

Nice one :-) But the big pharma analogy still applies. And it's just the whole attitude of "every man for himself" that came out of the 80s with its not really free markets that makes the guy act like this. And who knows? Maybe we can find less than six degrees of separation between undisclosed software vulnerabilities and somebody's demise.

Re:He was sitting on the winning weakness

[Seraphim_72]

Please. If he was running a hole patching company I might agree. He is pretty much doing it for the bragging rights. 5K for a total pwn of MacOS? What do you think the black market would pay for such a thing?

Re:He was sitting on the winning weakness

[Seraphim_72]

And your comment is useless and adds nothing to the conversation.

Try this then.

I can halt untold misery, but it will be 5k and a prize, a year from now. Until then, tough. Sitting on a OS owning weakness so you can collect a prize is asshattery of the first order.

Re:He was sitting on the winning weakness

[maxume]

The hyperbole is the trite part, and you just made it worse. Also, I think you are lying about being able to halt untold misery.

Anyway, you are assuming that he came up with the weaknesses independent of the contest; if he researched the weakness because he figured he could win the contest, he is responding to an incentive and the contest is helping Apple. Apple (and other vendors) would do well to notice that people will track done flaws in their products when given proper incentives.

Given that we don't know what his motives for finding the flaws are it isn't really worth having an opinion battle, but as long as it is possible that he researched the flaw specifically to win the contest, I really can't fault him for using the flaw to win the contest.

Re:He was sitting on the winning weakness

Is his non-disclosure resulting in anybody's death? No? Then your analogy is false.

Why should this guy work to improve Apple's product for free? If Apple offered him a suitable payment, I'm sure he'd help Apple to secure the vulnerabilities.

Re:Obama Policies Will Bankrupt USA Tsarkon Report

[Onymous+Coward]

I don't think anyone's falling for your subtle scheme of trying to make conservatives look like rabid nutsos.

Damned liberal sock-puppet-operating conspirators.

What's this all about "PC/Mac/Linux"?

[Zapotek]

PC meaning what? Windows?
And... Mac meaning OS X?
And... Linux meaning a Linux distro?
Whenever I hear someone referring to systems like that I get in a mood to tell them off.
Last time I checked PC meant Personal Computer. Are OS X and Linux only running on Cray mainframes nowadays?
He's a security expert and I've also heard my CS professors talk like that..I mean, shouldn't they at least refer to systems properly?

Sorry for the rant, I couldn't help myself...

Re:What's this all about "PC/Mac/Linux"?

[pclminion]

PC has not meant "personal computer" for a long, long time. If every "personal computer" is a PC, then your iPhone is a PC. Your freaking wristwatch is a PC. I think we can all agree that this usage is dead. "PC" means an Intel architecture computer capable of running Windows. It stands for nothing. Let's call it an "obsolete-cronym"

Re:What's this all about "PC/Mac/Linux"?

[99BottlesOfBeerInMyF]

Whenever I hear someone referring to systems like that I get in a mood to tell them off. Last time I checked PC meant Personal Computer.

Actually, as I recall the term was originally, "IBM compatible personal computer". Thus, the term excluded Macs. It was shortened to "PC" after the meaning was established.

Re:What's this all about "PC/Mac/Linux"?

[somebody1]

"PC" means an Intel architecture computer capable of running Windows.

Well, current Macs are Intel architecture computers and they are capable of running Windows.

Re:What's this all about "PC/Mac/Linux"?

[ushering05401]

What are you talking about?

PC and PC-Clone originally meant IBM, not MS.

Go to wikipedia and type in IBM PC.

Before that it was all micro/mini naming conventions.

Re:What's this all about "PC/Mac/Linux"?

[Starker_Kull]

Let's call it an "obsolete-cronym"

Hmmm... we can do better at coining a new word.

Let's start with an anachronism:

anachronism |É(TM)ËnakrÉ(TM)ËOEnizÉ(TM)m| noun a thing belonging or appropriate to a period other than that in which it exists, esp. a thing that is conspicuously old-fashioned.

Now, let's combine that with an acronym:

anachronism + acronym = anachronym! Sounds better...

Re:What's this all about "PC/Mac/Linux"?

[chthon]

Yeah, Apple only builds home computers.

I think the best quote was...

[vux984]

Between Mac and PC, I'd say that Macs are less secure for the reasons we've discussed here (lack of anti-exploitation technologies) but are more safe because there simply isn't much malware out there.

That pretty much been my take on the situation as well. Vista SP1 really is one of the most secure OSes I've used.

They glossed over Linux on this question, but I suspect Vista SP1 is probably more secure than linux too 'out of the box'... but again less safe in actual practice. Again simply due to the sheer relative volume of malware and the relative high value of windows exploits to linux ones.

(Although Linux at least does have 'SE Linux', AppArmor, Exec Shield, support for ASLR, etc, etc so its more a case that its just not on by default yet. (Ironically a complaint usually levelled at Windows).

And while improvements are added with each kernel release, too Linux admins refuse to install them because would reset their belowed uptime scores which they feel the need to post to /. on a regular basis...

I kid... I kid...

Re:I think the best quote was...

[VGPowerlord]

They glossed over Linux on this question, but I suspect Vista SP1 is probably more secure than linux too 'out of the box'... but again less safe in actual practice. Again simply due to the sheer relative volume of malware and the relative high value of windows exploits to linux ones.

And the sheer amount of users who are trained to click OK at every dialog.

Which is half of the reason why UAC is, on the whole, a failure.

(The other half being that certain actions have too multiple prompts)

Re:I think the best quote was...

[ion.simon.c]

It seems that ASLR of some form or another has been enabled by default in Linux since 2.6.12. [0] Also, IUC compiling code with gcc's -PIE flag helps.

I have a PaX + grsecurity enabled server at home. It'd be *really* nice if the gdb folks could make debugging a possibility under that configuration. Not having stack traces or being able to set breakpoints [1] is a bitch! :)

[0] http://www.nabble.com/Edgy-and-Proactive-Security-td4695373.html
[1] Not being able to set breakpoints is probably something that I can fix with a little Googling.

Re:I think the best quote was...

[ion.simon.c]

Er, make that -fPIE. Proofreading FTL.

Re:I think the best quote was...

[vux984]

I don't really think it was flamebait.

And the sheer amount of users who are trained to click OK at every dialog.

This is legitimate. Its not a windows 'flaw' though.
Its what comes of being the system used by the majority of the least technical people. If the other oses gain siginifant marketshare, the people there will 'ok' away warning or prompt that's between them and their 'free cookie'.

Linux users are for the most part more savvy... for now.

Which is half of the reason why UAC is, on the whole, a failure.

UAC isn't a failure. Expecting UAC to fix unsophisticated users from themselves is unrealistic. Either you let the user have final say, or you don't. It would have been far worse if Microsoft had final say on what runs. That's the TPM/DRM worst case scenario that we REALLY don't want.

But what UAC does is let sophisticated users use Windows safely, and it works well at that. Very nearly as good as Linux in my opinion, especially given how much backwards compatibility with insecure applications that expect admin access it has to provide some sort of accomodation for.

(The other half being that certain actions have too multiple prompts)

See above. Particularly the part about 'backwards compatibility'. Linux doesn't have this problem. There aren't 2 billion programs from two to twenty years ago that linux users expect to use that all were written assuming they had root access. This is exactly the situation on Windows.

Re:I think the best quote was...

[jonaskoelker]

I suspect Vista SP1 is probably more secure than linux too 'out of the box'... but again less safe in actual practice. Again simply due to the sheer relative volume of malware and the relative high value of windows exploits to linux ones.

Suppose I created the mythical 100% secure OS. It would have 0 (working) exploits and no malware. $OTHER_OS (windows, linux, os x, pick your poison) would have more than 0 exploits.

Is my OS secure because it has fewer exploits, or is the other way around: the OS has fewer exploits because it's more secure?

Isn't security by definition the degree to which the OS in question can't be exploited?

Re:I think the best quote was...

[jcupitt65]

If we're comparing default installs, then vista sp1 is a lot less secure than ubuntu. The default login on vista is an administrator and UAC offers very little protection. There are multiple, trivial, unfixable ways to get around it due to Window's legacy. As MS themselves say, UAC is NOT a security barrier.

Ubuntu on the other hand has an unprivileged default user who has to sudo to do anything, with a proper security barrier between the two states. It's also had ASLR, stack protection, heap protection and various other features on by default for a while.

Re:I think the best quote was...

[vux984]

The default login on vista is an administrator...

The 'administrators' group in Vista is a lot more like being on the sudoers list than being root.

Re:I think the best quote was...

[Thyamine]

I agree. I don't know this is flamebait. Often on remote support calls you tell the user, over and over, 'yes, that's fine.. just click OK.. just click Next... ok you are good, if anything else pops up just keep clicking OK'. The problem is that for an install of MS Office or something, it's no big deal, but the user doesn't always understand the danger when their browser or some random app starts prompting them in the same manner.

Re:I think the best quote was...

[vux984]

Is my OS secure because it has fewer exploits, or is it the other way around: the OS has fewer exploits because it's more secure?

The point the pwnd2own winner made was the 2 aren't really all that related.
All systems have exploits, that's why your OS is mythical.

Isn't security by definition the degree to which the OS in question can't be exploited?

Sure. To a point. But how can we know the relative degree to which the OS in question can't be exploited when 9/10ths of the effort is focused on finding exploits for the other OS.

Suppose Linux was a cardboard box and Windows a locked safe.

You stick Linux out in the desert somewhere, and put Windows in an alley in new york.

Even though windows is far more secure (in this hypothetical example); windows will be opened and emptied of anything valuable before the linux box, every time.

Concluding Linux is less exploitable than windows is like concluding homes are more securely built in Saskatoon than in New York because the number of break-ins in Saskatoon
is lower (lower per capita, of course).

Re:I think the best quote was...

[Thelasko]

Although Linux at least does have 'SE Linux', AppArmor, Exec Shield, support for ASLR, etc, etc so its more a case that its just not on by default yet. (Ironically a complaint usually levelled at Windows).

Please vote to stop this nonsense.

Re:I think the best quote was...

[Simetrical]

(Although Linux at least does have 'SE Linux', AppArmor, Exec Shield, support for ASLR, etc, etc so its more a case that its just not on by default yet.

In which distros? RHEL and Fedora ship SELinux by default, and Ubuntu uses AppArmor. The enterprise distros, in particular, tend to have fairly good security AFAIK. I'd be interested to know how such distros compare with Windows in security.

Re:I think the best quote was...

Vista SP1 really is one of the most secure OSes I've used.

Is it? How do you know? Can you prove that it is?

Although Linux at least does have 'SE Linux', AppArmor, Exec Shield, support for ASLR, etc, etc so its more a case that its just not on by default yet.

But it is on by default in the distribution I run, and have run since 2008. Oh, right. You were talking about "Linux", whereas everyone actually using a Linux-based operating system would refer to their chosen distribution. There are several of those. And, incidentally, several of those do have the security mechanisms you mentioned above enabled by default.

You should get updated. Things move quickly.

Re:Obama Policies Will Bankrupt USA Tsarkon Report

You know we dont read this shit dont you troll?

How can you not love this guy?

[mindstormpt]

I've spent a lot of my research time on Macs because I like them and they also happen to be pretty easy to break!

Every time you quote this, somewhere in the world a mac zealot's head explodes. I just did my part :P

Re:How can you not love this guy?

[ciaohound]

Surely he meant that the mac is easy to break if you DROP it or knock it off your desk. That's what went through my head. That has to be it... Whew... Getting warm in here... ahhhh... pressure... aghhhh! (pfffft!)

Re:How can you not love this guy?

[Concerned+Onlooker]

I'm beginning to think this "Mac zealot" business is a figment of overly sensitive Windows users imaginations. I work at a place where around 40-50% of the employees choose to use a Mac. The only derisive comments I EVER hear are little snipes aimed at Macs by the Windows crowd. "The page isn't loading? Is it because you're using a Mac?" "You just can't get any work done on a Mac." And yet the Windows crowd loves to complain about Microsoft. I think Microsoft owes their success to the Stockholm syndrome.

Re:How can you not love this guy?

[Lucid+3ntr0py]

Maybe they like to complain?

Re:How can you not love this guy?

You do realize that the fact that you don't hear Mac users criticize Macs or Apple is a better argument for their zealot tendencies than otherwise, right?

Either that, or Macs are perfect, which, as we all know, they aren't.

Re:How can you not love this guy?

[kevmatic]

Then you clearly don't have any Mac Zealots where you work.

Yes, I personally know Mac Zealots. I took constant belittlement for nearly two years because I don't run MacOS. Every time you fired back with the slightest criticism of Apple's many many problems and flaws, he'd turn the color of a tomato and storm out of the room. He literally alienated himself from his friends after he bought an iMac. Sad.

And that was only one of them. Oh yes, they exist. On the Internet and in real life.

Apple, over the years, has really sought to promote this with their marketing campaigns and such. Ever notice they don't sell on their own features, but rather Windows' flaws?

That being said, being a Mac USER doesn't make you a Mac ZEALOT.

Re:How can you not love this guy?

[Thelasko]

I'm beginning to think this "Mac zealot" business is a figment of overly sensitive Windows users imaginations.

You've never complained about a Mac and been modded into oblivion, have you?

ASLR?

[tux0r]

... 24/M/Australia/Jedi?

Re:ASLR?

[rhenley]

Man, I NEVER have mod points when I need'em.

Google has connected all the dots...

[AHuxley]

A former NSA person is pushing a google browser as safe?
A US company could have your long term search history, your location away from the computer via your mobile phone OS and the application you surf the web with.
Running Mac, Win or Linux is just a matter of lifestyle.
Thats a lot of tracking options for everyday people.

Not only that

[Sycraft-fu]

But if you want something with guaranteed security or uptime or the like, you aren't going to be allowed to mess with it. That means whatever software/features it comes with, you are stuck with. No installing 3rd party tools and such. The design needs to be verified, which means testing all the components against each other and making sure there are no unexpected problems.

So not only would your computer be more expensive, and use older technology (since it'd take longer to develop and test) but it'd be an appliance type device. It would do only what it was originally designed to do. You'd not be allowed to install things on it, or change the hardware.

If you want computers as they are today, where it's the "wild west" situation of being able to do whatever you want with them, well then you have to take some security problems with that. Just life. Me? I'll deal with having to have some security issues for the ability to run whatever I want, and to get systems cheaply.

all you really need to know

[drinkypoo]

He says: OSX is less secure but there's less malware because there's less users than Windows; You need Vista with SP1 to be dramatically more secure than OSX; Linux has mediocre security but is about to get a bump; His grandma can't use Linux; noscript can keep you safe but he doesn't think it's worth it. I figure the last part is just about job security...

On the Payroll Much?

[Techman83]

Charlie: I'll leave Linux out of the equation since I know my grandma couldn't run it. Between Mac and PC, I'd say that Macs are less secure for the reasons we've discussed here (lack of anti-exploitation technologies) but are more safe because there simply isn't much malware out there. For now, I'd still recommend Macs for typical users as the odds of something targeting them are so low that they might go years without seeing any malware, even though if an attacker cared to target them it would be easier for them.

Pity that question wasn't earlier, I wouldn't of had to waste my time reading TFA. Nothing he said was particularly surprising and most of it had a fairly obvious bias.

Re:On the Payroll Much?

[Techman83]

Possibly the Subject is flame bait, but in fairness those that modded this flame bait, have they read the article?

I wonder if you can mod articles flame bait, as going by moderation of my comment it certainly qualifies

Re:On the Payroll Much?

No reason to offer fairness to the mod. A Microsoft type just spent all of their points on this discussion. You weren't alone.

My take on the story is the same. Dismissing noscript was particularly stupid.

I've got a message for the mod, too: Can you really believe that the ability to exploit a webkit vulnerability makes this guy automatically right about any security question about an OS generally? It does not follow.

Grandmas

[shem]

My mother is 80 and uses Ubuntu. My grandma, on the other hand, is dead and has big difficulties using MS-DOS, let alone Linux.

Re:Obama Policies Will Bankrupt USA Tsarkon Report

[dc8e6589a1e4fb80f1f8]

You're making conservatives look like rabid nutsos every time you mention "conspirators" or a left-wing media. You're making conservatives look like rabid nutsos every time you troll on Slashdot.

Also, the USA is already bankrupt and has been for decades. Look how much national debt Obaba inherited.

I know I shouldn't feed the trolls and I'll get modded -1 Offtopic, but I just don't care all that much about my Slashdot karma score.

wine

with ubuntu 8.10, you can use the gui to add/remove wine. now true its not installed by default and the person would need to know about wine. but i digress. once it is installed you simply double click on .EXE's and they are installed and appear on the 'start' menu. its easier that under windows. i just installed a photoshop ps2. its great. so it would be a very good option for 'casual games' or other apps. and classic games, particularly old sierra and adventure games with lots of nice synth music thats was written for good but expensive.obscure sound cards, like rolands and gravis ultrasound. well installing dosbox and hear them in emulated glory, better than the original with your soundblaster. and dosbox also does graphics smoothing and interpolation. so appart from high performance games you dont need windows for windows apps.

Isn't it time to write s/w in better languages?

[master_p]

All throughout the article, the back doors for malware are buffer overflows.

Isn't it time to write our software in something that does not allow buffer overflows? something better than C/C++, that is. The cost of securing apps written in these languages is tremendous...

Mac is behind. Way behind. That surprises me.

OpenBSD, FreeBSD, Linux, and Windows have been using these techniques since 2004.

When I read yesterday that Mac OS X doesn't I was shocked. Shocked! I didn't even believe it, because I thought everybody had adopted this idea already. In 2009 these techniques are very old news.

I still didn't believe it today, so I wrote this program..

#include <sys/types.h>
#include <sys/mman.h>
#include <stdio.h>

int main()
{
      printf("%p\n", mprotect);
      return 0;
}

Sure enough, it prints the same address every time I run. Wow. Just wow, Apple. This shows that they care absolutely nothing about security.

Re:Mac is behind. Way behind. That surprises me.

The same program running on BSD will have the same result. you want:

int main()
{
            register void *ptr __asm__("esp");
            printf("%p\n", ptr);
            return 0;
}

Re:Obama Policies Will Bankrupt USA Tsarkon Report

[Simetrical]

You know we dont read this shit dont you troll?

A heck of a lot more people read it when it has a child that's +1 Insightful.

Re:Obama Policies Will Bankrupt USA Tsarkon Report

[Onymous+Coward]

Okay, here's what happened:

1. Truly anonymous and cowardly Anonymous Coward posts sincere, frothing neoconservative hate rant.
2. A non-anonymous, somewhat bold Onymous Coward poses as a grousing neoconservative, accusing the (truly hate-mongering and ridiculous) Anonymous Coward of actually being a liberal in disguise, accusing the Anonymous Coward of only pretending to be a neocon, accusing Anonymous Coward of really being a liberal trying to denigrate neocons by coming across as a crazy neocon. In fact Onymous Coward really believed the anonymous coward was what he appeared at face value to be, a frothing anti-liberal.
3. You failed to see this was what was going on (understandably -- it's convoluted), and attacked the persona that Onymous Coward put out there.

The Jiu Jitsu here is in making the hatemonger second guess his tactic by feeling that his putative brethren are uncomfortable with being lumped together with such blathering and blatant nuttery, by making him feel like he's doing more harm than help to his own cause by being so strident. The idea is to trip up the annoying AC enough to get him to shut the hell up. I apologize for throwing you off balance in the process.

On reflection, since such raving really does harm the image and viability of the fundamentally xenophobic ideology of neoconservatism... I suppose I should just let him ramble on. It would benefit the world to have his philosophy marginalized by his own distasteful flogging. Tripped myself up! Whoops!

Sorry! Anonymous Hater, if you're listening, please carry on! Shout it, brother!

Re:Obama Policies Will Bankrupt USA Tsarkon Report

[dc8e6589a1e4fb80f1f8]

Oh, my bad. The original AC comment was hidden to me.

Re:Obama Policies Will Bankrupt USA Tsarkon Report

[Onymous+Coward]

No worries. Really my fault for such silly convolution. Sorry.