Safari/MacBook First To Fall At Pwn2Own 2011

recoiledsnake writes "A team of security researchers from the French pen-testing firm VUPEN successfully exploited a zero-day flaw in Apple's Safari browser to win this year's Pwn2Own hacker challenge. The hijacked machine was running a fully patched version of Mac OS X (64-bit). Bekrar's winning exploit did not even crash the browser after exploitation. Within five seconds of surfing to the rigged site, he successfully launched the calculator app and wrote a file on the disk without crashing the browser. Apple has just released Safari 5.0.4 and iOS 4.3 a few minutes before the Pwn2Own contest in an attempt to save face (a last minute patch for Chrome was also released) but failed."

Simple

It's called "Pwn2Own": the hackers win the machines they hack.

Everyone wants Macs. They hack them first. The other computers come down minutes later.

Re:Simple

[TheRaven64]

I think this is the important point. It doesn't matter that the Mac failed first, it matters that it failed at all. The order isn't important - all of the exploits took a small amount of time, and all were done just by making the machine visit a malicious site. Which one was tried first is not the important bit.

The most embarrassing thing for Apple is that OS X has included a mechanism for applying fine-grained sandboxes to applications since 10.5 which Safari doesn't use. It would only be a couple of weeks worth of work for an engineer to create a sandbox policy, test it, and ship it with Safari. For some reason, Apple has decided not to invest this effort.

Re:Simple

Excuses, excuses. Your Mac is an insecure piece of shit.

Re:Simple

[DrXym]

I assume these developers would need a Mac and extensive knowledge of its inner workings in order to develop and test an exploit. Therefore it make no sense to say this is just some hacker after the nicest prize. They're after the prize they know how to obtain and have spent a considerable amount of time researching.

It may well be that other computers fall thereafter and I expect in those cases they fall from people who similarly have knowledge of those respective systems.

So basically it sounds like you're making excuses.

Re:Simple

[clang_jangle]

I think this is the important point. It doesn't matter that the Mac failed first, it matters that it failed at all. The order isn't important - all of the exploits took a small amount of time, and all were done just by making the machine visit a malicious site. Which one was tried first is not the important bit.

Exactly. It might have been far more interesting if we'd had a summary that at least made an effort to tell the whole story, rather than just the one-sided flamebait we got...

Re:Simple

Lies. Several times now they've had to allow more access to the machine before Windows was hacked. One year, before they stopped including Linux, it made it through the entire competition without being hacked despite everyone's best effort.

At some point, you're going to have to accept that OS X just isn't that secure. It has a poor, inconsistent implementation of ASLR and DEP, Apple tends to be very slow at patching vulnerabilities, they don't prioritize security or safe coding practices, and it has absolutely nothing that compares to SELinux. It's 2011, being Unix doesn't magically make you secure.

Re:Simple

[mikael_j]

Actually the reason Safari went down first was because it was the first target. Followed by IE8 which also went down. The researcher who was going to go after Chrome never showed up and Firefox is next in line...

Re:Simple

[V!NCENT]

Where's the Mandatory access control feature on the iMac? Will you help me find it for me please? I'm thinking about making the switch because NT6.1 doesn't have it.

Re:Simple

[clang_jangle]

Perhaps your kind is the reason why Apple is hated. You disgust me.

Thanks for illustrating my point with your blind, irrational, displaced rage.

Read it again troll, this time thinking about the fact that I'm a gentoo and freebsd user. :P

Re:Simple

[daid303]

The researcher who was going to go after Chrome never showed up...

So... google has the best assassins?

Re:Simple

[MrHanky]

I just pointed out that it's neither blind nor irrational. The first dozen or so comments to this story were Apple apologists trying to spin it.

Re:Simple

[aliquis]

Mac reta... err.. users always got an excuse!

I doubt it's got much to do with everyone actually wanting a mac but rather more than people either shooting for the mac because of the fame and extra publicity or because of Apples (and their users) arrogance.

Re:Simple

[N1AK]

What's that rumbling sound I hear? Ach mein gott, it's the stampede of anti-apple trolls with their one-dimensional stereotypes, flaming straw men, and tired, old memes!

Wow. Using 'straw men' in your creation of a straw man argument, my hypocrisy detector nearly blew a fuse.

Re:Simple

I would target it purely for the last reason. Linux often deserves the same treatment. It's bizarre how religion has managed to infiltrate daily thought, especially when dealing with computers.

Re:Simple

[C_amiga_fan]

>>>Apple is it lately.

I don't have a problem with Apple.

I have a problem with the *owners* who act as if owning an "unhackable" Apple was like being married to the most beautiful wife on the planet. ("Why would anybody choose a different partner/ manufacturer???") Apple's personal computers are still..... just PCs. Just like Acuras/Lexuses are just Hondas/Toyotas.

Re:Simple

[NoZart]

Statler and Waldorf, is that you?

Re:Simple

[MrHanky]

Excusing Apple from being hacked is by definition (2) an apology. Being emotional (something which is only your imaginative interpretation of my rather terse writing, btw) does not negate being rational, on the other hand. You're attacking my comments with false logic and false propositions. Good work for someone pretending to be the rational one.

Re:Simple

[Jeff+DeMaagd]

It might be making excuses, but wouldn't the Safari vulnerabilities also be found on the Windows version? After that, starting a program or writing a file might not be so difficult. Either way, it sounds like Apple needs to fix their software and their security focus.

Re:Simple

[clang_jangle]

I have a problem with the *owners* who act as if owning an "unhackable" Apple was like being married to the most beautiful wife on the planet. ("Why would anybody choose a different partner/ manufacturer???")

Who cares? Besides, for the non-geek, and for the multimedia professional it's true -- there is nothing that can touch OS X and the software available for it. It's an idiot-proof, user-friendly *nix.

Yes, it's limited, dumbed-down, locked-down, and has an aggravating tendency to try to force users into doing things "the Apple Way". In that regard, it's just as frustrating to me as windows. But it's still got the power of bash out of the box, and is every bit as capable as linux or any other BSD in many key ways. I can understand why people pay the premium, if the money isn't an issue it's a no brainer for lots of people.

Apple's personal computers are still..... just PCs. Just like Acuras/Lexuses are just Hondas/Toyotas.

Custom PCs with custom mobos running commodity chipsets, with an OS tuned, tested, and optimized for the hardware. It's a completely reasonable choice for people who like what Apple offers. The security isn't "all that", but it certainly beats the hell out of windows for the average user. The whole applehatred thing is weird, like racism or religious zealotry..

Re:Simple

That's not a straw man argument. ftfy.

Re:Simple

[clang_jangle]

Excusing Apple from being hacked is by definition (2) [google.com] an apology

Oh FFS, no-one "excused Apple from being hacked". Facts were presented, you don't like the facts, sucks to be you.

Re:Simple

[dotwhynot]

It's called "Pwn2Own": the hackers win the machines they hack.

Everyone wants Macs. They hack them first. The other computers come down minutes later.

First one wins 15k$ cash. You are saying they risk this by not going after the easiest target first because they so desperately want a Mac?

Re:Simple

OS X 10.6 was only $30 when it came out.

Re:Simple

[filthpickle]

he used google maps to find the place.....and oh, he found it....

Re:Simple

[SuricouRaven]

Ideological differences. Slashdotters like such princibles as open source, patent-free technologies, and the right to do as you wish with hardware you buy even without the manufacturer's approval. They hate DRM and any anti-tamper measures. This means they will be in conflict with Apple, in the same way they are in conflict with Microsoft. Both companies behave in ways (Like requiring code-signing to run any software on an iPod/phone/pad) which are in very strong opposition to the openness and right to tinker that most geeks love.

Re:Simple

[Dunbal]

But you have to understand the psychological aspect. I mean if you had paid twice as much for a brand and a look, found out that for your money you weren't getting much else, and watched the software you thought unhackable fail so miserably when you thought you were paying for security, you would be in denial too and rush to their defense. It's not Apple he is defending, it's his own feeling of foolishness that he's trying to cover up.

Re:Simple

[clang_jangle]

Yes I understand all that, but the thing that trips me up is that I always hope that these discussions will be somewhat rational and fact-based. Whenever Apple comes up it's as if most people here completely lose their intelligence through emotional overload or something. Between the haters and the fanbois one can hardly participate without being assigned a "side" and painted as a one-dimensional stereotype. Factual observations expressed with attempted humor get modded "troll", trolls get modded "insightful"... Reminds me of that original Star Trek episode about Landrew and the Red Hour . "You are not of the body!".

Re:Simple

[andydread]

wow thats a different apologist twist on the issue that Macs are the least secure operating systems and get hacked first. wow.

Re:Simple

[C_amiga_fan]

>>>with an OS tuned, tested, and optimized for the hardware.

While that's true, I prefer hackable hardware like the Ataris, Commodores, and Amigas I grew up with. Even Macs used to be hackable, until Steve Jobs locked them down with his NeXT OS (10.x). I like pushing things to the limit.

I also like using a standard format that is widely supported. Good luck trying to run Mentor Graphics or ModelSim or Utorrent or "2xAV" (double speed) or Final Fantasy 11/13 on a mac.

Re:Simple

[mwvdlee]

Or maybe they already had Macs so they could research the exploits and they started with the Mac just to piss off those annoying "OS-X is so much more safe than Windows" apple fanboys. Someday apple fanboys will realize that their "security" really was "security through obscurity" all along, and on that day many apple fanboys will have to reformat their harddrives.

Re:Simple

[BasilBrush]

Slashdotters like such princibles as open source, patent-free technologies, and the right to do as you wish with hardware you buy even without the manufacturer's approval. They hate DRM and any anti-tamper measures.

That should read "Some Slashdotters..." there certainly isn't universal agreement on those. Particularly those who make a living by developing and selling software very often won't agree with that entire list.

Re:Simple

[C_amiga_fan]

>>>OS X 10.6 was only $30

That was a sale price. The previous 10.x releases (and future release) cost $130 plus $10 shipping. It really was like buying a whole new Windows OS every 1-2 years.

Which is fine if you have the money to spend.
I don't.

Re:Simple

[Gadget_Guy]

Actually the reason Safari went down first was because it was the first target.

But they don't all hack the same computer at the same time. Everybody is allocated a 30 minute timeslot with the different computers and they all get attacked at the same time. At least, that is how it was described in previous years.

When Chaouki Bekrar was bringing down Safari, Stephen Fewer would have been launching his attack on IE8. IE took longer because as Fewer said "I had to chain multiple vulnerabilities to get it to work reliably." Bekrar only spoke of a single vulnerability in his comments. So the Mac was just easier to hack. Certainly all the excuses about hackers wanting the prize of a Macbook more than the others is just unfounded speculation.

Re:Simple

[antifoidulus]

It looks like Apple is starting to walk down the same road that Microsoft has gone down years before, namely where the left hand either doesn't know what the right one is doing or if it does is actively opposed to it. From what little info we do have it seemed Steve kept a pretty tight ship, the various groups in Apple were relatively lock step. However with the increase in the number of products they develop and probably his failing health, he started to lose control and now you are starting to see the results of internal grudges manifesting themselves in the end product. I doubt that the technical limitations of making Safari run in a sandbox are insurmountable, but it could very well be that the Safari group doesn't want to have to submit to the security groups "demands". The various managers are starting to see real empire-building opportunity and are going to do anything they can to cash in on the power vacuum. It remains to be seen if Tim Cook can run the company the same way Steve did.

Re:Simple

wouldn't the Safari vulnerabilities also be found on the Windows version?

Maybe, maybe not. It depend. Does Safari's buggy code (the part which causes the vulnerability) lie entirely in portable code (code which is identical across platforms)? If so, then the answer is likely yes. Otherwise, if the buggy code is in a section that deals with platform specific details (making API calls to the OS), then there is at least a decent chance the answer is no.

Re:Simple

[terjeber]

Eh, let's see if your "logic" holds up. The winner wins $15,000 AND the machine they hack. So, what would a rational person do, hack the easiest in an attempt to win $15,000 AND a $2,000 laptop, or hack the hardest in an effort to (most likely) ONLY win the $2,000 laptop.

I am certain that a Mac fanboi would go straight for the "un-hackable" Apple iron, any rational person would go straight for the box he figured he could hack the fastest though. I think these guys are relatively rational.

Re:Simple

[vawwyakr]

This is true but the other side of that is that it still shows that Macs do in fact have security vulnerabilities that are no less equivalent to those of say a Windows pc. This in spite of a widely held belief that Macs are "safer" and the less widely held belief that since the OS being based on BSD it must also be safer. Security largely still remains in the hands of the user and that should be understood.

Re:Simple

I think that Apple should read this comments and take some actions to resolve their problems.

Re:Simple

[jo_ham]

Yes, exactly like buying Windows Vista Extreme Ultimate Hyper Edition every so often.

If you have an Intel Mac (which you need for 10.6 and 10.7), then you have owned since *at most* January 2006. In that time you could have had 10.4 (released April 05), 10.5 (released October 07), 10.6 (released August 2009).

The first one came with the Mac, so if you started on 10.4 you needed to buy 10.5 and 10.6 - so that's $129 for 10.5 and $29 for 10.6. $158 over 4 years is not too bad I think.

If your Intel Mac came with 10.5 you've only had the option to upgrade once - for $29.

But yes, I'm sure it's a grand conspiracy to force you to spend "another" $100 (when the price of Lion has yet to be confirmed).

Re:Simple

[forgotten_my_nick]

> who act as if owning an "unhackable" Apple

I have never met this person you speak of. I can tell you now for dumb users (ie. My mum) the Apple Mac has had 1 *son* support call in the last year. Prior to that I would be fixing something every 1-2 weeks on Windows (pre Win7 of course).

There is no such thing as unhackable.

Re:Simple

[jo_ham]

The bug they exploited was in Webkit, so I assume it also exists in Chrome too (and thus in Safari and Chrome on all platforms they run on) but I'm not sure exactly whether another vulnerability was also used in the OS X version, since it launched calculator and wrote a file to the hard drive.

Re:Simple

Yes, well, those who make a living on something... aren't going to like having their livelihood threatened... or however that quote went. Doesn't matter whether it's right or not.

I'm sure there's many dolphin hunters in Japan who feel the same way. ...not to relate the two on any ethical level.

Re:Simple

[Machtyn]

Ok, this makes more sense. Getting the $15k by going after the easiest target makes more sense than going after the easiest target to win said target. I mean, why would I want to use a machine that is easy to "pwn"? Unless, of course, it is to dump it for some extra cash.

Re:Simple

[Daengbo]

They get the computer + $15,000. In other words, the computer's value pales in comparison to the award money. I don't think people are doing it for hardware: my guess is that they choose the easiest one to crack, and go for that. Mac wet down first. Win/IE went minutes later. No one even showed up to pwn Chrome, despite Google offering $20,000 extra cash.

Get real. It's not about the hardware.

Re:Simple

[andyr86]

If you look at the article both exploits took roughly 6 man weeks to find and setup. Safari's took 2 weeks for 3 researchers and IE8s took 6 weeks for 1. They are both as bad as each other really.

Re:Simple

[clang_jangle]

Ars has a much better article up. Here's a quote:

Next to fall was 32-bit Internet Explorer 8 on 64-bit Windows 7 Service Pack 1, beaten by security researcher Stephen Fewer of Harmony Security. Just as with Safari, the first contestant to attack the browser was successful in exploiting it, and just as with Safari, this was demonstrated by running Windows' calculator program and writing a file to the hard disk. Fewer says that the successful exploit required use of three separate vulnerabilities: two to achieve successful code execution within the browser, and then a third to escape Internet Explorer's Protected Mode sandbox.

So it appears you may be the one whose smugness is unwarranted. :D

Re:Simple

[Goaway]

In what way was the Amiga ever more "hackable" than a Mac? If anything, it was less so.

Also, "locked them down with his NeXT OS"? That statement also makes no sense at all. OS X mostly made Macs more open.

Re:Simple

[Zediker]

How is that different than -any- other hacker? You need knowledge of the underlying mechanics in order to hack something, its what makes it possible.

Re:Simple

[recoiledsnake]

It's called "Pwn2Own": the hackers win the machines they hack.

Everyone wants Macs. They hack them first. The other computers come down minutes later.

That's just weak, the prizes were $15,000 even for IE8 and Google was offering $20K.

How many Macbooks can you get for $15K or $20K ?

http://www.computerworld.com/s/article/9207939/Google_bets_2...

The easiest way to get a lot of Macbooks would be to exploit the easy software to hack and just buy them from the store.

Re:Simple

[Savage-Rabbit]

>>>OS X 10.6 was only $30

That was a sale price. The previous 10.x releases (and future release) cost $130 plus $10 shipping. It really was like buying a whole new Windows OS every 1-2 years.

Which is fine if you have the money to spend.
I don't.

I know people who spend more than $500 on their gaming rig at way lower intervals than 10 years. The average person will spend more than $500 on cellphones over 10 years. Never mind the premium in fuel bills alone that people pay for an SUV or even a BMW or a slightly souped-up hatchback. I can afford to upgrade OS X every two years and IMHO I get my money's worth.

Re:Simple

If you read the ZDNet summary, you'd notice that the same group had an equivalent working exploit for Win7/IE8, but they chose to concentrate on hacking the Mac first. It's a sensible move since the Mac has roughly double the resale value and makes a better test machine since it can run OS X, Windows, Linux or almost anything else.

So claiming that "OS X is the first to be hacked" is very disingenuous since it implies that it's the easiest to hack. In reality, all the exploits are prepared ahead of time and we can't know which one was the most difficult to achieve. It sounds like none of the platforms survived being hacked, so the only thing we can conclude is that they're all flawed and every computer is vulnerable. The competition gives no useful information on which OS is best in this category, but only that they're all substandard.

The GP post, to me, is not making excuses for Apple which, like every other vendor, failed the tests. But what it's rightly pointing out is that the story's headline is sensationalized and designed to imply a conclusion that's false.

Re:Simple

[Cimexus]

This. A hundred times this.

I'm under no illusions that Mac is any more secure than any other OS. It's simply that it's less targeted and the software is generally more stable. I made sure my parents and my sister got Macbooks last time they got a computer. Not because I'm a particular Apple fan (I don't own any Apple computers myself), but because it's basically set and forget as far as support is concerned. I haven't had to fix anything on them yet, whereas with Windows something would happen fairly regularly.

On top of that most brand name PCs ship loaded up with crapware. I always remove it obviously, but making sure my family got Macs meant less work for me. Didn't need anything other than a quick system update out of the box, and no crapware in sight. That alone is worth good money to me.

Re:Simple

[hairyfeet]

Oh please, are you forgetting that first prize is $10,000 so it would be stupid to risk losing $10k just to get an average Macbook?

The simple fact is with DEP, ASLR, and file and registry virtualization combined with low rights IE Windows 7 is hard to crack so they went for the easier target which ATM is Mac OSX.

Now once Lion comes out and they get a solid ASLR as well that might be a different story, but at this stage of the game the OSX machine is the easier target. trying reading the post from last year's winner, he says the same thing. The new Windows is hard, there are flaws in the current OSX that make it an easier target to pwn.

Re:Simple

[Gizzmonic]

Good luck trying to run Mentor Graphics or ModelSim or Utorrent or "2xAV" (double speed) or Final Fantasy 11/13 on a mac.

PSSsssst, Macs can run Windows. And uTorrent (natively).

Not sure why you'd want to play Final Fantasy on its third-tier platform anyway, but to each his own.

Re:Simple

[BasilBrush]

The whole "which fell first" thing makes a huge assumption that simply isn't true. The assumption that all hardware/software combinations are available at the same time to all participants.

For example, whilst Safari and IE fell on day one, Firefox isn't scheduled to be available to anyone to try to hack till day two. Thus you can't say Safari is somehow less than Firefox.

Likewise you can't say that Safari is less than IE. It may well be that the person with a working exploit for Safari got a time slot to try it before the person with a working exploit for IE. After all, it's not as if they are actually finding the exploits at the competition. They're exploits they've spent weeks preparing.

Re:Simple

[klubar]

The researchers clearly invested more time and money than the price of the machine they can get for "free". It took about 6-person weeks to develop the exploit... assuming the researchers could bill at a consulting rate of $250/hour (not unreasonable for a top security consultant) they've invested $60,000 in the exploit, add to this travel, opportunity cost at the conference plus other expenses.... if they wanted a Mac, buying it would have been way cheaper.

It's a little bit about prestige...and anyway the security consultants can earn more working on the PCs...because everyone knows that Macs are more secure....and there is almost no corporate market for Mac security.

Re:Simple

[DrXym]

Possibly, possibly not. Sounds like the exploit involved bypassing the OS enforced randomized address space layout. We've certainly heard in the past how ASLR in OS X has been lacking compared to Windows and perhaps the exploit leverages that.

I'm sure Windows is vulnerable in its own ways though. Exploits that work through Firefox / IE or even Chrome would have as serious repercussions to Windows users. I'm sure there are many to choose from.

Re:Simple

[Gadget_Guy]

Excuses, excuses. Your Mac is an insecure piece of shit.

That is just juvenile. The Mac is definitely not as magically secure as a lot of fans like to suggest, but it is not an "insecure piece of shit". Apple has been paying more attention to security these days, so the OS and browser will only get more secure as time goes by.

However, you are correct that the original poster was talking rubbish. Every year the Mac goes down first and every year people come up with the same excuse that the hackers target it because they want the prize more than the others. But as VUPEN's twitter post shows, they were allocated to the Mac first by the organisers. They got IE second, but I guess they must have been too late as someone else got that one.

Re:Simple

[jbolden]

They are PCs that run a different OS. Surely on /. you can understand that the OS does make a difference.

Re:Simple

[recoiledsnake]

That happened after this post was submitted.

Re:Simple

[TheRaven64]

Where's the Mandatory access control feature on the iMac?

Nowhere. Mandatory access control is a feature of the OS, and the iMac is a computer which may be running one of a variety of operating systems. If you are asking about MAC features in OS X, then I suggest that you look at the OpenBSM, TrustedBSD, SeatBelt, and sandbox(9) components.

Or were you just trolling?

Re:Simple

[GrBear]

Just like Acuras/Lexuses are just Hondas/Toyotas.

Want to piss of an Infinity owner when he asks what you think of his vehicle? Say, "Meh, it's still a Datsun"

Re:Simple

[fuzzyfuzzyfungus]

A potentially complicating factor is that most of these guys are also professional security researchers/consultants(who else has the time and isn't restricted to travelling only in countries with weak extradition agreements?)

Obviously 15k isn't just beer money, and a shiny new laptop is always good news; but I'd assume that the other real prize is a cool-sounding resume bump. I don't know whether "Cracked the platform nobody else could, came in 3rd on time" or "Hacked that mac so fast it didn't have time to bring up the spinning beach ball" is better PR; but the participants probably have more to gain from better market visibility than they do from another laptop...

Re:Simple

[TheRaven64]

Given that the prize was $15,000 plus the machine, I'm not sure that the value of the machine had much to do with it. However, from the Ars Technica article, it sounds like they had one machine open for hacking at a time. First the Mac, then the Windows / IE machine. Then the Chrome / Windows machine, which no one tried to attack (one person found an exploitable hole, but sold it to Google for $1,337 instead of entering it into the contest). FireFox on Windows is up tomorrow.

Note that the Pwn2Own contest explicitly disallows the use of previously disclosed exploits, so it's entirely possible that a browser with 1,000 known holes would not end up being pwn'd according to the rules of the contest. That doesn't mean that you'd want to actually use it though...

Re:Simple

[BrokenHalo]

...

but the thing that trips me up is that I always hope that these discussions will be somewhat rational and fact-based. Whenever Apple comes up it's as if most people here completely lose their intelligence

Welcome to the club. Macs are just another expression of Unix, which is why I find this old 2nd-hand MacBook so much more useful than my more powerful desktop Linux machines. Some of us have other things to do than fight wars along ideological fronts.

This doesn't mean I happen to love Apple's business model or Steve Jobs personally. Richard Stallman doubtless has his personality defects too, as most certainly does Steve Ballmer. Sooner or later, we have to come up with realistic boundaries around what we are prepared to work with. In my case those exclude Microsoft OSs simply because they give me a headache and make me cross. A Mac box is enough like other unices for me to be relatively comfortable with it.

Re:Simple

[jbolden]

A good deal of OSX is open source. For example this story is about webkit, which is a part of OSX that is open source.

As far as DRM and anti-tamper hardware there is no question Apple is advancing these two agendas. They seem to be somewhat of a mixed mind, but in general are less hacker friendly than android. So far though that has been mainly on consumer electronics and not their computers.

Re:Simple

[C_amiga_fan]

>>>In what way was the Amiga ever more "hackable" than a Mac? If anything, it was less so.

You've got to be kidding.
Most software (especially games/demos) ran on the bare metal, without the OS, similar to the old 8 bit C64 the programmers had cut their teeth on. And hardware-wise there was no limit to what you could build and latch onto an Amiga. Obvious example: Video toaster (for video effects and CGI).

Re:Simple

Previously any noob with a usermode debugger and enough time could eventually exploit flaws in the browsers. It's still like that for Safari and Firefox. Not so much with IE8 or Chrome.

I doubt we'll be seeing as many shoddy browser malware attacks from *.cn domains and the like in the years to come.

Re:Simple

[fuzzyfuzzyfungus]

The trouble is, for the user, that while security may be 'in their hands' in the broad sense of "well, nobody else seems to have it in hand", the challenges of "security" are pretty absurdly high for any but the tiniest percentage of users to meaningfully "have in hand".

In this case, the pwn2own result, for the most commonly used home platforms, fully patched, was "visit website, get owned without further intervention." In these days of rampant URL-shortening, 3rd-party ad embeds, and a constantly shifting alphabet soup of trustworthy and dodgey sites, 'Security remains in the hands of the user' in sort of the same way that 'Safety remains in the hands of th pedestrian': when there are land mines hidden in an unknown; but definitely nonzero, number of crosswalks...

Re:Simple

They are both as bad as each other really.

No, not really. The exploit to take out IE was much more sophisticated. He needed to chain 3 undisclosed exploits together just to make it work reliably. In comparison, the Safari exploit was just more of the same trivial shit we've all seen a dozen times.

Re:Simple

[Wovel]

No one excused them, but the story is misleading. If any of the other hardware was more desirable, it would have fallen first. It was not harder to hack the other platforms, they were just lower in priority...

Re:Simple

[Wovel]

Of course Apple has done more to eliminate DRM from Music than everyone on Slashdot combined.

Weird..

Re:Simple

[delinear]

Regardless, it dispells a few myths about Macs being impenetrable. They're not as soft a target as Windows but clearly still exploitable - if that gets a few more people thinking about security instead of falling into the trap of complacency, it's probably no bad thing even if it's not truly representative of the situation "in the wild".

Re:Simple

[jbolden]

Please I've seen Unix systems fail for 2 dozen years in security. I was thrilled when the NT kernel came out with VMS security.... just to watch Microsoft productize their huge advantages away.

No one on /. thinks Macs are unhackable. What they do think is they don't get attacked as often. Further they have a different user base which might make certain kinds of tricks less likely. For example Apple can push OS changes out fast and expect applications developers to keep up.

Cisco's operating systems are pretty secure and even those get hacked.

Re:Simple

[Tom]

and it has absolutely nothing that compares to SELinux.

No it doesn't. However, I'm one of the very early SELinux fans and for a few years one of its evangelists, and I quite like the sandbox feature that OS X has gotten with 10.5 - that definitely needs some spicing up, documentation and publicity. While it's closer to systrace or AppArmor than SELinux, it does solve many of the most common problems.

Re:Simple

[jbolden]

Lets see from 1997 through 2002 all the way up to 10.1.5 the upgrades were free. You likely paid for 10.2, 10.4. Which gets you to 2006 with 10.5 which is the last full priced OS upgrade. So... how is that every year?

What is the point of making facts up?

Re:Simple

[drinkypoo]

At some point, you're going to have to accept that OS X just isn't that secure. It has a poor, inconsistent implementation of ASLR and DEP, Apple tends to be very slow at patching vulnerabilities, they don't prioritize security or safe coding practices, and it has absolutely nothing that compares to SELinux.

AFAIK only Fedora really uses selinux, everyone else uses AppArmor or nothing. What's sad is that Apple doesn't even have ANY capabilities-based security, not even as good as AppArmor.

Re:Simple

[dlim]

I would think that the cash prizes would offset the value of the hardware. Google was a offering 5 grand more than Apple. Macbooks don't cost that much. http://www.engadget.com/2011/02/03/googles-paying-20-000-to-hack-chrome-any-takers/

Re:Simple

It isn't easy to "pwn" unless you leave it sitting around unlocked and let strangers use it. These are local exploits.

Re:Simple

[drinkypoo]

Further they have a different user base which might make certain kinds of tricks less likely. For example Apple can push OS changes out fast and expect applications developers to keep up.

One problem is that Apple DOESN'T push out OS changes fast. Core components are updated pretty frequently but Apple has been consistently slow in updating the open source components. Meanwhile, Linux systems are attacked more (if I log connection attempts I can see lots of Linux-specific attacks at all hours of the day, all days of the week, etc... and even more Windows-specific ones) than OSX ones and apparently are harder to penetrate.

I truly believe we'd have a Linux desktop now if GNOME and KDE weren't both totally convinced they are doing the right thing in spite of the protestations of users. GNOME is taking away too many options and KDE exposes too many (and/or gives you too-primitive mechanisms for adjusting them) and so far there is no evidence that this will ever change. Maybe it really will be Android, which I am convinced is the wrong solution because it involves Java. I'm willing to be unconvinced though.

Re:Simple

How does that do anything to counter GP's point? He didn't say Windows/IE have better security than Mac/Safari (we all know Windows' history in this area), just that people expecting a better standard of security for their investment in a Mac are likely kidding themselves. On the plus side, the fact that hackers now have to jump through more convoluted hoops to make hacks work has to be good news - we're at least moving in the right direction.

Re:Simple

[drinkypoo]

Custom PCs with custom mobos running commodity chipsets, with an OS tuned, tested, and optimized for the hardware.

Let's look at this. Custom PCs: Yes, they have very nice cases. Custom motherboards: Totally irrelevant; we have seen time and again that the quality of their boards is not any higher than anything else made in a Foxconn plant, like Asus. An OS tuned, tested, and optimized for the hardware? That is a load of dingo's kidneys. OSX is self-tuning just like Linux or NT. It doesn't disable services or run a different edition of a daemon just because you install the same OSX on another machine.

The whole applehatred thing is weird, like racism or religious zealotry.

Apple is a big liar. They tell you their OS is more secure against attack than Windows when it is in fact less secure due to incompetent ASLR and DEP, two features that Windows actually gets right (and does ASLR better than Linux, I might add.) If you turn it on for all applications and then whitelist the ones that fail then you can gain a pretty sharp increase in security. Most Windows infections seem to be trojan-related, and many of the remainder seem to come through the browser. Both of these are still problems on OSX. I don't like liars. Even more, I don't like the users who are dumb enough to believe them on the basis of their slick marketing. Those people are part of the problem in computing.

Anyone making excuses for Apple without getting paid is a douche.

Re:Simple

[C_amiga_fan]

>>>There is no such thing as unhackable.

And yet time and again we have Apple Users come on here and say, "The Mac is spybot proof so you can surf the net safely!!!" or "The Mac has no viruses and never will" or some such variant. Which was my original point:

I don't have a problem with Apple. I have a problem with Apple's customers making these ridiculous claims ("unhackable mac";"unsinkable titanic"), and then telling me to go-out and spend $1000 to upgrade from my $150 Win7 PC.

Re:Simple

No one excused them, but the story is misleading. If any of the other hardware was more desirable, it would have fallen first. It was not harder to hack the other platforms, they were just lower in priority...

There was a 15k$ cash price to the winner.

Re:Simple

[jedidiah]

>>>with an OS tuned, tested, and optimized for the hardware.

This is a real laugh riot.

Once you've gotten past the disparity between price and cost with a Mac you NEED some optimization just to make up for the relative lack of performance.

Not that I buy the whole "tuned,tested and optimized" nonsense anyways.

Re:Simple

[RobbieThe1st]

But when you upgrade your rig, you generally get some major performance gains for that. Unless each OS incarnation makes the same rig at least 20% faster, that upgrade isn't worth the cost. Oh, and most "gamers" keep their OS license across several upgrade-builds of their computers, provided they did the upgrade themselves.

Re:Simple

[thsths]

> ASLR and DEP, two features that Windows actually gets right (and does ASLR better than Linux, I might add.) If you turn it on for all applications and then whitelist the ones that fail then you can gain a pretty sharp increase in security.

While this is true, it does require the user to download development/experimental software, research by experiment which programs are compatible with it, and then edit the configuration accordingly. You cannot expect that from the average user or even the average administrator. So for all practical purposes, Windows (certainly once you install applications) resembles a sieve more than a bucket...

Re:Simple

[clang_jangle]

Either way, it sounds like both Apple and Microsoft need to fix their software and their security focus.

FTFY

Re:Simple

[drinkypoo]

While this is true, it does require the user to download development/experimental software,

Uh what? It's not right there in computer properties? Because it seems to be there on my Windows 7 system.

research by experiment which programs are compatible with it, and then edit the configuration accordingly.

Yes, just like any other OS.

You cannot expect that from the average user or even the average administrator.

I might not expect it from the average user, but anyone who wants to be called an Administrator should be capable of it. This is one of the biggest problems in IT; There are supposedly more Windows admins out there, but as it turns out, virtually all of them are incompetent dimwits who can barely find the power button.

Re:Simple

The most embarrassing thing for Apple is that OS X has included a mechanism for applying fine-grained sandboxes to applications since 10.5 which Safari doesn't use.

I think this is in Lion, along with many other apps being sandboxed by default. There were several reports of bugs due to sandboxes being too restrictive.

Re:Simple

"I assume these developers would need a Mac and extensive knowledge of its inner workings in order to develop and test an exploit."

Alternatively, they could run a copy of Hackintoshed OS X either stand-alone or in a virtual machine. Also, I have a older Mac Mini, running the current OS X, but would still like a macbook.

Re:Simple

[s122604]

mod parent up

"It was hacked first, because the hackers wanted an apple", just another apple fanboi excuse...

Re:Simple

"It was hacked first, because the hackers wanted an apple", just another apple fanboi excuse...

Riiiiiiight, because no-one pays $2k + for those horrible macbook pro things. Oh, wait, yes they do -- guess that makes you a drooling moron, doesn't it?

Re:Simple

Lies. Several times now they've had to allow more access to the machine before Windows was hacked. One year, before they stopped including Linux, it made it through the entire competition without being hacked despite everyone's best effort.

At some point, you're going to have to accept that OS X just isn't that secure. It has a poor, inconsistent implementation of ASLR and DEP, Apple tends to be very slow at patching vulnerabilities, they don't prioritize security or safe coding practices, and it has absolutely nothing that compares to SELinux. It's 2011, being Unix doesn't magically make you secure.

It's never really been all that secure. Apple's marketing team is well aware that when most people hear the word "Virus" they assume it means "Any kind of Malware", and they've used that to great effect.

The major thing to learn from the pwn2own contests is that users are the weakest link in any system, and they shouldn't wander around risky websites clicking and running everything they see.

Re:Simple

[Raenex]

It would only be a couple of weeks worth of work for an engineer to create a sandbox policy, test it, and ship it with Safari.

Are you a program manager, by chance?

Re:Simple

[dotwhynot]

It isn't easy to "pwn" unless you leave it sitting around unlocked and let strangers use it. These are local exploits.

Are you sure about that? The winner is quoted in the linked article: “The victim visits a web page, he gets owned. No other interaction is needed.”

Re:Simple

[clang_jangle]

That's not a straw man argument, nor is this a FTFY.

FTFY

MOD CLUE: this post is both informative and funny.

Re:Simple

[Antisyzygy]

That is because Apple users are simply uninformed assholes that like to bash everything that isn't Mac even if they know nothing about it. Sure, I am over-generalizing, but there are enough Apple fanboi assholes on Slashdot that it actually makes people who used to think Macs were OK hate them out of principal.

Re:Simple

[Antisyzygy]

All true Slashdotters......

Re:Simple

You can't afford to pay 30 dollars every 2 years? Did your parents cut back on your allowance recently?

Re:Simple

[Antisyzygy]

Safari fell first which means either its easier or the other hacker was better. Either way, its close enough to call both browsers pieces of shit.

Re:Simple

[Antisyzygy]

They are too busy trying to figure out more ways to nickle-and-dime you.

Re:Simple

[Stupendoussteve]

Vulnerability was in webkit, not Safari specifically. Chrome may have been vulnerable to it as well.

There was a hacker with a vulnerability for Chrome, but he did not think he could use it in Pwn2Own and reported it to Google. Unfortunately for him he could have, but he'll have to live with the $1337 they gave him.

Re:Simple

But his smugness doesn't come with a price premium. :)

Re:Simple

[LanMan04]

I assume these developers would need a Mac and extensive knowledge of its inner workings in order to develop and test an exploit. Therefore it make no sense to say this is just some hacker after the nicest prize.

Yeah, seeing as I already have one dollar, I certainly wouldn't want another dollar.

Re:Simple

"Certainly all the excuses about hackers wanting the prize of a Macbook more than the others is just unfounded speculation."

No it's Apple fanboy damage control. Like the fire service to a fire when they hear something bad being reported about their beloved Apple alarms ring and they rush to it's defence with lies and other bullshit to try and extinguish the reality that has dared leak into their self-obsessed bubble.

To anyone even slightly sane and capable of even the slightest bit of objective thought it's been quite obvious for a while that Apple just don't get security. Their machines consistently are first to fall in competitions like this and iOS has had more holes in it than a a gay pride parade driving through the middle of a Taliban AK-47 convention.

Yes Apple kit is pretty, but if you expect any kind of technical excellence out of them then you're living in a dream world, this has been demonstrated time and time again from the cracking and sometimes bursting iPhones due to battery expansion issues, through to a phone antenna that was fundamentally flawed to the absolute fail multi-tasking implementation in iOS through to Apple's security methods. Apple don't do technical, they do pretty, and you're a fucking retard if you think otherwise.

Re:Simple

[TheRaven64]

Note: every post in Slashdot has a 'reply' button underneath it. It's really simple; find the post that you want to reply to, and hit the reply button underneath it. Not the one attached to the post above. When you reply to me, with a comment directed at commodore64_love's latest sockpuppet, it just makes you look like an idiot.

Re:Simple

[Wild_dog!]

It is the price you pay for in any store and not on sale.

Re:Simple

[Blue+Stone]

>It really was like buying a whole new Windows OS every 1-2 years.
>Which is fine if you have the money to spend.
>I don't.

You are not Apple's target market then.

Re:Simple

[kevinmenzel]

Except that you don't get a macbook pro, you get a macbook air...

Re:Simple

And I'm sure that somehow, some way, it's the government's fault.

Re:Simple

[drsmithy]

OS X 10.6 was only $30 when it came out.

Only if you had 10.5 (and were honest).

Re:Simple

[arikol]

....and, dear sir, that is exactly what I've spent.
I've also installed a new hard drive (which I installed at the same time as 10.6) and a new battery. Not bad for four and a half years of ownership.
I will also buy Lion, just because upgrades have been worth the admission price up until now.

(I only own one mac, my other computers are Linux (Ubuntu on one and a test rig on another which gets any flavour I want to try out)

Re:Simple

[raist21]

If this is the case...then the Windows Machine with IE8 had to have been the first one to go down. Irish security researcher Stephen Fewer, the guy who exploited that one is the one who won the $15000.
So either this article is incorrect, or you don't know what you're talking about.

Re:Simple

No, that’s not how it works. There is an assigned timeslot for each attacker/target pair. VUPEN/Safari was the first timeslot. The others followed later in the day.

Re:Simple

[Anonymous+Psychopath]

Actually the reason Safari went down first was because it was the first target. Followed by IE8 which also went down. The researcher who was going to go after Chrome never showed up and Firefox is next in line...

This is true, but irrelevant. It doesn't matter which was cracked first, just they they are cracked at all. I even saw a comment on the article saying Safari on Mac is better because it took five seconds and IE on Windows was instant. Also true, also irrelevant.

And since the vulnerability was in WebKit, would that not mean that Safari on Windows, as well as mobile devices, is also vulnerable? They just haven't written an exploit.

Typed on a Mac (but running Chrome).

Re:Simple

The researcher who was going to go after Chrome never showed up...

So... google has the best assassins?

No, he was still waiting for Ovi maps to load on his n900. He plans to get the GPS online by June and his location marked by early September

Re:Simple

[UninformedCoward]

You beat me to it. I was shocked to see a Mac fanboi use gaming as part of THEIR argument. Something new everyday.

Re:Simple

[sosume]

According to your logic, wouldn't it have been MUCH simpler to hack the 'unsecure windoze boxen' first, and thus securing the 15 grand? That would have been enough to buy a low end macbook anyway.
Face the fact, Apple just took over Microsoft as the fastest-to-root platform, and no apologist or applevangelist can change that.

Re:Simple

Unfortunately facts contradict you. The person who hacked IE also got 15K. it's 15K per platform. Begin apologizing in 3,2,1....

Re:Simple

[ynp7]

It's much more simple than that: Apple has never cared about security. They're not starting down the same road as Microsoft, they've always been on it. They just didn't have enough marketshare to force them to try and do something about it.

Re:Simple

[lennier1]

Unless it's related to an EFI vulnerability, which makes the Mac a much bigger target.

Re:Simple

[Giometrix]

Just curious, what seems to be happening with Windows regularly (in particular Windows 7 or Vista)?

Those two in particular seem to have gotten security right, with 7 being less annoying of the two. In the terms of stability, I can honestly say that Windows has been very stable since Windows 2000/XP (at least for me).

Re:Simple

[marcello_dl]

Apple hardware is usually cooler than the competition, no argument there. And the price is the same (free) for all machines, which doesn't unfortunately happen in the stores. I don't buy apple because IMHO linux is a smarter choice in the long run (for desktop and appliances), anyway they used to make the best UI when I was their customer and I don't think it has changed recently.

But I suspect that hackers love to pwn macs because of the debates about the state of security in mac vs. windows.

Re:Simple

[sosume]

Please read TFA again. The Apple machine was hacked in a few seconds. So much for your 'OSX is much safer' - End of story.

Re:Simple

[lgw]

Apple is the computer of the trendy - you know, the people who snub nerds in high school? Is there anything more to be said about this?

Re:Simple

[ynp7]

Not as soft? I don't think that word means what you think it means.

You don't get as big a return per exploit due to the much, much smaller install base, but OSX is definitely a softer target than Windows.

Re:Simple

[Duradin]

He must be a pretty fast typist to type up that malicious web site in a few seconds.

Re:Simple

[lgw]

PSSsssst, Macs can run Windows

You mean mac hardware can run Windows? Sure, they're just PCs these days, of course they can, but it's a darn pricey way to run Windows.

Re:Simple

[sjwaste]

It's not like Apple is pursuing DRM and anti-tamper for a blind purpose. Their goal is to create a positive experience for the average user, free of the shit that "Windows People" complain about. Part of that strategy is to reduce malware by certifying software, maintaining quality by screening applications, and so on. They also have minimized the UI into what is commonly used, and either eliminating or burying the rest. It makes sense for people that aren't you or me.

I happen to like my Macbook. The battery life is ridiculous, and the OS is not locked down. I can do whatever the hell I want with it, with everything that's hiding under the hood. But at the same time, I could hand this to my parents, my sister, anyone else and they'd figure out how to use it.

Apple designs products for the majority. Hobbyists, tinkerers and geeks are a small minority. It's been a great business decision if you look at their stock price. I don't get why a lot of people here just don't understand that. Being a geek doesn't excuse you from having an understanding of basic business principles, at least not if you want to engage in some sort of discussion that touches upon that. If you don't want to buy Apple products because you do not wish to pay a premium for a streamlined experience packaged in a shiny wrapper, that's fine, but please don't assert that your way is the right way. Clearly, Apple has carved out a niche in the market for the experience that they market. And I'm not even talking about the "feeling cool because of the Apple logo" experience. I'm talking about the streamlining and ease of use. I'd give this shit to my grandmother. Turns out, Ubuntu might be too complicated for her.

Re:Simple

[Vancorps]

Bah, as someone who drove 300zx and then upgraded to an Infiniti many years later I can't imagine being offended by that. I imagine ya gotta be pretty insecure in your purchasing decision if that's gonna piss ya off.

Re:Simple

[RulerOf]

The bug they exploited was in Webkit, so I assume it also exists in Chrome too (and thus in Safari and Chrome on all platforms they run on)

New web based iOS jailbreak, perhaps?

Re:Simple

[sosume]

there are enough Apple fanboi assholes on Slashdot that it actually makes people who used to think Macs were OK hate them out of principal.

/raises hand

Re:Simple

Chrome updates every 2-3 three weeks; Safari updates every 3-6 months. Also, Chrome branches WebKit every six weeks, whereas Safari does it once a year. And anyone who's ever dealt with branch maintenance can tell you that the longer you're off the trunk the farther you fall behind--simply because the codebases diverge too much to merge changes off the trunk. So, there's actually a good chance that the same vulnerability that owned Safari is not present in Chrome.

Re:Simple

[jbolden]

One problem is that Apple DOESN'T push out OS changes fast. Core components are updated pretty frequently but Apple has been consistently slow in updating the open source components.

Can and do are different. Apple doesn't have any particular interest in updating the open source stuff frequently. Macports exists for the people who aren't OK with just about any version. I can understand not being thrilled with that, but it doesn't impact their ability to move fast if they needed or wanted to.

I truly believe we'd have a Linux desktop now if GNOME and KDE weren't both totally convinced they are doing the right thing in spite of the protestations of users.

Honestly I think we have a Linux desktop now. Its usable. Its got tons of useful software. What's missing now is good reasons for people to switch... that is areas where Linux is better enough that are of interest to general users. But communities that have found such an area find the desktops quite useful.

Re:Simple

[V!NCENT]

Oh so it's billion dollar costing Dell in a shiny package without serious security? I so wanted to have that Disney interface :(

Re:Simple

[Risen888]

You find freedom irrational? Or the idea that I should be able to do with my property as I please? Why is that?

Re:Simple

[Risen888]

Particularly those who make a living by developing and selling non-free software very often won't agree with that entire list.

You missed a spot.

Re:Simple

[jbolden]

Oh absolutely. A smart bios is a real issue. But... EFI programs are generally only used in limited situations like installing a new OS. In theory though I agree Macs could bring the return of BIOS viruses.

My point to the grandparent was that there is a bid difference between a PC and an Apple OSX.

Re:Simple

Every fanboy wants Macs. What it the overlap between fanboys and hackers?

Re:Simple

[jbolden]

I understand why there are pursuing DRM. Code signing with a one time opt out, which is pretty close to what we have, isn't bad. That being said though if you are ideologically opposed to closed hardware or DRM there is good reason to oppose Apple. You are taking as a given what offers people the best immediate experience is "the best". Heroin would beat Apple every time in terms of user experience but no one is going argue Heroin is a product we should encourage people to take.

So I think disliking Apple for creating a more locked down world is legitimate. The emotionalism that causes people to distort their arguments is not legitimate.

Re:Simple

[jbolden]

I agree. An error or my part. My apologies.

Re:Simple

[n0-0p]

Then the Chrome / Windows machine, which no one tried to attack (one person found an exploitable hole, but sold it to Google for $1,337 instead of entering it into the contest).

You're confusing Chrome and Android: http://jon.oberheide.org/blog/2011/03/07/how-i-almost-won-pwn2own-via-xss/

I talked to the guys who won yesterday, and one of the Team Anon guys who was originally signed up for Chrome. Some of them said their WebKit bugs affected Chrome, but no one had figured out how to break the Chrome sandbox. So, they just withdrew their names rather than waste everyone's time with an exploit they knew wouldn't work.

Re:Simple

There were two teams going after Chrome. One didn't show and the other team backed out because they couldn't get a working exploit against the Chrome sandbox. However, they said they're using the same WebKit bug today against Blackberry.

Re:Simple

[n0-0p]

You're thinking of Jon Oberheide's bug against Android, not Chrome. He's registered to go against Android today, but talking to him yesterday it sounds like the bug he reported to Google is the one he planned to use: http://jon.oberheide.org/blog/2011/03/07/how-i-almost-won-pwn2own-via-xss/

Re:Simple

Bekrar said the Safari exploit was “somewhat difficult” because of the lack of documentation regarding 64-bit Mac OS X exploitation. ”We had to do everything from scratch. We had to create a debugging tool, create the shellcode and create the ROP (return oriented programming) technique,” he explained.

and

He said the creation of a reliable exploit was “much more difficult” than finding the vulnerability.

for Mac vs

“I had to chain multiple vulnerabilities to get it to work reliably,” Fewer said in an interview.

So it seems the "whole story" is that Mac has better obscurity and webkit is full of bugs?

Re:Simple

[Lennie]

There are several reasons why this is wrong, Firefox is not available today, but tomorrow.

Also you get $10,000 US with the Safari but Google added $20,000 US (or was it 10 ?) extra for Chrome with process seperation.

So if it was just about what the hackers want then I think Chrome would have been first.

Re:Simple

[drinkypoo]

Honestly I think we have a Linux desktop now. Its usable. Its got tons of useful software. What's missing now is good reasons for people to switch...

There are loads of reasons, most of which boil down to not getting pwned... which brings us right back on topic. But now to diverge from it again: GNOME is going in the toilet (they're ripping out features left and right without actually converging on a more usable system) and KDE continues to obfuscate and flop around. I think what's missing right now is improvement. Thank goodness for stuff like Compiz. But expecting the user to configure GTK and KDE or GNOME and Qt and then go on to configure Compiz as well is not realistic. I like to play with that stuff (I've released themes for various window managers over the years, hold the applause please) and even I find it a chore at times.

Re:Simple

[228e2]

As I was for some reason reading this troll's thread, I was wondering why no one said this first to shut this troll up. Just aim for the lowest hanging fruit. And its apparently Apple. gg, thx for playing

Re:Simple

Any retard who uses the term "fanboi" should get modded down.

Re:Simple

[teslafreak]

There are supposedly more Windows admins out there, but as it turns out, virtually all of them are incompetent dimwits who can barely find the power button.

Truer words were never spoken! I work with pretty good people at my current job, but where I used to work, the only "solution" you ever heard for Windows or Mac was "Well, we can re-install it".

Re:Simple

[PickyH3D]

Order does not matter, but the IE8 story that you linked to points out just how much more difficult it really is to exploit IE8 compared to Safari.

Not only was the exploiter an experienced Windows hacker, but he also had to exploit multiple exploits, and tune them to get it to work reliably. On the other hand, the only hurdle that the Safari hacker's had was actually learning to make an exploit work on Mac's. Not only did they not find it challenging to find one, but they noticed many other vulnerabilities to go along with it.

Here is an even better story.

Re:Simple

Whether you can afford it or not isn't really the issue. We're talking about features that are easy to integrate and would vastly improve security - if MS was sitting on this stuff just so they could justify the next version of Windows, they'd be rightly slated. For Apple it's standard operating procedure.

Re:Simple

[revscat]

This isn't true.

Brief intro to sandboxing on OS X

OSX Sandboxing Design in Chrome

Re:Simple

[The+End+Of+Days]

You really shouldn't quote from your imagination in an argument. It totally undercuts your credibility, particularly when you are just making an emotional point in the first place.

I'm not saying such sentiments have never been expressed. I'm just letting you know that you've stopped debating and started screaming.

Re:Simple

[The+End+Of+Days]

If you actually hate people because of what they post on Slashdot, what do you think would be the reaction to reading the vitriol you post?

Re:Simple

[Anthony+Mouse]

For example, whilst Safari and IE fell on day one, Firefox isn't scheduled to be available to anyone to try to hack till day two. Thus you can't say Safari is somehow less than Firefox.

Sure you can. We know there is 0% probability that Safari will not fall on the first day it was available, because the contrary has already happened. If Firefox doesn't fall on the first day it's available then Safari is less than Firefox. The probability that Firefox will not fall on the first day it is available, until we actually know the answer, will be more than 0%. Therefore "Safari is somehow less than Firefox." QED.

Re:Simple

[Antisyzygy]

I said I hate Macs because of these people, I don't hate any person at all. In my experience, Apple fanboism breeds assholes, and because of that I do not particularly like Apple. The same could probably be said about other forms of fanboism, but Slashdot seems to have a huge percentage of Apple fanbois compared to other websites. When you get your inbox bombarded by twenty different people praising Apple and calling you an idiot or all manner of other names for constructively criticizing Apple's business practices or hardware/software, it gets old. Its as simple as that. Fanboism basically made it so I dislike Apple products, so in effect fanbois are ruining their goal of having everyone agree with them by being assholes.

Re:Simple

[gstrickler]

It's not $15k to the first to fall, it's $15k for a Mac exploit on day 1, another $15k for a Windows exploit on day 1, and separate prizes for iPhone, Android, and other phone exploits. The rules are relaxed, and the prizes are lowered on days 2 and 3. A chrome exploit is worth $20 on any day of the contest this year. Who the money comes from changes from day 1 to days 2&3, but it's $20k on each day because Google is putting up at least half of the $20k.

Re:Simple

[scatter_gather]

If I had mod points you would get one. Macs are now and always have been safer simply because a PC exploit reaches so many more machines that it gives a better return on the hacking effort than doing an equivalent exploit on a Mac.

Re:Simple

[gstrickler]

Actually, a well prepared hacker will go in with exploits for Mac, Windows, and possibly other systems (iPhone, Android, etc.). The order in which you get to test your exploit is determined randomly, the more platforms you're going after, the better your odds of being one of the first on some platform, therefore, the better your odds of winning a prize.

Re:Simple

[demonbug]

The bug they exploited was in Webkit, so I assume it also exists in Chrome too (and thus in Safari and Chrome on all platforms they run on) but I'm not sure exactly whether another vulnerability was also used in the OS X version, since it launched calculator and wrote a file to the hard drive.

I found it interesting that in the first exploit for IE8 on Win7 (someone linked to the article up above somewhere...) the exploit followed the same path, malicious web page -> calculator -> writing file. Anyone with more knowledge have an idea why in both cases calc/calculator were used?

Re:Simple

[scot4875]

In other words, it's a *feature.*

--Jeremy

Re:Simple

[powerlord]

No additional knowledge, but I assume they were used because they are both applications that the exploit writer can assume are installed on the machine.

Re:Simple

The previous 10.x releases (and future release) cost $130 plus $10 shipping...
Which is fine if you have the money to spend.
I don't.

Then you probably only use your computer to dick around, playing games and posting on Slashdot instead of using it to earn money.

If you look at your computer as an investment and a productivity tool, $130 is NOTHING.

Re:Simple

[scot4875]

It's not like they could, you know, start a timer or anything after releasing the machine to be attacked and then, perhaps, keep track of how long it takes each machine to get compromised, then compare the relative times.

Oh no, that doesn't make sense. I guess it must be like back in my track days, where the people in the second heat were screwed because they were always at least several minutes behind the winners from the first heat.

--Jeremy

Re:Simple

[david_thornley]

There's another possibility.

Don't get the OS update if you don't think it's worth what you'd have to pay.

We have two Macs at home running Leopard. We got Leopard because it had some features we wanted that weren't in the older OSes (like Boot Camp). We haven't seen any need to upgrade the OS since then.

You may not believe this, but not once this year has Steve Jobs kicked in our front door with his jackboots and stormed in with a flamethrower. I bet you could get by with not upgrading your OS too, if you wanted.

Re:Simple

[david_thornley]

Depends on what you mean by "safer". Clearly, Microsoft has become more security-conscious than Apple (although they're hindered by decades of bad decisions). However, if you have two computer-illiterate relatives, and give one a Mac and one a Windows box, who's likelier to get pwned within a couple of weeks?

What I really want Apple to do is modify the iPad so it doesn't need another computer to go along with it. Then I'm getting one for my mother-in-law. It'll do everything she actually wants to do, and it's going to be awful hard to bring her into a botnet like that.

Re:Simple

How do you like knowing that your Mac is probably being hacked and used as a zombie on a botnet right now? And it was easier to accomplish than on any other platform in existence.

Re:Simple

You're not fooling anyone, commodore

Re:Simple

[jbolden]

Gnome is pretty usable for most people. You ever seen how little functionality the typical end user actually uses?

I agree KDE is flopping around but mainly because they achieved their original goals. The next steps they don't have agreement on. And Trolltech is no longer leading. That's a pity but KDE lets power users screw around with their desktop and has some pretty cool features and has some good apps.

And don't forget XFCE, ROX and LXDE are bringing in a new generation for the netbook / tablet crowd.

Re:Simple

[gstrickler]

That's still a local exploit. It's a drive-by, but you still have to get the user to visit a malicious website. It's not something that can be initiated and exploited over the network, a local user has to initiate the action.

Re:Simple

[JonJ]

The first one came with the Mac, so if you started on 10.4 you needed to buy 10.5 and 10.6 - so that's $129 for 10.5 and $29 for 10.6. $158 over 4 years is not too bad I think.

And they were full versions of the operating system. No 'basic' 'home basic' 'home premium' etc.

Re:Simple

[jellomizer]

For some reason, Apple has decided not to invest this effort.
There could be some good reasons.
1. Competition in terms of speed. Safari is competing against Chrome in terms of speed. A sandbox could take off those mili-seconds off their benchmarks.
2. OS Integration. Unlike Chrome or Firefox Safari is more tightly integrated with the OS. Just blindly adding a sandbox can break a lot of sub systems.
3. 3rd party software. It is unknown the full effect this can have on other

Any other of valid reasons.

I myself have a lot of experience working on legacy systems or code that I didn't make. And often enough a lot of those things that seems like an easy fix to make it better really isn't that easy. Heck I have seen some "Modern" .NET apps that takes 15 minutes to load up a simple form. So changing the UI around makes it a full day task.

Re:Simple

[BlueWaterBaboonFarm]

Exactly, you might just as well say the FF takes a full day to hack because it wasn't scheduled until the next day.

Re:Simple

Hey congratulations, jedidiah! Once more you've successfully demonstrated that there is unlikely to be any correlation between UID and IQ.

Re:Simple

[clang_jangle]

I'm not saying such sentiments have never been expressed. I'm just letting you know that you've stopped debating and started screaming.

Oh that was years ago he turned that bend!

Re:Simple

[Duradin]

/. probably has the same amount of Apple fanboys as America had communists running around in the 50s and 60s trying to overthrow the government.

"Straw-munists" you could call them. Always there and up to no-good when you need an enemy to make your side seem more palatable.

The only Apple Fanboys around here are the ones the Droidbois et. al. "quote" in their posts.

Re:Simple

[clang_jangle]

Unless his time is worth nothing, it really does!
:D

Re:Simple

[Antisyzygy]

No. I routinely get bombarded by foul or insulting responses whenever I criticize Mac. If I criticize Android I get bombarded with praises.

Re:Simple

[MattBD]

Google are also offering $20,000 to whoever hacks Chrome, however, which kind of negates the argument as with that money you can buy a Mac and have plenty of spare change.

Re:Simple

Note: people make mistakes, don't be an asshole.

Re:Simple

[drinkypoo]

I sit corrected. I haven't used 10.5, I got off that particular bus before then.

Re:Simple

[Gadget_Guy]

No, thatâ(TM)s not how it works. There is an assigned timeslot for each attacker/target pair. VUPEN/Safari was the first timeslot. The others followed later in the day.

How is that different from what I said? They have 30 minute timeslots, so when VUPEN was allocated Safari, other people were allocated the other browser/OS to hack. Therefore they were all hacked at the same time exactly as I said in my post.

Re:Simple

[BasilBrush]

Ah yes, I was forgetting the kilt factor. ;-)

Re:Simple

[BasilBrush]

If it's sold, it's not free.

Yes, I'm aware of the beer/libre distinction. But there isn't a market for libre software any more than there is for free beer software. Only a market for supporting libre software. Which is outside the scope of the group I referred to.

Re:Simple

[BasilBrush]

"Thus you can't say Safari is somehow less than Firefox."

*If* Firefox doesn't fall on the first day

There's a big difference between *is* and *if*. The unknown vs certainty does not make *is*.

And you missed out on the possibility that FF falls in less time on the second day than Safari fell on the first day. Which, if we're going on the bogus time metric, would make FF less than Safari.

Re:Simple

[BasilBrush]

It's not like they could, you know, start a timer or anything after releasing the machine to be attacked and then, perhaps, keep track of how long it takes each machine to get compromised, then compare the relative times.

Of course they could. But that's not the metric that's referred to when people say Safari fell first. How could it be when FF hasn't faced the clock yet?

It's like, in your track days, if someone declared a winner before have the competitors had had their time trials. Now clearly, because you did track, you understand this, so don't bother responding trying to continue to support your position.

Re:Simple

[Kalriath]

Ah, but you'll also be able to buy it for $2.99 on the Mac App Store, due to "accounting regulations"!

Re:Simple

[Kalriath]

It's not a path - they'd be used to demonstrate two distinct actions. Running calc to demonstrate remote process execution, and writing the file to demonstrate sandbox escaping.

Re:Simple

But when you upgrade your rig, you generally get some major performance gains for that. Unless each OS incarnation makes the same rig at least 20% faster, that upgrade isn't worth the cost. Oh, and most "gamers" keep their OS license across several upgrade-builds of their computers, provided they did the upgrade themselves.

It's all relative. Like about 80% or more of the personal computer using world I don't care all that much about CPU or graphics card performance. My MacBook will last me another 3-4 years with the kind of things I'm doing which is mostly app, mobile and embedded development. Currently the only thing that even mildly tempts me to replace my MacBook is a desire to get faster I/O speeds with Light Peak/Thunderbolt. With each new OS iteration I get new features and them I value WAY more than the relatively marginal increase in performance I will get from shelling out $500 for a graphics card. Every time I try to sell one of my old laptops some dweeb comes along and tries to haggle the price down 40-50% by pointing out "the processor is X many generations older than the newest from Intel" and "the graphics card is like sooooo... behind the state of the art gaming cards... Hell, dude! that graphics card was obsolete even when that laptop was new.". Every time that happens I tell them the same thing: Don't bother, for every one of you there is a dozen people who don't give a rodent's rear about that sort of stuff and who will pay me more or less what I am asking. All I have to do is wait... so far I haven't been disappointed.

Re:Simple

[drsmithy]

Lets see from 1997 through 2002 all the way up to 10.1.5 the upgrades were free.

OS X10.0 came out in 2001 and cost $129.
OS X 10.1 came out in 2001 and cost $129 unless you already owned 10.0.
OS X 10.2 came out in 2002 and cost $129.
OS X 10.3 came out in 2003 and cost $129.
OS X 10.4 came out in 2005 and cost $129.
OS X 10.5 came out in 2007 and cost $129. It was the last to support PPC systems.
OS X 10.6 came out in 2009 and cost $29 because you wouldn't have a machine to run it if you didn't already have 10.5.

See the pattern ? 10.7 is pretty much guaranteed to cost $129 (maybe they'll drop it to $99).

Re:Simple

[Cimexus]

Yeah 7 is pretty good. I use it at home and have been very happy with it. Most of my comments relate to XP, since the last time my parents bought a computer was when 7 had only just been released and I was replacing a previous XP machine.

However the crapware argument still applies. 7 comes loaded down with as much as ever, if you buy from one of the big manufacturers. This doesn't apply to my personal machines because I buld them myself, but my parents live a long way away and it wasn't practical for me to build one for them.

The other thing is that, even with no stability or virus problems at all, Windows generally gets more 'random looking popups' than Mac OS. Just a few a days ago my mother-in-law emailed us freaking out about 'some message about protection and viruses OMG'. Upon further investigation, it was just the AV software wanting its definitions updated. But Flash, Java, and many other pieces of software pop up 'please upgrade me' boxes at random times too. Whereas on a Mac things never pop up randomly, and updates are done through a single central update manager.

Again, I have no personal love of Macs and still buy PCs myself. But buying Macs for my tech-incompetent family has objectively (and massively) reduced the amount of my time taken up with investigating or fixing things (I won't say 'problems', because 75% of the time it isn't actually a problem, just them not knowing what some random dialog box means).

Re:Simple

[jbolden]

Rhapsody and Kodiak came out in 1997 and 2000 respectively 10.1 was a free upgrade (I think you had to pay like $10 for media) for 10.0. 10.7 will likely cost $129 I don't disagree. My point was that it ain't $100 a year. You could have ridden OSX for many years without paying for the OS. After 10.2 you are on a $129 / 2 year cycle.

And frankly I loved when the OS was improving rapidly. It was great with 10.2 where I was a decade ahead of windows.

Re:Simple

[Kyusaku+Natsume]

The interesting part is that in Windows and OS X the exploits successfully bypassed DEP and ASLR. The vulnerabilities that they found are in Webkit so all Webkit based browsers so Chrome and other OS's like iOS and Android are also vulnerable. But well, at least things like this should be a welcome wake up call to the security team at Apple. There is still the checkbox to open "safe" files automatically in the latest iteration of Safari. I will check latter if at least that checkbox is unchecked by default.

Re:Simple

[drsmithy]

Rhapsody and Kodiak came out in 1997 and 2000 respectively

And neither of them were remotely ready to public consumption. Heck, 10.0 barely was (as tacitly admitted by the free 10.1 upgrade).

10.1 was a free upgrade (I think you had to pay like $10 for media) for 10.0.

Yes. Just like I said.

10.7 will likely cost $129 I don't disagree. My point was that it ain't $100 a year. You could have ridden OSX for many years without paying for the OS. After 10.2 you are on a $129 / 2 year cycle.

Well, it's basically impossible to average it out across the last decade, because somewhere around 2009 you had to buy a whole new machine to get the updated OS.

However, from 2001-2007 (10.0 - 10.5), you would have averaged $107.50/yr (5*129/6). Assuming 10.7 hits this year at $129, you would have paid about $40/yr since buying your new Mac.

And frankly I loved when the OS was improving rapidly. It was great with 10.2 where I was a decade ahead of windows.

No you weren't. The only meaningful capability OS X had over Windows was its display system, and that discrepancy ended in 2006, with Vista. Even during that time, Windows was superior in most ways, in particular it had much better and more mature low level kernel optimisations, especially on SMP systems. Most of the low-level improvements Apple were making to OS X in the 2001-2007 timeframe, Microsoft had been making to NT in the 1996-2003 timeframe (people seem to forget Apple were ~7 years behind in releasing their "next generation OS", though that did have the benefit of being able to implement features like Rosetta and Classic Mode, that were impractical when Microsoft was doing its transition from DOS-based Windows). This is one of the big reasons OS X was so dismally slow, even on cutting edge hardware, for about the first 5 years of its existence, and why performance was improving with each release (kinda hard to go backwards from where they were).

Today they're reasonably equal, at least on the client side. On the server side, Windows is well ahead with features like Hyper-V, Terminal Services, Active Directory/Group Policy, and DFS[-R]. But Apple were never really interested in that part of the market anyway, so that's not especially surprising.

Re:Simple

[LingNoi]

All I can say to this is "welcome to slashdot". Seriously, it has ALWAYS been like this for almost a decade.

Problem is you have employees and partners from Microsoft, Apple, etc that are regulars of this site. They all have their own vested interests hence why the discussion gets ridiculous fast. IMO the people that work for MS, Apple, Google etc should have to publicly state their connections. Not privately astroturf as AC on slashdot.

Re:Simple

[Kyusaku+Natsume]

In essence yes, but in practical terms it isn't since they have a more fragmented browser market, so for the common use for browser exploits today they have an smaller attack area an are of less interest for hackers outside security researchers. After all, despite all those Macs that Apple sells, you can't be sure that all of them will be running OS X and Safari. On the other hand, there are still more millions of machines running Windows Xp that are an even easier and larger target.

That said, Apple is being lucky of have gained a little bit of security thorough obscurity up to this time. But now that the guys at Vupen had developed the tool chain neccesary to develop exploits against OS X Apple will need to step up significantly their security efforts.

At Zdnet I found a link to this essay by Dennis Fisher that is very interesting and I agree completely with him:
https://threatpost.com/en_us/blogs/why-pwn2own-whats-right-security-030911

Re:Simple

[LO0G]

That might have been the case back 10 years or so ago, but not these days. That's a large part of the reason that the pwn2own folks stopped doing the "target the OS" contests - every major OS is sufficiently locked down that the number of vulns that involve remote code execution that doesn't involve any level of user interaction is essentially 0. This is true even for mobile OSs.

These days, a "click and you're 0wned", vuln is counted as being a remote exploit (because all that's needed is the ability to lure the user to a page).

Nowadays, when people talk of local exploits, they're usually talking about exploits where you go from interactively logged user to root.

Re:Simple

It has a poor, inconsistent implementation of ASLR and DEP, Apple tends to be very slow at patching vulnerabilities, they don't prioritize security or safe coding practices, and it has absolutely nothing that compares to SELinux. It's 2011, being Unix doesn't magically make you secure.

So we're being truthful when it comes to OS X, but next week we'll have to hear a dozen fanbois tell us how Linux is more secure than Windows because of its UNIX likeness.

This is just like "OS X is dumbed down" vs. "Ubuntu is dumbed up".
Or rebooting for a patch to take effect is a problem in Windows, but throwing down a new libc on a running system is a "feature" in Linux.

Give me a break. Eventually all this new found truth & honesty is going to bite Linux in the ass when people see it for what it really is.

Re:Simple

[mikael_j]

But they don't all hack the same computer at the same time.

So your posts begins with "You said A but that's not true, it's A, not B."?

Unless I've missed something in the various reports of the competition then Safari was the first target, followed by IE, next up was Chrome (where there were no attacks).

That is to say, while Safari did technically fail "first" if the first time slot had been given to IE then it would've been the first browser to fail. I'm still assuming that the anti-mac trolls will have a field day claiming that "Safari was hacked first" without understanding/caring about the fact that it only failed first because it was attacked first.

Imagine if the Farnsworth Killbot(r) was pitted against the world's top boxers, one match every two hours starting with the current world champ. Would it be truthful to say that the champ performed the worst against the killbot simply because he was torn to shreds two hours before the next boxer was torn to shreds by the killbot? Because that's the reasoning a lot of people are using with pwn2own...

Re:Simple

How does it feel to be a caricature?

Re:Simple

[jbolden]

Rhapsody and Kodiak came out in 1997 and 2000 respectively

And neither of them were remotely ready to public consumption. Heck, 10.0 barely was (as tacitly admitted by the free 10.1 upgrade).

I don't know what "ready for public consumption" was. But I was running a ton of Linux stuff via. Fink, and the darwin port of XFree. I was running a lot of Mac stuff from classic, there were some apps that had ported over via. carbon and there was some stuff (a lot of it originally from NeXT) that was using Cocoa. I had a wealth of business applications almost on par with a Windows machine, and at the same time a wealth of open source not quite as good as a Linux. It beat the hell out of dual booting and VMWare was still expensive back then.

As far as the broad public, that is Mac users. They liked it. OS-8 was an advanced OS but things hadn't improved for a long time and OS-9 wasn't much better.

10.1 was a free upgrade (I think you had to pay like $10 for media) for 10.0.

Yes. Just like I said.

10.7 will likely cost $129 I don't disagree. My point was that it ain't $100 a year. You could have ridden OSX for many years without paying for the OS. After 10.2 you are on a $129 / 2 year cycle.

Well, it's basically impossible to average it out across the last decade, because somewhere around 2009 you had to buy a whole new machine to get the updated OS.

Yes but in reality I'm a pretty good case study. I ended up buying 10.2 and 10.6. Most likely I'm going to upgrade my laptop and get 10.7 for nothing. The machine I'm on will stay as a 10.6 machine the same way I still have a 12" Powerbook that runs 10.4 and my in laws are finally getting rid of a machine I have them that still runs 10.3 (upgraded from 9.x). My wife wouldn't ever have bought any of the upgrades on her own. You pay for the OS by paying more for the machines. This whole idea of people paying out frequently just ain't true.

On the other hand these cheap upgrades are good if you just bought a machine.

However, from 2001-2007 (10.0 - 10.5), you would have averaged $107.50/yr (5*129/6).

no 4*129/6. You can't charge for 10.0 and 10.1.

Assuming 10.7 hits this year at $129, you would have paid about $40/yr since buying your new Mac.

Your math is off as I mentioned. But that isn't $100/yr, which is what I was responding too.

And frankly I loved when the OS was improving rapidly. It was great with 10.2 where I was a decade ahead of windows.

No you weren't. The only meaningful capability OS X had over Windows was its display system, and that discrepancy ended in 2006, with Vista.

Welll lets see. Comparing 10.2

a) You agree with the display system. Though honestly I'm not sure they really caught up with Quartz extreme in terms of offloading graphics. OTOH not many application developers haven't taken advantage of this so....
b) I had the equivalent of power shell with OS shells, and frankly better. With Applescript I had application level easy scripting.
c) I had movie integration features, i.e. quicktime as a low level component.
d) I had "virtual folders" i.e. aliases and softlinks.
e) Dock used applications not windows, per windows 7
f) Bonjour which Windows still doesn't have
g) CUPS, which is IMHO less good than the print manager in Windows server but way better then what the desktops have.
h) Sherlock -- integrated web services and search. Something you off and on get.
j) I had free development IDE which didn't happen on the Windows side for years.

Even during that time, Windows was superior in most ways, in particular it had much better and more mature low level kernel optimisations, especially on SMP s

Re:Simple

[Risen888]

Oh hush, you silly communist. Why do you hate freedom?

Re:Simple

[Risen888]

Then there isn't a market for any software, only supporting software. (Or typically, the illusion of support.)

Re:Simple

[C_amiga_fan]

>>>not once this year has Steve Jobs kicked in our front door

Nope. Instead he releases a new version of Safari or iTunes or BootCamp that won't work on Leopard --- thereby forcing you to upgrade, or else not being able to access the store, web, etc.

That was my problem with my old Mac: Couldn't find a browser to work on it, and was instead stuck with Safari 2 which rendered everything poorly.

Re:Simple

The previous 10.x releases (and future release) cost $130 plus $10 shipping. It really was like buying a whole new Windows OS every 1-2 years. Which is fine if you have the money to spend. I don't.

Quit trolling. Of course you have the money to spend.

$140 over two years is only 6 bucks a month. You must be too poor to afford coffee or tea, huh?

Re:Simple

[BasilBrush]

WTF? Of course there's a market for commercial non-free closed source software. A very big one.

Re:Simple

[drsmithy]

I don't know what "ready for public consumption" was.

Rhapsody was a developer beta. Kodiak was a public beta. 10.0 wasn't much better than Kodiak.

As far as the broad public, that is Mac users. They liked it.

No they didn't. Early versions of OS X were shunned due its atrocious performance and (to many) inferior - albeit pretty - UI. Heck, Apple themselves didn't even use OS X as the default option on their systems until the beginning of 2002, and the first version of OS X that wasn't borderline-unusably slow was 10.2 (it was still slow, but at least not frustrating to use).

OS-8 was an advanced OS but things hadn't improved for a long time and OS-9 wasn't much better.

MacOS Classic, even by version 9, was only marginally more advanced than Windows 3.1.

Yes but in reality I'm a pretty good case study. I ended up buying 10.2 and 10.6.

Most Mac users I know have bought every OS X upgrade since release (even the ones that stuck with MacOS 9 until ca. 2002). Snow Leopard has been the only one they've hesistated with (though nearly all eventually cracked).

This was not helped by Apple's (typical) bad attitude to legacy support, with older versions of OS X quickly being completely deprecated and unsupported, not to mention incapable of running newer versions of apps and games.

no 4*129/6. You can't charge for 10.0 and 10.1.

10.0 or 10.1 - $129
10.2 - $129
10.3 - $129
10.4 - $129
10.5 - $129

That's 5x$129, though I suppose in hindsight you could reduce it to four because any Mac that was running the original 10.0 would be unsupported (not to mention unusable) past 10.4.

So it's 4x$129 plus a new Mac. :)

a) You agree with the display system. Though honestly I'm not sure they really caught up with Quartz extreme in terms of offloading graphics.

It exceeded it in capabilities. Though, as with OS X, those are somewhat underutilised.

b) I had the equivalent of power shell with OS shells, and frankly better. With Applescript I had application level easy scripting.

Applescript is indeed nice, though I would argue that few use it.

c) I had movie integration features, i.e. quicktime as a low level component.

I'm not sure exactly what you mean here, but Windows has had its Quicktime equivalent built-in since Windows 95.

d) I had "virtual folders" i.e. aliases and softlinks.

Windows has had shortcuts since Windows 95.

e) Dock used applications not windows, per windows 7

And Windows 7 took a huge step backwards in terms of UI usability for multitaskers by doing so (and it started with that godawful "collapsing multiple taskbar buttons" in Windows XP, which Windows 7's Taskbar is just a logical development of). Probably best not to bring up the Dock at all, it's a UI catastrophe, especially the earlier versions (Apple short-circuited the awfulness of the Dock as a task-switching tool with Expose, though Expose also has problems once you move past a non-trivial number of Windows).

f) Bonjour which Windows still doesn't have

Microsoft implemented Zeroconf and UPNP (what Apple calls Bonjour) in Windows XP.

g) CUPS, which is IMHO less good than the print manager in Windows server but way better then what the desktops have.

I'm blown away you think having a print manager like CUPS should even be necessary on a standalone desktop. Other than pausing/cancelling jobs, and maybe selecting a different printer, just what else does a normal desktop user need

Re:Simple

[jbolden]

First off thank you for intelligent dialogue with factual responses! This is a pleasant debate.

As far as the broad public, that is Mac users. They liked it.

No they didn't. Early versions of OS X were shunned due its atrocious performance and (to many) inferior - albeit pretty - UI. Heck, Apple themselves didn't even use OS X as the default option on their systems until the beginning of 2002, and the first version of OS X that wasn't borderline-unusably slow was 10.2 (it was still slow, but at least not frustrating to use).

I was using Windows2000, Linux and OS 10.1 regularly. I certainly did not find OS 10.1 unusably slow or even problematic. It might have been on bad hardware, I was using a dual core 500mhz G4 system which was better than average (though not by a ton). I multitasked heavily, several large apps cutting and pasting between them. You can read John Siracusa's review of 10.0. He finds the performance, relative to OS 9 a mixed bag. http://arstechnica.com/reviews/01q2/macos-x-final/macos-x-5.html. Which is pretty shocking considering we were talking a brand new OS and he was running apps in classic, being compared to a highly optimized mature OS. As an aside in reading his 10.1 review, the upgrade was free from 10.0 to 10.1 if you went to a retailer to get a CD. I will say though that looking at the reviews most people were not excited about 10.0.

Yes but in reality I'm a pretty good case study. I ended up buying 10.2 and 10.6.

Most Mac users I know have bought every OS X upgrade since release (even the ones that stuck with MacOS 9 until ca. 2002). Snow Leopard has been the only one they've hesistated with (though nearly all eventually cracked).

You may have misunderstood. The context here was that most get the OS with new systems. So the only ones I had to buy were 10.2 and 10.6. I've bought a bunch of computers in the last 15 years.

This was not helped by Apple's (typical) bad attitude to legacy support, with older versions of OS X quickly being completely deprecated and unsupported, not to mention incapable of running newer versions of apps and games.

I actually like the everybody has to upgrade. Legacy support is a PIA in the Windows world. But I will agree Apple does make it hard to stay on old versions. But... for example I use 10.4 on a secondary laptop quite comfortably.

10.0 or 10.1 - $129
10.2 - $129
10.3 - $129
10.4 - $129
10.5 - $129

OK gotcha. Now reality (my example):

10.0 free
10.1 $10 for media
10.2 ~ $100 I think
10.3 included / free (new machine)
10.4 included / free (wife's machine got free upgrade) otherwise would have had to pay
10. 5 included free (got a new machine)
10.6 ~$25 but I could have gotten it for free if I had known my daughter was going to want a mac
10.7 I will probably get a new machine again.

b) I had the equivalent of power shell with OS shells, and frankly better. With Applescript I had application level easy scripting.

Applescript is indeed nice, though I would argue that few use it.

I agree that most don't use it. But for example, my non programmer wife used it. She wrote her own semi custom extension creating foot pedal support for quicktime (which isn't standard). She used it to create a Safari / Excel app tying an internet grading system into her spreadsheets. That's two apps by someone who doesn't know what a for loop is. She's done a bunch of minor stuff.

Take a look at Machints you'll see a bunch of Applescript references. Also in things like MacRuby you'll see its application layer controls are basically a wrapper around Applescript interfaces.

Re:Simple

Except the order is actually determined by the contest, you jackass. IE8 fell seconds after access was granted, same as Safari. Stupid troll.

Re:Simple

[toddestan]

We were trading DRM-free music long before Apple had even conceived of the DRM-encumbered iPod and iTunes Music Store.

Re:Simple

[toddestan]

Well, you do have OS X Server, which is a more expensive license that the regular OS X you're talking about. In that sense, the only OS that doesn't have multiple tiers at different prices is the various Linux and BSD distributions.

Re:Simple

[drsmithy]

I was using Windows2000, Linux and OS 10.1 regularly. I certainly did not find OS 10.1 unusably slow or even problematic. It might have been on bad hardware, I was using a dual core 500mhz G4 system which was better than average (though not by a ton). I multitasked heavily, several large apps cutting and pasting between them. You can read John Siracusa's review of 10.0. He finds the performance, relative to OS 9 a mixed bag.

I've used just about every version of OS X, on just about every different type of Mac, for about the last decade. Even with many of the G5s it was still sluggish, and in the G3 and G4 days it was just awful.

No. It doesn't have a primitive graphic system with support for movies. It has a really nice included video player. Think about OLE but with video supported by all apps. So you can "cut and paste" frames from a movie. Same thing with sound.

What ? Where in a default OS X install are the tools to do this sort of video editing ?

I think you don't quite get what Sherlock did. You may be thinking spotlight. Sherlock was an integrated search that went well beyond files on my system:

This sounds very similar to the "integration" IE4 offered. I didn't use Macs much in the Classic days, however, so I'm happy to leave it.

Huh? OS/2 was running a VDM dos environment. And that was on 286's with 4 megs of ram.

Yes, but a VDM only gives you *DOS apps*. The proper comparison is *Win16 apps* in a fully virtualised container, which OS/2 wasn't doing (and certainly not on a 286). A win16 app could (and did) crash the whole system, for example.

Huh? No. Windows 3.0 and 3.1 loaded the drivers and memory management from DOS. That's the whole reason everyone in the 3.0 days bought QEMM [wikipedia.org], to replace HIMEM.SYS and EMM386.EXE because it was so important to get the drivers to work right on the DOS level. It was DOS6 not Windows that began to solve these problems. I was an OS/2 guy after Windows 3.1 so I didn't worry about this nonsense but I had to worry about it all through Windows 3.0 and 3.1.

No, QEMM was bought to maximise memory availability when running DOS apps. It had nothing to do with running Windows apps.

I have dozens of windows open right now. And I'm on a macbook that's almost 3 years old.

All I can say the my "normal" workload brings a 4GB RAM MacBookPro5,1 to its knees, as far as responsiveness goes.

And I just got my first Imac... great!!

...First

Bias in pwn2own

Pwn2own is clearly bias, because the security researchers are obviously going to try harder to pwn the machine they want to own.
(Not the mac)

Re:Bias in pwn2own

So let me get this right. In a contest where you win $10,000, the thought of getting a $2,000 laptop for free is somehow of paramount concern. Never mind that most of the winners are certainly not broke and already have equal or better hardware.

Re:Bias in pwn2own

So let me get this right. In a contest where you win $10,000, the thought of getting a $2,000 laptop for free is somehow of paramount concern. Never mind that most of the winners are certainly not broke and already have equal or better hardware.

shsss.. you are disturbing the RDF bliss. (the price this year was $15,000 btw)

cool

it will also be the first patched...

Chrome was updated

[inpher]

Why was Chrome allowed to be updated but other browsers not? What did Google do to deserve such special treatment?

Re:Chrome was updated

[Nerdfest]

I believe Apple released 50+ patches a few minutes before the contest. No special treatment for Google that I'm aware of.

Re:Chrome was updated

Apple has just released Safari 5.0.4 and iOS 4.3 a few minutes before the Pwn2Own contest in an attempt to save face(Chrome and Safari also released last minute patches) but failed."

Safari is a browser and was allowed to be updated same with Firefox, so what special treatment are you reffering too? Also since Google up the reward for owning Chrome OS by $20,000 with their own money I would they might be deserving of some special treatment although that is not what happened here.

Re:Chrome was updated

[psergiu]

The organizers said that the software configuration was frozen a week ago. Nobody was allowed to do last-minute updates (like it was last year)

Re:Chrome was updated

The hacked Safari was 5.0.3, not the patched 5.0.4. It would be interesting to know if the exploit works on 5.0.4, too.

Re:Chrome was updated

Apple did release 5.0.4 with the 50+ patches last week, but 5.0.3 was still used at pwn2own.

Re:Chrome was updated

[skyfex]

This article seems to indicate so:

http://www.computerworld.com/s/article/9214002/Safari_IE_hacked_first_at_Pwn2Own

"But the Safari patches still had a part to play in Vupen winning. If the vulnerability used by Vupen to hack Safari had been fixed in 5.0.4, TippingPoint would not have awarded the $15,000 prize."

Re:Chrome was updated

Correct, however that version of Apple Safari was not allowed to be used at the contest.

Re:Chrome was updated

[inpher]

Chrome got to use the built in auto mechanism just before the contest started (source 1, source 2, source 3) which is probably why the contestant registered to try to beat Chrome did choose not to try.

Re:Chrome was updated

Because Google paid money to have the rules changed for them.

Re:Chrome was updated

[inpher]

Why am I being modded as offtopic? Can anyone explain what in my reply was offtopic, this is the parent:

The organizers said that the software configuration was frozen a week ago. Nobody was allowed to do last-minute updates (like it was last year)

This is my reply

Chrome got to use the built in auto mechanism just before the contest started (source 1, source 2, source 3) which is probably why the contestant registered to try to beat Chrome did choose not to try.

Granted, there was a spelling mistake, it should have said "built in auto update mechanism" but why mod me down?

Re:Chrome was updated

The latest version of Safari is 5.0.4 the version used was 5.0.3. Safari was not allowed to update.

Re:Chrome was updated

[ynp7]

Why cry about moderation?

Re:Chrome was updated

[gstrickler]

Actually, no Chrome did not get to use the auto-update mechanism. None of the sources you cited say what you think they said. The software configuration was frozen 2 weeks before the contest, and Chrome 9 was the version to be tested. However, by releasing patches in the past 2 weeks, Apple, Mozilla, and Google ensured that any exploit that was fixed in the latest versions would not be awarded the prize, it would instead go to the first to exploit an unpatched vulnerability.

The reason the hacker who was scheduled to attack Chrome didn't show is because he told Google about the vulnerability 1-2 days before he found out he was selected to have the first attempt at attacking Chrome in the contest. Since he already reported the vulnerability, that vulnerability does not qualify for the contest. He didn't have another successful exploit of Chrome ready, so he didn't go to the contest. Had he waited a couple days, he would have known he was first up to attack Chrome, wouldn't have reported the vulnerability, and could have walked away with $20k.

Re:Chrome was updated

[theArtificial]

If you recall the scene in Return of the Jedi where Vader throws Palpatine down the shaft to his spectacular doom? Something like that just happened with your karma.

Le pwn?

[gtch]

How does one pronounce 'pwn' in French?

Re:Le pwn?

I pronounce it like "pawn".

Re:Le pwn?

[sakdoctor]

pvoir!

Re:Le pwn?

I usually say "poune" / "pounaide!" (pwnd), but "pône" is also ok :)

Re:Le pwn?

We say Poon. Yeah, I know.

Re:Le pwn?

[ynp7]

"puh-ho-ho-ho"

Firefox/Linux

[sakdoctor]

Firefox and Linux are under represented in pwn2own as usual.
I'm not complacent, just saying it's nice.

Re:Firefox/Linux

Why Pwn2Own doesn't target Linux

Re:Firefox/Linux

[georgesdev]

sure, who would want to pwn Firefox or Linux, and get to own a free download ;) ...

Re:Firefox/Linux

[sakdoctor]

Thanks for googling that for me using the I'm feeling lucky button.

Re:Firefox/Linux

[sakdoctor]

Yeah, fine forget linux. It's been tested in the past but not this year.

...it's nice to see firefox under represented in pwn2own.

Re:Firefox/Linux

Quoting from the link: "Linux is not an operating system that has widespread use with any one particular distribution, flavor or configuration," Portnoy said. "In general Linux is still a server-based operating system, people do use it on the desktop, but you can't go to BestBuy and buy Linux with a specific distro on it that everyone uses that has widespread market share"

To me this like a combination of two classic arguments: one that Linux doesn't have enough market share to warrant our attention, two that it given the diversity of Linux, which is one of its security strong points, it might be too difficult to crack it and even if we did, we can't make as big of a media spectacle about it. If I recall correctly, Ubuntu was included in this test a year or two ago and was the only one that was not cracked.

Re:Firefox/Linux

When Linux grows up and becomes a serious desktop contender it will get it's shot...

For now the desktop platforms such as GNOME are just not good enough as Jon Larimer showed us at ShmooCon. You can just read the source, find a nice unchecked buffer (of which there are a lot) and write an exploit.

Don't get me wrong, I'm not a Linux hater - it's an awesome server OS, but as a desktop platform it's still very young.

Re:Firefox/Linux

[somersault]

Safari and IE8 are free downloads too, what's your point? It's the hardware they get to own, an OEM OS license is pretty insignificant next to that.

Re:Firefox/Linux

[jcupitt65]

Ubuntu was in Pwn2Own in 2008 and was not hacked in the three-day contest:

http://www.theregister.co.uk/2008/03/29/ubuntu_left_standing/

(though it sounds like they might have been able to break out of flash given a bit more time, who knows)

Re:Firefox/Linux

That really just shows they didn't try hard or study hard enough. GP was right. Linux on its own is quite secure usually. Add in these massive software platforms like KDE and Gnome which are a complete mess of code submissions and you have a total security nightmare.

If you don't believe me, start reading the sources to these projects and you'll soon be crying. Literally.

Re:Firefox/Linux

[jcupitt65]

But this contest is about exploiting via a browser (and perhaps email? I forget if they allow that).

Holes in GNOME aren't really relevant. Once you get some code running in the firefox process you co do whatever you like to the user's account.

Re:Firefox/Linux

[Pvt_Ryan]

Quoting from the link: "..., but you can't go to BestBuy and buy Linux with a specific distro on it that everyone uses that has widespread market share"

I thought you could buy linux PCs off the shelf in one of big American chains (walmart???). Was a low powered eco thingy iirc.

Also as far as I know you can buy linux on laptops from Dell as well.

Re:Firefox/Linux

[mwvdlee]

...and a sh!tload of internet connected appliances such as routers, mediatanks, blueray players and even TV's.

Re:Firefox/Linux

[Daengbo]

Unfortunately, you might run into AppArmor after getting that overflow.

Re:Firefox/Linux

[fuzzyfuzzyfungus]

Having tested a few, with nothing more than a script-kiddie level of knowledge and whatever attack tools I could apt-get without leaving the default repos, you Do. Not. Want. To. Know. how awful the Linux, and network-related daemons running on top of it, generally is in that embedded consumer junk.

If you are lucky, the most recent patch(if any patches are offered) will be a relatively sane configuration that is 8 months and several critical vulnerabilities out of date. If less lucky, you can forget the "recent patch" and "relatively sane" parts entirely, and increment the numbers for months-out-of-date and critical vulnerabilities considerably. That shit is horrendous.

Re:Firefox/Linux

[jbolden]

You can. But there are a huge variety of distributions in use. Dell goes back and forth on distributions. Some weeks it likes Ubuntu others it pushes Suse.

Re:Firefox/Linux

[jedidiah]

+...then choose a Linux desktop vendor.

+...or pick a we known desktop OS and use it's latest release version.

Seems like a bunch of lame excuses coming from these guys really. Including why they don't have XP there. Plenty of people still use it. Just assuming that it's worse than Win7 in practice is the same sort of stupidity as this Mac result demonstrates.

Re:Firefox/Linux

[jedidiah]

...well. Except an "OEM OS license" requires an entire machine to go with it with MacOS.

Makes it a bit harder to have something to "just play around with".

Re:Firefox/Linux

[Raenex]

I thought you could buy linux PCs off the shelf in one of big American chains (walmart???).

No, you can't. That was a short-lived experiment a few years ago.

Also as far as I know you can buy linux on laptops from Dell as well.

That's a mixed history as well. Can you find a page to buy a Dell with Linux pre-installed? I looked around and only found support options, not pre-packaged computers. I also looked at buying one of the cheap desktops, the Inspirion 560, and the only options for the OS were versions of Windows.

Re:Firefox/Linux

Actually you missed the diversity comment completely. Given the diversity of linux they can't simply select one distro. As for it being a security strong point - well I am going to take it that you don't work in the security field. One of the largest issues faced in security is people have the right skills to properly deploy systems. Often exploits wouldn't be as successful if the systems were properly configured or updated. So having multiple distros, each with their own quarks and slight differences, makes its harder to ensure that your linux admin is knowledgable.

Re:Firefox/Linux

[somersault]

Which makes it a poor choice to try to hack unless you already own a Mac yes.. but some VAIOs still cost more than some Macs.. plus you don't need to buy a VAIO to learn to hack Linux.. so it's a much more attractive option if you're just in it for the free device and not the prestige.

Re:Firefox/Linux

[Pvt_Ryan]

Yes I can, assuming you live in the US (I don't)

Re:Firefox/Linux

[Raenex]

Congratulations. I looked and couldn't find one. Would you mind sharing the path you took to find it?

Re:Firefox/Linux

Hackers are likely the ones doing the patches for Linux.

Re:Firefox/Linux

[LordLimecat]

Claiming "diversity" as a security point sounds rather like "security through obscurity". There is some truth to it, as you avoid situations where one exploit hits the entire linux ecosystem, but thats not security as much as it is mitigation.

Re:Firefox/Linux

[Pvt_Ryan]

I just googled "dell linux" and it was the 2nd link. 1st if you exclude the sponsored link.

Re:Firefox/Linux

[jbolden]

I think the real issue is that no one much cares if there are new vulnerabilities in XP desktop. Microsoft's feeling is that it an ancient operating system and its time for people to upgrade. They'll patch stuff they know about if it is easy but otherwise they won't. What would be the point of finding new XP holes?

Re:Firefox/Linux

Because you're also given the machine it's installed on.

Re:Firefox/Linux

[tlhIngan]

Also as far as I know you can buy linux on laptops from Dell as well.

...and a sh!tload of internet connected appliances such as routers, mediatanks, blueray players and even TV's.

You forget, this is Pwn2Own. The winner gets to keep the hardware they pwned.

Even if you put up a pile of vulnerable blu-ray players and crappy dell laptops and such, they still won't go quickly because who cares about them?

You have a super-sweet MacBook Pro sitting there, so obviously most people desire that nice piece of hardware.

Hell, Pwn2Own will be far more interesting if they ran all the OSes on the same hardware - all MacBook Pros, rather than a really desirable laptop and two OK laptops.

Goes to show that even geeks care about formfactor and design despite Slashdot's objections.

Re:Firefox/Linux

[Raenex]

Funny, I did the same thing, but ended up on this page: http://linux.dell.com/ , which didn't have anything of interest. I didn't see the sponsored link because of Ad block, I assume. What's funny is if I click on the sponsored link, I don't see anything about Linux.

I still can't find the route you took to get to that machine. For example, from linux.dell.com, if I click on "Ubuntu on Dell", it doesn't show anything about 10.10. I can't see a simple link that lets you buy a Dell with Linux on it.

Dell is either making it very difficult to get Linux on a machine or I'm obtuse. Somehow I think it's the former.

Re:Firefox/Linux

[Raenex]

Ah, never mind, found it. It was the 3rd link for me: http://www.dell.com/content/topics/segtopic.aspx/ubuntu?c=us&l=en&cs=19

"We're glad you found Dell's Ubuntu website."

Yeah, apparently it's not so easy for everybody. And then if you go to the end of the page and hit "Shop for Ubuntu", you get a whopping choice of one machine with a base price of $460.

Re:Firefox/Linux

no it means linux is as insignificant as it was 5 years ago, but let's rad more into it than is really there, Linux is the uber-invincible OS. No it's an insignificant hobby OS. It will never be taken seriously. Maybe one day you will all realize that it would be easy with enough money for organized crime to set up their own legitimate contributions to the LINUX world. Fund some programmers, set them up in different areas of the world, get them all to peer review and analyze the code. Claim it is bug free, and works as promised. Add code which allows the user the software runs under to get root, when desired. Now wait until enough people download and install. Now update and root. Done right nobody ever knows it's even running. Paranoid? Maybe but it doesn't mean they wouldn't or didn't already do it.

Re:Firefox/Linux

The reward is usually the hardware *plus* a cash prize that far exceeds the price of the hardware, so I don't think they'd care that they only get a $200 machine if they also get $10,000-$20,000.

Re:Firefox/Linux

But this contest is about exploiting via a browser (and perhaps email? I forget if they allow that).

Not originally. It used to be about which OS could be remotely exploited. Nobody went down so they changed it to a web browser visiting a site.

Re:Firefox/Linux

[twebb72]

If there's no market share, there's no PWN. If there's no PWN, there's no OWN.
If there's no OWN, there's no ... #5342867862346721|02/13|028|Cardholder Joe
- Sent from my iPhone

Re:Firefox/Linux

A Macbook Pro far exceeds $200, I doubt the value of it is insignificant even compared to the substantially larger prize money. Is is significant enough to influence the contestants choice of hardware? I don't know, but it would be better to actually ask the contestants than making potentially flawed assumptions.

Hilarious

[theolein]

I'm a Mac user and fortunately not a mindless one (honest, promise!). That Apple has been extremely lucky in not being overrun in exploited machines has more to do with the normal target area for exploiters being windows due to marketshare, but Macs have a big enough marketshare these days to make it worthwhile for crackers. I'm pretty sure that the time will come when Macs will be running dubious AV products like most Windows people do.

Re:Hilarious

Time to move to Lynx on OpenBSD :-).

Re:Hilarious

[Saint+Gerbil]

What a refreshing change most mindless fanbois claim that its because it is the most coveted system it was the main focus and therefore the first to fall, regardless of which system it is on.

Re:Hilarious

[Nikker]

wget www.somesite.com | less

Re:Hilarious

You seem to have a great deal of confidence in less. Do you know whether it has ever been audited wrt malicious input?

Re:Hilarious

wget -q -O- www.somesite.com | less

get it right

Re:Hilarious

[jbolden]

I agree with you market share is likely to be the #1 issues.

There are several other cultural differences. For example Apple doesn't promise OS to OS applications won't break. Lots of stuff broke 10.5 -> 10.6, 10.4 -> 10.5.... Apple has their developers trained so they can shift things in response to classes of attacks.

Another thing is that Apple users like their machines more and have a greater sense of ownership.

Re:Hilarious

The summary is unclear on which version of Safari was pwned. Per arstechIt was 5.0.3. They froze the system configuration last week, so Apple's last minute patch to 5.0.4 didn't make it in time for the competition.

Re:Hilarious

Hey... what does market share have to do with me wanting to buy a Mac? And why you always gotta dis the crackers?

Re:Hilarious

Macs have a big enough marketshare these days to make it worthwhile for crackers.

Maybe, but nobody is going to go through all that trouble just to get to a bunch of videos from burning man.

Re:Hilarious

[boristdog]

Yep. Last week my mother, who is the Mac "guru" amongst all her associates, called me to ask why and how a virus could have wiped out all the Macs at her job in one day. "That's not possible, is it?" she asked. Um...it happened, didn't it?

The "Macs are safe from viruses" mantra has been drilled into the users a little too well. The vast majority of Mac users are convinced they are safe and take no precautions.

Re:Hilarious

[vague+disclaimer]

Yet oddly, this amazing event didn't make the news.

I suspect your pants are on fire.

Re:Hilarious

[scot4875]

Since when is "virus takes out small company's computers" a story that shows up on the news? Does CNN dispatch reporters whenever a network admin has to restore from backups? Or is it only when it happens to Macs?

I'm not saying it couldn't be made up, but your assertion that it would have been something everyone heard about it just asinine.

I'm really sure a company is going to be keen on the idea of getting word out that their workstations have all been owned.

--Jeremy

Re:Hilarious

[Noughmad]

less is for noobs with shiny new computers that can print text faster than they can read.

Re:Hilarious

[mjwx]

I'm a Mac user and fortunately not a mindless one (honest, promise!). That Apple has been extremely lucky in not being overrun in exploited machines has more to do with the normal target area for exploiters being windows due to marketshare

True, but the days of being scared of devastating w32 worms are over. The most destructive ones are years old and mostly run on older OS's (XP). Even Win7 has enough built in security measures to make something like conficker quite hard.

Add to this that malware is no longer primarily trying to infect machines to become part of a botnet, the focus is on data mining which is normally done via less destructive malware. The idea is that a data mining program remains hidden, so it can collect data unhindered. Even Joe Luddite knows that when he gets a virus or his machine is too slow it's time to do something so modern malware needs to remain hidden.

but Macs have a big enough marketshare these days to make it worthwhile for crackers.

Not really, global market share is still around 5%, compared to 90% of desktops using Windows and a good number of Windows servers (50% being the guestimate I pulled out of my arse). It's still not profitable to write a serious worm but data miners are taking a little notice.

Re:Hilarious

[Relayman]

Sounds more like a disgruntled employee than a virus.

Re:Hilarious

[Relayman]

It's a "man bites dog" story. If the company's running Windows, it's not news. But if it's a company with all Macs, then it's news and it will show up.

Re:Hilarious

[Kyusaku+Natsume]

Well, if it was a remote exploit, that wouldn't be the only instance of this case and certainly it would be news. After all, we are reading a story about a single mac getting cracked. More probable, is that because the strong belief in Macs being secure because are Macs, if GP story has some truth, they had unprotected admin accounts but then, a severe mistake like that could make easy to destroy any OS.

Re:Hilarious

[vague+disclaimer]

Since when is "virus takes out small company's computers" a story that shows up on the news?

Are you serious? You don't think Gizmodo, Engadget, Ars, and all the rest wouldn't be all over this like a rash? And Giz has a track record of paying cold hard cash for stories...

Re:Hilarious

[Nikker]

Easy gramps I got rid of the 486SX25 about 15 years ago. Now get back to the BBS where you belong.

Re:Hilarious

[Dabido]

When I bought my Mac I bought AV/Firewall software etc. The guy at the store laughed at me and asked why I needed it.

No matter how 'secure' the hype says something is, it never hurts to be careful.

Never been an issue before

No one knows. Up until now the French have never had reason to use the word. You can't pwn someone and surrender at the same time.

Re:Never been an issue before

Yes, you can.
French didn't go to Irak and that pwned the Americans.

Re:Never been an issue before

[(Score.5,+Interestin]

No one knows. Up until now the French have never had reason to use the word. You can't pwn someone and surrender at the same time.

Safari meurt, mais il ne se rend pas!

Is that so...

From TFA:

He said the creation of a reliable exploit was “much more difficult” than finding the vulnerability.

“There are many WebKit vulnerabilities. You can run a fuzzer and get lots of good results. But it’s much more difficult to exploit it on x64 and to make your exploit very reliable,” he said.

If the vulnerabilities are so easy to find, why doesn't Apple just use a fuzzer itself and fix the vulnerabilities?

IOW obscurity=security fails again

[ewe2]

The groundwork they did will be most sought-after.

no surprise there

Well you get to keep the computer that you hack and no offence but I'd rather get a MBA rather than a cheapo windows/linux machine. Plus they did say that the exploit was not at all easy to develop. Oh and did you notice the new Safari update released yesterday ...

Re:no surprise there

[somersault]

They had a VAIO with Ubuntu on it in 2008, which nobody hacked. VAIOs are certainly not "cheapo".

Re:no surprise there

[filthpickle]

They also got $15K and the publicity for hacking OS X and safari....something a large population of people liked to think couldn't be done. I seriously doubt that anyone on VUPEN's team doesn't already have a macbook if they really want one. Or at least, access to one.

Re:no surprise there

[Daengbo]

Cash prize ($35K for Chrome) that dwarfs the cost of the hardware = you being wrong

Re:no surprise there

[gstrickler]

It's not $35k for a Chrome exploit, it's $20k. $20k from Google, $0k from Tipping Point if is falls on day 1, $10k each from Google and Tipping Point if it falls on days 2 or 3.

It is slowly ramping up

[Sycraft-fu]

We've had a few Macs (Macs that were administered by the person, not by IT) at work owned. In one case it was pure user stupidity, a world writable FTP. They couldn't see what was wrong though because "Macs can't get hacked!" In another case it was a virus that seemed to use the speech synthesizer to read ads. Was really funny.

It is rare, compared to Windows, but growing. The real problem is, as I mentioned, the "But Macs are safe!" people. They really do think that running a Mac absolves them from any security responsibility. I think there are going to be some nasty awakenings and users will have to accept that no matter what you do, you need to have good security practices. A virus scanner is a good idea as well, since it can help catch things if you slip up (and we all slip up).

Re:It is slowly ramping up

A virus scanner is a good idea as well, since it can help catch things if you slip up (and we all slip up).

A virus scanner won't necessarily catch user error and security software often ends up being more intrusive than malware, burrowing itself deep into the OS and making removal difficult. Who in their right mind would want garbage like Norton on a Mac?

Re:It is slowly ramping up

[coopaq]

I know. That argument is annoying. If they would just say they like the machine build quality, Unix like underpinnings and user interface better it would make it easier to listen to them.

As for your antivirus comment. Well you must be a sys admin to love such crapware.

Seriously in the middle of doing an install of Fedora 14 on my corporate laptop since McAfee is sucking the IO life out of my Windows install. I can jump through hoops to sometimes avoid it, but is company policy. 100000 files in my project and doing a simple copy to an external esata drive takes forever with McAfee cock blocking IO bullshit.

No such trouble or company gripes with Linux.

Re:It is slowly ramping up

Secure config > OS Choice.
 
More after these words.

Re:It is slowly ramping up

[smash]

If they would just say they like the machine build quality, Unix like underpinnings and user interface better it would make it easier to listen to them.

This is exactly why i am buying Macs (I also have Windows and BSD boxes). I consider no desktop OS to be secure, so i don't browse dodgy shit without using a VM, and run a firewall in front of it.

Re:It is slowly ramping up

You know, I share that opinion for Windows and OS X, but only because they're closed off. AV solutions on those platforms are almost inevitably half-assed and poorly integrated (the last is somewhat understandable). But on a platform with a fully open kernel, AV could be much cleaner and less intrusive than we're used to.

...it occurs to me you could replace all instances of AV with DRM and it'd still be true. DRM would lose its effectiveness though.

Re:It is slowly ramping up

[davidshewitt]

A virus scanner is a good idea as well, since it can help catch things if you slip up (and we all slip up).

I work at a help desk, and people bring in infected machines all the time, mainly with fake antivirus scam malware. I've found that the anti-virus software has either been circumvented by the malware, or it hasn't detected the virus. The best way to solve the problem of casual, drive-by malware is user education.
Specifically, users should be informed of:

1. Always run your machine behind a firewall.
2. Never run or click on something that gives you even the slightest suspicion.
3. Be able to tell the difference between what's running in your browser, and what's running in your operating system. Many of the fake antivirus scams pretend to show a Windows XP version of My Computer in a browser window in an infected state.
4. Poor english in an email or application is a sure sign of a scam.

I would propose TV commercials as a medium to teach items 1, 2, and 4. These methods could be communicated in a short but informative way (i.e. showing someone plugging an ethernet cable into a router with a visual representation of what the router's built-in firewall does for item 1). Item 3 could be communicated through a tutorial shipped with new computers.

Re:It is slowly ramping up

[mwvdlee]

Norton is malware.
But there are still antivirus products which atleast try to have minimal impact on the system.

Re:It is slowly ramping up

[jo_ham]

It's funny how those of that *do* say those things about Macs are conveniently ignored on slashdot, or lumped in as one job lot with people who know nothing about security and claim that OS X is immune. Or even have our intelligence questioned for our choice of computing environment. It's really quite tiresome.

The specific bug that was exploited in this case is in WebKit, so it's a concern for any browser based on it - Apple or not. The purpose of the contest is PR, but does lead to exploits being exposed and patched (albeit held back by the people going for the prizes so they have something to deploy as soon as the contest begins - it took those guys a lot of work to get it to the stage where they could deploy it quickly - they could have disclosed their method some time ago [but the same is true for all the exploits used in this contest, on all of the platforms]).

The attack order of the machines really has little ultimate value in the end - the fact that security holes exist in the first place is the take home message. I hope OS X keeps getting attacked - the more exploits are found, the more get closed off. I am careful with my machine, but I welcome disclosure and patching of bugs.

Re:It is slowly ramping up

Seems like an unlikely story. There is no FTP server on the Mac. Never has been. If the mac in question had a "world writable FTP", it must have been installed by someone. You can't blame the platform for that. Also, I follow Mac viruses closely. There is no known virus in the wild (yet) for the Mac. By that I mean one that can propagate by itself without authentication. Yes, there are trojans, but they also have to be authenticated.

Agreed that the Mac community (if there is such a thing) needs to be alert. But please don't invent stories.

Re:It is slowly ramping up

Chrome uses webkit.

Re:It is slowly ramping up

[rolfwind]

Problem is that people are never taught security practices. The software just lets them get up and go, not even offering a tutorial.

It's the equivalent of handing a 16 year old kid the car keys, whether he knows to drive or not, whether he has taken classes or not, and then blaming the car when he gets into an accident.

I realize there are more vulnerabler OSes (XP, Win9x) and less (*BSD) but no security mechanisms can fix user error.

I have gotten my parents Macs and am happier, by and large, but set it up in a way so they still need to use passwords to use the computer and install software. I tried explaining the implications of installing software although I wonder if that just went in one ear and out another, or about surfing the web from public hotspots/wirelessly. Even set up their router to use encryption, and thankfully they don't travel much.

However, there are other security practices that drives them nuts, I wish they would use noscript, but it's more hassle than it's worth, and I get calls why such and such banking page isn't working, every so often...

Re:It is slowly ramping up

[jbolden]

I think there are going to be some nasty awakenings and users will have to accept that no matter what you do, you need to have good security practices.

That's not quite true. The weaker the OS security the more your practices matter. A capability system can be very secure. NT could have been massively more secure. The SE features in OSX could take security much much further. You can make things easier or harder on end users.

That being said... end users don't like intrusive security.

Re:It is slowly ramping up

As a computer idiot that uses Macs for non-security reasons, could you point me to a document for my "security responsibility"?

I found this:

https://www.csp.noaa.gov/policies/NOAA_IT_System_Rules_of_Behavior_2006_updated.pdf

but its outdated and doesn't seem applicable to a home user.

This is more outdated:

http://www.giac.org/certified_professionals/practicals/gsec/1685.php

This link says I shouldn't be a zombie:

http://www.silicon.com/technology/security/2010/08/09/zombie-pcs-time-for-their-zombie-owners-to-take-some-responsibility-39746189/

But this one says my ISP should stop zombies:

http://www.pcworld.com/article/135820/report_isps_should_take_more_responsibility_for_security.html

I mean, I just do email, surf the web, edit photos and videos. I never knew there was some kind of social contract to do extra things to be in compliance with security responsibility. To be in compliance, how much time a week does it take? What actions should I do on a weekly basis? Is my Mac defective by design? Does it need "anti-virus" software? I've never heard of a Mac getting a virus.

OK, lets forget about the Mac. That seems too hard.

What about my "phone"? It runs Linux/Android. Being that its a newer technology, I would guess its easier to fulfill my security obligations than a PC. What about my HP printer? What about my Linksys router?

Re:It is slowly ramping up

[Relayman]

Okay, but who has a real virus scanner for Mac? Several I've seen advertised appear to be scams; they pretend to scan and then say, "Everything's good!" Of course, I expect perfection in a world where even the best virus scanner for Windows gets, what, 80% of the malware?

Re:It is slowly ramping up

[Antisyzygy]

Shit, Mcafee is these days as well. I used to use the enterprise edition since its the only one worth a damn that doesn't bombard you with popups and have an overbearing UI.

Re:It is slowly ramping up

[Stupendoussteve]

Preferences > Sharing > File Sharing > Options... "Share files and folders using FTP"

That's not to say it's inherently insecure. The shared folders were obviously set up as world writable by the user.

Re:It is slowly ramping up

[Sycraft-fu]

I can't give you a good virus scanner for Mac as I don't know yet. Macs are a new part of my responsibilities at work so I've only done some research. I can say Sophos does have a Mac virus scanner, Sophos is what we license at work. However I can also say fuck Sophos, I hate it and would not recommend it.

As for catch rate, no it is much better than that. Good virus scanners tend to get 98% or more. There is some balance between higher catch rate and too many false positives, but you can have few false positives with a 98% or better rate. The very best tend to be 99.5-99.9% catch rate.

http://www.av-comparatives.org/images/stories/test/ondret/avc_od_aug2010.pdf for the latest results. The AV Comparatives site has more overall data for other kinds of tests too.

Perfect? No but nothing in the world is. If you demand only perfection you end up missing out on everything because nothing meets your impossible standard.

Re:It is slowly ramping up

[Anonymous+Psychopath]

Chrome uses webkit.

That's an excellent point that I had forgotten. Does anyone understand the exploit well enough to know if this is specific to Safari's implementation of Webkit, or can it be easily modified for Chrome as well?

Re:It is slowly ramping up

[sznupi]

Relatively few people (any people, about anything) say "they like it better" (and, heck, even "being used to" or "lazy" or good reasons in my book); more often than not it's a tirade about how their choice "is better".

Re:It is slowly ramping up

[parlancex]

Actually, it says a lot about the browser and operating system that the exploit was able to launch applications and write files to the disk. In a properly secured web browser and operating system neither of those things would have been possible, even if the browser was compromised. The browser should have simply crashed.

Re:It is slowly ramping up

[CannonballHead]

They really do think that running a Mac absolves them from any security responsibility.

You would get that impression from reading slashdot, too. They have been told this, multiple times. It's not really their fault, heh.

Re:It is slowly ramping up

[Daniel+Dvorkin]

ClamAV runs as well on Macs as on any Unix system, and if you want a GUI there's ClamXav.

Re:It is slowly ramping up

[Guy+Harris]

There is no FTP server on the Mac.

$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.6.6
BuildVersion: 10J567
$ man ftpd
TNFTPD(8) BSD System Manager's Manual TNFTPD(8)

NAME
tnftpd -- Internet File Transfer Protocol server

...

$ ls /usr/libexec/ftpd
/usr/libexec/ftpd

And, yeah, it came with the OS. In case you hadn't noticed, Macs are UN*X boxes these days (UNIX(R) boxes, starting with 10.5 for Intel).

Re:It is slowly ramping up

[jo_ham]

And slashdot is one of the few places where you have to add qualifying statements to generally colloquial English that "is better" is almost always a contraction of "for me personally, it is better".

Remember, this was the site that took Steve Jobs to task for claiming the iPhone 4's retina display was indistinguishable from high dpi pint at arm's length with a lengthy discussion about the average distance of a person's arm and the degrees of arc of human vision, just to get an Apple bash story and that Jobs' keynote figure was 2 or 3 inches out.

Thus, you have to twist around and be specifically verbose, lest you be accused of saying something you don't mean literally.

Re:It is slowly ramping up

[jo_ham]

Yes, or should be properly sandboxed in the first place - this is something supposedly coming in 10.7. I'm not trying to justify the exploit or lessen the effectiveness - security breaches are serious, I was just addressing the point that not everyone who uses Apple products is standing with white earbuds in turned up to high volume going "lalalala no exploits on mac!" whenever security is brought up.

Re:It is slowly ramping up

[Relayman]

Thanks for the pdf. I found the comparison helpful; I was surprised that there were some many products catching 98% or more of the malware.

Re:It is slowly ramping up

[Relayman]

ClamXav seems to me to check Mac systems for Windows malware. The ClamXav site I found indicates that they know of no viruses for Macs. The reason for running ClamXav is to keep from passing Windows viruses on to your friends and coworkers.

Re:It is slowly ramping up

[sznupi]

And... unremarkably, it's one of many, many places where even supposedly versed individuals [1] ignore how people work in general. No, what you describe is not how our minds work, it's one of fantasies we like to convince ourselves in at best (go through a list of cognitive biases). If we get / have something, we have a profound need to see it as the best, period (not "I like it, even for silly [2] reasons")

[1] plus here self-selection, "technical", "non-people" background, might even solidify it.
[2] Which would be, again, still absolutely valid.

Re:It is slowly ramping up

[blackpig]

According to...

http://www.dailytech.com/article.aspx?newsid=21097

"The attack also exploited poor coding in Apple's branch of WebKit, which features many bugs and security flaws. While Apple's WebKit branch, which powers its Safari browser, shares a certain amount of code with Google's WebKit browser Chrome, Google has added much more robust security layers and is less buggy."

So it looks like the exploit is Safari specific.

Not even surprised

I am not surprised at all that the Mac/Safari would collapse. Apple has boasted for years that it was more secure than PCs since they never get malware...or viruses, oh wait, never mind.

Holding back exploits to score quick victories?

[jo_ham]

Given the financial incentives involved here (for example, the guy who gave up an almost certain $15,000 because he reported a bug to Google rather than keep it under wraps until he could clean up at Pwn2Own, how many bugs on all of the major platforms are kept "secret" to be used in contests like this?

I understand the nature of the event is to demonstrate the issues of security and code vulnerability, but sitting on exploits is surely counterproductive here?

Re:Holding back exploits to score quick victories?

[kangsterizer]

it's a business. at least you get some bugs fixed that way. they'd keep it for other people if other people paid more (and some do!)
so yeah, it's just business. most businesses aren't very moral for that matter.

Re:Holding back exploits to score quick victories?

[gl4ss]

they're not exactly secrets. a secret is something someone else couldn't stumble upon by accident or by purpose, these flaws are there or they aren't and everybody has practically the access to the same running code to examine at their leisure.

maybe google should up the rewards and cut the paychecks of their useless academics to make it a non issue. they could just make their bounties a bit less of a joke, a thousand dollars is like 1/120th of the money it takes to employ their average guy who SHOULD HAVE FIXED THE BUG EARLIER.

Re:Holding back exploits to score quick victories?

[Frosty+Piss]

I understand the nature of the event is to demonstrate the issues of security and code vulnerability, but sitting on exploits is surely counterproductive here?

You don't understand the mind-set of hackers, do you....

Re:Holding back exploits to score quick victories?

Why the hell should he do Apple's job of finding/fixing bugs in their products? Is Apple going to reward him for increasing the security of their

Re:Holding back exploits to score quick victories?

[jo_ham]

Well, given the information in the article it was non-trivial to write a working exploit of this bug, so the guy clearly put a lot of effort into it. However, if bugs like these were reported more as a matter of course then it would leave the *really* esoteric ones for contests like this, which would be a security win for everyone, since more difficult bugs would be exploited and squashed for money.

I think the people involved here are relatively altruistic in terms of security (ie, "white hat"), but I can't help thinking it's low hanging fruit that they have hidden behind a curtain, to be revealed in the day of the contest (for all platforms involved, not just Safari on OS X).

Re:Holding back exploits to score quick victories?

[jo_ham]

I'm not talking just about Apple - note that I was talking generally, and even specifically mentioned Google as an example - it's right there in my comment. I am talking about the contest as a whole, including all of the operating systems and browsers involved, but feel free to ignore my point and just have an Apple bash. After all, we are on slashdot.

Also, talking about this specific bug, it was an exploit in WebKit - so are you now saying that WebKit is an Apple product? After so many years of "Apple just took KHTML and rebranded it and claimed all the credit" posts on slashdot, now suddenly it *is* an Apple product? You can't have it both ways.

My original point was referring to all browsers and operating systems involved, both with OSS components and closed code.

Re:Holding back exploits to score quick victories?

[filthpickle]

See all the recent HBGary stories.

Re:Holding back exploits to score quick victories?

[mwvdlee]

Wow! Your employer pays you 120,000.- US$ for each individual bug you fix? I fix bugs on a daily basis and get paid less than that for a whole year.

Re:Holding back exploits to score quick victories?

[AmiMoJo]

If your prime motive is profit then you could easily sell a zero day vulnerability for more than 15k. If they were available for less than that someone would just buy one and win the competition to turn a profit.

Re:Holding back exploits to score quick victories?

Well, let's read the article, shall we? Here's from the bit about hacking Safari...

In an interview with ZDNet, Bekrar said the vulnerability exists in WebKit, the open-source browser rendering engine. A three-man team of researchers spent about two weeks to find the vulnerability (using fuzzers) and writing a reliable exploit.

So, they kept it secret for about 2 weeks.

Re:Holding back exploits to score quick victories?

Anybody else bugged by that unmatched parenthesis? doesn't quite compile for me...

Re:Holding back exploits to score quick victories?

Google pays less than Pwn2Own? That is part of the disincentive.

Re:Holding back exploits to score quick victories?

Maybe if Google paid more than $1,373 (something like that) for a major bug people would be all over that. How about $5K-$10K per major (define this) bug.

Re:Holding back exploits to score quick victories?

For the right people an unknown 0-day remote execution exploit can be worth a LOT more than $15.000

Re:Holding back exploits to score quick victories?

[jo_ham]

Which if you're being genuinely altruistic about this sort of thing is a couple of weeks too long.

Re:Holding back exploits to score quick victories?

[jo_ham]

Apologies - I rephrased part way through and forgot to go back and remove it. I spotted it after hitting submit.

Re:Holding back exploits to score quick victories?

Given the financial incentives involved here (for example, the guy who gave up an almost certain $15,000 because he reported a bug to Google rather than keep it under wraps until he could clean up at Pwn2Own, how many bugs on all of the major platforms are kept "secret" to be used in contests like this?

I understand the nature of the event is to demonstrate the issues of security and code vulnerability, but sitting on exploits is surely counterproductive here?

Well, you see, there is a large difference between finding a bug and being able to create and execute an exploit. The holes aren't extremely difficult to find, but believe me, trying to hack through Chrome's sandbox is absolute hell. Once you are able to get some access, it is almost impossible to retrace yourself back out. Google has produced a solid product with Chrome.

Re:Holding back exploits to score quick victories?

I think your understanding of altruism is flawed.

Most of the people at Cansecwest either have criminal records or were smart enough to not get caught. The only reason they're "white-hat" is because companies pay them a ton of money to do what they do for fun anyway.

Re:Holding back exploits to score quick victories?

Maybe you should try fixing the bugs in your brain's reading algorithm, that is not what he said at all.

He said, that Google pays a bounty of $1000 for each security vulnerability reported (I actually thought it was $1337), and guessed it was 1/120th of the salary of one of the Google employee's responsible for fixing the bug.

Same story every year, mac goes down

http://en.wikipedia.org/wiki/Pwn2own

Re:Same story every year, mac goes down

[betterunixthanunix]

I am left wondering if it is because the top security researchers just want Macs, or if it is because Mac OS X + Safari is a dangerous combination.

Re:Same story every year, mac goes down

[gstrickler]

Same story every year, Windows goes down. Every year, IE goes down. Every year, Safari goes down. Every year, Firefox goes down. Every year, Chrome survives (would have gone down this year, except the hacker gave Google the exploit shortly before Pwn2Own).

Now we can stop the platform trolling pissing match.

The pen industry

[Noam.of.Doom]

Am I the only one who thinks that it's strange for a firm that tests pens to hire security experts and participate in this competition?

Re:The pen industry

That's pen as in penetration, so penetration-testing company not a writing implement.

Re:The pen industry

That joke went right over you head.

Sandbox

[Mr_Silver]

The most interesting and disappointing thing about Pwn2Own for me was that all the recent development of sand-boxing in browsers suggested that they were going to herald in a new era of browser security.

In actual fact it turns out that, thanks sloppy implementations, they aren't very good at their job.

Re:Sandbox

[MoeDrippins]

It doesn't matter how good the idea is if the execution is sloppy. I do suspect browsers are more secure, and at least partially due to the sandboxing idea, than in the past, no?

Re:Sandbox

Really? I think you're imagining things here. Chaining three exploits to best IE is no simple feat. It still didn't gain admin access (though that's the second easiest part).

And Chrome still hasn't been beaten. While I'm not impressed by Google's coding standards, it's my understanding that Chrome's sandboxing architecture is a bit more complex than IE's total reliance on MIC.

Re:Sandbox

Sandboxing and privilege escalation being needed did make it so IE/Windows needed 3 concurrent exploits to be broken, as opposed to Safari/OSX's 1 exploit.

Re:Sandbox

[jbolden]

It could. Its still young. There were these sorts of problems in the mid 1990s with the Java sandbox.

Re:Sandbox

[timeOday]

The new layer of security is engineered using the same techniques as the old one, so...

On slashdot and elsewhere the conventional wisdom still seems to be that the solution is there, and everybody just needs to try harder at using them. I'm becoming more convinced this is false. It's increasingly clear that nobody knows any practical method to secure any network that is a target of directed attacks. With any luck you can delay the attacks and make the more expensive, but that's it. In retrospect I guess that should come as no surprise, just as it's impossible to run a business without some loss to theft.

misleading title on /.? never!

[risinganger]

Well that headline is misleading at best I'd say. I suggest reading pwn2own day one: Safari, IE8 fall, Chrome unchallenged in which it states that both Safari and IE fell at the first attempt, clearly it was a matter of nothing more than the ordering. Apologies for disturbing all the anti-apple ranting but both systems are weak.
 
Please feel free to resume posting uninformed comments now.

Re:misleading title on /.? never!

Well that headline is misleading at best I'd say. I suggest reading pwn2own day one: Safari, IE8 fall, Chrome unchallenged in which it states that both Safari and IE fell at the first attempt, clearly it was a matter of nothing more than the ordering. Apologies for disturbing all the anti-apple ranting but both systems are weak. Please feel free to resume posting uninformed comments now.

There is something strange about how this is worded, as the first hacker - taking down Safari/MacOS - won 15k$. It sounds really strange if that price was decided just by the ordering of attempts.

Re:misleading title on /.? never!

Awwwww... poow widdle Macinista! You can go back to jerking off to pictures of Steve Jobs now...

Re:misleading title on /.? never!

[drinkypoo]

Well that headline is misleading at best I'd say. I suggest reading pwn2own day one: Safari, IE8 fall, Chrome unchallenged in which it states that both Safari and IE fell at the first attempt,

Nobody cares, because it's not news when IE gets compromised. It's news when Apple says "oh we're so secure" and iFanbois say "oh it's so secure" and it's the first to fall.

Re:misleading title on /.? never!

[bidule]

The successful hack came in spite of a large security patch, Safari 5.0.4, that Apple released ahead of the competition, patching some 60 security holes in the browser. As well as Safari, Apple also patched iOS to version 4.3. This is because, in a change to historic competition rules, the system configuration was frozen last week, so the last-minute fix hasn't prevented exploitation.

How to make the truth a lie.

Re:misleading title on /.? never!

This is an Apple advertisement, not a Microsoft advertisement. Microsoft's marketing department pales in comparison to Apple's.

Re:misleading title on /.? never!

How is the title misleading? It says Safari first to fall at pwn2own 2011. That's exactly what happened.

Re:misleading title on /.? never!

[roothog]

The headline is truthful: the Mac was the first to fall. Had the headline said "only to fall", then it would have been a lie.

The fact that IE also fell doesn't make the Mac's failure OK.

Re:misleading title on /.? never!

FTFA: "First up, and first to fall, was Safari 5.0.3 on fully-patched Mac OS X 10.6.6."

First up or not, it was the first to fall. Hence the correct headline.

Re:misleading title on /.? never!

If you are going to talk about misleading, you might also want to include this titbit of information:

However, the contestant registered to attempt the attack did not show up, so the browser remains unbeaten. One possible reason for this is that Google published a Chrome update yesterday, closing at least 24 security flaws.

Also, Apple did roll out a bunch of patches for Safari just before the contest. Microsoft didn't (their own fault).

Re:misleading title on /.? never!

As others have stated, all attacks happen at the same time and there is a race. Safari fell first.

Re:misleading title on /.? never!

[RatPh!nk]

I wonder what version of Safari was being used (not that it really makes that that much difference) just for completeness sake. That Ars article says

First up, and first to fall, was Safari 5.0.3 on fully-patched Mac OS X 10.6.6.

Then later in the article it says

The successful hack came in spite of a large security patch, Safari 5.0.4, that Apple released ahead of the competition, patching some 60 security holes in the browser.

I am guessing it was really running a 5.0.4 on a fully patched etc...

Re:misleading title on /.? never!

I read your article. Did you? It says "First up, and first to fall, was Safari 5.0.3 on fully-patched Mac OS X 10.6.6."..."Next to fall was 32-bit Internet Explorer 8 on 64-bit Windows 7 Service Pack 1".

When someone says "First" that usually implies a "Next" and hence an ordering of events involved. OS X was schedule first...IE 8 scheduled next. Or do you need a car analogy? You are a fool if you are mislead. If English isn't your first or second language then I apologize for calling you a fool.

Re:misleading title on /.? never!

That's ok. I'm a smug Linux nerd, so it works either way for me.

Re:misleading title on /.? never!

Except that's not how the contest is run. Otherwise they wouldn't have been waiting for day 2 to start attempting against FireFox.

Re:misleading title on /.? never!

[fermion]

So why was chrome not effected if the bug was in Webkit?

Re:misleading title on /.? never!

[CannonballHead]

Yeah... most Windows users don't claim that Windows is immune to viruses, hacks, etc., either. :) MS itself keeps their virus/security thing up to date pretty well now, it seems.

Re:misleading title on /.? never!

[140Mandak262Jamuna]

So why was chrome not effected if the bug was in Webkit?

There was only one contestant registered to hack Chrome. Google released a batch of updates the day before the release. According to the rules, the machine was frozen a week ago with the latest updates available then. If that machine gets hacked you get to own that machine. If the bug is still present on the latest update as of the day of the contest, then you get prize money too. The prize money is more for Chrome, but the machine is not a big deal. So no one showed up to hack Chrome.

It is possible the lone contestant was the one who took the 1337$ bug bounty giving up the 20K prize money too. Getting on the good books of Google might be worth a lot more to that contestant, if my conjecture is true, than embarrassing them in this high profile contest.

Re:misleading title on /.? never!

[scot4875]

Because if Chrome sandboxes the Webkit code, even if Webkit has a vulnerability, the exploit would still have to find a way to get out of the sandbox.

--Jeremy

Re:misleading title on /.? never!

the title is misleading?

First up, and first to fall, was Safari 5.0.3 on fully-patched Mac OS X 10.6.6.

second paragraph, 1st sentence from your linked article.

Re:misleading title on /.? never!

[Wild_dog!]

The one that fell was with Safari 5.0.3 I have heard. With Safari 5.0.4 the hack wouldn't have worked and 6 weeks of work would have gone down the drain. Good thing the machines weren't updated right before the contest.

Re:misleading title on /.? never!

[Wild_dog!]

As I posted above:
The one that fell was with Safari 5.0.3 I have heard. With Safari 5.0.4 the hack wouldn't have worked and 6 weeks of work would have gone down the drain. Good thing the machines weren't updated right before the contest.

Re:misleading title on /.? never!

[Wild_dog!]

The devoloper who was going to attempt the hack on chrome no showed, so there was no attempt. Also, I think somewhere above someone was saying that people can't use the same exploits.

Re:misleading title on /.? never!

Yes and No. Although you are correct about the order playing a role in Safari falling first, it also left with the title of falling the fastest something which order played no role in. If the information I read was correct it was a matter of seconds not minutes which it took to make Safari fall. Lets be honest here you are clearly a pro-Apple kinda person. Although I personally don't use the Apple devices myself (mainly due to my personal dislike of their business practices) I can objectively say that their devices from a functionality standpoint are incredible. Apple has shown that is has what it takes to be one of the market leaders in design & user experience period. The issue with Apple now is that they need to be far more security focused as their products are beginning to take flight. Lets be honest Apple is enjoying a larger share of the consumer market then they ever have. In order for them to continue this growth pattern and see more and more consumers 'make the switch' they will need to curb these security concerns both quickly and publicly.

extortion

Sitting on some damaging knowledge until you are paid to reveal it is plain extortion. Why there isn't law which allows the "winner" of these sorts of contest to be immediately arrested is beyond me. Fortunately, the way our government is going, it'll only be a matter of time until such people are dealt with.

Re:extortion

[Gadget_Guy]

Sitting on some damaging knowledge until you are paid to reveal it is plain extortion.

If I find a security hole in some software, I am under no obligation to tell anyone about it. But if a contest is set up (with the approval of the software companies) where I can use my knowledge to win a prize (and that knowledge is passed on the appropriate companies and NOT released to the public) then there is absolutely no problem.

It is only extortion if I contact the companies themselves and threaten to release the code to the world if I am not paid unless they pay me. But that is not what is happening here. Pwn2Own has been going on for years, and nobody has been arrested because of it.

Lets face it : Apple got served.

[unity100]

There is no other way of putting it. When you get served, you get served. and apple, has got served. much better for apple and its fans to take lessons from it, accepting the result, to better their stuff, than to try to spin and defend it.

Re:Lets face it : Apple got served.

[jo_ham]

If 3 guys working for 2 weeks to set up an exploit in the Webkit engine, and sitting on it until the contest is "getting served" then I suppose they did.

The way I see it, it took them considerable time to set up, and now we have another bug to patch (there are many). IE8 fell almost as quickly, but when has that been good linkbait? The result is "code has vulnerabilities, news at 11".

The more they find, the safer the code gets.

Re:Lets face it : Apple got served.

[unity100]

ie8 fell almost as quickly, but neither windows, nor ie, were being touted by 'safe and secure' as their fanbois.

Re:Lets face it : Apple got served.

[BitZtream]

Yep, and the lesson here is, people really want to win the Mac, so it gets the most attacks to start with ... THEN people go after the others.

Its the same thing ever year and well understood. Its also well ignored by most who would rather assume that its bad security.

All of them fall pretty quickly once people target them, as has already been pointed out, people are sitting on exploits waiting for pwn2own in order to win the machines they want. The macs are well sought after, hence they go first.

God forbid, don't let reality obscure your perspective though.

Re:Lets face it : Apple got served.

Yep, and the lesson here is, people really want to win the Mac, so it gets the most attacks to start with ... THEN people go after the others.

Its the same thing ever year and well understood. Its also well ignored by most who would rather assume that its bad security.

All of them fall pretty quickly once people target them, as has already been pointed out, people are sitting on exploits waiting for pwn2own in order to win the machines they want. The macs are well sought after, hence they go first.

God forbid, don't let reality obscure your perspective though.

Ok, so in your reality, winning a Macbook Air 13 is so attractive that it trumps the 15000 USD cash price?

Re:Lets face it : Apple got served.

[Anonymous+Psychopath]

Yep, and the lesson here is, people really want to win the Mac, so it gets the most attacks to start with ... THEN people go after the others.

Its the same thing ever year and well understood. Its also well ignored by most who would rather assume that its bad security.

All of them fall pretty quickly once people target them, as has already been pointed out, people are sitting on exploits waiting for pwn2own in order to win the machines they want. The macs are well sought after, hence they go first.

God forbid, don't let reality obscure your perspective though.

This is a silly argument for several reason:

1) They have to already own a Mac in order to develop the exploit.
2) They could buy a lot of Macs with $15,000 USD.
3) Why would you want to really, really win any particular brand of PC when you had just discovered and written something that lets anyone with a web server pwn it?
4) Even assuming your argument is accurate, that means that all it takes is a little extra effort to crack a Mac, in this case because the browser isn't properly sandboxed. This is because Apple has done a poor job. That isn't a good thing for those of us that use them every day, including me. Discovering vulnerabilities and demonstrating exploits is a Good Thing for users, just a bad thing for fanbois.

Re:Lets face it : Apple got served.

[SadButTrue]

Funny, you think people are going after the $2k mac but don't care about the $20k cash that google offered to target chrome?

So $15k + Mac has more value than $20k + PC? I mean, I know the waiting list for macs is nearly 20 years long now and they are giving PCs away with the purchase of soup but....

Re:Lets face it : Apple got served.

[jo_ham]

So wait, who is "being served" here? Apple or Apple 'fanbois'?

You originally claimed Apple, now you're saying it's the fanbois. You realise they don't speak for Apple, right? Just as neckbeards in parental basements don't speak for the Linux community as a whole.

Re:Lets face it : Apple got served.

[unity100]

as = by. mistake.

way too jumpy, you are, padawan.

Webkit

If the flaw is in Webkit, wouldn't that mean that any browser, including a webkit-backed Epiphany on Linux, would also easily fall?

Re:Webkit

If the flaw is in Webkit, wouldn't that mean that any browser, including a webkit-backed Epiphany on Linux, would also easily fall?

Not necessarily, the goal here is to compromise the underlying OS through the browser. It's unfortunately impossible to have a sivil technical discussion about this, but several of the winners of this contest have detailed why MacOS is lacking in security measures vs other OS's, including Windows7, but working on catching up.

I feel a disturbance

[Dunbal]

I feel a disturbance in the Force, as if a million Apple users suddenly cried out in terror, and were pwn3d.

Re:I feel a disturbance

[rolfwind]

More likely that was a million rabid anti-Apple haters orgasming from the news.

Apple users probably going about their day unaware of the news. A few of their computers may be pwned w/o them knowing it, who knows.

Re:I feel a disturbance

[scot4875]

Apple users probably going about their day unaware of the news.

That sounds about right...

--Jeremy

Re:I feel a disturbance

[Noughmad]

Do Windows users cry out in terror when a Window machine gets owned? No, and neither do Apple users.

On the other hand, if a Linux system were to fail, there would be madness among the Linux users.

Ywn2Own

[skingers6894]

Every year headlines claim platforms "pwned" in seconds but it's misleading and sensationalist.

The exploits are researched and practiced over days or weeks, rehearsed and simply repeated on the day. Yes it's bad, yes it demonstrates insecurity but the headlines imply that some guy just sits down at a fresh machine, sight unseen, decides to have a go at hacking it and within seconds it's done.

Of course the exploits take seconds to run - they are running them on computers - they are fast.

I'm sure they get faster every year.

Re:Ywn2Own

[InfiniteZero]

Every year headlines claim platforms "pwned" in seconds but it's misleading and sensationalist.

The exploits are researched and practiced over days or weeks, rehearsed and simply repeated on the day. Yes it's bad, yes it demonstrates insecurity but the headlines imply that some guy just sits down at a fresh machine, sight unseen, decides to have a go at hacking it and within seconds it's done.

Noobs. That's exactly how Hugh Jackman did it, with a gun pointing at his head, while receiving a blow job.

Re:Ywn2Own

From the article:

Bekrar said that in total, a team of three researchers took two weeks to assemble the successful exploit.

Re:Ywn2Own

[Securityemo]

Actually, the only part of executable-level exploits that takes any humanly perceivable time at all is if the shellcode searches through process memory for bits of itself or otherwise, or if the exploit has to try several times to succeed. Or, obviously, if it takes time to get the application into the exploitable state. But under ideal conditions an exploit program can have a shell-process/in-memory payload program spawned almost instantly after the program is run.

Re:Ywn2Own

[Noughmad]

Noobs. That's exactly how Hugh Jackman did it, with a gun pointing at his head, while receiving a blow job.

Hugh who?

Sensationalism on Slashdot

[xororand]

Sadly it's Slashdot summary have a tendency to be sensationalist, misleading and sometimes even wrong. For comparison, consider Ars Technica's headline: "pwn2own day one: Safari, IE8 fall, Chrome unchallenged" — it's neutral and contains more information.

I read the article

[forgotten_my_nick]

So what I take it that the exploit is in WebKit (along with many others). They did mention it was quite hard to build the root kit for x64.

So does this mean it is a cross platform exploit?

Any word on when apple will patch it?

Re:I read the article

[jo_ham]

Anyone can patch it - Webkit is open source!

I imagine it will be added to the next batch of security fixes.

Re:I read the article

[SadButTrue]

Doubt this is the case. If it were, chrome would have fallen to the same exploit.

Unless this was patched in WebKit and Apple still hasn't pushed the update to end users. Which I think would actually be worse than not knowing the exploit existed at all.

Re:I read the article

[Wild_dog!]

Chrome didn't fall cause it wasn't challenged. The developers trying the Chrome hack no showed. Also as someone above mentioned you cannot use the same hack.

Apple updated right before the contest to 5.0.4 which would have prevented the exploit, but the machine at the contest was 5.0.3 which was vulnerable as I understand it.

Re:I read the article

[SadButTrue]

No, the hack that was used was NOT patched in the 5.0.4 update.

I am not sure if you are deriving some other meaning from what I said, but no one showing up to try it does indeed mean it wasn't challenged.

Re:I read the article

[Wild_dog!]

ok... you are right. Reading thru the Ars Technica article mentioned that the hack worked on the latest update. It is funny because the patch 5.0.4 fixed dozens of problems with WebKit. They must have missed the exploit which was being used.

It seems that Chrome has gone 2 years unscathed. There are exploits people could use, but with the sandboxing, apparently they have been unable to utilize the exploits which WebKit has in Chrome as well.

Anyhow. Hopefully, Apple will implement the sandboxing which google has done. I have read that they can, but I'm not certain why they haven't up until now. In another article, I read that they were going to implement sandboxing in OSX Lion, but that they could do it already with SnowLeopard.

Hmmmmm. Good job for chrome. I wonder if Iron Browser implementation of OpenSource Chromium has the same abilities. I like using that browser quite a bit.

Title is also misleading.

[forgotten_my_nick]

It says the Macs were the first to fall. This is because they were the first part of the competition. It appears to imply that all OS were being hacked at the same time.

Re:Title is also misleading.

[roothog]

Was the Mac the first to fall? Yes. The headline is accurate.

Re:Title is also misleading.

So were they the first to fall? Did they fall first?

That doesn't seem misleading at all.

Re:Title is also misleading.

[forgotten_my_nick]

It is misleading because it implies that Mac was rooted faster then the others.

It is like having a race between Bob and John except Bob runs on Saturday and John Sunday. Then have a headline "Bob to reach finish line first".

So to be clear, was the Mac system running OS/X?

[Phrogman]

According to this link: Why Pwn2Own doesn't target linux (linked in another post), Pwn2Own only targets systems running MS Windows 7. If that is the case then this must have been Safari running on Win7, not OS/X.

I accept that OS/X likely has security holes - the same hole that permitted this exploit might work in the OS/X version of Safari as well after all - but I don't want to read endless MS Fanboi posts about how pathetic OS/X is, if the exploited system was running MS Windows 7

Don't let facts get in the way

[UnknowingFool]

According to this more article, the version used by all browsers had been frozen from several weeks back so neither Safari nor IE were the latest.

TippingPoint's Peter Vreugdenhil said the browsers were "frozen" two weeks before today's tip-off with the then-current versions of Safari, Google's Chrome 9, Microsoft's IE8 and Mozilla's Firefox 3.6, to give researchers a stationary target.

While Apple did release a patch just minutes before the contest, it was not used and the release may not be related to the contest. The patch fixed some vulnerabilities but not the one that appeared to have been used. Also IE fell to the first attack. I'm not clear on the details of the contest but it appear that it is turn based.

Vupen, which was waiting in the wings in case Fewer failed, did not get a chance to try its luck against IE8.

It appears that Safari was selected or picked first to be tried.

Re:Don't let facts get in the way

[drinkypoo]

It appears that Safari was selected or picked first to be tried.

It's been the easiest hack in every contest so far, so you'd have to be crazy to not try to hack it first for the quick win.

Re:Don't let facts get in the way

[UnknowingFool]

My recollection is that IE in previous years also fell to the first attacks. Apparently Chrome and Firefox are harder and are tried last. From what I know MacBooks might have been an additional incentive. Hack Safari first and get a MacBook and money or hack IE first and get a PC laptop and money.

Re:Don't let facts get in the way

[Wild_dog!]

The hacks aren't run concurrently.
They are lined up one at a time.
Firefox is tomorrow.
Chrome was 3rd in the lineup but the people attempting the hack no showed as I understand it.

A few points to consider

[galego]

1) If you are a security researcher, do you want to win/pwn the MacBook Air or some random brand Winders notebook? To me, the Mac is the bigger/more fun target in an event like this.

2) From TFA: *He said the creation of a reliable exploit was “much more difficult” than finding the vulnerability.'*
Yes, Macs are not safe, but the crack was also not trivial. Something tells me they didn't come up with it on the spot.

3) From TFA: *Bekrar said VUPEN plans to hit Internet Explorer 8 on 64-bit Windows 7 (SP1) later in the contest.*
Well, we can see where they focused first.

4) 'Mac goes down first' is a much cooler headline than 'Sec. team puts all their effort into cracking Mac first, Will try Windows next'

Re:A few points to consider

[Antisyzygy]

Reread that again. It took less exploits to Pwn the Mac. Furthermore, the Windows and Mac PC's were being attacked at the same time by two different teams. Last year the same shit happened, Mac went down first. Furthermore, you win 15000 dollars when you take down a machine so people have more of an incentive to go for speed. You misinformed, willfully ignorant and delusional Fanboi's are the reason people on / . hate Macs.

Re:A few points to consider

[roothog]

1) If you are a security researcher, do you want to win/pwn the MacBook Air or some random brand Winders notebook? To me, the Mac is the bigger/more fun target in an event like this.

You win the device *and* $15,000. You're going to focus on the weakest device (not the sexiest device) because the major portion of the win is cash.

Re:A few points to consider

[Wild_dog!]

Reread that again. It took less exploits to Pwn the Mac.
---------------
Or looking at it another way... there were multiple exploits to attack with.
With the mac they had to develop a new entirely new set of tools and write new attack code from scratch whereas perhaps the windows exploits just used already existing code?

I didn't see anything about this being a race either from the ArsTechnica article at least. It is not how the contest is organized as I understand it. Each platform is scheduled with its own prize money. They scheduled the attempts in order 1-4 with the Firefox Browser going tomorrow. Since the hacks take less than 5 seconds to run what is more important is that each was hacked on the first try.

Re:A few points to consider

but man adoodley like man the mac man is like man so like secure man adoodley.

Live by hype die by hype

Re:A few points to consider

[galego]

**You misinformed, willfully ignorant and delusional Fanboi's are the reason people on / . hate Macs**

Now I remember why I love to read /. ... the kind, well-spoken base of users that provide for such stimulating conversation.

PS - I run Ubuntu at home.

Re:So to be clear, was the Mac system running OS/X

[dingen]

The exploited system wasn't running Windows 7, it was running Snow Leopard. See the official blog for more info: http://dvlabs.tippingpoint.com/blog/2011/02/02/pwn2own-2011

Whining Apple users

[pleasegetreal]

This is only news because of all the "Macs are safer" bullshit we are continually bombarded with, especially by Apple. Now Apple sycophants are whining because they are getting a dose of what Windows people hear all the time.

Why no sql attack contest?

With the importance of data bases to the computer industry I fail to understand why nothing other than web browsers and the desktop were the target. Seems to me a more important vector for the core troubles on the net is how most large data transactions really take place. If I were a crook and was into hacking this is where the real cash could be made. Holding a banking transaction data base hostage and putting the squeeze on internet money flow would seem to be the real goal of organised crime hackers.

Therefore you need much more than just getting access to Joe Users desktop to become a successful Black Hat. After you steal the user info then you need a way to trick the data base that Joe User must access to do transactions. What the bad guys have to do is a two step hack not just a simple browser exploit! You can bet that there are some really bad dudes already operating at this level...chances are that the commercial crime going on today is already way ahead of these guys. Seeing that some cyber crime can almost be considered a state sponsored enterprise in Eastern Europe and elsewhere.

Conflicting Info

I see conflicting reports. The linked article says they exploited the fully patched Safari, while the Arstechnica article from a week ago quotes Charlie Miller as saying:

Still, Miller thinks that a change in the rules from past Pwn2Own contests will keep any last-minute patch from spoiling his chances for another victory. "Back in the old days when I won, you had to hit the latest and greatest, even if the patch came out that day," he told Ars. "For the first time, as long as the vulnerability is still present on the day of the competition, the actual device being exploited was locked in a week or so ago."

Was anyone at the conference or involved and actually know whether or not the Safari and Chrome patches were applied to the machines or if they were, indeed, running software as it was two weeks ago?

Re:Conflicting Info

[gstrickler]

Both are accurate. The software running on the machines was frozen 2 weeks ago. However, to win the prize, the vulnerability must not have been patched in the latest release. That does not necessarily mean that the exploit works on the latest release, it could be that the vulnerability is still there, but the exploit might need some changes to work correctly. The way it was done this year is much more realistic since most users don't update immediately, and because an unpatched vulnerability that requires changes to the exploit is still an exploitable vulnerability. The hackers don't have to try to update their exploit at the last minute, they have 2 weeks to make sure it works correctly on the configuration to be tested. They only get 'screwed' if a specific vulnerability their exploit used was patched by the vendor before the start of the contest (or if it was a vulnerability that had already been reported to the vendor, even though it remained unpatched).

What do the experts say?

[veldon]

Here are Charlie Miller and Dino Dai Zovi's responses to the very question of which is more secure, Windows 7 or Mac OS X. These are Apple security researchers. It is the second question in the interview:

http://www.h-online.com/security/features/Hackers-versus-Apple-1202598.html

The summary: Mac is only safer from browser attacks than Windows because there is less malware written for it. That is, security through obscurity. But Mac is less safe from targeted attacks.

I am always surprised to hear people claim that somehow Mac is magically more secure. It does nothing but reveal their ignorance.

Re:What do the experts say?

[Relayman]

Some of us base our view of security on what actually happens in the real world. I constantly hear stories about Windows machines being riddled with viruses and other malware but I have never known of a regular person with a Mac that was infected. Of course it could happen and but it's not happening now. It's to the point where you're crazy if you use a Windows machine for on-line banking.

Re:What do the experts say?

[Antisyzygy]

Apple Fanbois are the worst kind of stupid. They think because they own or maybe can afford a Mac is somehow makes them a power-user and technology guru. Funny thing about that, they spout the same old bullshit lines again and again without actually knowing what they are talking about at all. Sure, some of them are OK and smart people, but its a minority. I used to think Macs were OK but after being flamed and having my inbox bombarded repeatedly every time I criticize anything that Apple does it makes me hate Macs out of principal.

Re:What do the experts say?

Har. From OP's linked article

Charlie Miller: ... If you only listen to Apple (or Mac fanboys), you would believe Macs are impossible to hack, which isn't the case. By telling people of the risks, in a real and fair way, I hope users can make informed decisions about how they use their Apple devices.

Dino Dai Zovi: ...At present, a Mac with Snow Leopard is the safer option primarily due to its market share being well below Windows 7's. From a targeted attack, however, it has been my experience that finding and exploiting vulnerabilities in Mac OS X is significantly easier than doing so in modern Windows systems (Vista and 7). However, the 3rd party plug-ins installed in most users' browsers makes attacking even the latest and greatest Windows systems significantly easier. I recommend that users surf the web with Google Chrome, disable unnecessary plug-ins, and use site-based plug-in security settings for the plug-ins that they do need.

Charlie Miller: ...However, experience shows me that OS X probably has more bugs than a Windows browser. Every QuickTime vulnerability is accessible through the browser, and there are a lot of those! As for difficulty of exploitation, Mac OS X is weaker than Windows 7 as well. The industry standard for stopping exploitation are Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). While these are highly technical terms, the fact is that Windows since Vista practises full ASLR and DEP while OS X does not. OS X only randomises some portions of memory and so does not have full ALSR and its DEP is limited to only 64-bit processes, like Safari, but does not affect 32-bit processes like Flash.

And these quotes were taken from just the first page of the article! Face Apple fanbois, your OS is pretty, but it ain't secure.

Re:What do the experts say?

[ledow]

Mac is secure is in aggregate. It all depends on how you view it.

I *KNOW* that if I cross a road, I'm putting my life at more risk than if I stay at home. It doesn't mean that I will never have an accident at home.

Similarly, if you put all your eggs in the Windows basket, you're more likely, on aggregate, to be a victim of something. It doesn't mean that a locked-down Windows PC is any less secure than a wide-open Mac. It's just a statistical average.

By that measure, Windows is excruciatingly far behind on using proper security practices to make sure it's HUNDREDS OF MILLIONS of users aren't affected. Whereas Apple can afford to be a little lax because it TENS OF MILLIONS of users don't exhibit those problems in such numbers.

That said, any PC is at risk if you don't manage it well. However, statistically, if I pick a machine that we *KNOW* to be infected, it's much more likely to be a Windows machine than any other.

"Mac is more secure" doesn't cover it in enough detail (i.e. what Mac, what model, what software, what user, what configuration, how well managed, what connection, what services, etc.") but it has a statistical truth. Your problem is not people telling lies, it's people failing to clarify their argument.

Re:What do the experts say?

[scot4875]

Please, enlighten us on what "proper security practices" Windows is behind on. Please.

--Jeremy

Re:What do the experts say?

[ledow]

Single example, there are many others.

Privilege separation in the default configuration

http://support.microsoft.com/kb/255281

versus

http://www.losurs.org/docs/tips/sysadmin/bind-nonroot

for DNS, for instance, resulting in things like: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1748 giving you "root" access to the server itself.

feeding and caring

[mevets]

1. Are you disgusted by what you see as undaunted loyalty to a brand, or because you feel he is misrepresenting the facts?

2. Either way, I agree the frustration inherent in these kinds of debates. I find that these contests are a bit like the weird pulling locomotives 20 years with your teeth. It is a big event with all sorts of interest, but it doesn't have the decisive conclusion of a real sporting event.
Personally, my favourites are jousting and duellling, as there is little interpretation to make of the outcome.

3. Maybe there is a way in which these sorts of contests can be made a bit more rigorous, at least in the interpretation of results. The way it is currently is a bit like a bowling tournament or an awards show where everybody gets a prize for something and everybody feels a bit humiliated.
It might involve raising the stakes [ ie. each vendor has to submit a VP who will be sacrificed if their product loses ]; or a pre-established agreement on the interpretation of the outcome.

Hey, maybe there is something to this:
http://tech.slashdot.org/story/11/03/06/2142233/Disarm-Internet-Trolls-Gently

Slashdot is a Nerd Tabloid

Low, low editorial values and sensational headlines to get page impressions. It should be no surprise that this headline was accepted and not fixed by the so-called editors.

Vax?

Connected to vax.recon.cx. Escape character is '^]'. SSH-1.5-1.2.30 - Anyone have x2 offsets for vax?

Apple fanboi misdirection on /.? never!

Apple's platform fell within 5 seconds. Period. Deal with it.

Safari not very good in general

This does not surprise me as Safari is the poorest of all the browsers. There are a few "nice" features, but overall the experience is lacking. I think Safari is largely crippled to support iOS implementations, but overall I just cannot use Safari as many websites that I frequent just do not work properly on Safari. I typically uninstall and ignore all Safari updates. I would rather use a beta of IE 9 then Safari, and that says a lot (although I will use Chrome any chance I have).

While this might be a damaging claim, I doubt this will have any impact on the typical Mac user.

Written by PeterB? A known troll?? No thanks.

Peter Bright just retells what others wrote already and he attempts to put his own "spin" on it, which isn't worth much considering he's a dropout from his collegiate comp. science degree attempts.

Doesn't surprise me at all

[Myria]

I reported a local privilege escalation exploit in the Darwin x86-32/64 kernel about eight months ago and they still haven't released a patch yet. What's stupid is that fixing it is an obvious single line to change in the code.

Even if they used the sandboxing API, I'm sure it wouldn't be too hard to find a bug like mine to get root access.

As an aside, if this exploit weren't specific to x86, I would've given the exploit to the iPhone jailbreak hackers instead of Apple.

Opera's not there @ all: Why?

See subject-line above, & can ANYONE tell us all reading here WHY Opera's not represented this year @ all?

"Firefox and Linux are under represented in pwn2own as usual." - by sakdoctor (1087155) on Thursday March 10, @05:41AM (#35441026) Homepage

Per YOUR VERY POINT? I don't even SEE Opera being targetted @ this year's "pwn2own" contest @ all/whatsoever!

(Thanks-In-Advance!)

APK

P.S.=> I just found it rather "odd" is all... &, is it because of the folks @ Opera not being willing to be in this "hack/crack" contest of webbrowsers... or, was it the "pwn2own" folks being unable to find any holes in Opera 11.x @ all?? apk

Tom (822) disagrees with you.

[jscotta44]

The poster just above you seems to disagree with you.

Would the exploits work on the Safari 5.04?

[jscotta44]

The chatter is great, but no one seems to be answering the question of whether or not the exploit would work on the now current version of Safari - 5.04? I don't really care if it was released a few minutes before the contest. Does it prevent the exploit?

Re:Would the exploits work on the Safari 5.04?

[Wild_dog!]

From what I read, it does, but that is just heresay. I read about it somewhere, but can't recall where.

I assume that 5.0.4 arrived concurrently the day of the contest because Apple already knows how the hack works and has had time to fix it. Part of the contest is to figure these exploits out. The code for the hacks and what the vulnerabilities are remain locked away from the public until the browser developers can release their fixes.

Re:Would the exploits work on the Safari 5.04?

[jscotta44]

Yes, the new version was released a few minutes (according to the article) before the event started, but because they lock the versions a week before the contest, the updated version was not used. Thus my question about whether or not the exploit would work. I don't know enough about what was updated to know if they finally implemented the sand boxing that Safari is capable of or not, for example. From what I've seen, if they have just turned that on, then the exploit would not work – similar to how the sand box in Google (which also uses webkit) prevents just such an attack vector. Sohonestly curious.

Re:Would the exploits work on the Safari 5.04?

[Wild_dog!]

Me too....
If you find something maybe you could post it here.
I read somewhere that it would not have allowed the hack, but I don't know where I read it and can't find it again.
I am curious.

Re:Would the exploits work on the Safari 5.04?

[mister_dave]

Safari 5.04 is still vulnerable to the same attack.

Apple released Safari 5.0.4 a day ahead of the competition, patching some 60 security holes in the browser. However, this year the rules have been altered: the configuration was frozen a week ago, hence the competition being run against Safari 5.0.3. Under the new rules, pwning (and hence owning) only needs to succeed on the frozen version. However, to receive prize money (in addition to the hardware), the flaw must also exist in the newest release.

In VUPEN's case, the team will be winning both the hardware and the money. In spite of Apple's last-minute patch, their attack still works.

Re:Would the exploits work on the Safari 5.04?

[jscotta44]

Thanks, for the update. So it would seem that Apple has still not implemented their own sand box with Safari. That sucks.

Re:Would the exploits work on the Safari 5.04?

[mister_dave]

Looks like things will improve with OSX 10.7. Webkit2 should bring some of Chrome's innovations to Safari.

There's an interesting interview with two "Mac hackers" on Heise.

Re:Would the exploits work on the Safari 5.04?

[jscotta44]

Nice find. So this summer before Safari gets the same level of protection.

SoI guess that if that is true, Pwn2Own will have to basically cease to exist. I mean, there were no attempts to break Chrome this year on any device. So Chrome must be impervious and thus Safari will be impervious for next year's attempt. Obviously, the hackers would not have put all of there security investigation efforts just to beat Safari to make a political statement or anything like that. Thus, next year, Chrome and Safare users can rejoice together at having completely impregnable browsers!! Yay!!!

Seriously then, that is a nice find regarding Webkit2.

Oh my my

[dadelbunts]

Whats this. An exploit found in precious unhackable apple products? Like i have always said, the only reason there arent widespread malware,exploits on macs are simply because no one wanted to make them. When someone WANTS to find exploits in anything they will.

Re:Oh my my

Certainly there would be no glory in being the first to create a self-propagating OS X virus targeting close to 100 million machines. Nope. No interest whatsoever.

Re:Oh my my

[Wild_dog!]

The exploit was in WebKit and is not unique to apple. Webkit is used by Chrome as well.

Re:Oh my my

[dadelbunts]

A useless number without something to compare it to. Compare market shares of OSX to Windows OSX is about 7% and XP is about 50%.

Re:Oh my my

Why yes -- 100 million machines is a MUCH more useless number than a percentage. Because 7% is so *small*, it must not be a lot of machines. I mean, who would bother targeting only 7%? It would be silly. It's not like we're talking about a big number of machines like say... oh, 100 million or so.

Trolling in the OP, now?

[vague+disclaimer]

Apple has just released Safari 5.0.4 and iOS 4.3 a few minutes before the Pwn2Own contest in an attempt to save face

Yes. I'm sure dissing pose2own was foremost in Apple's thinking when planning its release schedule.

Router malware pwns Linux-based network devices

ITS ALREADY PWNED:

"Why Pwn2Own doesn't target Linux" - by Anonymous Coward on Thursday March 10, @05:46AM (#35441054)

Yes, Penguins: Linux is ALREADY "pwn'd" is why, so THE HACKER/CRACKER TYPES OUT THERE DON'T HAVE TO!

See here:

---

Router-rooting malware pwns Linux-based network devices - Bad for your ELF:

http://www.theregister.co.uk/2011/03/10/router_rooting_malware/

---

LOL!

APK

P.S.=> "HOT OFF THE PRESSES" today, 03/10/2011... apk

Morbo Concurs

[mjwx]

If you look at the article both exploits took roughly 6 man weeks to find and setup. Safari's took 2 weeks for 3 researchers and IE8s took 6 weeks for 1. They are both as bad as each other really.

I concur with this statement, Safari is just as bad as IE.

Flaw in your argument

Google put forth an extra $20k incentive to whoever cracked Chrome (in addition to the $15k given by the competition). So given your logic, that would be the first to go. With that kind of money, you could buy many Macs. (Money can be exchanged for goods and services.)

Not possible....

[twebb72]

It must have been a Windows PC, running IE, made to look like iOS/Safari. We all know that Apples products don't contain vulnerabilities, whereas Microsoft's PCs can be hacked anytime after POST.
More money, more problems huh Steve...