It turns out there really is a vast global conspiracy.
Protip: Don't be a sucker like your neighbors. Sure they look great but it is unnecessary to wear fancy headgear to avoid the Reds' mind-control beams. Tinfoil works just fine!
How about OS/400? If you have a bank account chances are your money was being calculated at some point with an AS/400. Very popular in the banking and finance world and if you like your money I'd say it's pretty damned important.
It's not truly dead though because it's now been rebadged as "IBM i".
He did use the bug for personal profit. $10,000 worth of personal profit.
I've been in a lengthy argument about this guy on the Ars Technica forums. I ended up emailing Bruce Schneier about this and asked his thoughts.
Here was my email to him:
Hi Bruce,
I've been following the Pwn2Own contest for the last couple of years. Last year a researcher from ISE ( http://securityevaluators.com/ ) named Charlie Miller used an exploit in a Perl library included in WebKit, the base code for Apple's Safari browser, and won a cash prize for his effort. In the press it was claimed he "hacked Safari in mere seconds". In truth it took a lot more time than that to devise the exploit and only seconds to execute it.
This year he did it again with another preplanned exploit which he says he discovered while researching last year's bug. Again he won a cash prize of $10,000.
In an interview with ZDNet he said: "I never give up free bugs. I have a new campaign. It's called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away," Miller told ZDNet. "Apple pays people to do the same job so we know there's value to this work."
I have a major problem with his philosophy and feel this is a dangerous precedent to set and a bastardization of the goals of security in the first place. I feel he has an obligation to inform Apple and not dangle a dollar amount for the how-to.
Sure he should be paid for his time and effort, which is why he works at a security firm. This contest is basically bonus money and about bragging rights. Sitting on a bug puts the safety of other users at risk. But he is basically demanding bribe money for bugs. Who is to say he wouldn't give up his research to the highest bidder? I'm sure there are blackhat groups like those in Russia and China that would pay handsomely for some juicy exploits like this.
Yes there is a long history of security firms hiring hackers and there have been many questions of whether that is a good idea. But security firms should take notice of this philosophy and not employ those who engage in this kind of behavior. It's bad form for his employer and makes the security industry as a whole look bad by proxy. Would you hire a security company that employs hackers who blackmail for bugs to work on your systems? If we had hired his firm while I was working IT at a large New York bank I would have advised my boss to make sure he's not on our project (and perhaps hire an entirely different firm altogether).
I've been in a discussion with other users about this. There seems to be a split in viewpoint, one side saying he should let Apple and the WebKit developers know about this exploit for the betterment of everyone (for free). The other side feels this is purely about capitalism and he has no moral or ethical obligation to tell anyone.
Some have likened it to seeing a crack in a bridge that might fail. Are you obligated to inform someone of the problem? What if Dan Kaminsky demanded $1 million to divulge details on the DNS BIND problem?
What are your feelings on this?
Thanks
Here's the discussion I've been following:
http://episteme.arstechnica.com/eve/forums/a/tpc/f/174096756/m/996001677931?r=869003677931#869003677931
http://dvlabs.tippingpoint.com/blog/2009/03/21/pwn2own-wrap-up
Bruce wrote me back today with his response:
There's a fine line between being paid for your efforts and extortion. This seems to cross it.
Gives a whole new meaning to "what is this crap"?
Or "this isn't worth the paper it's printed on".
Aside from Apple posting a website and saying the usual "it's wonderful" market-speech there, it is the tech media that is giving it all the hype. The media does more to hype Apple products (for the better or worse) than Apple has ever done. Let me know when they start posting ads on TV, magazines and websites for Safari 4.
Sorry, I hate to sound like an Apple fanboy but it just struck me as a nit that needed picking.
The irony of it was the fact that the same audiotape could store a clip of the same audio in much better quality on less tape. Ah well. :)
Yeah I just can't wait for Nokia to put a terminal shell and a C compiler on my phone. I can't wait to compile my next kernel while calling home...
Very true. The problem is that chipsets don't sell computers like processors do. Joe Shopper at WalMart doesn't know what a northbridge is but he has some understanding of what a Core 2 Duo is.
Remember what the ISS is mostly made of.
Love?
Are you saying his Grandma goes out cruising bars?
If you read the newspaper (you know, all of them) you can run for Vice President. Even better, if you can't read you can run for President.
More like "What's Going On With Sun?". Their last big hit was Java and that was quite some time ago...
Perhaps you can call StarOffice "big" for allowing the creation of OpenOffice. Sun isn't exactly the proud company they used to be.
Too bad they couldn't have designed a new car for Knight Rider while they were at it. The Ford cash-grab is appalling.
Yep. Microsoft OneScare to the rescue.
Babies on spikes. Yummy!
They need a Jonathan Ive and a Gunpei Yokoi...
You're right! Quick everyone PANIC!
Must be God playing games with us. /creationist nonsense
More likely that all of our money has gone to stupid wars for stupid reasons and we'll never see any meaningful positive outcome from them nor will we finish paying for them in our lifetime. No you're right. It's all about taxes. /sarcasm
Peace is good business?
All I got from the commercial is Jerry Seinfeld has turned into Al Bundy and Bill Gates like things with a circus theme. Not sure what it has to do with Microsoft though.
Linux Not Supported For Democratic Convention Video? That does it! I'm voting Republican!
Is this the message I'm supposed to take away from this article? Seriously?
I wouldn't get my hopes up on that. I think Sony just has a few good eggs in the PS3 group. However Sony as a whole is gigantic and the various groups don't tend to interact much. This makes their gaming division somewhat unique in the company because the entertainment group (movies, music), media group (MemoryStick, UMD, Blu-Ray) and other various hardware groups work together on common goals. I can't see such a large corporate cultural shift happening any time soon. Sony is a stodgy old company that reacts slowly and conservatively but the PlayStation unit has been their biggest profit center for quite some time so hopefully I'm wrong.