You have enough time on your hands to write a big karma whoring rant, but not two minutes to learn that Vista just restarts the driver in the event of a crash and moves on. You don't lose something that you've typed in notepad and haven't saved. Whereas in Linux you would lose the gvim session with the unsaved buffers. You've successfully told the moderators what they want to hear and earned the mod points though. Good job.
Ubuntu 7.10 runs Gnome by default. So it's either Firefox or Epiphany (or both, don't remember) that comes with it. Konqueror might get in tomorrow (i.e. today).
I've tested the load times of (clean) Vista vs. (year-old) OS X 10.4, on the same machine (a 2G Macbook with Boot Camp). Vista took twice as long to boot, and three times as long from hitting enter on the login screen to the time the hard drive stops being accessed. Safari loads 25% faster than IE 7 on Windows XP, in my tests, and its recent JavaScript benchmarks have shown a much higher rate of speed than any other browser. Vista SP1 dramatically improves boot up times. Also, on first boots it might be slower until the speed-up tools optimize the file placement on disk and make subsequent boots faster.
So yes, I have a right to make this claim. No. You might have had a chance if Vista or Ubuntu were cracked in 3 or 4 minutes or even 30. But they weren't cracked ALL day. Just cut out the nitpicking BS. It's not even close to plausible.
No, you enforce it using a clean room and no Internet access. I'm not saying that you couldn't memorize how to create an exploit, but you have to create it on-site. And then you have to have the competition for 10 days with people looking at each other bored, and the conference cost will run into millions.
Ok, look at it another way: what if there is a very serious Vista exploit based on opening Outlook Express (Windows Mail or whatever it's called now) and opening an email in the Inbox. But they can't get it to happen within 2 minutes, because Outlook Express takes longer to load than Safari. How fair would that be? You are punishing Apple because they have an extremely fast browser. What a crock of bs. Each contestant was given 30-minute slots to go at each machine (this was done in parallel on all three machines, each with a different team trying to crack it). And I would believe the difference in IE7 and Safari startup times and in running simple websites across a crossover cable would be on the order of seconds, not even minutes.
Maybe, but I won't waste my time trying to hack it if it was more difficult to hack than the other two laptops. I would straight away go for the easier ones.
Social engineering does more damage than whatever Vista+IE-whatever can undo. My lawyer is going to click yes if the bait looks good enough to her.
The only way to get in the way of that is to get in the way of that: Special purpose browsers that don't have a place to plug in a URL. And even that is not good enough, but it's better than trying to use ACLs to build walled gardens like this "integrity levels" thing Vista has. That's like saying since laws against rape cannot help murder victims and does not prevent murder, they're useless and hence rape must be allowed since murder is a lot worse than rape. And stop the nonsense about special purpose browsers that can visit only one site. It's a solution that's worse than the problem. The internet would've never taken off and we wouldn't be posting here if there were only special purpose browsers. Just take your machine off the internet. I think that will be good for both you and us.
What business does a laptop have for its existence without a user tapping at it? Who are the Einsteins that modded this "insightful"? Are you out of your mind? Laptops are meant to be gracefully slid into thin manila folders and kept in them.
The article suggests that the contest winner had an exploitive script ready to go on a private server before the contest even began. Do you honestly think the same thing could not have been accomplished with I.E.? What does my thinking one way or the other have to do with it? The real question is why it didn't happen. Also, IE on Vista runs under a sandbox, making attacks like this hard to pull off.
Baloney. You can buy about 5 Macbook Airs by selling off the Windows and Ubuntu laptops on eBay plus the $10,000 cash prize. Anyone who tried for the Macbook while sitting on Linux and Windows vulnerabilities is an idiot.
There's no conceivable way that the exploit was discovered and attack code written in two minutes. Hell, I could barely write a slightly sophisticated 'hello world' app in that time (maybe I'm just a slow typist, or he's an android.)
From what I've seen, (correct me if I'm wrong) the rules stated that no previously disclosed vulnerabilities could be used. So, if this guy kept quiet for a few weeks, he could have used exploit code he had already developed. That is exactly the goal of the contest, to responsibly disclose previously undiscovered vulnerabilities. Since the contest was announced a long time back, people would've started working on researching the holes. All in all, a good thing because a vulnerability has been sent off to Apple to be fixed, instead of being possibly discovered by a blackhat and be exploited in the wild.
Well, I've never been rickrolled (well, not nonconsensually) so I'm probably pretty safe from hack attacks. Every day there is news of websites getting hacked and bad code being uploaded that compromises browsers. So even the sites you think are trustworthy can get you owned (not directly the fault of the people who run it, of course).
There are no known un-patched vulnerabilities for Safari 3. What are these then? Also your statement shows that you haven't even read the headline, the summary, or the article, or are just under the influence of a certain kind of field.
You can buy 4 Macbook Airs for $10,000. Or 25 iPhones. So if it were easier to crack Ubuntu or Vista, people would've definitely gone for it. And the prize for cracking on the first day was $20,000 each. The people who tried to go for the Macbook Air while sitting on Linux and Windows holes would be really stupid.
As long as the browser has the ability to be re-directed to any site but the site it was defined for, you're going to have spoofing.
As long as you have spoofing, you're going to be losing your tokens. Repeat after me. Security is not a product or a program. Security is all about layers. Vista's sandbox model for IE is another security layer that Safari is lacking. The anti-phishing features in IE and other browsers are another layer. None of the layers are perfect, but they stop a class of attacks. The sandbox won't prevent spoofing (even the antiphishing filter is useless against zero day phishing sites), but it can easily stop or mitigate the very kind of vulnerability we are discussing that took down the Mac in the contest. You can use VMs to browse if you're that paranoid about security (the recent security holes found in VMWare notwithstanding).
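The "sandbox model for IE" the post above refers to is Vista's Protected Mode, which runs the browser at Low integrity under Windows Mandatory Integrity Control. The following PowerShell demo is an added example written for this page, not code from the thread or from Microsoft: it labels a directory Low, obtains a Low-integrity shell, and shows that the shell can write only into the Low-labelled directory. It assumes Vista or later, an ordinary (Medium-integrity) user account, and made-up names under %TEMP% ('mic-demo', 'probe.cmd', 'lowcmd.exe').

```powershell
# Added example (not from the thread): Windows Mandatory Integrity Control,
# the mechanism behind IE7 Protected Mode on Vista. Objects carry an integrity
# label (Low/Medium/High/System); a process may not write to an object with a
# higher label ("no write-up"), regardless of what the DACL would allow.
# Assumptions: Vista or later, run as an ordinary (Medium-integrity) user;
# the 'mic-demo' directory and file names below are made up for the demo.

$base   = Join-Path $env:TEMP 'mic-demo'
$medDir = Join-Path $base 'medium'   # left unlabelled: implicitly Medium
$lowDir = Join-Path $base 'low'      # explicitly labelled Low below
New-Item -ItemType Directory -Force -Path $medDir | Out-Null
New-Item -ItemType Directory -Force -Path $lowDir | Out-Null

# Apply a Low label; (OI)(CI) makes new files and subdirectories inherit it.
icacls $lowDir /setintegritylevel '(OI)(CI)Low' | Out-Null

# Inspect the labels: the Low directory lists a
# "Mandatory Label\Low Mandatory Level" entry, the Medium one lists none.
icacls $lowDir
icacls $medDir

# Get a Low-integrity shell without writing any code: copy cmd.exe and label
# the copy Low. Per Microsoft's Windows Integrity Mechanism design notes, when
# the executable's file label is lower than the caller's token, the new
# process runs at the file's level.
$lowCmd = Join-Path $base 'lowcmd.exe'
Copy-Item "$env:SystemRoot\System32\cmd.exe" -Destination $lowCmd -Force
icacls $lowCmd /setintegritylevel Low | Out-Null

# A batch script the Low shell will run: print its own label, then attempt
# one write into each directory.
$script = Join-Path $base 'probe.cmd'
@"
@echo off
whoami /groups | findstr /i Mandatory
echo from-low-il > "$medDir\medium.txt"
echo from-low-il > "$lowDir\low.txt"
"@ | Set-Content -Path $script -Encoding ASCII

& $lowCmd /c $script

# Report which writes landed: no-write-up denies the write into the Medium
# directory, while the write into the Low directory is permitted.
"Medium dir write landed: $(Test-Path (Join-Path $medDir 'medium.txt'))"
"Low dir write landed:    $(Test-Path (Join-Path $lowDir 'low.txt'))"
```

This is the whole of what the layer buys you: a browser exploit that runs code at Low integrity still cannot write to the user's profile, startup folders or HKCU, so persistence needs a second bug (an elevation out of the sandbox). It does nothing against spoofing or phishing, which is why the post treats it as one layer rather than a fix.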
Well, they let them use a Vista laptop because Windows 7 isn't available yet (not sure it means anything, but Microsoft is still an OS generation behind Apple). You mean Microsoft is an OS generation behind Apple in security holes so that we can win cool laptops and cash prizes?:)
The winner got to keep the unit AND 10,000 Don't forget that the prize was 20,000 each for the first day. And none of the machines got compromised. Including the Vista and Ubuntu machines. So, the GP is even more wrong than you think.
Let's face it: if the prize is the laptop you hack then everyone would be trying to hack the Mac: who the fuck wants the shame of walking away with a Dell under their arm? Uhh? Can't they ditch the Dell in the nearest trashcan and run to the Apple store with the $10,000 in cash? Or did you miss reading about the cash prize under the influence of some kind of field.
You first said:
instead you got a beauty contest. Which apple apparently won. Any contestant with half a brain knows that he can get 4+ Macbook Airs for the $10,000 cash prize and then ebay or install hackintosh on the "non-beautiful" laptops if they really hate Ubuntu or Vista that much. Seriously, if it was easier to compromise Ubuntu or Vista why not do that instead of going to the trouble of hacking the more secure (your implied claim) Apple laptop?
And you forgot the prospect for employment. Hack a mac and you put it on your resume, hack a PC and no one cares or worse thinks you are a script kiddie. If the company really thinks in that way, I don't think you want to be working there in the first place. And what about Linux? Why wasn't it hacked?
More to the point, what you can't measure here is the real world vulnerability. I cringe at keeping my Linux machines up-to-date and protected. I rely on firewalls, not the machines. With the machines, which are production machines, it's a huge roll of the dice to try to apply a patch and descend into dependency hell and discover over the next week which parts of your production got broken and which need compat libs and so on. With my fleet of macs, I don't hesitate to software update (well actually, unless the vulnerability is rampant I wait a week cause even apple screws the pooch. But just a week, and then you know it's safe.)
So in the real world macs are highly patched. MS can be and it's only a wee bit harder. (And when they fuck up (SP1) they go big, but it's mainly a function of your hardware.) Linux requires real expertise and knowledge of how your specific magic mixture of packages will be affected. That's more beside the point than to the point. All the Apple patches in the world won't save you from this exploit, since they don't have a patch for it out, yet. Besides, are you comparing updating production servers on Linux to Mac desktops? That's not a fair comparison at all. Desktop Ubuntu can also be updated without a hitch. Also, I've never seen a Windows Server 2003 production server have any problems with any of Microsoft's updates. And if you're using Debian stable on your server, you will be pretty stable with installing all the security fixes and updates because they do a really good job of testing the fixes.
I don't get you. First you say(emphasis mine):
Good to see that social engineering is still all it requires to compromise something. And then you say:
Bigger hoops to jump through? Linux has fairly high levels of user/admin separation, and windows has been burned enough times that the sandbox that IE runs with is effective enough to slow people down, far more than it was back in the ie6 or ie5.5 days. Care to explain how if user interaction is all that's required, user/admin separation and sandboxes are getting in the way?
no, what he is saying is that more people would be trying for the macbook air, because more people would want to own a macbook air. The $10,000 cash prize makes it irrelevant and would make people go for the easier hack rather than trying to break a comparatively secure but preferable laptop.
it should only count if the entire exploit was created and performed on-site How would you enforce that rule? By reading people's minds?
Who is to say that someone else would not have found a Vista exploit that way, in much less time than Charlie Miller did? And the contestants had enough advance warning of the contests (almost a year I think, definitely more than a month) so that's a moot point anyway. That theoretical "someone" you talk about had plenty of time (and still has) to craft a Vista exploit and take home a laptop and lots of cash.
Your mention of WINE makes me think. Can you install Safari on the other machines and take them? Don't know if they consider it a popular application, but the rules are that you can't use the same exploit to own more than one machine (and winning contestants are barred from competing for the remaining laptops). So you would at least have to find another Safari hole to make your plan work.
Are you for real? Did you bother reading that article and seeing the fine print? The laptops were tested in parallel all day and Mac fell first, the other two were tested for the rest of the day and weren't hacked so they go to the next round with relaxed rules(3rd party s/w installed). It's extremely funny that you did exactly what you're accusing others of doing. Nice self-pwnage.
Do you still stand by your parent post that said user interaction is all that's required?
You forgot to factor in the $10,000 cash prize.