I really think sony doesn't want to sell laptops to people who know anything about them. Finding information on that VAIO on sonystyle.com is like pulling teeth. Look on the Canadian site sony.ca. It's $2300+
And I made it easy for you
the security flaw was in Safari- probably a buffer overflow allowing arbitrary code to be executed. had safari been on any other OS with that flaw the other OSes would be fscked as well no questions asked. IE7 on Vista runs in a sandbox so hence won't be so easy with such a buffer overflow. But you're right, Safari on Windows would go down pretty quick with this exploit. Maybe they'll install it tomorrow on Vista and it might get owned with another exploit(using the same exploit again is not allowed, just as the same contestants won't be allowed to try to hack the other OSes).
I think he's trying to say that since the Mac was not compromised on Day 1, it's secure and was only hacked under the relaxed rules. But that logic falls on its face once you consider that the rules were relaxed for the other two OSes as well.
sudo (especially, M$'s patented snake-oil version of sudo) all by itself isn't enough. sudo? sudo is a sandbox? since when? I should have guessed that people calling Microsoft M$
You have to have single-purpose browsers, and they can't be just parameterized instances of the general purpose browser (and, no, the current MSIE is not even such a parameterizable browser). What are you blathering about? What's a single purpose browser? Like a browser that can only browse one site? Or one browser running in a virtual machine for each tab opened?
So is it official that the Vista and Ubuntu machines have survived day 2??! Judging from the blog... it isn't:
Update 5:45 PST - The contest is officially over for today. Check back tomorrow to see how the Vista and Ubuntu laptops fare.
Do you have an inside scoop?? You misunderstod the contest rules. No inside scoop. Just the blog.
Day 1: March 26th: Remote pre-auth
All laptops will be open only for Remotely exploitable Pre-Auth vulnerabilities which require no user interaction. First one to pwn it, receives the laptop and a $20,000 cash prize.
The pwned machine(s) will be taken out of the contest at that time.
Day 2: March 27th: Default client-side apps
The attack surfaces increases to also include any default installed client-side applications which can be exploited by following a link through
email, vendor supplied IM client or visiting a malicious website. First one to pwn it receives the laptop and a $10,000 cash prize.
The pwned machine(s) will be taken out of the contest at that time.
Day 3: March 28th: Third Party apps
Assuming the laptops are still standing, we will finally add some popular 3rd party client applications to the scope. That list will be made available at CanSecWest, and will be also posted here on the blog. First to pwn it receives the laptop and a $5,000 cash prize.
So the security will be even more relaxed on the third day because Ubuntu and Vista survived the first two days without a hack. The Mac finished last and is out of the race.
All Apple products cause herpes. Maybe the articles are just pointing out that the Apple products you worship are not without their faults?
Come on guys the Mac/Apple bashing articles are really getting silly. Yea lets bury this news article then just because it's anti-Apple? You're the one blaming the messenger(Slashdot) for posting news. Maybe you should blame reality for all the 'Mac bashing'.
considering who is doing the attacking I'd bet that physical access would make these comps 100% breakable. all that needs to be done is reset the bios and pop in a live cd and it's game over. So why was a unpatched security vulnerability in Safari needed if it were so simple? There was no physical access provided. Give some credit to the organizers, they're not dumbasses to give $10k in cash and a expensive laptop to the first contestant that jogs into the competition.
I know... it shocked me that installing software often didn't require any sort of authentication what so ever... Because the code ran under Safari's privileges, i.e not root but user.
you could look at it this way: cracking anything Windows is pretty much nothing special, it's being done on a massive scale botnets and zombies considered- what is perhaps a ncier target is a 2,000 dolalr macbook that claims to have a lot higher security than windows. motivation being the biggest security danger of them all. The Sony VAIO TZ37CN Ubuntu laptop costs $2300+ You mean no one wanted that and 10k in cash when "all that needs to be done is reset the bios and pop in a live cd and it's game over."?
as more than one person mentions above,)... that the attack on the mac was the first attempted hack under the relaxed rules. I think it's clear that the hacker wanted the mac, especially since there are known open vulnerabilities that could have been used on MSIE, and some highly probable directions fairly well known on Firefox. You've lost me. Where does it say that the mac(apart from your 'persons above' handwaving) was the first attempted hack under the relaxed rules? Go read the site. It says that all three laptops were tried all day and the Mac was removed from the competition because it failed to survive the second day. The others did. Under the same rules.
especially since there are known open vulnerabilities that could have been used on MSIE, and some highly probable directions fairly well known on Firefox. So there are known open vulnerabilities in IE7 and Firefox and no one wanted a free 10k in cash (20k in total) for just running them plus 2 expensive laptops? Are you kidding me?
We know that the browser is vulnerable. Anyone who thinks general purpose browsers are invincible is living in a dream world. IE7 on Vista runs in a sandbox. This kind of attack on IE7 wouldn't have worked without another hole compromising the sandbox. Stop coloring all the browsers with the same color just because the one you use got pwned.
It's time to abandon the general purpose browser. It's also time to quit surfing as your log-in user. You need a browser for surfing that you run (sudo or something) as a strictly limited privilege user without log-in capabilities. If you pulled your head out of the sand and informed yourself beyond the anti-Vista tripe that's posted on here, you might have known that IE7 on Vista does exactly what you described ever since it came out more than a year ago.
You aren't totally correct on that. The article says "He was the first contestant to attempt an attack on any of the systems." (on the second day). None of the systems fell on the remote only side but when it came to test user interaction the Mac was the first one tested. I'm still waiting for the result on the other machines. It is what a lot of us suspected... because of Apple's rep., people would be eager to take on the Mac first. It is still not to say it isn't bad... oh, it is. But the contest isn't over yet. Sorry, that's just plain wrong. Every laptop had different contestants going on about it in 30 minute slots all day.
Day 1: March 26th: Remote pre-auth
All laptops will be open only for Remotely exploitable Pre-Auth vulnerabilities which require no user interaction. First one to pwn it, receives the laptop and a $20,000 cash prize.
The pwned machine(s) will be taken out of the contest at that time.
Day 2: March 27th: Default client-side apps
The attack surfaces increases to also include any default installed client-side applications which can be exploited by following a link through email, vendor supplied IM client or visiting a malicious website. First one to pwn it receives the laptop and a $10,000 cash prize.
The pwned machine(s) will be taken out of the contest at that time.
Day 3: March 28th: Third Party apps
Assuming the laptops are still standing, we will finally add some popular 3rd party client applications to the scope. That list will be made available at CanSecWest, and will be also posted here on the blog. First to pwn it receives the laptop and a $5,000 cash prize So the Macbook is out of the race since it finished last. Tomorrow, the Ubuntu and Vista machines will have a prize of $5000 on them being cracked with lots of third party apps installed.
Good to see that social engineering is still all it requires to compromise something. So why weren't the Windows and Linux machines be able to be hacked inspite of the social engineering and users being at the helm all day?
And the karma-whoring RDF sets in.
anyone who either has physical access to the computer being attacked or can convince the user running the machine to install/download anything is capable of breaking pretty much any OS they want. So no one wanted 20k of cash and expensive windows and linux laptops? Why weren't anyone able to hack the Windows and Linux laptops?
They did not have physical access to the machine. Nothing was downloaded or installed manually. Only a website hosted by the attacker was just visited by the organizers on the browsers and mails were opened(attachemnts were not) and read.
The fact that they had to relax the rules so that the Mac could be broken into illustrates this nicely. The fact that inspite of the relaxed rules, the Windows and Linux laptops were not broken into, illustrates totally something else. I will let you guess it. They are going to further relax the rules tomorrow to include third party applications to make it even easier to hack. Unfortunately, the Mac won't be there because it didn't make it to the third day.
Uhh what? The Air has nothing to do with it. All fully patched machines running OS X with the latest Safari 3.1 are vulnerable to this exploit. And you mean a exploit targeting fully patched Vista SP1 or Ubuntu 7.10 won't make headlines? Think again.
CANCELABLE javascript. Wha? Any time you get a javascript prompt, you'll have OK, cancel, and "stop all javascript right fucking now". Opera already does this.
Apple said itself that the term is not binding Any reference to back that up?
Do not confuse "having legal standing" with "going to win". "Legal standing" is about whether the plaintiff is indeed the harmed party, is indeed the right party to bring the suit. If you whitness that your neighbor Pete is defrauding your other neighbor Tom, you can't sue Pete, because you are not the harmed party. You have no legal standing. Only Tom, the harmed party, can bring suit. Exception to this is criminal matters where the state sues on behalf of the harmed party. You knew what I meant, so can you answer it? Is Apple "going to win" or not?
Can you name a browser than doesn't have, and never will have, any critical vulnerability, that non-tech-savvy individuals can use? Yes, though may not like the answer. IE on Vista runs in a sandbox, so the damange from most vulnerabilities are confined from affecting even the user files.
It seems highly unlikely to me that many of the users who download Safari without thinking about it are going to go looking for it in the Programs menu and launch it. Safari installs a icon the desktop.
And it's not vulnerable if it's not running.
Can I come over to your home and install a whole bunch of unwanted and vulnerable software on your machines?
And what the hell are you talking about with MS giving guidelines? You mean like, MS should give you guidelines on what you should and should not do with your PC? Dude, seriously, where the hell did you come up with your ideas? Give him a break, he's just trying to spin the whole fiasco as Microsoft's fault.
It's fixed in the next release and it's not binding anyway. Really? So is the 'only Apple machines' clause in the OS X licence 'not binding anyway' too? Can legally install a bought copyt of OS X on my PC? Can I setup a shop that installs OS X on customer's PCs for a fee and Apple won't have any legal standing to sue me?
There's no reason to believe that by installing music software, the manufacturer will also push a browser to you. It's actually even worse. Users are slowly getting accustomed to new software installs being bundled with other nonrequested stuff like Google Toolbar, but iTunes doesn't try to install Safari on the first install, but sneaks it in as a 'update' to iTunes. This is more underhanded because users are not at all used to installing totally unrelated software as part of a update to the software they have installed.
Good god, man! We've got to get them back on Internet Explorer! Though you meant it as a joke, for users on Vista, that could actually be a good thing. IE on Vista runs in a sandbox, so any code owning IE can only mess with the cache folder or something, and can do nothing to your system as well nor any thing to your user files like documents. Whereas, almost every other browser out there runs with the user permissions(not root or admin) by default(on all OSes, AFAIK), so that a compromise can result in viruses/keyloggers etc. that can run on startup, delete your user files/documents and/or email them to Nigeria whereas that's not simply possible with IE on Vista.
Update: 03/26 21:21 GMT by Z : Safari is now at 100%, apparently, with Safari close behind at 98%.
Looks like someone wasn't reading what they were writing. The links are right though. That only means Safari running around itself in circles.:)
Do you have any evidence for this? It's just human nature.
No, browsers aren't actually all that large (the rendering engines for the Opera desktop browser and the mobile browser are the same), and you don't have to painstakingly discuss absolutely everything. Nothing would ever get done.
Yes, Safari and Opera are both moving fast. Extremely fast compared with Firefox and Internet Explorer. But that is because they are much smaller codebases. Gecko is huge and crufty. Changing one thing can have knock-on effects all over the place. Internet Explorer has three very different rendering engines attempting to remain compatible with years-old intranet applications.
One of the reasons Apple chose KHTML instead of Gecko for Safari was that it was much smaller and had a cleaner design. And that choice has paid off in spades, the turnaround on new features and functionality is extremely quick. Since we don't have access to Opera's source code, lets look at khtml/webkit. I tried to download the latest snapshot of the WebKit source tree from the webkit site so that I could separate the resources(binary files, changelogs etc.) from the source code and get the size of it, but I was struck by a 265MB (yes you read it right) download. Since I am on a slow connection right now, maybe someone can perform a more accurate analysis and post the results here. But even assuming 100MB of resources, 165MB is a HUGE amount of source code for something that you claim has a 'much smaller and cleaner' design and is "not all that large".
What you are seeing here are not crazy hacks, but the consequences of years of savvy architectural and management decisions. When you invest in clean design up-front, the cost of efforts like this is vastly reduced. I can't really post without knowing about the internals of Webkit and Opera (and so can't you) but the snippet of code that the AC above you posted looks like a hack. Instead of fixing the rendering of the 'Ahem' font, it seems to turn off font smoothing just to make it look like the reference rendering(note that it does it only for the web font). What about such bugs for other fonts? Brushed under the carpet called Acid3 compliance. And that's just one snippet. God knows what hacks are in the other parts of the code. Clean design can't do everything when you're in a hurry and in a race to get the most press coverage.
Can't really comment on that snippet of code without knowing a ton of details. As a side note, I can't understand programmers tend to use code like
m_allowFontSmoothing = (nameStr != "Ahem"); instead of
Sure, it will take a few seconds more to type, but you write code only once but it's read many times by different people who don't have to solve a mini-puzzle in their head before understanding what it does. Same with folks who think that writing things like while(--i) is clever coding. It's not, it makes the code harder to understand for even you when you come back to reading it after a few days and is a pain to understand and maintain.
If this were news about IE, I'd care. If it were news about Firefox, I'd care. Since I'm a Mac user, if it were news about Safari I'd probably care, at least a little (although I use Firefox). But Opera? I don't even test my stuff against that browser - it's just never been particularly relevant.
First off, Opera use is large enough for the company to survive on revenue from Google from the search bar(just like FireFox). I've seen figures of 1 to 2% of use, and when you factor in the huge number of web surfers, ~1% is nothing to sneeze at.
Now, I realize that Opera zealotry is as fervent as the worst Mac fans, and loses nothing to the Nikon/Canon camps; but really - the installed base is tiny. When I look at my site stats, Opera doesn't even show up (and even Netscape 4.x still has a tiny sliver of the pie). So I'm not sure even the "competition is good for everyone" argument particularly applies here.
That's pretty narrow minded thinking. Many of the features in Firefox and and it's extensions are Opera innovations or it was the first browser to have a good implementation. You can see some of the innovations here . Of course, Opera has taken some cues from Firefox too, but I think it's safe to say that all the browsers have benefited because of the existence of Opera. Hence, it's not 'irrelevant' just because there are hardly any hits from Opera on your site. Many of the features you enjoy in Firefox have their root in Opera.
Slashdot Mirror
I think he's trying to say that since the Mac was not compromised on Day 1, it's secure and was only hacked under the relaxed rules. But that logic falls on its face once you consider that the rules were relaxed for the other two OSes as well.
All laptops will be open only for Remotely exploitable Pre-Auth vulnerabilities which require no user interaction. First one to pwn it, receives the laptop and a $20,000 cash prize.
The pwned machine(s) will be taken out of the contest at that time.
Day 2: March 27th: Default client-side apps
The attack surfaces increases to also include any default installed client-side applications which can be exploited by following a link through email, vendor supplied IM client or visiting a malicious website. First one to pwn it receives the laptop and a $10,000 cash prize.
The pwned machine(s) will be taken out of the contest at that time.
Day 3: March 28th: Third Party apps
Assuming the laptops are still standing, we will finally add some popular 3rd party client applications to the scope. That list will be made available at CanSecWest, and will be also posted here on the blog. First to pwn it receives the laptop and a $5,000 cash prize.
So the security will be even more relaxed on the third day because Ubuntu and Vista survived the first two days without a hack. The Mac finished last and is out of the race.
Uhh what? The Air has nothing to do with it. All fully patched machines running OS X with the latest Safari 3.1 are vulnerable to this exploit. And you mean a exploit targeting fully patched Vista SP1 or Ubuntu 7.10 won't make headlines? Think again.
Can I come over to your home and install a whole bunch of unwanted and vulnerable software on your machines?
First off, Opera use is large enough for the company to survive on revenue from Google from the search bar(just like FireFox). I've seen figures of 1 to 2% of use, and when you factor in the huge number of web surfers, ~1% is nothing to sneeze at.
Now, I realize that Opera zealotry is as fervent as the worst Mac fans, and loses nothing to the Nikon/Canon camps; but really - the installed base is tiny. When I look at my site stats, Opera doesn't even show up (and even Netscape 4.x still has a tiny sliver of the pie). So I'm not sure even the "competition is good for everyone" argument particularly applies here.That's pretty narrow minded thinking. Many of the features in Firefox and and it's extensions are Opera innovations or it was the first browser to have a good implementation. You can see some of the innovations here . Of course, Opera has taken some cues from Firefox too, but I think it's safe to say that all the browsers have benefited because of the existence of Opera. Hence, it's not 'irrelevant' just because there are hardly any hits from Opera on your site. Many of the features you enjoy in Firefox have their root in Opera.