"Unsurprisingly, Charlie Miller, principal security analyst with Independent Security Evaluators, took home the $10,000 prize after he hacked Safari on a MacBook Pro without having access to the machine"
This would be called hacking via remote access.
'There are two lessons for businesses to learn about security here, right off the bat. First, using Apple hardware and software is not an adequate defense, in and of itself. Despite the common perception that the Mac OS X operating system is just inherently more secure than Windows, the reality is that the primary reason Macs aren't attacked and compromised more often is that the platform with 92 percent market share promises malware developers a significantly higher return on investment than the platform with 5 percent market share."
For this hack to work in the real world, you would need to physically click a link to the malicious site somehow (in an email maybe, or a link via IM or whatever). Social Engineering. It relies on the ignorance of the computer user to do the hacker's job for him, because he can't do it himself.
Can your Mac get hacked remotely? No.
Will the hacker drive to your house and personally point your web browser to his site to infect your Mac? Not likely.
I wouldn't worry too much about it. The contest has no actual meaning, beyond the obvious: don't let a hacker get their actual, physical hands on your machine.
Or hack your router, or hack the DNS server, or serve up a malicious web page and send you a email to click.
How about a malicious redirect? A corrupted PDF document or image?
Heck, even insert packets when your updating OS X or the programs you use turning them into trojans.
Lots of ways to crack a Mac or any computer without physical access.
Someone has figured out a way to insert rogue code into Apple's keyboard firmware, which is not erased when the hard drive is.
Everything I wrote was acurrate. Don't attack me persoanlly...we can disagree but quit the personal attack ...
I don't want to get into a flame war.
Please note that absolutely nothing I said was in fact anything close to a "personal attack."
I just maintained that you were wrong, which in fact you are. I think anonymouse sums up the reasons why the "contest" is misleading, flase, etc. the best, so maybe just read that.
For this hack to work in the real world, you would need to physically click a link to the malicious site somehow (in an email maybe, or a link via IM or whatever). Social Engineering. It relies on the ignorance of the computer user to do the hacker's job for him, because he can't do it himself.
Can your Mac get hacked remotely? No.
Will the hacker drive to your house and personally point your web browser to his site to infect your Mac? Not likely.
But thats not realworld what you described......everyone surfs the web......everyone is vulnerable to click on a link to a malicious website.....you don't have be directed to do it...the link could be named anything. It won;t be named "click here to malicious website"
It could be anything.......it could be a fake headline to a news article you have been following.......
Can you download a copy of Photoshop CS4 trial and hack it and get a fully functional copy for free??
Yep, modify a plist file and block it from contacting the servers at Adobe for activation. However I did have to find a working serial number first online.
The consumer market is over 50% of the market and doesn't have the costly demands for different configurations like the enterprise market has. So Apple can make limited product lines and maximize margins through streamlining, automation, economies of scale and discounts on mass purchases of third party parts.
The iPad is likely very close to 100% assembled by robots, running 24/7. Unlike Mac Pro's which are very likely assembled by hand.
The iPhone was hacked in seconds......Windows 7 machine was compromised in about 2 minutes I believe this year..... so no one platform is safe....assuming you will not get compromised because you are on a Mac is sticking your head in the sand.
Any platform can get hacked at anytime..... and not just by a virus....Most of them by malicious code from a website.......so everyone is vulnerable.....unless you don't connect to the outside world that is.......
You seem to keep missing the critical question (at least the one I'm trying to pose) here, and the article you link does not address it.
Siting your example above; were the iPhone and Win 7 machine both hacked by the same person? Yes/No? Were they as experienced / proficient at hacking both systems equally?
Is Chrome is last man standing because it is the most secure? Or because there are no "Chrome hackers" at Pwn2Own?
It all seems "relative" because media reporting of the event doesn't address the critical aspects of the contest. (and I read all about it every year)
"People will criticize me and say I'm a bad guy for not handing over [the vulnerabilities], but it actually makes more sense to me to not tell them," Miller said.
Of course it makes more sense to him - if they don't fix the exploits, he can do it again next year, for MORE money.
You seem to keep missing the critical question (at least the one I'm trying to pose) here, and the article you link does not address it.
Siting your example above; were the iPhone and Win 7 machine both hacked by the same person? Yes/No? Were they as experienced / proficient at hacking both systems equally?
Is Chrome is last man standing because it is the most secure? Or because there are no "Chrome hackers" at Pwn2Own?
It all seems "relative" because media reporting of the event doesn't address the critical aspects of the contest. (and I read all about it every year)
I guess what I was trying to get you to do was some research on your to answer your own questions. the link to the website I posted had links to other articles. Also just Google it and you will have the answers to the questions you posted....
Yep, modify a plist file and block it from contacting the servers at Adobe for activation. However I did have to find a working serial number first online.
Not that I care, or use Photoshop; but doesn't the demo still expire after the clock runs out without activation?
Yep, modify a plist file and block it from contacting the servers at Adobe for activation. However I did have to find a working serial number first online.
or use a outgoing firewall like littlesnitch or others
"Unsurprisingly, Charlie Miller, principal security analyst with Independent Security Evaluators, took home the $10,000 prize after he hacked Safari on a MacBook Pro without having access to the machine"
Then how did he "make" the machine to go to the malicious website? If he had remote access, who gave him the password?
I guess what I was trying to get you to do was some research on your to answer your own questions. the link to the website I posted had links to other articles. Also just Google it and you will have the answers to the questions you posted....
If I remember correctly, the last time I heard about this contest none of the computers were hacked on the first day, then on the second day the rules get relaxed and the hackers are allowed to have partial password rites to the computer being hacked, like sending an email to the computer with malicious code and allowing the receiving computer to click accept and open the email, thus releasing the hack.
Is there a similar situation going on here? let?s get all the fact, because what I described above is not a true test of security.
The second day (last year) the contest situation was set up to realistically mimic real user situations, surfing the net, emailing etc. using the computer basically. Not just a locked box sitting on a table.
So is the speed with which a device / system is hacked, more an indication of inherent vulnerability, or an indication of the talent of the individual hacker.
If Charlie Miller hacked a Mac in XX number of minutes; was he not able to hack a Windows system just as fast?
no - it means that charlie miller was well prepared. IIRC - in the past he had found vulnerabilities in open source contributions to the mac os and didn't report them so he could get himself a macbook air.
Comments
Can you download a copy of Photoshop CS4 trial and hack it and get a fully functional copy for free??
yes......but of course I would not but it depends on how much time you want to spend on the hack......anything can be hacked given time and resources
Your reading gets more and more selective.
"Unsurprisingly, Charlie Miller, principal security analyst with Independent Security Evaluators, took home the $10,000 prize after he hacked Safari on a MacBook Pro without having access to the machine"
This would be called hacking via remote access.
'There are two lessons for businesses to learn about security here, right off the bat. First, using Apple hardware and software is not an adequate defense, in and of itself. Despite the common perception that the Mac OS X operating system is just inherently more secure than Windows, the reality is that the primary reason Macs aren't attacked and compromised more often is that the platform with 92 percent market share promises malware developers a significantly higher return on investment than the platform with 5 percent market share."
For this hack to work in the real world, you would need to physically click a link to the malicious site somehow (in an email maybe, or a link via IM or whatever). Social Engineering. It relies on the ignorance of the computer user to do the hacker's job for him, because he can't do it himself.
Can your Mac get hacked remotely? No.
Will the hacker drive to your house and personally point your web browser to his site to infect your Mac? Not likely.
"This is the #1 reason Macs are slow to dent the business world..."
I don't think so.
What is the #1 reason then?
I wouldn't worry too much about it. The contest has no actual meaning, beyond the obvious: don't let a hacker get their actual, physical hands on your machine.
Or hack your router, or hack the DNS server, or serve up a malicious web page and send you a email to click.
How about a malicious redirect? A corrupted PDF document or image?
Heck, even insert packets when your updating OS X or the programs you use turning them into trojans.
Lots of ways to crack a Mac or any computer without physical access.
Someone has figured out a way to insert rogue code into Apple's keyboard firmware, which is not erased when the hard drive is.
Read and be very afraid.
http://arstechnica.com/apple/news/20...h-firmware.ars
What is the #1 reason then?
IT careers.
You should think first then post......
Everything I wrote was acurrate. Don't attack me persoanlly...we can disagree but quit the personal attack ...
I don't want to get into a flame war.
Please note that absolutely nothing I said was in fact anything close to a "personal attack."
I just maintained that you were wrong, which in fact you are. I think anonymouse sums up the reasons why the "contest" is misleading, flase, etc. the best, so maybe just read that.
For this hack to work in the real world, you would need to physically click a link to the malicious site somehow (in an email maybe, or a link via IM or whatever). Social Engineering. It relies on the ignorance of the computer user to do the hacker's job for him, because he can't do it himself.
Can your Mac get hacked remotely? No.
Will the hacker drive to your house and personally point your web browser to his site to infect your Mac? Not likely.
But thats not realworld what you described......everyone surfs the web......everyone is vulnerable to click on a link to a malicious website.....you don't have be directed to do it...the link could be named anything. It won;t be named "click here to malicious website"
It could be anything.......it could be a fake headline to a news article you have been following.......
SNIP
The person who was registered to hack the Nokia went missing in action so no result for that device.
SNIP
probably at the bottom of a lake in finland by now...
Can you download a copy of Photoshop CS4 trial and hack it and get a fully functional copy for free??
Yep, modify a plist file and block it from contacting the servers at Adobe for activation. However I did have to find a working serial number first online.
What is the #1 reason then?
The consumer market is over 50% of the market and doesn't have the costly demands for different configurations like the enterprise market has. So Apple can make limited product lines and maximize margins through streamlining, automation, economies of scale and discounts on mass purchases of third party parts.
The iPad is likely very close to 100% assembled by robots, running 24/7. Unlike Mac Pro's which are very likely assembled by hand.
Now this was the first post that made sense!!!
read this article http://www.pcworld.com/businesscente...n_contest.html
The iPhone was hacked in seconds......Windows 7 machine was compromised in about 2 minutes I believe this year..... so no one platform is safe....assuming you will not get compromised because you are on a Mac is sticking your head in the sand.
Any platform can get hacked at anytime..... and not just by a virus....Most of them by malicious code from a website.......so everyone is vulnerable.....unless you don't connect to the outside world that is.......
You seem to keep missing the critical question (at least the one I'm trying to pose) here, and the article you link does not address it.
Siting your example above; were the iPhone and Win 7 machine both hacked by the same person? Yes/No? Were they as experienced / proficient at hacking both systems equally?
Is Chrome is last man standing because it is the most secure? Or because there are no "Chrome hackers" at Pwn2Own?
It all seems "relative" because media reporting of the event doesn't address the critical aspects of the contest. (and I read all about it every year)
Too funny.
Pwn2Own winner tells Apple, Microsoft to find their own bugs
"People will criticize me and say I'm a bad guy for not handing over [the vulnerabilities], but it actually makes more sense to me to not tell them," Miller said.
Of course it makes more sense to him - if they don't fix the exploits, he can do it again next year, for MORE money.
You seem to keep missing the critical question (at least the one I'm trying to pose) here, and the article you link does not address it.
Siting your example above; were the iPhone and Win 7 machine both hacked by the same person? Yes/No? Were they as experienced / proficient at hacking both systems equally?
Is Chrome is last man standing because it is the most secure? Or because there are no "Chrome hackers" at Pwn2Own?
It all seems "relative" because media reporting of the event doesn't address the critical aspects of the contest. (and I read all about it every year)
I guess what I was trying to get you to do was some research on your to answer your own questions. the link to the website I posted had links to other articles. Also just Google it and you will have the answers to the questions you posted....
Try this link http://dvlabs.tippingpoint.com/blog/...5/pwn2own-2010
or this one.....http://blogs.zdnet.com/security/?p=995
or at the source....http://cansecwest.com/
Yep, modify a plist file and block it from contacting the servers at Adobe for activation. However I did have to find a working serial number first online.
Not that I care, or use Photoshop; but doesn't the demo still expire after the clock runs out without activation?
Yep, modify a plist file and block it from contacting the servers at Adobe for activation. However I did have to find a working serial number first online.
or use a outgoing firewall like littlesnitch or others
"Unsurprisingly, Charlie Miller, principal security analyst with Independent Security Evaluators, took home the $10,000 prize after he hacked Safari on a MacBook Pro without having access to the machine"
Then how did he "make" the machine to go to the malicious website? If he had remote access, who gave him the password?
I guess what I was trying to get you to do was some research on your to answer your own questions. the link to the website I posted had links to other articles. Also just Google it and you will have the answers to the questions you posted....
Try this link http://dvlabs.tippingpoint.com/blog/...5/pwn2own-2010
or this one.....http://blogs.zdnet.com/security/?p=995
or at the source....http://cansecwest.com/
Sorry thought this part of my post loosely addressed that: "(and I read all about it every year)"
My question is why do the media (and commenters) not address these questions about the competition, whose absence make the results meaningless?
If I remember correctly, the last time I heard about this contest none of the computers were hacked on the first day, then on the second day the rules get relaxed and the hackers are allowed to have partial password rites to the computer being hacked, like sending an email to the computer with malicious code and allowing the receiving computer to click accept and open the email, thus releasing the hack.
Is there a similar situation going on here? let?s get all the fact, because what I described above is not a true test of security.
The second day (last year) the contest situation was set up to realistically mimic real user situations, surfing the net, emailing etc. using the computer basically. Not just a locked box sitting on a table.
So is the speed with which a device / system is hacked, more an indication of inherent vulnerability, or an indication of the talent of the individual hacker.
If Charlie Miller hacked a Mac in XX number of minutes; was he not able to hack a Windows system just as fast?
no - it means that charlie miller was well prepared. IIRC - in the past he had found vulnerabilities in open source contributions to the mac os and didn't report them so he could get himself a macbook air.