Comments
.... yeah, for the first day. Then when the iPhone is not hacked they'll "loosen" the rules on the second day so that they can get some juicy headlines.
Isn't that what happened last year?
They never allowed physical access, they loosened the rules so the contestant could ask an operator on the laptop to do typical tasks. In this case he asked the operator to visit a website which contained an exploit code using a flaw in Safari.
I think this is a perfectly valid hack, thanks to the hacker for having discovered the flaw and thanks to Apple for having fixed it.
The fact that they "loosened" the rules at all shows what they're really about - headlines.
It wouldn't have been very exciting if the end of the conference summary was that nobody won....
Hmmm.
People with way too much time on their hands.
Like the morons posting here whining about this.
It's super useful to have these devices hacked in a controlled setting instead of going undiscovered for months while the real bad guys are stealing your info. Ohhh, and watch out for those (hushed tone)... h-a-c-k-e-r-s. (hold me, I'm scared!)
After being humbled last year at the high-profile CanSecWest security conference, Apple faces further scrutiny as the same event organizers not only plan to test the Mac's defenses but, for the first time, the iPhone's as well.
3Com's security branch, TippingPoint, says that the 2009 edition of the Pwn2Own challenge will ask security experts and others attending the Vancouver, Canada event to hack smartphones, not just computers, in an attempt to find exploits that would allow arbitrary code.
I wish this TippingPoint thing would die. There were so many problems with how that contest was conducted and reported that it really just boiled down to being a publicity stunt for the event.
It was reported like it was a methodical security test when in fact the contestants got to walk away with any hacked machines. Therefore it's no surprise the highly desirable MacBook Air was the first to be targeted and the first to go down. Second, the hackers only failed to get Windows first because it was running a service pack none of them expected. Third, OS X and Windows were both only compromised *after* the hackers were allowed to direct a user's behavior on the machines which, in effect, equals physical access which pretty much nullifies any conclusions you might want to draw about security.
You know, the tech press had a field day with that event and they let the real headline walk right by them: the fact that all three platforms withstood the network-based attacks of the first day. That's amazingly good news and shows how far security on *all* platforms has come, but I didn't see anyone other than me in my blog reporting that.
Hopefully that will stop the constant complaints about the iPhone's disabled Bluetooth stack.
If not, maybe a Bluetooth exploit can be triggered by something contained in an MMS?
Make it a real challenge and prevent physical access to the test machines.
No social engineering tricks should be allowed.
I think both physical access and social engineering should be included. These are part of the real-world security challenge that we face and want to be protected from.
Yeah, because in the real-world strangers have physical access to my PC.
And, by definition, no one can protect you against social engineering except yourself.
TERRI FORSLOF WED 25 FEB 2009 00:09A
Winning scenarios against the mobile devices include attacks that can be exploited via email, SMS text, website browsing and other general actions a normal user would take while using the device. Physical access will not be granted to the mobile devices, and proving successful exploitation of one of the mobile devices will be verified by our team of hardware hacker judges on the ground at the event.
Just send an SMS containing a link to the SymbOS/Yxes worm as soon as you can get a phone number, Game Over Symbian within seconds.
I think that comment makes no sense, what is their malicious intent?
To create security problems where there were once no security problems, come on, wise up. These companies want to build a hacker base for the iPhone... and make profit on it.
It's bad for everyone bar them, don't kid yourself they are nice friendly folk doing good deeds.
I take it from the lack of screaming headlines that the hacker's attempts were somewhat unsuccessful.
Another bump:
http://www.engadget.com/2010/03/25/i...t-11/#comments