Apple's iPhone, Safari on Mac exploited at annual hacking contest


Comments

  • Reply 41 of 134
    Quote:
    Originally Posted by zindako View Post

    That magazine caters to the Windows world, nothing said in that article can be construed as fact, it's mostly FUD.

    If that makes you feel better. Talk about head in sand . . .
  • Reply 42 of 134
    Quote:
    Originally Posted by geekdad View Post

    Ok...how about Macworld then.....

    http://www.macworld.com/article/1500...3/pwn2own.html

    As it contains much of the same information it must be FUD as well.
  • Reply 43 of 134
    chris_ca Posts: 2,543 member
    Quote:
    Originally Posted by geekdad View Post

    That is not entirely correct... they hack them because they are low hanging fruit. The Mac has been the first computer hacked 3 years in a row so far.

    It was the first put up in the "contest".

    It's not like they all started hacking all the computers at the same moment and the Apple was the 1st to be exploited.

    Quote:

    This is the #1 reason Macs are slow to dent the business world.....

    No it's not. As even Apple has stated, Apple does almost nothing to cater to the business world.
  • Reply 44 of 134
    geekdad Posts: 1,131 member
    Quote:
    Originally Posted by Chris_CA View Post

    It was the first put up in the "contest".

    It's not like they all started hacking all the computers at the same moment and the Apple was the 1st to be exploited.

    No it's not. As even Apple has stated, Apple does almost nothing to cater to the business world.

    You are correct.....except that the Mac was compromised in less time than any other machine including Windows machines......

    Sorry editing.... my post.

    This year's total results are not in yet. I was basing my statements on the past years' Pwn2Own results......
  • Reply 45 of 134
    jupiterone Posts: 1,564 member
    Is there a link that posts the actual minutes (hours?) in which each was hacked?
  • Reply 46 of 134
    jupiterone Posts: 1,564 member
    Quote:
    Originally Posted by AppleInsider View Post

    By accepting prizes at the Pwn2Own competition, put on by TippingPoint, the exploited methods are revealed only to the affected company so that they can patch the exploits.

    Pwn2Own winner tells Apple, Microsoft to find their own bugs

    "People will criticize me and say I'm a bad guy for not handing over [the vulnerabilities], but it actually makes more sense to me to not tell them," Miller said.

    So does that mean he's not accepting the money?
  • Reply 47 of 134
    spoton Posts: 645 member
    Quote:
    Originally Posted by allblue View Post

    Firefox plus AdBlock; FlashBlock and NoScript, on a Mac. That's a pretty secure combo I reckon.

    Yes, a lot more secure than Safari on a Mac.

    Add the following: Ghostery, RequestPolicy and WOT (Web of Trust)

    Good thing about WOT is it will verify links in web based emails.

    Running as a General User, not Admin, is a wise decision for Mac and Windows users.

    Simply create a new Admin User, log into it and change the previous Admin User to General User.

    What this does for one is to protect the Applications folder from alterations. If one needs to do something, a window pops up and you enter the admin name and password, which gives you a short period of Admin power while in General User.
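A way to check whether the "general user, not admin" advice above has actually been applied on a Mac (an added example, not code from the thread): the script reads the admin group's membership line as printed by macOS `dscl . -read /Groups/admin GroupMembership`, lists the admin accounts, and reports whether the current login is one of them. It assumes that command and its `GroupMembership: name name ...` output format; on a non-macOS host it falls back to a constructed sample line so the helpers still run.

```shell
#!/bin/sh
# Added example: audit local admin accounts on a Mac so day-to-day
# logins can be confirmed to be standard (non-admin) users.

# Constructed sample of the dscl output, used where dscl is unavailable.
SAMPLE_MEMBERSHIP="GroupMembership: root alice"

# admin_members LINE -> prints one member name per line
admin_members() {
    printf '%s\n' "$1" \
        | sed -n 's/^GroupMembership:[[:space:]]*//p' \
        | tr ' ' '\n' \
        | sed '/^$/d'
}

# is_admin USER LINE -> exit 0 if USER is listed in the admin group, 1 otherwise
is_admin() {
    admin_members "$2" | grep -qxF -- "$1"
}

# count_admins LINE -> number of admin accounts other than root
count_admins() {
    admin_members "$1" | grep -vxF root | wc -l | tr -d ' '
}

# Use live data on macOS, otherwise the constructed sample.
if [ "$(uname)" = Darwin ] && command -v dscl >/dev/null 2>&1; then
    MEMBERSHIP=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)
else
    MEMBERSHIP=$SAMPLE_MEMBERSHIP
fi

echo "Admin group members:"
admin_members "$MEMBERSHIP"
echo "Non-root admin accounts: $(count_admins "$MEMBERSHIP")"
if is_admin "${USER:-unknown}" "$MEMBERSHIP"; then
    echo "Current login '${USER:-unknown}' is an admin; consider using a standard account day to day."
else
    echo "Current login '${USER:-unknown}' is a standard user."
fi
```

A single non-root admin account on a machine where everyday work happens under another name is the state the post recommends.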
  • Reply 48 of 134
    anonymouse Posts: 7,087 member
    Quote:
    Originally Posted by geekdad View Post

    You are correct.....except that the Mac was compromised in less time than any other machine including Windows machines......

    OK, this is just completely stupid. Yet, every year we hear people spouting this same nonsense.

    The time it takes to hack one of these systems is not the time they report at the contest. The time it takes to hack one of these systems is the total time that the participants put into figuring out how to do it, which is never reported. There is no basis for comparison of the relative security of systems based on the reported times, nor based on the order in which machines are compromised, nor even on whether a system is compromised or not.

    (To expand on the last point, a system may have 100 vulnerabilities, possibly known to various people with malicious intent, but it's entirely possible that none of the participants in this event will discover any one of those 100 vulnerabilities, yet they may exist and may be known to someone who intends to use them.)

    In essence, this is just a big publicity stunt by the organizers, and a chance to gain some fame, money, and hardware for the participants. The only thing this event shows is that certain specific vulnerabilities exist on certain systems.
  • Reply 49 of 134
    isaidso Posts: 750 member
    So is the speed with which a device / system is hacked more an indication of inherent vulnerability, or an indication of the talent of the individual hacker?

    If Charlie Miller hacked a Mac in XX number of minutes, was he not able to hack a Windows system just as fast?
  • Reply 50 of 134
    ghostface147 Posts: 1,629 member
    Nothing is unhackable at the current moment that I am aware of.
  • Reply 51 of 134
    geekdad Posts: 1,131 member
    Quote:
    Originally Posted by anonymouse View Post

    OK, this is just completely stupid. Yet, every year we hear people spouting this same nonsense.

    The time it takes to hack one of these systems is not the time they report at the contest. The time it takes to hack one of these systems is the total time that the participants put into figuring out how to do it, which is never reported. There is no basis for comparison of the relative security of systems based on the reported times, nor based on the order in which machines are compromised, nor even on whether a system is compromised or not.

    (To expand on the last point, a system may have 100 vulnerabilities, possibly known to various people with malicious intent, but it's entirely possible that none of the participants in this event will discover any one of those 100 vulnerabilities, yet they may exist and may be known to someone who intends to use them.)

    In essence, this is just a big publicity stunt by the organizers, and a chance to gain some fame, money, and hardware for the participants. The only thing this event shows is that certain specific vulnerabilities exist on certain systems.

    You are right....the exploits they use took them a lot of time to figure out and how to use them...... Except for the last 3 years when Charlie Miller used the SAME exploit that he reported to Apple but went unpatched. That is how he was able to compromise the Mac in 2 minutes.....
  • Reply 52 of 134
    kent909 Posts: 731 member
    Quote:
    Originally Posted by AppleInsider View Post

    Virtually every major browser and operating system were targets at this week's "Pwn2Own" hacking contest, with Apple Safari, Mozilla Firefox, and Internet Explorer 8 vulnerabilities exploited, along with flaws in the iPhone OS.

    On the first day of the competition based in Vancouver, British Columbia, Canada, researchers found a way to take advantage of Apple's Safari browser in Mac OS X 10.6 Snow Leopard, its latest operating system, according to CNet.

    Unsurprisingly, Charlie Miller, principal security analyst with Independent Security Evaluators, took home the $10,000 prize after he hacked Safari on a MacBook Pro without having access to the machine. He's the same researcher who cracked Safari in Mac OS X last year, taking home the $5,000 prize. He also hacked a MacBook Air in 2008 at the competition.

    Miller has also repeatedly said that he believes Macs are a safer alternative to Windows PCs for average users. He cited the lack of malware on the Mac platform as the principal reason for his recommendation.

    Last year Miller also discovered an SMS hack in the iPhone that Apple quickly patched after it was made public. But researchers at this year's Pwn2Own found yet another SMS hack to take home a $15,000 prize.

    Ralf-Phillip Weinmann, from the University of Luxembourg, and Vincenzo Iozzo, from German company gained access to an iPhone that was not "jailbroken," a procedure that allows users to run unauthorized code and unlock the handset for use on unapproved carriers.

    By making a user visit a malicious Web site, the exploit allowed the researchers to access the phone's entire database of text messages, including deleted ones. The two wrote the hack in about two weeks, and the data was received in the competition in under 20 seconds.

    The two said the hack could be modified to allow access to more data, such as contacts and photos. The transfer takes place without the victim ever knowing they have been hacked.

    By accepting prizes at the Pwn2Own competition, put on by TippingPoint, the exploited methods are revealed only to the affected company so that they can patch the exploits.

    Also hacked in this year's competition was Microsoft's Internet Explorer 8 browser. Peter Vreugdenhill, an independent security researcher from the Netherlands, took home a $10,000 prize by taking advantage of two vulnerabilities for a four-part hack that compromised the user's system.

    Another person, who went solely by Nils, the head of research at MWR InfoSecurity in the U.K., discovered an exploit in Firefox in the 64-bit version of Windows 7. He took home a $10,000 prize.

    So I guess the message here is don't let any of these guys sit down at your PC unattended.
  • Reply 53 of 134
    geekdad Posts: 1,131 member
    Quote:
    Originally Posted by ghostface147 View Post

    Nothing is unhackable at the current moment that I am aware of.

    Now this was the first post that made sense!!!

    Read this article: http://www.pcworld.com/businesscente...n_contest.html

    The iPhone was hacked in seconds......Windows 7 machine was compromised in about 2 minutes I believe this year..... so no one platform is safe....assuming you will not get compromised because you are on a Mac is sticking your head in the sand.

    Any platform can get hacked at any time..... and not just by a virus....Most of them by malicious code from a website.......so everyone is vulnerable.....unless you don't connect to the outside world that is.......
  • Reply 54 of 134
    quadra 610 Posts: 6,759 member
    Quote:
    Originally Posted by isaidso View Post

    So is the speed with which a device / system is hacked more an indication of inherent vulnerability, or an indication of the talent of the individual hacker?

    If Charlie Miller hacked a Mac in XX number of minutes, was he not able to hack a Windows system just as fast?

    I wouldn't worry too much about it. The contest has no actual meaning, beyond the obvious: don't let a hacker get their actual, physical hands on your machine.
  • Reply 55 of 134
    spoton Posts: 645 member
    Quote:
    Originally Posted by JupiterOne View Post

    Pwn2Own winner tells Apple, Microsoft to find their own bugs

    "People will criticize me and say I'm a bad guy for not handing over [the vulnerabilities], but it actually makes more sense to me to not tell them," Miller said.

    So does that mean he's not accepting the money?

    He won the money and the devices (who wouldn't go for the more expensive Macs first anyhow?) but insists the companies are not doing enough to find the bugs themselves.

    So by not telling them, rather than showing them how to find them, he hopes they will get the idea and find them out for themselves.

    Holding these hacking contests has been an inexpensive way for these companies to test their products apparently.

    My belief is the companies purposely are not trying their best to find the exploits on their own because they have been asked not to do so by Uncle Sam.

    If I was in charge, I would have several servers running fuzzing software on all my code 24/7, well beyond human capability, and updating the vulnerabilities as soon as they are found.

    Instead Apple has to be told about a vulnerability and they sit on it for several months before fixing it.

    Is there a reason Apple doesn't give a rat's ass? Or are they allowing complacency to rule because they have been told if they want to sell hardware to the Army they better not?

    Is the Army getting the more secure versions of Apple's software?

    It's public knowledge that Microsoft provides a more secure version of Windows to the military than to the public at large.
  • Reply 56 of 134
    jupiterone Posts: 1,564 member
    Quote:
    Originally Posted by SpotOn View Post

    He won the money and the devices (who wouldn't go for the more expensive Macs first anyhow?) but insists the companies are not doing enough to find the bugs themselves.

    So by not telling them, rather than showing them how to find them, he hopes they will get the idea and find them out for themselves.

    Yes, I read all of that, but the AI article seems to suggest that there were some kind of rules or contract saying that by accepting the prizes, they would reveal the exploits to the affected companies. So if he doesn't reveal, does he have to return the prizes? Or is this just some sort of unenforceable agreement?
  • Reply 57 of 134
    Quote:
    Originally Posted by Quadra 610 View Post

    I wouldn't worry too much about it. The contest has no actual meaning, beyond the obvious: don't let a hacker get their actual, physical hands on your machine.

    Your reading gets more and more selective.

    "Unsurprisingly, Charlie Miller, principal security analyst with Independent Security Evaluators, took home the $10,000 prize after he hacked Safari on a MacBook Pro without having access to the machine"

    This would be called hacking via remote access.

    "There are two lessons for businesses to learn about security here, right off the bat. First, using Apple hardware and software is not an adequate defense, in and of itself. Despite the common perception that the Mac OS X operating system is just inherently more secure than Windows, the reality is that the primary reason Macs aren't attacked and compromised more often is that the platform with 92 percent market share promises malware developers a significantly higher return on investment than the platform with 5 percent market share."
  • Reply 58 of 134
    webhead Posts: 75 member
    If I remember correctly, the last time I heard about this contest none of the computers were hacked on the first day, then on the second day the rules get relaxed and the hackers are allowed to have partial password rights to the computer being hacked, like sending an email to the computer with malicious code and allowing the receiving computer to click accept and open the email, thus releasing the hack.

    Is there a similar situation going on here? Let's get all the facts, because what I described above is not a true test of security.
  • Reply 59 of 134
    geekdad Posts: 1,131 member
    Quote:
    Originally Posted by webhead View Post

    If I remember correctly, the last time I heard about this contest none of the computers were hacked on the first day, then on the second day the rules get relaxed and the hackers are allowed to have partial password rights to the computer being hacked, like sending an email to the computer with malicious code and allowing the receiving computer to click accept and open the email, thus releasing the hack.

    Is there a similar situation going on here? Let's get all the facts, because what I described above is not a true test of security.

    Read it for yourself...

    http://www.pcworld.com/businesscente...n_contest.html
  • Reply 60 of 134
    kent909 Posts: 731 member
    Quote:
    Originally Posted by ghostface147 View Post

    Nothing is unhackable at the current moment that I am aware of.

    Can you download a copy of Photoshop CS4 trial and hack it and get a fully functional copy for free??