Linked by Thom Holwerda on Fri 20th Mar 2009 13:51 UTC, submitted by google_ninja
Privacy, Security, Encryption Fresh from winning the PWN2OWN contest yesterday, Charlie Miller has been interviewed by ZDNet. He talks about how Mac OS X is a very simple operating system to exploit due to the lack of any form of anti-exploit features. He also explains that the underlying operating system is much more important in creating a successful exploit than the browser, why Chrome is so hard to hack, and many other things.
Thread beginning with comment 354117
Comment by sadyc
by sadyc on Fri 20th Mar 2009 14:17 UTC
sadyc Member since:
2005-11-10

Selling bugs/exploits for money is pretty low...
He is almost in the same league with virus writers and people that use those exploits for their own benefits.

Edited 2009-03-20 14:27 UTC

Reply Score: -1

RE: Comment by sadyc
by darknexus on Fri 20th Mar 2009 14:33 in reply to "Comment by sadyc"
darknexus Member since:
2008-07-15

I agree, even though I also understand his side of it. The man is obviously extremely intelligent, and should be paid for what he does best. Basically, however, what he's saying is he'd rather make money than prevent others from getting royally screwed, a prime example of the selfish greed-motivated mentality that seems to be so prevalent today, and one that will ultimately screw us all for good. When you come right down to it, that's pathetic.

Reply Parent Score: 6

RE[2]: Comment by sadyc
by suryad on Fri 20th Mar 2009 15:34 in reply to "RE: Comment by sadyc"
suryad Member since:
2005-07-09

I do not see anything wrong with his mentality. It is not his job to help out companies unless the company is paying him directly to do so. At least that is how I see it. There is nothing wrong with using your talents and making money off of it. If Apple was really that concerned about security then they would pay him big bucks to bang away at their software all day. But they don't, as far as I know.

Microsoft on the other hand holds these types of security competitions every year and they are reported on the web as well and they actually pay those hackers.

Sure, Apple is based on a NIX OS and therefore it has the advantage in security, but that's not how I am seeing it nowadays. It seems that it is an OS with a somewhat false sense of security now? I am not saying Microsoft is better, don't get me wrong. But I am saying OS X is not necessarily better, especially if a hacker comes out and downright says that the OS is easy to screw up!

I always believe being paranoid is the best way to go when it comes to security. From what I am seeing, Windows has definitely improved its security, especially since they have had no choice but to go up lol, but it seems OS X has just remained stagnant in that department, but people think because it's a NIX based OS they are inherently secure. It could be true to a certain extent, but I would rather be paranoid than a victim.

Reply Parent Score: 6

RE[2]: Comment by sadyc
by dagw on Fri 20th Mar 2009 15:34 in reply to "RE: Comment by sadyc"
dagw Member since:
2005-07-06

Basically, however, what he's saying is he'd rather make money than prevent others from getting royally screwed,

On the other hand, shouldn't it be Apple's responsibility to make sure their customers don't get royally screwed? If Apple really cared they'd pay the money to hire people like Mr Miller. If Apple has such a lax approach to security, why should other people do Apple's job for free?

Reply Parent Score: 7

RE[2]: Comment by sadyc
by WorknMan on Fri 20th Mar 2009 17:17 in reply to "RE: Comment by sadyc"
WorknMan Member since:
2005-11-13

Basically, however, what he's saying is he'd rather make money than prevent others from getting royally screwed, a prime example of the selfish greed-motivated mentality that seems to be so prevalent today, and one that will ultimately screw us all for good. When you come right down to it, that's pathetic.

Yeah, God forbid anybody should ever be paid for what they're doing. Perhaps you would like to feed his family while he works for the good of humanity; we'll just set up a Paypal account in your name.

Reply Parent Score: 1

RE[2]: Comment by sadyc - a year
by jabbotts on Fri 20th Mar 2009 19:07 in reply to "RE: Comment by sadyc"
jabbotts Member since:
2007-09-06

He sat on the vuln for a year, intentionally saving it for this competition. How many criminals found that same vulnerability in that time? How many users were left hanging unknowingly? Not even a bug report.

Wanting monetary return is one thing; we all have to eat. That suggests approaching the relevant company in a timely manner, though. We want companies to view vulns and issue a patch the day after they are notified of it, but that has to go both ways. This is starting to sound like Microsoft business strategy: release the "innovations" as slowly as you can to maximize shareholder profits rather than user benefits... booo..

No doubt he's smarter than me, but I think the enthusiasm with which he's pushing to be paid and the decision to leave users vulnerable for a money shot pearl necklace is in bad taste.

Come on, Sec devs, those of us in infosec that don't do Dev work are out here mitigating when we could have patched long ago and had safer users.

Reply Parent Score: 1

RE: Comment by sadyc
by wanderingk88 on Fri 20th Mar 2009 14:45 in reply to "Comment by sadyc"
wanderingk88 Member since:
2008-06-26

Why?

Apple decided not to release their code, why would they have a right to know the exploits other people find for them?

They've chosen that model, now they have to deal with the downsides.

Reply Parent Score: 5

RE[2]: Comment by sadyc
by foljs on Fri 20th Mar 2009 14:54 in reply to "RE: Comment by sadyc"
foljs Member since:
2006-01-09

Why?

Apple decided not to release their code, why would they have a right to know the exploits other people find for them?

They've chosen that model, now they have to deal with the downsides.

Do you even know what you're talking about?

Safari's engine (WebKit) is released as fully open source, and it's used by many other browsers, including Google Chrome.

Reply Parent Score: 3

RE[2]: Comment by sadyc
by lurch_mojoff on Fri 20th Mar 2009 15:13 in reply to "RE: Comment by sadyc"
lurch_mojoff Member since:
2007-05-12

Since the exploit in this case is for Safari, Apple are in fact releasing the code, so if it were a question of reciprocity the guy has no excuse.

But availability, or "openness" if you will, of the source is not an issue here. This guy supposedly is a white hat (a.k.a. "security researcher") and as such is supposedly trying to find exploitable holes so they can be fixed before people get harmed. Sitting on an exploit for a year so you can get a free laptop and 15 min of fame is certainly black hat and is even nearly criminal.

He is free to not research Apple's software and get a paying gig for someone else or apply for a job at Apple.

Reply Parent Score: 1

RE[2]: Comment by sadyc
by Soulbender on Fri 20th Mar 2009 15:39 in reply to "RE: Comment by sadyc"
Soulbender Member since:
2005-08-18

Alright, so by this logic, if you find a fatal flaw in, say, a car from Ford, the right and responsible thing to do (since Ford's designs aren't "open source") would be to sit on it for an undetermined amount of time until you've found a way to trigger it. Once you've done that you do NOT tell the public what the problem is but instead you try to "extort" money from Ford in exchange for not letting anyone know.
Yes, that's surely a society I'd love to live in.
Get this straight, it has NOTHING to do with whether Apple's product is open or not; it's about the risk the consumers and the general public are exposed to.

Reply Parent Score: 4

RE[2]: Comment by sadyc
by DaveDavtropen on Fri 20th Mar 2009 16:45 in reply to "RE: Comment by sadyc"
DaveDavtropen Member since:
2009-03-20

The exploit Miller used last year was in the open-source WebKit part of Safari. (In fact, it was in a third-party library used by WebKit, and not a bug in Apple's code as such.) It's likely, though hardly guaranteed, that the bug he used this year is also in WebKit, since he's said before that he discovered it at the same time. (By the way, he found the bug by reading source code. Pretty cool, huh?)

Since Chrome uses all the same WebKit code as Safari, it's likely that both of these bugs are (or were) present in Chrome. The exploits would still be very different, though: The initial bug will get you through the front door, but it won't lead you to the self-destruct button.

It's true that Safari's interface is closed-source, but it's also true that fixing a WebKit bug would benefit the open source community, because that's public code used by a number of browsers.

Reply Parent Score: 2

jabbotts Member since:
2007-09-06

It's about the users. Why should the users be left vulnerable to a known exploit just because Apple's business model isn't the same as Red Hat's? Do you extend the same towards Microsoft? It's ok for Microsoft's poor quality control to cause loss among the user base because they don't follow a FOSS business strategy?

Please..

Reply Parent Score: 2

RE[2]: Comment by sadyc
by acidblue on Sat 21st Mar 2009 02:52 in reply to "RE: Comment by sadyc"
acidblue Member since:
2006-02-06

So, what code are you referring to? Do you know the exploit? Also, if said code was open, who now is to blame?

Reply Parent Score: 1

RE: Comment by sadyc
by geleto on Fri 20th Mar 2009 14:52 in reply to "Comment by sadyc"
geleto Member since:
2005-07-06

Selling bugs/exploits for money is pretty low... He is almost in the same league with virus writers...

I don't think he intends to sell to some criminal organization. Which I am sure he would have no problems doing - for more money too. And selling exploits to the makers of the software - what's wrong with that? He spends a lot of time and efforts to find these exploits. Why should a software company, that makes a lot of money from that software be entitled to get the results of his hard labour for free? That's just like saying that getting paid to develop software is low.

Reply Parent Score: 3

RE[2]: Comment by sadyc
by lurch_mojoff on Fri 20th Mar 2009 15:24 in reply to "RE: Comment by sadyc"
lurch_mojoff Member since:
2007-05-12

And selling exploits to the makers of the software - what's wrong with that?

Nothing. But it needs to be done exactly the opposite way of what he's doing. He should have contacted Apple with the proposition to search for exploitable bugs at whatever terms he has (flat fee, per issue fee, whatever). If they had refused - move on to the next company. What he's doing now is surprisingly similar to extortion. "Boy, Apple, you have a mighty fine browser there. It'd be a shame if something bad happened to it. Care to give me a token of appreciation?"

Reply Parent Score: 4

RE: Comment by sadyc
by soonerproud on Fri 20th Mar 2009 17:14 in reply to "Comment by sadyc"
soonerproud Member since:
2008-03-05

Selling bugs/exploits for money is pretty low...
He is almost in the same league with virus writers and people that use those exploits for their own benefits.

Let me get this straight, you are implying we all should take our hours of work and donate it for free for the betterment of a corporation? (Apple in this case) You surely can not believe that Charlie's long hours of work are worth nothing and that he should just donate his time to Apple so they can make billions off of his work.

Charlie deserves to get paid for his work and I stand by his decision to offer no more free bugs. Apple doesn't give OSX away for free, so why should Charlie donate his work to Apple?

Edited 2009-03-20 17:16 UTC

Reply Parent Score: 4

RE[2]: Comment by sadyc
by sadyc on Fri 20th Mar 2009 17:57 in reply to "RE: Comment by sadyc"
sadyc Member since:
2005-11-10

Let me get this straight, you are implying we all should take our hours of work and donate it for free for the betterment of a corporation?

No ;)
Let me put it another way: if somebody is spending a significant number of hours to find a way into your home, without you asking him to do so, does that mean it is OK for him to sell that information and make money from it?
BTW, people that make phishing sites also spend hours of work; does that make it OK for them to make money from them?

Finding security holes (especially without being hired by the target party) is a gray area because the usage of the found breaches totally depends on the morals of the person.
Greed for money usually leads to questionable moral choices.
Exactly those moral choices differentiate between a white hat and a black hat.

Reply Parent Score: 3

RE[2]: Comment by sadyc - but, a year
by jabbotts on Fri 20th Mar 2009 19:15 in reply to "RE: Comment by sadyc"
jabbotts Member since:
2007-09-06

I can understand how it's not easy work. You get a lab, you get the product, you fuzz it along with whatever other methods you use. That all takes time. That takes long periods between pay cheques if you're working purely contract/bounty. Charlie absolutely deserves to get paid. He should have presented the bug and reached a reasonable agreement for compensation a year ago, though. It's not that he shouldn't be paid; it's that intentionally leaving the users who can't fix their own systems open to damages becomes very questionable.

Personally, I'd love to see the user base turn around on MS and Apple demanding higher product quality. I'd much rather see a product already designed better trump both those retail items. Until either of those outcomes, we need all we can do to protect ourselves and clients.

Reply Parent Score: 2

RE[2]: Comment by sadyc
by NeoX on Fri 20th Mar 2009 21:29 in reply to "RE: Comment by sadyc"
NeoX Member since:
2006-02-19

Charlie deserves to get paid for his work and I stand by his decision to offer no more free bugs. Apple doesn't give OSX away for free, so why should Charlie donate his work to Apple?

No, I think everyone agrees that we should be paid for our talents. It is not the matter of getting paid, it is how you get paid. Charlie's pompous attitude and extortion-like mentality is pretty low.

What if paramedics worked like this? "Sorry sir, I can stop that bleeding gash in your head if you pay my fee." NO MORE FREE FIRST AID!

If Charlie is so smart, he would take his talents to a proper company or contract with companies to find vulnerabilities. Not holding on to the crap for a year to win a prize and try to extort the company...

Reply Parent Score: 1

RE: Comment by sadyc
by renox on Fri 20th Mar 2009 19:42 in reply to "Comment by sadyc"
renox Member since:
2005-07-06

I wonder if this won't induce sooner or later a DMCA violation lawsuit against him.

Reply Parent Score: 2