Fresh from winning the PWN2OWN contest yesterday, Charlie Miller has been interviewed by ZDNet. He talks about how Mac OS X is a very simple operating system to exploit due to the lack of any form of anti-exploit features. He also explains that the underlying operating system is much more important in creating a successful exploit than the bowser, why Chrome is so hard to hack, and many other things.
To view parent comment, click here.
To read all comments associated with this story, please click here.
Member since:2006-01-09
Apple decided not to release their code, why would they have a right to know the exploits other people find for them?
They've chosen that model, now they have to deal with the downsides.
Do you even know what you're talking about?
Safari's engine (Webkit) is released as fully open source --and it's used by many other browsers, including Google Chrome.
Member since:2008-06-26
Member since:2007-05-12
Since the exploit in this case is for Safari Apple are in fact releasing the code, so if were a question of reciprocity the guy has no excuse.
But availability, or "openness" if you will, of the source is not an issue here. This guy supposedly is a white hat (a.k.a. "security researcher") and as such is supposedly trying to find exploitable holes so they can be fixed before people get harmed. Sitting on an exploit for a year so you can get a free laptop and 15 min of fame is certainly black hat and is even nearly criminal.
He is free to not research Apple's software and get a paying gig for someone else or apply for a job at Apple.
Member since:2008-06-26
Member since:2006-09-18
What's the difference with what a salaried security researcher does? The negotiation up front? I'll guarantee you this guy is making less because he's doing it under his terms, working his own hours. He's not any more black hat than Microsoft that sits on known vunerabilities for more than 6 months. Also the fact that he knows something doesn't oblige him to do a damn thing.
"I have a new campaign. It’s called NO MORE FREE BUGS." "What’s the ballpark value of that Safari bug? It was probably more than that $5,000 prize I won."
Meaning he probably used to do this for free, nobody gave him a job or money. (read that to mean greedy Apple) Now he has a nice resume, industry recognition, and some money etc. I could spend my time walking around making sure old people get across the street for free. Instead I put food on the table. Are you evil because you know how to do something good, but don't? Ask yourself again next time you fire up Half Life instead of inviting homeless people into your house. He didn't sell to criminals! I believe Mozilla has a 500$ bounty on bugs. MS and Apple could easily put a 5000$ bounty on exploitable bugs. Put your hate where it belongs.
Member since:2005-07-06
In the interview, Miller stated that the underlying OS had as much (if not more) to do with enabling the exploit as the browser itself.
As much as I'm a fan of the reciprocity principle, I don't think it applies in this case. Unless Apple has released the full source for OS X and I managed to miss it.
Member since:2005-08-18
Allright, so by this logic if you find a fatal flaw in, say, a car from Ford the right and responsible thing to do (since Ford's designs arent "open source") would be to sit on it for an undetermined abount of time until you've find a way to trigger it. once you've done that you do NOT tell the public what the problem is but instead you try to "extort" money from Ford in exchange for not letting anyone know.
Yes, that's surely a society I'd love to live in.
Get this straight, it has NOTHING to do with if Apple's product is open or not, it's about the risk the consumers and the general public is exposed to.
Member since:2008-07-15
Member since:2006-09-27
Why not blame FORD executives for refusing to buy the information about defective cars, thereby exposing their customers to the risk?
I'm with Miller on this one, to some extent. Selling the information to criminals would be wrong, but I don't think anyone should work for free for closed-source, IP-paranoid company who boasts making a highly secure and usable operating system. In fact, I'd say it would be extremely shortsighted to help these companies for free instead of contributing to improve FOSS alternatives. Remember the exploit is not just about Webkit, not even about Safari. The whole OS matters for the exploit, and OSX is not open source.
Member since:2009-03-20
The exploit Miller used last year was in the open-source WebKit part of Safari. (In fact, it was in a third-party library used by WebKit, and not a bug in Apple's code as such.) It's likely, though hardly guaranteed, that the bug he used this year is also in WebKit, since he's said before that he discovered it at the same time. (By the way, he found the bug by reading source code. Pretty cool, huh?)
Since Chrome uses all the same WebKit code as Safari, it's likely that both of these bugs are (or were) present in Chrome. The exploits would still be very different, though: The initial bug will get you through the front door, but it won't lead you to the self-destruct button.
It's true that Safari's interface is closed-source, but it's also true that fixing a WebKit bug would benefit the open source community, because that's public code used by a number of browsers.
Member since:2005-07-06
According to rumors on some other site I read the exploit wasn't in WebKit per se, but in a third party (open source) library used by the javascript engine. The real kicker, according to the same post, was the the bug Miller exploited has already been found and fixed upstream, but Apple is using an old version of that library that still has the bug.
Of course the only people who actually know what happened are under NDA, so take this with a grain of salt.
Member since:2007-09-06
It's about the users. Why should the users be left vulnerable to a known exploit just because Apple's business model isn't the same as Red Hat's? Do you extend the same towards Microsoft? It's ok for Microsoft's poor quality control to cause loss among the user base because they don't follow a FOSS business strategy?
Please..
Member since:2006-02-06
"At the end of a week in which Electronic Arts confirmed it wasn't developing a thing for the Wii U, one of the software engineers in EA Sports' Canada studio, in a series of since-deleted tweets, disparaged the console as 'crap' and suggested Nintendo should give up on hardware altogether. 'The Wii U is crap. Less powerful than an Xbox 360. Poor online/store. Weird tablet', tweeted Bob Summerwill, listed as a senior software engineer at EA Canada, in a reply to a tweet posting a link about EA's no-Wii U news. 'Nintendo are walking dead at this point'." The Wii U is turning into the 21st century's Virtual Boy.
"In NixOS, the entire operating system - the kernel, applications, system packages, configuration files, and so on - is built by the Nix package manager from a description in a purely functional build language. The fact that it's purely functional essentially means that building a new configuration cannot overwrite previous configurations. Most of the other features follow from this." Interesting approach. A Linux distribution, sure, but with some very refreshing ideas about system configuration.
Appfour added, among other features, C/C++ support to its new version of AIDE. From Android-IDE, "Now you can write parts of your app or your whole app in C/C++ on your device. AIDE supports the Standard Android NDK toolchain (GCC 4.6 + Bionic, STL, ...). No changes are necessary if you want to build an app developed on a PC with Eclipse. C/C++ development is fully integrated: Build errors appear in the error list and files can easily be navigated to with Go to file. The editor supports C/C++ syntax highlighting."
Ars nails it: "The answer is that Google did announce what amounts to a fairly substantial Android update yesterday. They simply did it without adding to the update fragmentation problems that continue to plague the platform. By focusing on these changes and not the apparently-waiting-in-the-wings update to the core software, Google is showing us one of the ways in which it's trying to fix the update problem."
"It is good for programmers to understand what goes on inside a processor. The CPU is at the heart of our career. What goes on inside the CPU? How long does it take for one instruction to run? What does it mean when a new CPU has a 12-stage pipeline, or 18-stage pipeline, or even a 'deep' 31-stage pipeline? Programs generally treat the CPU as a black box. Instructions go into the box in order, instructions come out of the box in order, and some processing magic happens inside. As a programmer, it is useful to learn what happens inside the box. This is especially true if you will be working on tasks like program optimization. If you don't know what is going on inside the CPU, how can you optimize for it? This article is about what goes on inside the x86 processor's deep pipeline."
"It was the only moment I heard regret slip into Otellini's voice during the several hours of conversations I had with him. 'The lesson I took away from that was, while we like to speak with data around here, so many times in my career I've ended up making decisions with my gut, and I should have followed my gut,' he said. 'My gut told me to say yes.'" The world would've been a much different place - Apple would have been less dependant on Samsung for its chips, which probably would've meant less money for Samsung to develop its Galaxy business.Glass is getting some love at Google I/O as well. New applications have been released - Facebook, Twitter, Evernote, Elle, Tumblr, and CNN. Perhaps more interesting: the newly announced Google Glass Developer Kit will allow offline applications and direct hardware access - great for hacking and expanding Glass' potential. This kit will really allow hackers to put Glass through its paces."But Beck and Merrill decided that simply banning toxic players wasn't an acceptable solution for their game. Riot Games began experimenting with more constructive modes of player management through a formal player behavior initiative that actually conducts controlled experiments on its player base to see what helps reduce bad behavior. The results of that initiative have been shared at a lecture at the Massachusetts Institute of Technology and on panels at the Penny Arcade Expo East and the Game Developers Conference." Absolutely fascinating stuff. I'm a League of Legends player, and to be honest, the community isn't nearly as bad as some make it out to be. I'm happy Riot games has the guts to employ science to address the issue.
"Android and iOS, the number one and number two ranked smartphone operating systems worldwide, combined for 92.3% of all smartphone shipments during the first quarter of 2013 as Windows Phone crept past BlackBerry for 3rd place. According to the International Data Corporation Worldwide Quarterly Mobile Phone Tracker, Android smartphone vendors and Apple shipped a total of 199.5 million units worldwide during 1Q13, up 59.1% from the 125.4 million units shipped during 1Q12." Windows Phone doubles from a few to twice few, iOS loser market share as its growth is slower than that of the overall market. BlackBerry continues slide into irrelevance."According to the latest research from our Wireless Smartphone Strategies service, global Android smartphone profits reached US$5 billion in total during the first quarter of 2013. Samsung dominated and captured an impressive 95 percent share of all Android smartphone profits." Wow.
Member since:
2008-06-26
Why?
Apple decided not to release their code, why would they have a right to know the exploits other people find for them?
They've chosen that model, now they have to deal with the downsides.