Pwn2Own 2009 Winner Charlie Miller Interviewed
Posted by
samzenpus
on Wed Mar 25, 2009 07:51 PM
from the chief-hacker dept.
crazipper writes "Tom's Hardware interviewed Charlie Miller, winner of this year's Pwn2Own contest and formerly with the NSA. He discusses the effort it took before the contest to be able to take down a MacBook within seconds, sandboxing, and the effectiveness of the NX bit and ASLR. His outlook on end-users protecting themselves against attacks? 'Users are at the mercy of the products they buy.'"
Related Stories
First Pwn2Own 2009 Contest Winners Emerge 98 comments
mellowdonkey writes "Last year's CanSecWest hacking contest winner, Charlie Miller, does it again this year in the 2009 Pwn2Own contest. Charlie was the first to compromise Safari this year to win a brand spankin' new MacBook. Nils, the other winner, was able to use three separate zero day exploits to whack IE8, Firefox, and Safari as well. Full detail and pictures are available from the sponsor, TippingPoint, who acquired all of the exploits through their Zero Day Initiative program."
A Closer Look At Chromium and Browser Security 109 comments
GhostX9 writes "Tom's Hardware's continuing series on computing security has an interview with Adam Barth and Collin Jackson, members of Stanford University's Web Security Group and members of the team that developed Chromium, the open-source core behind Google Chrome. The interview goes into detail regarding the sandboxing approach unique to Chromium, comparisons between the browser and its competition, and web security in general."
The iPhone SMS Hack Explained 94 comments
GhostX9 writes "Tom's Hardware just interviewed Charlie Miller, the man behind the iPhone remote exploit hack and winner of Pwn2Own 2009. He explains the (now patched) bug in the iPhone which allowed him to remotely exploit the iPhone in detail, explaining how the string concatenation code was flawed. The most surprising thing was that the bug could be traced back to several previous generations of the iPhone OS (he stopped testing at version 2.2). He also talks about the failures of other devices, such as crashing HTC's Touch by sending an SMS with '%n' in the text."
Users are at the mercy of the products they buy (Score:5, Interesting)
Re: (Score:3, Funny)
Because the EULA says so.
*dodges rotten tomatoes*
Re:Users are at the mercy of the products they buy (Score:5, Insightful)
The same reason you can't sue an alarm company when someone breaks into your house.
If your data is
Re:Users are at the mercy of the products they buy (Score:5, Insightful)
To illustrate the ridiculousness of your question, I'll rephrase it: "Why can't you sue the construction company that built your house if someone vandalizes it or you suffer a loss due to break and enter?"
Re:Users are at the mercy of the products they buy (Score:5, Insightful)
When someone I'm working with writes a bug or leaves a security hole, I tease them, but the truth is I still have not found a way to write bug-free code myself. You can't really sue someone for not doing something that is impossible.
OK, I admit some companies could do a significantly better job of making things secure. The article gives a couple of examples of what Apple could have done to make their code more secure. But if it were possible to sue someone for that, I would be quite worried personally; as a programmer, I don't trust a jury to determine what is a reasonable vulnerability and what is not, so from my point of view it is better not to make insecure software illegal. And in most non-internet code, security isn't really an issue.
pwnd & ownD (Score:5, Insightful)
Tom's Hardware
[NEXT PAGE>
PWNs & OwnZ U
[NEXT PAGE>
If you read
[NEXT PAGE>
their articles
[To continue reading this comment, click here [brokenlink.com] ]
He was sitting on the winning weakness (Score:5, Insightful)
since last year.
A quote from another interview:
"Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away."
Who knows what other goodies they have in store. But the browsers and the phones were hardly touched. The contestants are holding out for something better.
Re:He was sitting on the winning weakness (Score:4, Interesting)
I've been in a lengthy argument about this guy on the Ars Technica forums. I ended up emailing Bruce Schneier [schneier.com] about this and asked his thoughts.
Here was my email to him:
Hi Bruce,
I've been following the Pwn2Own contest for the last couple of years.
Last year a researcher from ISE ( http://securityevaluators.com/ [securityevaluators.com] )
named Charlie Miller used an exploit in a Perl library included in
WebKit, the base code for Apple's Safari browser and won a cash prize
for his effort. In the press it was claimed he "hacked Safari in mere
seconds". In truth it took a lot more time than that to devise the
exploit and only seconds to execute it.
This year he did it again with another preplanned exploit which he
says he discovered while researching last year's bug. Again he won a
cash prize of $10,000.
In an interview with ZDNet he said: "I never give up free bugs. I have
a new campaign. It's called NO MORE FREE BUGS. Vulnerabilities have a
market value so it makes no sense to work hard to find a bug, write an
exploit and then give it away," Miller told ZDNet. "Apple pays people
to do the same job so we know there's value to this work."
I have a major problem with his philosophy and feel this is a
dangerous precedent to set and a bastardization of the goals of
security in the first place. I feel he has an obligation to inform
Apple and not dangle a dollar amount for the how-to.
Sure he should be paid for his time and effort which is why he works
at a security firm. This contest is basically bonus money and about
bragging rights. Sitting on a bug puts the safety of other users at
risk. But he is basically demanding bribe money for bugs. Who is to
say he wouldn't give up his research to the highest bidder? I'm sure
there are blackhat groups like those in Russia and China that would
pay handsomely for some juicy exploits like this.
Yes there is a long history of security firms hiring hackers and there
have been many questions of whether that is a good idea. But security
firms should take notice of this philosophy and not employ those who
engage in this kind of behavior. It's bad form for his employer and
makes the security industry as a whole look bad by proxy. Would you
hire a security company that employs hackers who blackmail for bugs
to work on your systems? If we hired his firm while I was working IT
at a large New York bank I would have advised my boss to make sure he's not
on our project (and perhaps hire an entirely different firm altogether).
I've been in a discussion with other users about this. There seems to
be a split in viewpoint, one side saying he should let Apple and the
WebKit developers know about this exploit for the betterment of
everyone (for free). The other side feels this is purely about
capitalism and he has no moral or ethical obligation to tell anyone.
Some have likened it to seeing a crack in a bridge that might fail.
Are you obligated to inform someone of the problem? What if Dan
Kaminsky demanded $1 million to divulge details on the DNS BIND problem?
What are your feelings on this?
Thanks
Here's the discussion I've been following:
http://episteme.arstechnica.com/eve/forums/a/tpc/f/174096756/m/996001677931?r=869003677931#869003677931 [arstechnica.com]
http://dvlabs.tippingpoint.com/blog/2009/03/21/pwn2own-wrap-up [tippingpoint.com]
Bruce wrote me back today with his response:
There's a fine line between being paid for your efforts and extortion. This seems to cross it.
I think the best quote was... (Score:5, Interesting)
Between Mac and PC, I'd say that Macs are less secure for the reasons we've discussed here (lack of anti-exploitation technologies) but are more safe because there simply isn't much malware out there.
That's pretty much been my take on the situation as well. Vista SP1 really is one of the most secure OSes I've used.
They glossed over Linux on this question, but I suspect Vista SP1 is probably more secure than linux too 'out of the box'... but again less safe in actual practice. Again simply due to the sheer relative volume of malware and the relative high value of windows exploits to linux ones.
(Although Linux at least does have SELinux, AppArmor, Exec Shield, support for ASLR, etc., so it's more a case that it's just not on by default yet. Ironically, that's a complaint usually levelled at Windows.)
And while improvements are added with each kernel release, too many Linux admins refuse to install them because it would reset their beloved uptime scores which they feel the need to post to /. on a regular basis...
I kid... I kid...
How can you not love this guy? (Score:5, Funny)
Every time you quote this, somewhere in the world a mac zealot's head explodes. I just did my part :P
Re:How can you not love this guy? (Score:5, Informative)
I'm beginning to think this "Mac zealot" business is a figment of overly sensitive Windows users' imaginations. I work at a place where around 40-50% of the employees choose to use a Mac. The only derisive comments I EVER hear are little snipes aimed at Macs by the Windows crowd. "The page isn't loading? Is it because you're using a Mac?" "You just can't get any work done on a Mac." And yet the Windows crowd loves to complain about Microsoft. I think Microsoft owes their success to the Stockholm syndrome.
ASLR? (Score:5, Funny)
Re: (Score:3, Funny)
we don't talk about robot overlords
--
Ya, know.... I thought about that. Then I thought...what if they know what I'm thinking?!!
So then, naturally, I didn't think about that. Showed them!
Re:Grandma can't run Linux? (Score:5, Insightful)
Linux is NOT perfect. Anyone who thinks so is either an idiot or lying. For a lot of people, it is the best and of much better quality and calibre than the alternatives (windows, macOS), but definitely not perfect.
Disclaimer: Proud Ubuntu user since 7.10 and have never even considered moving back to windows.
Re:Grandma can't run Linux? (Score:4, Insightful)
Within the spheres of some Windows power users, who understand the ins and outs of Windows perfectly, Linux is foreign and useless. But the same could be said about Linux power users and Windows. So that is more of a statement about the difficulty users who are strongly versed in one OS have in switching to another. And that proves nothing in the Linux vs. Windows debate.
As far as security is concerned, I'd probably argue that Linux is more secure, but not completely secure. It's possible to get a Linux box completely screwed up (someone was talking about that here, where they accidentally exposed a Linux box with a very old version of OpenSSL to the web and got it compromised), but the question is which is easier to get more secure, or which will have fewer issues. No software is perfect (please no BSD comments), it's all a game of lesser of two evils.
Re: (Score:3, Insightful)
Uh, I think you're quite wrong there. I know more than a few Grandmas running Linux. The thing is, they're the ones that usually need the least amount of software. A browser, maybe e-mail if they don't do it in a browser, that's about it. Linux is perfect.
You can't be serious.
Of those "more than a few" Grandmas you know running Linux, how many bought and set up their own computer? How many Grandmas do you know that enjoy compiling drivers?
I'm not a Mac user myself, but for what it's worth, my own Grandma was able to buy herself a Mac and get it plugged in and running on her own. It's similarly easy with a Windows machine as soon as you figure out where all the plugs go, Windows setup is a breeze.
Sure, they need help figuring out what to do once the thing i
Re:Grandma can't run Linux? (Score:4, Insightful)
Um... how many grandmas do you know who set up their own windows machine? Plugging it in doesn't count, they have to actually install windows.
0?
thought so. Windows is just as much of a PitA as Linux, and the same people who need help setting up one need help setting up the other.
Where Linux fails is the power users, who have learned how to do things beyond email (that someone else set up) in Windows, and who have to relearn a sometimes less intuitive way in Linux (that and peripheral hardware).
Re:Grandma can't run Linux? (Score:4, Funny)
That's where grandma's decades of real-life experience are more useful than a 20-something's decade in mom's basement.
Grandma can seduce her way onto any OS or system or network.
Or just have the best looking forum, blog, webpage or social networking page ever.
The best part is she passed the same skills onto her daughter too.
Re:NX and ASLR (Score:5, Insightful)
ASLR is just more defense in depth. Real security, physical or virtual, comes from having multiple layers. While it is a nice theory to say "Well just make sure X is secure and nothing will ever get past it," that doesn't work in reality. Shit happens, your border security can fail. Thus real security comes in multiple levels. Not all of them are as critical or as effective as others, but they all help.
ASLR is just another level. If you find a flaw in some software connected to the network, you now have an additional problem in terms of getting code to execute. Is it insurmountable? No, but it is just more shit to get around.
The more levels of security you have, the less likely someone is to break through all of it, especially before you notice they are trying. Have a border firewall, and host based firewalls. Run a virus scanner on every computer. Enable execute disable on systems. Operate as a deprivileged user whenever possible and so on. The more you do, the more things there are to trip up an attacker. Don't say "Well we don't need this because we have this other thing."
I see that most common with firewalls. People will have a network firewall and thus assume that host based firewalls aren't worth the trouble. Well, they are. What if something gets by the network firewall? Just because it isn't supposed to doesn't mean it won't happen. Maybe someone brings in an owned laptop, maybe there's a flaw in the firewall, maybe you just set it up wrong. Whatever, point is have multiple security layers. Make it so that just because you got by the network firewall, doesn't mean you are in.
So while I certainly wouldn't want to see a company rely on ASLR, as in say "No we don't need to fix that app bug, they can't exploit it since we randomize addresses," I do like it as another layer of defense. Not a magic bullet, but just that much harder to get in.
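The two comments above (the one noting that Linux ships its exploit mitigations but leaves them off by default, and the one treating NX and ASLR as one more layer) both come down to a practical question: is this binary actually getting those layers? As an added example, written for this page and not taken from the interview or from any commenter, here is a Python check for the binary-side half of that on Linux. It parses an ELF's headers to report whether the executable is position-independent (ET_DYN, so ASLR can randomize the main image rather than only libraries, stack and heap) and whether its PT_GNU_STACK header leaves the stack non-executable; a second small function decodes the system-side switch, /proc/sys/kernel/randomize_va_space. The sample images are constructed in the block purely to exercise the parser; give it a real path to check your own binaries.

```python
"""Check whether a Linux ELF binary opts into ASLR (PIE) and NX (non-executable stack).

Added example, not code from the interview or the thread. The sample images
below are constructed in-line; run with a path to inspect a real binary:
    python3 elfcheck.py /bin/ls
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551   # GNU extension program header carrying stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
ET_EXEC, ET_DYN = 2, 3


def inspect_elf(data: bytes) -> dict:
    """Parse the ELF header and program headers; return the NX/ASLR-relevant facts.

    pie:               e_type == ET_DYN, so the kernel can load the image at a
                       random base and ASLR covers the executable itself.
    gnu_stack_present: a PT_GNU_STACK header was found.
    nx_stack:          PT_GNU_STACK present without PF_X. A missing header is
                       reported as executable, matching the loader's default.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                 # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    e_type, = struct.unpack_from(end + "H", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)

    stack_flags = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:                        # Elf64_Phdr: p_type, p_flags, ...
            p_type, p_flags = struct.unpack_from(end + "II", data, off)
        else:                           # Elf32_Phdr: p_type first, p_flags at +24
            p_type, = struct.unpack_from(end + "I", data, off)
            p_flags, = struct.unpack_from(end + "I", data, off + 24)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
    return {
        "pie": e_type == ET_DYN,
        "gnu_stack_present": stack_flags is not None,
        "nx_stack": stack_flags is not None and not (stack_flags & PF_X),
    }


def inspect_file(path: str) -> dict:
    """Run inspect_elf over a file on disk."""
    with open(path, "rb") as fh:
        return inspect_elf(fh.read())


def describe_randomize_va_space(value: str) -> str:
    """Meaning of /proc/sys/kernel/randomize_va_space (the system-side ASLR switch)."""
    return {
        "0": "ASLR disabled",
        "1": "stack, mmap base and VDSO randomized (brk not)",
        "2": "full: stack, mmap base, VDSO and brk randomized",
    }.get(value.strip(), "unknown value")


def build_sample_elf64(e_type: int, stack_flags) -> bytes:
    """Constructed, non-loadable ELF64 little-endian image: header plus at most
    one PT_GNU_STACK program header. Enough for inspect_elf, nothing more."""
    phnum = 0 if stack_flags is None else 1
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # 64-bit, LE, version 1
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 62, 1,    # e_type, e_machine (x86-64), e_version
        0, 64, 0,         # e_entry, e_phoff (right after the 64-byte header), e_shoff
        0, 64, 56,        # e_flags, e_ehsize, e_phentsize
        phnum, 64, 0, 0,  # e_phnum, e_shentsize, e_shnum, e_shstrndx
    )
    phdr = b""
    if phnum:
        phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return header + phdr


if __name__ == "__main__":
    samples = {
        "hardened (PIE, NX stack)": build_sample_elf64(ET_DYN, PF_R | PF_W),
        "legacy (fixed base, exec stack)": build_sample_elf64(ET_EXEC, PF_R | PF_W | PF_X),
        "no PT_GNU_STACK at all": build_sample_elf64(ET_EXEC, None),
    }
    for name, image in samples.items():
        print(f"{name:32s} {inspect_elf(image)}")
    for path in sys.argv[1:]:
        print(f"{path:32s} {inspect_file(path)}")
```

A binary that reports pie=False still gets ASLR for its stack, heap and shared libraries when randomize_va_space is 2, but its own code and data sit at a fixed address, which is exactly the kind of known-address target the commenter's "just more stuff to get around" argument is about. The same goes for an executable stack: NX in the CPU does nothing for a process whose loader was told to map the stack RWX.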
Re:NX and ASLR (Score:5, Interesting)
Yes, layers of security are indeed the key. Any one layer isn't totally impenetrable but, like layering nets over nets over nets, if you have enough layers then eventually you end up with something that's damn-near watertight.
People always laugh at me because they can't get on my wireless at home easily when they visit. This is because it has:
- WPA2 with secure passphrase and MAC filtering (so this defeats 99% of my visitors' casual attempts to log on).
- Onto a locked-down network with only one visible IP and on that IP, only one visible port (all clients have their own firewalls so that they regard the wireless as "untrusted" and don't transmit information over it) and that port is only open to known IPs. So even if they do get onto the network by sniffing / guessing / stealing the key (or WPA2 is cracked, etc.), there's nothing interesting to look at with nmap or sniff.
- On that port, an instance of OpenVPN which is secured by its own key infrastructure with passphrases.
- On that VPN, you have to set IPs, DNS and proxy correctly (and manually, no DHCP!) or nothing goes out.
Yet, on the "authentic" client side, all you have to do is copy some keys from a USB key and run one little tiny script and everything just runs... I even play Counterstrike over the wireless/VPN and don't even notice any extra latency. But when WPA2 is cracked, or OpenVPN has a bug discovered in it, or MAC filtering is rendered useless (already is, I know), or they guess my internal network numbering etc. then I have still bought myself an incredible amount of time and security to fix the problem before anybody can get onto the network - and anyone trying will be tripping over so many wires that I will notice them trying and just switch it off until I'm sure it's secure. And, from the outside, it just looks like an ordinary wireless connection. You could go overboard - I could run SSH over the VPN, I could hide the wireless broadcasts, I even have a port-knocking setup that I can use to authenticate the opening of ports, without affecting my use of the system.
Security is a question of probability... it's not that your security guard couldn't be overcome, or the safe cracked, or the cameras disabled, or the alarm cut, but that the chances of that ALL happening without anyone noticing are incredibly slim.
Re:NX and ASLR (Score:4, Interesting)
I agree. One time when I was cleaning malware off of a neighbor's computer (wasn't my idea, I got volunteered by someone else in my household), the NX bit kept one of those annoying fake antivirus ones from reinstalling itself when I had Procmon kill its process. At least I think it was Procmon.
Anyway, Windows came up with a nice dialog box telling me that execution was blocked, and it didn't appear to be running after a reboot.