Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins 337
DimitryGH followed up on the earlier news that the MacBook Air lost CanSecWest by noting that "Last year's winner of the CanSecWest hacking contest has won the Vista laptop in this year's competition. According to the sponsor TippingPoint's blog, Shane Macaulay used a new 0day exploit against Adobe Flash in order to secure his win. At the end of the day, the only laptop (of OS X, Vista, and Ubuntu) that remained unharmed was the one running Ubuntu. How's that for fueling religious platform wars?"
What kind of exploit? (Score:2, Insightful)
Shane Macaulay used a new 0day exploit against Adobe Flash in order to secure his win. At the end of the day, the only laptop (of OS X, Vista, and Ubuntu) that remained unharmed was the one running Ubuntu. How's that for fueling religious platform wars?"
It depends what kind of exploit that was.
Newsworthy? (Score:4, Insightful)
What did you expect? (Score:4, Insightful)
Re:Newsworthy? (Score:5, Insightful)
Re:Popcorn anyone? (Score:5, Insightful)
1 day later. (Score:3, Insightful)
I don't know about a religious platform war .... (Score:5, Insightful)
Re:Know this: no one uses linux on desktop, no sof (Score:5, Insightful)
The really fun thing about absolute statements is that one counter-example disproves them. I use Linux on desktop. See? You're wrong. :-)
Of course, so does my wife (who majored in fashion merchandising), and my 88 year old father, and the exchange student who stayed in my house last year, and roughly half of the thousand people at PyCon two weeks ago (just from snooping screens during the plenaries), and about 4% of the desktop users world-wide. True, that's small compared to Windows' 85% share and a bit below Mac's 8%, but it's certainly not "nobody".
And note that the market share leader Windows survived the Mac by a day (though, my friend the Mac-fan said that only proves the Mac was so much more desirable than the other two laptops - touché! :-)
Well, anyway, sorry to have fed the troll.
Re:1 day later. (Score:2, Insightful)
Re:Popcorn anyone? (Score:4, Insightful)
So by not using Windows, users are made more secure by not being such a targeted pool in the first place, (as influenced by marketshare). But the design of the OS helps too.
Know this: people use linux on desktop (Score:3, Insightful)
Really? So this must be some magical post I'm making ...
I agree, which is why I don't "do" Windows.
I use linux at home, and linux + bsd at work.
My sister switched to an iMac, and "once you go mac, you never go back."
People routinely remote into another linux box at work when they want to get "real" work done in a more powerful graphical environment like kde, or need to do stuff that Windows just can't do without a lot of work ...
Even web developers no longer need to keep a Windows box handy "for compatability testing" - IE 7 runs fine under linux.
Re:Hierarchy of Desirable Laptops? (Score:2, Insightful)
Re:Know this: no one uses linux on desktop, no sof (Score:2, Insightful)
Re:Something is Fishy (Score:3, Insightful)
Actually, the fact that Vista held its own against every attack the contestants attempted against it for days, and only finally fell when the contest organizers modified the rules to allow exploitable third-party applications in, says a lot about Vista security. It's just that what it says about Vista security is opposite to what most Slashdottians would like it to say.
Re:Newsworthy? (Score:2, Insightful)
The people that participate in this are like magicians selling their secrets at a bus stop.
This isn't like a McAfee vs Norton contest. The "the total end point security" which you reference is no where near contextual. This is a how much are black hats willing to give up for chump-change contest.
Re:Popcorn anyone? (Score:1, Insightful)
Get these n00bs off my lawn!
Re:I don't know about a religious platform war ... (Score:3, Insightful)
At the same time, I've not seen it go beyond about 150MB of memory, and more commonly manages a third of that. Startup time was rubbish a couple of years ago when it'd sit there loading about 20 different plugins for no particular reason, but that's not been a problem for a while now.
Re:Let me get this straight (Score:4, Insightful)
Re:Something is Fishy (Score:1, Insightful)
-JD
Re:Something is Fishy (Score:5, Insightful)
See the following: background info [robertdowney.com], and most of this post [robertdowney.com] deals with UAC.
Re:Hey! (Score:5, Insightful)
*Useful to me; not to advertisers or corporate web designers who think interrupting the flow of my surfing and irritating the hell out of me are good ways to earn my shopping dollars
Re:Something is Fishy (Score:4, Insightful)
Really? What I hear is Vista security sucks in the real world. Seems to me that that's what most /.ers would like it to say. After all, OSes don't exist so we can admire their austere beauty, they exist so we can get things done with application programs.
Re:Software sucks. (Score:3, Insightful)
Okay, let's have an explanation... why *is* it possible to do any damage at all with Flash?
I guess comments like yours explain exactly why our software sucks.
Re:Know this: no one uses linux on desktop, no sof (Score:2, Insightful)
Re:Popcorn anyone? (Score:1, Insightful)
Sandbagging? (Score:3, Insightful)
I'd wager they each have a handy arsenal of "zero day" exploits ready for next year's competition already.
Re:Something is Fishy (Score:5, Insightful)
What the hell? Do you only read highly moderated Slashdot comments for all your information on Windows or what? One exploit in Firefox or Flash on Linux(default config on all major distros) can completely and silently wipe away all your user files or ftp them to Nigeria. All your smug talk about proper compartmentalization in "other OSes" won't help shit to stop that. Can you tell us what exactly on Linux would prevent the same hole in flash(or in Firefox) from shitting all over your user directory?
UAC is basically sudo and like the root password prompts that come up under GUI in Linux, except that MS didn't think that it would make sense to prompt a user already designated as a admin to enter the password because the vast majority of their users run in a single user environment. If the user is not an admin, then the admin password is prompted for. Can your provide some references for how windows not properly com
Contrast that to IE7 on Vista. Read this [msdn.com]. It's in part a implemtation of the Biba security model [wikipedia.org]. So a similar vulnerability in IE7 or any of its plugins(including Flash) will only be able work in sandbox that prevents access to anything but low risk files like temporary internet files.
From the linked article:So in order for the exploit on Flash to work on Vista SP1, it must have been run on Firefox/Opera/Safari/ OR it must have been run on IE7 and broken through the sandbox(quite possible, but the news shouldn't be about not only a exploit in Flash, but another one in Windows as well). THAT is the point of your parent post. And no, this is not an assumption. It's a fact even if you bury your head in sand.
Re:1 day later. (Score:3, Insightful)
Re:Popcorn anyone? (Score:2, Insightful)
10 Things to Remember About CanSecWest (Score:3, Insightful)
"The CanSecWest contest featured a number of security researchers, each with different backgrounds, motivations, and levels of expertise working to exploit flaws in the three systems running Mac OS X, Windows Vista, and Ubuntu Linux. However, rather than being a level contest to expose the flaws in the three systems, it was really a contest highlighting the knowledge and abilities of the researchers, each of whom targeted the platform of their choice."
10 Things to Remember About CanSecWest and Software Vulnerabilities [roughlydrafted.com]
Re:Newsworthy? (Score:5, Insightful)
In sum, what this means is that Windows systems depend heavily on closed-source software and the judgment of individual users, both of which are less secure than the community-oriented "more eyes" approach taken by open-source Linux distributions.
Re:What kind of exploit? (Score:3, Insightful)
I wonder if Flash was attacked via Firefox, or in some other fashion. Through IE, running as a non-admin and with the IE7 on Vista sandboxing, any vuln in flash should have been pretty useless in owning the OS.
I wish there were more details posted.
Also interesting that the folks who took down the Vista box said its a couple hours of work from this being effective against OSX and Linux as well.
Re:Popcorn anyone? (Score:3, Insightful)
On a typical Linux distro, the web browser runs as the same user/privs as the person using the desktop, so anything that can cause the browser or browser-plugin to reach outside of the app's sandbox can quite easily read/write to anything on the box that the desktop user can read/write to/from. Same for WinXP.
But on Vista using IE7, this is very much not the case. Even if you completely pwn the browser, its running as a user process that has almost zero ability to write or read anywhere on the file system.
Which makes me wonder if this attack was via Flash on Firefox, which would be much more vulnerable to this type of disclosure attack than Flash on IE (as long as the site wasnt in Trusted Sites on the IE).
Now mind you, some of the mandatory acccess control packages on linux systems can strongly mitigate this, much like IE7 on Vista. I cant say whether these would apply to Firefox, say, on a typical Linux distro though.
Re:Popcorn anyone? (Score:2, Insightful)
Didn't think so..
Re:Software sucks. (Score:3, Insightful)
Bugs like buffer overflows, the uber-exploits anyone can use to run code on your machine.
Software will suck as long as speed is more important than correctness.