Pwn2Own 2009 Winner Charlie Miller Interviewed

crazipper writes "Tom's Hardware interviewed Charlie Miller, winner of this year's Pwn2Own contest and formerly with the NSA. He discusses the effort it took before the contest to be able to take down a MacBook within seconds, sandboxing, and the effectiveness of the NX bit and ASLR. His outlook on end-users protecting themselves against attacks? 'Users are at the mercy of the products they buy.'"
  • by clarkkent09 ( 1104833 ) on Wednesday March 25, 2009 @08:09PM (#27336949)
    Why can't you sue a software company if you suffer a loss due to poor security in their product?
  • by Yarhj ( 1305397 ) on Wednesday March 25, 2009 @08:34PM (#27337123)

    Because you would end up being able to sue almost everyone... ask the same type of question about a car and you will get the same answer

    Actually, you CAN sue a car company if their poor design causes you harm - think of the Ford Pinto or any number of automotive recalls.

  • by maxume ( 22995 ) on Wednesday March 25, 2009 @09:18PM (#27337491)

    The software companies could offer worthwhile bounties. Short of that, I can't fault the prizewinners much.

  • by vux984 ( 928602 ) on Wednesday March 25, 2009 @09:24PM (#27337523)

    Between Mac and PC, I'd say that Macs are less secure for the reasons we've discussed here (lack of anti-exploitation technologies) but are more safe because there simply isn't much malware out there.

    That's pretty much been my take on the situation as well. Vista SP1 really is one of the most secure OSes I've used.

    They glossed over Linux on this question, but I suspect Vista SP1 is probably more secure than linux too 'out of the box'... but again less safe in actual practice. Again simply due to the sheer relative volume of malware and the relative high value of windows exploits to linux ones.

    (Although Linux at least does have 'SE Linux', AppArmor, Exec Shield, support for ASLR, etc, etc so it's more a case that it's just not on by default yet. (Ironically a complaint usually levelled at Windows.))

    And while improvements are added with each kernel release, too many Linux admins refuse to install them because it would reset their beloved uptime scores which they feel the need to post to /. on a regular basis...

    I kid... I kid...

  • Not only that (Score:3, Interesting)

    by Sycraft-fu ( 314770 ) on Wednesday March 25, 2009 @10:27PM (#27337897)

    But if you want something with guaranteed security or uptime or the like, you aren't going to be allowed to mess with it. That means whatever software/features it comes with, you are stuck with. No installing 3rd party tools and such. The design needs to be verified, which means testing all the components against each other and making sure there are no unexpected problems.

    So not only would your computer be more expensive, and use older technology (since it'd take longer to develop and test) but it'd be an appliance type device. It would do only what it was originally designed to do. You'd not be allowed to install things on it, or change the hardware.

    If you want computers as they are today, where it's the "wild west" situation of being able to do whatever you want with them, well then you have to take some security problems with that. Just life. Me? I'll deal with having to have some security issues for the ability to run whatever I want, and to get systems cheaply.

  • Re:NX and ASLR (Score:4, Interesting)

    by VGPowerlord ( 621254 ) on Wednesday March 25, 2009 @10:35PM (#27337949)

    I agree. One time when I was cleaning malware off of a neighbor's computer (wasn't my idea, I got volunteered by someone else in my household), the NX bit kept one of those annoying fake antivirus ones from reinstalling itself when I had Procmon kill its process. At least I think it was Procmon.

    Anyway, Windows came up with a nice dialog box telling me that execution was blocked, and it didn't appear to be running after a reboot.

  • by Seraphim_72 ( 622457 ) on Thursday March 26, 2009 @01:17AM (#27338595)
    Really?

    Try this then - I have the cure for Cancer (all of it), but I will only take the bounty for each one. How much will you give me for breast cancer? Oh and BTW I set my own price.

    This guy is the Pharma of computers.
  • by zonker ( 1158 ) on Thursday March 26, 2009 @03:06AM (#27338985) Homepage Journal

    I've been in a lengthy argument about this guy on the Ars Technica forums. I ended up emailing Bruce Schneier [schneier.com] about this and asked his thoughts.

    Here was my email to him:

    Hi Bruce,

    I've been following the Pwn2Own contest for the last couple of years.
    Last year a researcher from ISE ( http://securityevaluators.com/ [securityevaluators.com] )
    named Charlie Miller used an exploit in a Perl library included in
    WebKit, the base code for Apple's Safari browser and won a cash price
    for his effort. In the press it was claimed he "hacked Safari in mere
    seconds". In truth it took a lot more time than that to devise the
    exploit and only seconds to execute it.

    This year he did it again with another preplanned exploit which he
    says he discovered while researching last years bug. Again he won a
    cash prize of $10,000.

    In an interview with ZDNet he said: "I never give up free bugs. I have
    a new campaign. It's called NO MORE FREE BUGS. Vulnerabilities have a
    market value so it makes no sense to work hard to find a bug, write an
    exploit and then give it away," Miller told ZDNet. "Apple pays people
    to do the same job so we know there's value to this work."

    I have a major problem with his philosophy and feel this is a
    dangerous precedent to set and a bastardization of the goals of
    security in the first place. I feel he has an obligation to inform
    Apple and not dangle a dollar amount for the how-to.

    Sure he should be paid for his time and effort which is why he works
    at a security firm. This contest is basically bonus money and about
    bragging rights. Sitting on a bug puts the safety of other users at
    risk. But he is basically demanding bribe money for bugs. Who is to
    say he wouldn't give up his research to the highest bidder? I'm sure
    there are blackhat groups like those in Russia and China that would
    pay handsomely for some juicy exploits like this.

    Yes there is a long history of security firms hiring hackers and there
    have been many questions of whether that is a good idea. But security
    firms should take notice of this philosophy and not employ those who
    engage in this kind of behavior. It's bad form for his employer and
    makes the security industry as a whole look bad by proxy. Would you
    hire a security company that employs hackers who blackmail for bugs
    to work on your systems? If we had hired his firm while I was working IT
    at a large New York bank I would have advised my boss to make sure he's not
    on our project (and perhaps hire an entirely different firm altogether).

    I've been in a discussion with other users about this. There seems to
    be a split in viewpoint, one side saying he should let Apple and the
    WebKit developers know about this exploit for the betterment of
    everyone (for free). The other side feels this is purely about
    capitalism and he has no moral or ethical obligation to tell anyone.

    Some have likened it to seeing a crack in a bridge that might fail.
    Are you obligated to inform someone of the problem? What if Dan
    Kaminsky demanded $1 million to divulge details on the DNS BIND problem?

    What are your feelings on this?

    Thanks

    Here's the discussion I've been following:

    http://episteme.arstechnica.com/eve/forums/a/tpc/f/174096756/m/996001677931?r=869003677931#869003677931 [arstechnica.com]

    http://dvlabs.tippingpoint.com/blog/2009/03/21/pwn2own-wrap-up [tippingpoint.com]

    Bruce wrote me back today with his response:

    There's a fine line between being paid for your efforts and extortion. This seems to cross it.

  • Re:NX and ASLR (Score:5, Interesting)

    by ledow ( 319597 ) on Thursday March 26, 2009 @06:07AM (#27339731) Homepage

    Yes, layers of security are indeed the key. Any one layer isn't totally impenetrable but, like layering nets over nets over nets, if you have enough layers then eventually you end up with something that's damn-near watertight.

    People always laugh at me because they can't get on my wireless at home easily when they visit. This is because it has:

    - WPA2 with secure passphrase and MAC filtering (so this defeats 99% of my visitors' casual attempts to log on)
    - Onto a locked-down network with only one visible IP and on that IP, only one visible port (all clients have their own firewalls so that they regard the wireless as "untrusted" and don't transmit information over it) and that port is only open to known IPs. So even if they do get onto the network by sniffing / guessing / stealing the key (or WPA2 is cracked, etc.), there's nothing interesting to look at with nmap or sniff.
    - On that port, an instance of OpenVPN which is secured by its own key infrastructure with passphrases.
    - On that VPN, you have to set IPs, DNS and proxy correctly (and manually, no DHCP!) or nothing goes out.

    Yet, on the "authentic" client side, all you have to do is copy some keys from a USB key and run one little tiny script and everything just runs... I even play Counterstrike over the wireless/VPN and don't even notice any extra latency. But when WPA2 is cracked, or OpenVPN has a bug discovered in it, or MAC filtering is rendered useless (already is, I know), or they guess my internal network numbering etc. then I have still bought myself an incredible amount of time and security to fix the problem before anybody can get onto the network - and anyone trying will be tripping over so many wires that I will notice them trying and just switch it off until I'm sure it's secure. And, from the outside, it just looks like an ordinary wireless connection. You could go overboard - I could run SSH over the VPN, I could hide the wireless broadcasts, I even have a port-knocking setup that I can use to authenticate the opening of ports, without affecting my use of the system.

    Security is a question of probability... it's not that your security guard couldn't be overcome, or the safe cracked, or the cameras disabled, or the alarm cut, but that the chances of that ALL happening without anyone noticing are incredibly slim.
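The "I will notice them trying" layer in the post above is the part that makes the rest of the stack work, so here is what that noticing can look like in practice. This is an added example, not code from the comment's author: it assumes the wireless gateway logs every dropped packet from the wireless segment in iptables style with a `WLAN-DROP` prefix, that the single exposed service is an OpenVPN endpoint on UDP 1194, and that only two known client addresses are permitted to reach it. The log lines, the prefix, the port and the client addresses are all constructed for the example. The script counts drops per source, records which ports each source touched, and flags both noisy sources (a port sweep across the "nothing interesting to look at" layer) and any unknown address that reached the VPN port at all.

```python
"""Detection over constructed gateway drop logs for a layered home network.

Added example (not the commenter's own setup). Assumptions, all constructed:
  - the gateway logs dropped wireless-side packets with a WLAN-DROP prefix
    and accepted ones with WLAN-ACCEPT, in iptables LOG format;
  - the only service reachable from the wireless segment is OpenVPN on UDP 1194;
  - exactly two client addresses are allowed to reach that port.
"""
import re
from collections import Counter, defaultdict

ALLOWED_SOURCES = {"10.9.0.11", "10.9.0.12"}   # assumed known VPN clients
VPN_PORT = 1194                                # assumed OpenVPN port
ALERT_THRESHOLD = 3                            # drops per source before we care

# Pull the fields we need out of an iptables-style LOG line.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+)"
    r"\s+SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+)"
)

# Constructed sample log lines; not captured from any real network.
SAMPLE_LOG = """\
Mar 26 06:10:01 gw kernel: WLAN-DROP IN=wlan0 OUT= SRC=10.9.0.77 DST=10.9.0.1 LEN=60 PROTO=TCP SPT=40123 DPT=22
Mar 26 06:10:01 gw kernel: WLAN-DROP IN=wlan0 OUT= SRC=10.9.0.77 DST=10.9.0.1 LEN=60 PROTO=TCP SPT=40124 DPT=80
Mar 26 06:10:02 gw kernel: WLAN-DROP IN=wlan0 OUT= SRC=10.9.0.77 DST=10.9.0.1 LEN=60 PROTO=TCP SPT=40125 DPT=443
Mar 26 06:10:02 gw kernel: WLAN-DROP IN=wlan0 OUT= SRC=10.9.0.77 DST=10.9.0.1 LEN=60 PROTO=UDP SPT=40126 DPT=1194
Mar 26 06:10:05 gw kernel: WLAN-DROP IN=wlan0 OUT= SRC=10.9.0.50 DST=10.9.0.1 LEN=60 PROTO=UDP SPT=51000 DPT=1194
Mar 26 06:11:00 gw kernel: WLAN-ACCEPT IN=wlan0 OUT= SRC=10.9.0.11 DST=10.9.0.1 LEN=60 PROTO=UDP SPT=52000 DPT=1194
"""


def parse_line(line):
    """Return (action, src, proto, dpt) for a gateway log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    action = "DROP" if "WLAN-DROP" in line else "ACCEPT"
    return action, m.group("src"), m.group("proto"), int(m.group("dpt"))


def analyze(log_text):
    """Summarise dropped traffic per source and pick out what deserves a look.

    noisy_sources: sources with at least ALERT_THRESHOLD drops (a sweep of the
                   locked-down segment tripping the "nothing to see" layer).
    vpn_probes:    unknown sources that reached the one exposed port; the VPN's
                   own keys are the next layer, but this is the earliest signal.
    """
    drops = Counter()
    ports = defaultdict(set)
    vpn_probes = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        action, src, proto, dpt = parsed
        if action != "DROP":
            continue                      # accepted traffic is from known clients
        drops[src] += 1
        ports[src].add(dpt)
        if proto == "UDP" and dpt == VPN_PORT and src not in ALLOWED_SOURCES:
            vpn_probes.add(src)
    noisy = {src: n for src, n in drops.items() if n >= ALERT_THRESHOLD}
    return {
        "drops": dict(drops),
        "ports": {src: sorted(p) for src, p in ports.items()},
        "noisy_sources": noisy,
        "vpn_probes": sorted(vpn_probes),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for src, n in report["noisy_sources"].items():
        print(f"noisy source {src}: {n} drops across ports {report['ports'][src]}")
    for src in report["vpn_probes"]:
        print(f"unknown source {src} reached the VPN port")
```

On the constructed log the sweep from 10.9.0.77 shows up as a noisy source touching four ports, and both 10.9.0.77 and 10.9.0.50 are reported for reaching the VPN port without being known clients; the accepted packet from 10.9.0.11 is ignored because it is the expected path. Threshold and allow-list are the knobs to tune for a real gateway.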

  • Re:EULA (Score:3, Interesting)

    by ChatHuant ( 801522 ) on Thursday March 26, 2009 @12:50PM (#27344079)

    You know what? Fuck Mozilla in the ear for putting that shit in all capital letters. There is no reason to do so, unless you actively want people to not read and understand it.

    Actually it's a legal requirement: under the Uniform Commercial Code, some items in a contract/license, like warranties or disclaimers, must be conspicuous [cornell.edu]. CAPITALS MAKE THEM SO.
