Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Pwn2Own 2009 Winner Charlie Miller Interviewed 160

crazipper writes "Tom's Hardware interviewed Charlie Miller, winner of this year's Pwn2Own contest and formerly with the NSA. He discusses the effort it took before the contest to be able to take down a MacBook within seconds, sandboxing, and the effectiveness of the NX bit and ASLR. His outlook on end-users protecting themselves against attacks? 'Users are at the mercy of the products they buy.'"
This discussion has been archived. No new comments can be posted.

Pwn2Own 2009 Winner Charlie Miller Interviewed

Comments Filter:
  • The NX bit is awesome.

    ASLR is effective, but it's generally used as a way to slow down attackers after they've already figured out how to break your broken shit.

    • I'm suuuuure his time in the NSA had nothing to do with it. It's not like the NSA knows things that the general public aren't allowed to know.
    • Re:NX and ASLR (Score:5, Insightful)

      by Sycraft-fu ( 314770 ) on Wednesday March 25, 2009 @08:01PM (#27337363)

      ASLR is just more defense in depth. Real security, physical or virtual, comes from having multiple layers. While it is a nice theory to say "Well just make sure X is secure and nothing will ever get past it," that doesn't work in reality. Shit happens, your border security can fail. Thus real security comes in multiple levels. Not all of them are as critical or as effective as others, but they all help.

      ASLR is just another level. If you find a flaw in some software connected to the network, you now have an additional problem in terms of getting code to execute. Is it insurmountable? No, but it is just more shit to get around.

      The more levels of security you have, the less likely someone is to break through all of it, especially before you notice they are trying. Have a border firewall, and host based firewalls. Run a virus scanner on every computer. Enable execute disable on systems. Operate as a deprivileged user whenever possible and so on. The more you do, the more things there are to trip up an attacker. Don't say "Well we don't need this because we have this other thing."

      I see that most common with firewalls. People will have a network firewall and thus assume that host based firewalls aren't worth the trouble. Well, they are. What if something gets by the network firewall? Just because it isn't supposed to doesn't mean it won't happen. Maybe someone brings in an owned laptop, maybe there's a flaw in the firewall, maybe yo just set it up wrong. Whatever, point is have multiple security layers. Make it so that just because you got by the network firewall, doesn't mean you are in.

      So while I certainly wouldn't want to see a company rely on ASLR, as in say "No we don't need to fix that app bug, they can't exploit it since we randomize addresses," I do like it as another layer of defense. Not a magic bullet, but just that much harder to get in.

      • Re:NX and ASLR (Score:5, Interesting)

        by ledow ( 319597 ) on Thursday March 26, 2009 @05:07AM (#27339731) Homepage

        Yes, layers of security are indeed the key. Any one layer isn't totally impenetrable but, like layering nets over nets over nets, if you have enough layers then eventually you end up with something that's damn-near watertight.

        People always laugh at me because they can't get on my wireless at home easily when they visit. This is because it has:

        - WPA2 with secure passphrase and MAC filtering (so this defeats 99% of my visitor's casual attempts to log on)
        - Onto a locked-down network with only one visible IP and on that IP, only one visible port (all clients have their own firewalls so that they regard the wireless as "untrusted" and don't transmit information over it) and that port is only open to known IP's. So even if they do get onto the network by sniffing / guessing /stealing the key (or WPA2 is cracked, etc.), there's nothing interesting to look at with nmap or sniff.
        - On that port, an instance of OpenVPN which is secured by its own key infrastructure with passphrases.
        - On that VPN, you have to set IP's, DNS and proxy correctly (and manually, no DHCP!) or nothing goes out.

        Yet, on the "authentic" client side, all you have to do is copy some keys from a USB key and run one little tiny script and everything just runs... I even play Counterstrike over the wireless/VPN and don't even notice any extra latency. But when WPA2 is cracked, or OpenVPN has a bug discovered in it, or MAC filtering is rendered useless (already is, I know), or they guess my internal network numbering etc. then I have still bought myself an incredible amount of time and security to fix the problem before anybody can get onto the network - and anyone trying will be tripping over so many wires that I will notice them trying and just switch it off until I'm sure it's secure. And, from the outside, it just looks like an ordinary wireless connection. You could go overboard - I could run SSH over the VPN, I could hide the wireless broadcasts, I even have a port-knocking setup that I can use to authenticate the opening of ports, without affecting my use of the system.

        Security is a question of probability... it's not that your security guard couldn't be overcome, or the safe cracked, or the cameras disabled, or the alarm cut, but that the chances of that ALL happening without anyone noticing are incredibly slim.

        • People always laugh at me because they can't get on my wireless at home easily when they visit... defeats 99% of my visitor's casual attempts to log on

          *shrug* My visitors always say "cool, thanks!" when they log on my wireless dead easily. But, hey, personally my visitors are my friends and if they want to check their email in my flat I'm happy to help.

          What exactly is on your wireless which requires/justifies such heavy security?

          • Re: (Score:2, Funny)

            by Anonymous Coward

            What exactly requires/justifies such heavy security?

            Boredom.

          • by ledow ( 319597 )

            An internet connection tied to my name and address?

            I work in schools - I can't afford for some little plonker down the road to hack into it and then decide to use it to browse websites which may or may not be illegal and traceable to me (I'm thinking of one particular kind of website, the kind banned in most of the world and which Australia recently tried to block with a blacklist, but I'm currently behind a heavy filter on some of the keywords associated with that particular topic).

            Internet access is conve

          • Nothing - he's just a Linux nerd who thinks he's important.

        • by yo_tuco ( 795102 )

          You could add one more layer of security. With your access point running OpenBSD's pf, it could have rules that require you to authenticate via a SSH login to a restricted account before it would let you send anything out of the other end of the access point.

    • The NX bit should have always been there, and the fact that it wasn't is incomprehensibly stupid.
      • Both NX flag and ASLR are present Leopard. For a number of compatibility reasons they are not implemented as extensively as they are on other systems, but it's disingenuous to say Mac OS X doesn't have them.

        If you go look at Jordan Hubbard's From the Server Room to Your Pocket presentation:
        http://www.usenix.org/event/lisa08/tech/hubbard_talk.pdf [usenix.org]
        or listen to it:
        http://www.usenix.org/media/events/lisa08/tech/mp3/hubbard.mp3 [usenix.org]

        you'd realize that Charlie Miller is milking his 15 min of fame for all the
      • Re: (Score:3, Insightful)

        by Simetrical ( 1047518 )

        The NX bit should have always been there, and the fact that it wasn't is incomprehensibly stupid.

        x86 was originally designed with a segmented memory model. You'd have one segment for code, one for data, one for stack. It was (and is) indeed possible to set data and stack segments non-executable. Actually, I believe this is achieved by the simple expedient of all jump instructions automatically using the CS (code segment) register, with no option to use any others -- thus you can't jump to or call the data or stack segments unless they overlap with the code segment.

        The problem is, in practice peopl

    • Re:NX and ASLR (Score:4, Interesting)

      by VGPowerlord ( 621254 ) on Wednesday March 25, 2009 @09:35PM (#27337949)

      I agree. One time when I was cleaning malware off of a neighbors computer (wasn't my idea, I got volunteered by someone else in my household), the NX bit kept one of those annoying fake antivirus ones from reinstalling itself when I had Procmon kill its process. At least I think it was Procmon.

      Anyway, Windows came up with a nice dialog box telling me that execution was blocked, and it didn't appear to be running after a reboot.

  • at then you will not be at anyone's mercy ...of course you may not be able to do much then..

    I'm Just saying'

  • 'Users are at the mercy of the products they buy.' So clearly he is a big supporter of FOSS? Then you are at no ones mercy.
    • Or at everyone's mercy ;)

      Things like OpenBSD are the best for security not only because they are designed specifically with it in mind, but because the people working on it are of a limited, genuine species. With that said, it is probably better to be at 'everyone's mercy' than to be at the mercy of corporations who only want your money. It doesn't matter that the people inside them may want your admiration and recognition. It matters very little, at least. The corporations are who you deal with in the end.

  • by clarkkent09 ( 1104833 ) on Wednesday March 25, 2009 @07:09PM (#27336949)
    Why can't you sue a software company if you suffer a loss due to poor security in their product?
    • Re: (Score:3, Insightful)

      Because you would end up being able to sue almost everyone... ask the same type of question about a car and you will get the same answer "Why can't I sue a car manufacturer for a shitty design?" ... "Because you would end up being able to sue almost anyone"
      • Re: (Score:2, Interesting)

        by Yarhj ( 1305397 )

        Because you would end up being able to sue almost everyone... ask the same type of question about a car and you will get the same answer

        Actually, you CAN sue a car company if their poor design causes you harm - think of the Ford Pinto or any number of automotive recalls.

    • Re: (Score:3, Funny)

      by Aphoxema ( 1088507 )

      Because the EULA says so.

      *dodges rotten tomatoes*

    • EULA (Score:1, Informative)

      by Anonymous Coward

      EULA, ever read it?

      "[SomeStupidSoftwareCompany] is not responsible for any damages caused by the use/misuse of this software."

      From Mozilla's EULA:

      4. DISCLAIMER OF WARRANTY. THE PRODUCT IS PROVIDED "AS IS" WITH ALL FAULTS. TO THE EXTENT PERMITTED BY LAW, MOZILLA AND MOZILLA'S DISTRIBUTORS, LICENSORS HEREBY DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES THAT THE PRODUCT IS FREE OF DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE AND NON-INFRINGING. YOU BEAR ENTIRE RISK AS TO SELECTING THE PRODUCT FOR YOUR PURPOSES AND AS TO THE QUALITY AND PERFORMANCE OF THE PRODUCT. THIS LIMITATION WILL APPLY NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES, SO THIS DISCLAIMER MAY NOT APPLY TO YOU.

      5. LIMITATION OF LIABILITY. EXCEPT AS REQUIRED BY LAW, MOZILLA AND ITS DISTRIBUTORS, DIRECTORS, LICENSORS, CONTRIBUTORS AND AGENTS (COLLECTIVELY, THE "MOZILLA GROUP") WILL NOT BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES ARISING OUT OF OR IN ANY WAY RELATING TO THIS AGREEMENT OR THE USE OF OR INABILITY TO USE THE PRODUCT, INCLUDING WITHOUT LIMITATION DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, LOST PROFITS, LOSS OF DATA, AND COMPUTER FAILURE OR MALFUNCTION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND REGARDLESS OF THE THEORY (CONTRACT, TORT OR OTHERWISE) UPON WHICH SUCH CLAIM IS BASED. THE MOZILLA GROUP'S COLLECTIVE LIABILITY UNDER THIS AGREEMENT WILL NOT EXCEED THE GREATER OF $500 (FIVE HUNDRED DOLLARS) AND THE FEES PAID BY YOU UNDER THIS LICENSE (IF ANY). SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL, CONSEQUENTIAL OR SPECIAL DAMAGES, SO THIS EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU.

      So maybe you can get $500 from Mozilla of something goes wrong?

      • by Pope ( 17780 )

        You know what? Fuck Mozilla in the ear for putting that shit in all capital letters. There is no reason to do so, unless you actively want people to not read and understand it.

        • Re: (Score:3, Interesting)

          by ChatHuant ( 801522 )

          You know what? Fuck Mozilla in the ear for putting that shit in all capital letters. There is no reason to do so, unless you actively want people to not read and understand it.

          Actually it's a legal requirement: under the Uniform Commercial Code, some items in a contract/license, like warranties or disclaimers, must be conspicuous [cornell.edu]. CAPITALS MAKE THEM SO.

    • by supernova_hq ( 1014429 ) on Wednesday March 25, 2009 @07:29PM (#27337095)

      The same reason you can't sue an alarm company when someone breaks into your house.

      If your data is

      • Important: back it up
      • Sensitive: encrypt it
      • Not yours to lose: get insurance (good for companies)
    • by maxume ( 22995 )

      Are you really sure you (always) want to pay for high quality software?

    • by MrMista_B ( 891430 ) on Wednesday March 25, 2009 @07:55PM (#27337297)

      I illustrate the ridiculousness of your question, I'll rephrase it "Why can't you sue the construction company that built your house if someone vandalizes oor you suffer a loss due to break and enter?"

    • Re: (Score:1, Troll)

      Why can't you sue a software company if you suffer a loss due to poor security in their product?

      *Can't...stop...myself...must...don...tinfoil...hat*

      It's because the leadership of the USA realised years ago that if such laws were passed the subsequent class-action lawsuits might bankrupt Microsoft.... they just couldn't go and do that to one of the nation's biggest tech companies, now could they?

    • Re: (Score:3, Insightful)

      Because you're not buying the software you have none of the explicit protections of a normal sale. You're licensing it. And read the license: "We don't guarantee this even does anything. It could wipe your hard drive for all you know. WE PROMISE NOTHING"
    • Re: (Score:3, Insightful)

      Why can't you sue a software company if you suffer a loss due to poor security in their product?

      You can. You are just highly unlikely to win.

    • by phantomfive ( 622387 ) on Wednesday March 25, 2009 @08:36PM (#27337609) Journal
      Basically because
      • No one claimed that their software is 100% secure
      • Making secure software is really hard
      • If you do want software that approaches optimal security, it is going to be expensive, not as expensive as making sure it has no bugs, but similar
      • There would be no software companies left, and we try to avoid making laws that wipe out an entire industry.

      When someone I'm working with writes a bug or leaves a security hole, I tease them, but the truth is I still have not found a way to write bug-free code myself. You can't really sue someone for not doing something that is impossible.

      OK, I admit some companies could do a significantly better job of making things secure. The article gives a couple examples of what Apple could have done to make their code more secure. But if it were possible to sue someone for that, I would be quite worried personally, as a programmer, I don't trust a jury to determine what is a reasonable vulnerability and what is not, so from my point of view it is better to not make insecure software illegal. And in most non-internet code, security isn't really an issue.

      • Not only that (Score:3, Interesting)

        by Sycraft-fu ( 314770 )

        But if you want something with guaranteed security or uptime or the like, you aren't going to be allowed to mess with it. That means whatever software/features it comes with, you are stuck with. No installing 3rd party tools and such. The design needs to be verified, which means testing all the components against each other and making sure there are no unexpected problems.

        So not only would your computer be more expensive, and use older technology (since it'd take longer to develop and test) but it'd be an a

  • pwnd & ownD (Score:5, Insightful)

    by binarybum ( 468664 ) on Wednesday March 25, 2009 @07:22PM (#27337045) Homepage

    Tom's Hardware
    [NEXT PAGE>
      PWNs & OwnZ U
    [NEXT PAGE>
      If you read
    [NEXT PAGE>
      their articles
    [To continue reading this comment, click here [brokenlink.com] ]

  • by iminplaya ( 723125 ) on Wednesday March 25, 2009 @07:29PM (#27337093) Journal

    since last year.

    A quote from another interview:

    "Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away."

    Who know what other goodies they have in store. But the browsers and the phones were hardly touched. The contestants are holding out for something better.

    • You got to compare [$10k prize money] Vs [Value of exploit].

      It's probably very easy to work out.
      • Re: (Score:3, Informative)

        yeah it's a little sad that these guys are hoarding this info for so long just to win a stupid contest. And he only had to use one of these exploits. What else is he's hoarding for next year? Just saying that that might be of interest to someone with time to get his macbook ya know ;p he does carry around to many countries.
        • by vux984 ( 928602 )

          Just saying that that might be of interest to someone with time to get his macbook ya know ;p he does carry around to many countries.

          Just tip off the TSA. They'll confiscate it in a heartbeat.

          Then its just a matter of liberating it from the TSA and getting it into the hands of someone who'll know how to read the information on it.

          Baby steps...

        • Re: (Score:3, Interesting)

          by maxume ( 22995 )

          The software companies could offer worthwhile bounties. Short of that, I can't fault the prizewinners much.

          • Re: (Score:3, Interesting)

            by Seraphim_72 ( 622457 )
            Really?

            Try this then - I have the cure for Cancer (all of it), but I will only take the bounty for each one. How much will you give me for breast cancer? Oh and BTW I set my own price.

            This guy is the Pharma of computers.
            • Try this then - I have the cure for Cancer (all of it), but I will only take the bounty for each one. How much will you give me for breast cancer? Oh and BTW I set my own price.

              Go ahead. No one is obliged to share their knowledge with other people for free if they spent a significant amount of resources obtaining it. Researchers need to eat just like anyone else; they need adequate compensation for their time, one way or another. If they don't get enough money to suit them, they're mostly just not going to be able to do the research: they'll have to find some other line of work that actually pays.

        • yeah it's a little sad that these guys are hoarding this info for so long just to win a stupid contest. And he only had to use one of these exploits. What else is he's hoarding for next year?

          Which is why software vendors should have standing bounties for useful exploits or, at very least, make a point of hiring these people to do pen testing on their software.

        • It's not like if he spills it all then the platform will be secure.. there are a million vulnerabilities and he's not doing anything wrong by keeping a few up his sleeve.
    • by zonker ( 1158 ) on Thursday March 26, 2009 @02:06AM (#27338985) Homepage Journal

      I've been in a lengthy argument about this guy on the Ars Technica forums. I ended up emailing Bruce Schneier [schneier.com] about this and asked his thoughts.

      Here was my email to him:

      Hi Bruce,

      I've been following the Pwn2Own contest for the last couple of years.
      Last year a researcher from ISE ( http://securityevaluators.com/ [securityevaluators.com] )
      named Charlie Miller used an exploit in a Perl library included in
      WebKit, the base code for Apple's Safari browser and won a cash price
      for his effort. In the press it was claimed he "hacked Safari in mere
      seconds". In truth it took a lot more time than that to devise the
      exploit and only seconds to execute it.

      This year he did it again with another preplanned exploit which he
      says he discovered while researching last years bug. Again he won a
      cash prize of $10,000.

      In an interview with ZDNet he said: "I never give up free bugs. I have
      a new campaign. It's called NO MORE FREE BUGS. Vulnerabilities have a
      market value so it makes no sense to work hard to find a bug, write an
      exploit and then give it away," Miller told ZDNet. "Apple pays people
      to do the same job so we know there's value to this work."

      I have a major problem with his philosophy and feel this is a
      dangerous precedent to set and a bastardization of the goals of
      security in the fist place. I feel he has an obligation to inform
      Apple and not dangle a dollar amount for the how-to.

      Sure he should be paid for his time and effort which is why he works
      at a security firm. This contest is basically bonus money and about
      bragging rights. Sitting on a bug puts the safety of other users at
      risk. But he is basically demanding bribe money for bugs. Who is to
      say he wouldn't give up his research to the highest bidder? I'm sure
      there are blackhat groups like those in Russia and China that would
      pay handsomely for some juicy exploits like this.

      Yes there is a long history of security firms hiring hackers and there
      have been many questions of whether that is a good idea. But security
      firms should take notice of this philosophy and not employee those who
      engage in this kind of behavior. It's bad form for his employer and
      makes the security industry as a whole look bad by proxy. Would you
      hire a security company that employees hackers who blackmail for bugs
      to work on your systems? If we hired his firm while I was working IT
      at a large New York bank I would advised my boss to make sure he's not
      on our project (and perhaps hire an entirely different firm altogether).

      I've been in a discussion with other users about this. There seems to
      be a split in viewpoint, one side saying he should let Apple and the
      WebKit developers know about this exploit for the betterment of
      everyone (for free). The other side feels this is purely about
      capitalism and he has no moral or ethical obligation to tell anyone.

      Some have likened it to seeing a crack in a bridge that might fail.
      Are you obligated to inform someone of the problem? What if Dan
      Kaminsky demanded $1 million to divulge details on the DNS BIND problem?

      What are your feelings on this?

      Thanks

      Here's the discussion I've been following:

      http://episteme.arstechnica.com/eve/forums/a/tpc/f/174096756/m/996001677931?r=869003677931#869003677931 [arstechnica.com]

      http://dvlabs.tippingpoint.com/blog/2009/03/21/pwn2own-wrap-up [tippingpoint.com]

      Bruce wrote me back today with his response:

      There's a fine line between being paid for your efforts and extortion. This seems to cross it.

      • There's a fine line between being paid for your efforts and extortion. This seems to cross it.

        It's only extortion if he threatens to use the bug for personal profit, or release the bug to a third party that intends to do the same (unless they pay).

        It's not extortion if he simply keeps it to himself.

    • What is the white-hat way to legitimately sell (sensitive) vulnerabilities? I recently found one affecting a large bank and gave that away. Other ones I post on my blog at privacylog.blogspot but I expect to find more and could somehow benefit from this.

  • by vux984 ( 928602 ) on Wednesday March 25, 2009 @08:24PM (#27337523)

    Between Mac and PC, I'd say that Macs are less secure for the reasons we've discussed here (lack of anti-exploitation technologies) but are more safe because there simply isn't much malware out there.

    That pretty much been my take on the situation as well. Vista SP1 really is one of the most secure OSes I've used.

    They glossed over Linux on this question, but I suspect Vista SP1 is probably more secure than linux too 'out of the box'... but again less safe in actual practice. Again simply due to the sheer relative volume of malware and the relative high value of windows exploits to linux ones.

    (Although Linux at least does have 'SE Linux', AppArmor, Exec Shield, support for ASLR, etc, etc so its more a case that its just not on by default yet. (Ironically a complaint usually levelled at Windows).

    And while improvements are added with each kernel release, too Linux admins refuse to install them because would reset their belowed uptime scores which they feel the need to post to /. on a regular basis...

    I kid... I kid...

    • It seems that ASLR of some form or another has been enabled by default in Linux since 2.6.12. [0] Also, IUC compiling code with gcc's -PIE flag helps.

      I have a PaX + grsecurity enabled server at home. It'd be *really* nice if the gdb folks could make debugging a possibility under that configuration. Not having stack traces or being able to set breakpoints [1] is a bitch! :)

      [0] http://www.nabble.com/Edgy-and-Proactive-Security-td4695373.html [nabble.com]
      [1] Not being able to set breakpoints is probably something that I ca

    • I suspect Vista SP1 is probably more secure than linux too 'out of the box'... but again less safe in actual practice. Again simply due to the sheer relative volume of malware and the relative high value of windows exploits to linux ones.

      Suppose I created the mythical 100% secure OS. It would have 0 (working) exploits and no malware. $OTHER_OS (windows, linux, os x, pick your poison) would have more than 0 exploits.

      Is my OS secure because it has fewer exploits, or is the other way around: the OS has fewer exploits because it's more secure?

      Isn't security by definition the degree to which the OS in question can't be exploited?

      • by vux984 ( 928602 )

        Is my OS secure because it has fewer exploits, or is it the other way around: the OS has fewer exploits because it's more secure?

        The point the pwnd2own winner made was the 2 aren't really all that related.
        All systems have exploits, that's why your OS is mythical.

        Isn't security by definition the degree to which the OS in question can't be exploited?

        Sure. To a point. But how can we know the relative degree to which the OS in question can't be exploited when 9/10ths of the effort is focused on finding exploits

    • If we're comparing default installs, then vista sp1 is a lot less secure than ubuntu. The default login on vista is an administrator and UAC offers very little protection. There are multiple, trivial, unfixable ways to get around it due to Window's legacy. As MS themselves say, UAC is NOT a security barrier.

      Ubuntu on the other hand has an unprivileged default user who has to sudo to do anything, with a proper security barrier between the two states. It's also had ASLR, stack protection, heap protection

      • by vux984 ( 928602 )

        The default login on vista is an administrator...

        The 'administrators' group in Vista is a lot more like being on the sudoers list than being root.

    • Although Linux at least does have 'SE Linux', AppArmor, Exec Shield, support for ASLR, etc, etc so its more a case that its just not on by default yet. (Ironically a complaint usually levelled at Windows).

      Please vote to stop this nonsense. [ubuntu.com]

    • (Although Linux at least does have 'SE Linux', AppArmor, Exec Shield, support for ASLR, etc, etc so its more a case that its just not on by default yet.

      In which distros? RHEL and Fedora ship SELinux by default, and Ubuntu uses AppArmor. The enterprise distros, in particular, tend to have fairly good security AFAIK. I'd be interested to know how such distros compare with Windows in security.

  • by mindstormpt ( 728974 ) on Wednesday March 25, 2009 @08:36PM (#27337603)

    I've spent a lot of my research time on Macs because I like them and they also happen to be pretty easy to break!

    Every time you quote this, somewhere in the world a mac zealot's head explodes. I just did my part :P

    • Surely he meant that the mac is easy to break if you DROP it or knock it off your desk. That's what went through my head. That has to be it... Whew... Getting warm in here... ahhhh... pressure... aghhhh! (pfffft!) [youtube.com]

    • by Concerned Onlooker ( 473481 ) on Thursday March 26, 2009 @01:03AM (#27338731) Homepage Journal

      I'm beginning to think this "Mac zealot" business is a figment of overly sensitive Windows users imaginations. I work at a place where around 40-50% of the employees choose to use a Mac. The only derisive comments I EVER hear are little snipes aimed at Macs by the Windows crowd. "The page isn't loading? Is it because you're using a Mac?" "You just can't get any work done on a Mac." And yet the Windows crowd loves to complain about Microsoft. I think Microsoft owes their success to the Stockholm syndrome.

      • Then you clearly don't have any Mac Zealots where you work.

        Yes, I personally know Mac Zealots. I took constant belittlement for nearly two years because I don't run MacOS. Every time you fired back with the slightest criticism of Apple's many many problems and flaws, he'd turn the color of a tomato and storm out of the room. He literally alienated himself from his friends after he bought an iMac. Sad.

        And that was only one of them. Oh yes, they exist. On the Internet and in real life.

        Apple, over the years, h

      • I'm beginning to think this "Mac zealot" business is a figment of overly sensitive Windows users imaginations.

        You've never complained about a Mac and been modded into oblivion, have you?

  • ASLR? (Score:5, Funny)

    by tux0r ( 604835 ) <magicfingers+sla ... m ['l.c' in gap]> on Wednesday March 25, 2009 @09:13PM (#27337831) Homepage
    ... 24/M/Australia/Jedi?
  • All throughout the article, the back doors for malware are buffer overflows.

    Isn't it time to write our software in something that does not allow buffer overflows? something better than C/C++, that is. The cost of securing apps written in these languages is tremendous...

"You'll pay to know what you really think." -- J.R. "Bob" Dobbs

Working...