Interview with PWN2OWN hacker Charlie Miller

If you haven't been keeping up with the CanSecWest Conference PWN2OWN contest, know that it was anti-climatic. On the first day, IE8, FireFox, and Safari were compromised.

http://blogs.zdnet.com/security/?p=2941

The Interview is with Charlie Miller. He also was a first place winner in last year's contest, hacking into a Mac on the second day.

The gist of the interview pretty much tells us what we already know. The browser is probably the most vulnerable part of your system. He also slams OSX for being too easy to exploit, which is no surprise. That's old news. He gives high marks to Firefox and especially Chrome in terms of security.

 

Yup, Chrome was the only browser that couldn't get exploited. Let's see if Day 2, if Chrome can still hold up.

 

just goes to show that those mac fanboys who claim "osx is the best, it has the best security" are wrong. the only reason that they arent getting hacked into is because most ppl dont use macs. the majority use windows, which make haxx0rs more likely to hit windows with a larger population.

 

Kudos for those hackers (who sometimes only received a 'meager' $5000 and a Vaio, while such bugs are worth much more on the dark side).

Hooray for SandboxIE and Geswall, by the way.

 

I think this competition is garbage. While Miller may have some valid criticisms about Mac OS X's lack of security features, the competition itself is extremely pointless given that the participants already come to the table with the bugs and exploits in hand. What does the competition aim to show if the speed with which the hackers compromise a machine really depends on how quickly they can run the exploit, rather than how quickly they can find the exploit?

The competition loses it's purpose when it becomes comparable to an exam where the questions are given to students before the exam! It doesn't shed any light on how knowledgable/adept the students are; it just illustrates how quickly they can fill in the answers (ie, run the exploit).

It's not that it couldn't get exploited, it's just that the competitors knew that Chrome was more difficult to hack in light of the same reward as cracking the other browsers: all the exploits earned them $5000. So it was really a matter of laziness. All of those browsers and operating systems are hackable, it's just that the difficulty varies.

 

Web browsers are insecure, who'd'a thunk it?

 

lol @ apple

 

I think the competition shed a much needed spotlight on computer security. How many of your fellow computer users do you know have infected their computer through a link in their browser. Pretty much everyone I know that has had a virus/malware got it through their browser. I guarantee you any computer technician will make the same observation. This competition not only serves to help vendors harden their product, but also serves to educate the public.

I hardly think the format of the competition serves to negate the skills of the participants.

For one, all machines are fully patched. Thus, any current bugs and exploits are likely blocked, unless the vendor is draggin their feet. Thus the participant has to find their own bug and then write their own exploit, or in other words use a zero day attack.

Two, the key to any attack is preparation, not speed of execution. Hardly any attacks are researched and written in one sitting, ala Hollywood. Rather, these attacks are planned for weeks on to months.

Three, considering all the attacks have been the zero day version, the competition DOES display the skills of the participants. Ask any programmer how long does it take to find a big and write a zero day and they will give you an answer the equivalent of "it takes a very long time."

 

They are Great people. even though from their physical appearance you can tell that they are exceptionally genius and gifted. The one on the left side reminds me of an employee that I worked with. They speaks many things
that you can't understand and fast...(At first)

If you can just move/explore their talents on others things. that would be great.

I wonder why nobody tried that before? or just I don't know.

maybe they can answer the solutions on todays crisis

It's time to move on IE and Firefox... Sandbox and Virtualization is the next thing to do... I think.

 

LOL....some so-called 'open-book' exams like in Law are very very difficult and a very small percentage of examinees pass...!