Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Vulnerabilities that have some value in relation to exploitation in the wild are purchased by the Zero Day Initiative which hosts the pwn2own contest.

ZDI further researches the vulnerabilities for products (http://h17007.www1.hp.com/us/en/products/network-security/index.aspx) and services that they sell then reports the vulns to the vendors for patching.

I guess researchers want to cut out the middle man and sell the vulns to the vendors directly.

Yeah, third parties such as ZDI and other above board institutions and organizations weren't the kind of third party to which I was referring when I was rebutting the asinine and completely ignorant extortion charges.

"Supposedly, the hacker going after Android had a working exploit but thought that it did not qualify for the rules of pwn2own so reported the vuln to Google and the vuln was subsequently patched. Seems kind of bogus given that Android devices using non-default UI, such as the Sense UI, are still running older versions of Android."

Ok so no one attacks Chrome, no one attacks Android, a guy suddenly thought that he does not qualify for the rules and gives everything to Google, what a hell?

Have you bothered looking up what actually happened or do you prefer to imply conspiracy and malfeasance because you don't like the results.

http://www.computerworld.com/s/article/9213763/Researcher_blows_15K_by_reporting_bug_to_Google

This was pretty widespread news yesterday.


"Researchers Exploit Safari Security Hole in Five Seconds at PWN2OWN"

You basically know that this statement is totally wrong and that you hope (and actually succeeded) to attract a flame war in your forum for the sake of increasing the number of page hits on your site.

Yes, the headline is sensationalistic but it is not inaccurate. It delivers the single most relevant point to the end user. The exploit takes five seconds to work. The time in developing the exploited is irrelevant to the exploitee. I don't understand why this is so difficult for people to understand.

Does it matter if it took years for a car thief to develop the skills that let him break in to a car in fifteen seconds? What about the burglar? Bank robber? Does it matter how long it took for someone to develop a rifle?

The time to develop any executable skill doesn't matter at the point of execution. Why do you people keep coming back to the "well, it took weeks." Of course it took weeks. What do you think this is, a movie?

Again it took three men (PAID to do that, this is very important to remember that) and two weeks to implement an exploit.

Chrome was not attacked, no one is showing up. But I really don't think that it is because no one can take it down. The exploit of IE 8 shows that it is possible to escape from the sandbox, there is always someone who can because they are PAID to find flaws in software. I just think that some money is flying around so that no one is actually showing for Chrome.

This is pathetic. Do you have ANY proof to back up your supposition for your conspiracy theory about Chrome? Any whatsoever? One shred? One iota? Anything?

And people give Microsoft a hard time for spreading FUD.

And Charlie Miller did it three years in a row basically working in his spare time so what's your point with this PAID nonsense?
 
In other news...

Apple's iPhone 4 and RIM's BlackBerry Torch 9800 both succumbed to hackers today at Pwn2Own, but two other smartphones running Android and Windows Phone 7 were unchallenged, the contest's sponsor said.

Link
 
I just think that some money is flying around so that no one is actually showing for Chrome.

Wait, you're saying Google paid people to stay away? :D

Here's an idea: Instead of various (utterly unsubstantiated) conspiracy theories about corruption of the competition it could be that people tested the patch on Chrome before actually trying it out on stage, so to speak. If it stops working after an update there really is no point showing up.

BTW:

"Historically, the competition has required competitors to use the newest version of the browser and operating system. Perhaps aware of this, Apple released Safari 5.0.4 a day ahead of the competition, patching some 60 security holes in the browser. However, this year the rules have been altered: the configuration was frozen a week ago, hence the competition being run against Safari 5.0.3. Under the new rules, pwning (and hence owning) only needs to succeed on the frozen version. However, to receive prize money (in addition to the hardware), the flaw must also exist in the newest release.

In VUPEN's case, the team will be winning both the hardware and the money. In spite of Apple's last-minute patch, their attack still works."

Source: http://arstechnica.com/security/news/2011/03/pwn2own-day-one-safari-ie8-fall-chrome-unchallenged.ars
 
Yes the point is Macs can easily be hacked. However you misses his point. The exploit itself took five seconds, but all the preparations and knowledge behind it took more than five seconds. At minimum it took them 1-2 days of nonstop work.

Also, it took a malicious website to crack in. In other words, be a safe user and don't visit dodgy websites. This is true across ALL platforms. Impending Linux distros.

An exploit could be attached to any site through an ad. Avoiding "dodgy" sites is absolutely wrong.
 
The only thing I don't like about the situation with Android in pwn2own is that Android phones from many carriers are not running the latest version of Android.

Many are still running Android 2.1 which means that a lot of devices have known vulnerabilities that have already been patched in the newest version of Android, which is being tested at pwn2own.

Phones using older releases of Android is due to carriers deciding to use a non-default UI that the carriers have to maintain on their own. When new versions of Android are released the carriers have to test their UI functionality with the new Android release before updating the phones. So, many Android phones are not using the newest "fully patched" Android OS.

The fact that many Android phones in the wild are not fully patched means that researcher's exploit is still a live 0day for some devices. I think that exploit should still be eligible for winning at pwn2own despite being patched by google given that not all Android phones are fully patched.
 
You don't know very much about computers and this post makes that obvious.

The only thing obvious to me is that your post demonstrates your ability to deliver an emotional argument for Apple and little else.

First, the reason Mac OS goes down first is because its always tested first. People at pwn2own get to keep the machine they crack so of course they want the mac.

What do you "know" here? I see pure arrogance from a clearly fanatical Mac user thinking that an arbitrary assignment on which platform is put to the test first means someone only wants to own the Mac computer. Yes, that's very logical and you obviously know a LOT about computers to come to that conclusion and put someone else down for theirs. :D

Frankly, Macs are typically the least valuable per dollar actually spent on the performance you're getting. Give me a choice between a $3000 Mac or a $3000 PC and I'll take the PC. It's got a lot more powerful equipment in it. With Apple, you're paying for the brand, not the computer and since they refuse to let anyone else install their OS, you either put up with it or go Hackintosh if you want their OS.

Second, security through obscurity is a myth. It has to do with Mac OS being built on unix.

Yes, we all know that Unix isn't "obscure" at all as a consumer desktop operating system relative to the rest of the world (Windows). :D

I'm not even going to bother digging up the countless links that prove this (anyone who is a computer science major like myself can tell you).

So because your college uses a Unix (or Unix-like) operating system that means what? It's invulnerable? Did you even read the headline of this thread or did you just jump in head first to defend the company you love? A major in computer science is utterly irrelevant to this discussion unless you're implying that's how you learned your hacking skills to compete in this contest. Or is this a peeing contest? I've already got two degrees if you want to go in that direction.


I agree, but it still doesn't concern me.

It concerns me, but you, however do not concern me. I couldn't care less if your computer gets wiped or your identity is stolen. Go ahead. Relax. BTW, what did you say your IP address was again? :D

"Miller and some other researchers have, however, scaled back their reporting of security flaws to Apple in the face of its refusal to match other companies' offerings of cash rewards for finding such holes."

Seriously?!
That's not "security research", that's plain old fashion extortion straight up. Apple shouldn't pay off these jerks. It's time to file a class action lawsuit against these "security researchers" on behalf of all users.

So people should work for free? Hey, I need my fence painted and my garage door sanded, re-stained and clear-coated. Why don't you come over and take care of it? Don't try to extort any money from me! :rolleyes:

A lot of people do research in this world. That doesn't mean they aren't paid for it, whether by a company or as part of their job at a University with grants, etc.

"Researchers Exploit Safari Security Hole in Five Seconds at PWN2OWN"

You basically know that this statement is totally wrong and that you hope (and actually succeeded) to attract a flame war in your forum for the sake of increasing the number of page hits on your site.

I wonder if people understand the English language sometimes. The quote is quite accurate. They did in fact "exploit" the security hole in 5 seconds at PWN2OWN. The headline says NOTHING about how long it took to create the exploit. It's a verb for goodness sake. The exploit took 5 seconds to take down Safari and this happened at the PWN2OWN event. No web site should be responsible for a person's inability to read what is written.
 
Exactly. While it's good to know that people checking these kind of things, and sending the bugs to the developers, you can't put much stock in the actual contest, simply because they get to win the machine they hack. Who wouldn't pick the Mac first?
I am an Apple noob (2017) and have been using Windows all my life. I found a Macbook Air lying in the house. I read tips on how to get past userid. Stumbled into Safari within 2 mins.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.