You are currently browsing the Alan Spicer Marine Telecom Blog weblog archives for the day 2. April 2010.
Archive for 2. April 2010
Pwn2Own Champ Tells Apple, Microsoft to Bug Off
2. April 2010 by admin.
http://www.pcworld.com/article/192439/pwn2own_champ_tells_apple_microsoft_to_bug_off.html
Pwn2Own hacking contest winner won’t hand over 20 flaws he found by fuzzing Mac OS, Microsoft Office and Adobe Reader.
Gregg Keizer
Mar 25, 2010 4:16 pm
The only researcher to “three-peat” at the Pwn2Own hacking contest said today that security is such a “broken record” that he won’t hand over 20 vulnerabilities he’s found in Apple’s, Adobe’s and Microsoft’s software.
Instead Charlie Miller will show the vendors how to find the bugs themselves.
Miller, who yesterday exploited Safari on a MacBook Pro notebook running Snow Leopard to win $10,000 in the hacking challenge, said he’s tired of the lack of progress in security. “We find a bug, they patch it,” said Miller. “We find another bug, they patch it. That doesn’t improve the security of the product. True, [the software] gets incrementally better, but they actually need to make big improvements. But I can’t make them do that.”
Using just a few lines of code, Miller crafted what he called a “dumb fuzzer,” a tool that automatically searches for flaws in software by inserting data to see where the program fails. Fuzzing is a common technique used not only by outside researchers, but by developers to spot bugs before they release the software. Microsoft, for example, has long touted, and used, fuzzing as part of its Security Development Lifecycle (SDL), the term for its in-house process of baking security into products as they’re created.
Miller’s fuzzer quickly uncovered 20 vulnerabilities across a range of applications as well as vulnerabilities in Apple’s Mac OS X 10.6, aka Snow Leopard, and its Safari browser. He also found the flaws in Microsoft’s PowerPoint presentation maker; in Adobe’s popular PDF viewer, Reader; and in OpenOffice.org, the open-source productivity suite.
Today, Miller was to take the floor at CanSecWest, the Vancouver, British Columbia-based security conference that also hosts Pwn2Own, to demonstrate how he found the vulnerabilities. He hoped Apple, Microsoft and other vendors would listen to what he has to say.
“People will criticize me and say I’m a bad guy for not handing over [the vulnerabilities], but it actually makes more sense to me to not tell them,” Miller said. “What I can do is tell them how to find these bugs, and do what I did. That might get them to do more fuzzing.” That, Miller maintained, would mean more secure software.
(more at the link above…)
Alan’s Note: There are many that will come out and say things about Apple or Microsoft being more vulnerable, Apple Fell First, Microsoft Falls Harder, blah … blah … blah … The real take out of this whole thing is that none of them are perfect. None of them are non-vulnerable. The real benefit over this thing is that each of them will learn from the security expert “hackers” and improve their products. I think that as long as there is software, there will be bugs, there will be exploits, and year after year these security expert “hackers” will keep coming out and winning contests showing that these computers (including portable smart phones) can be “owned” by an attacker … if given the appropriate opportunity.
Everyone should practice safe computing every day. I wouldn’t be in the habit of allowing anyone physical access to your computing devices, portable or stationary. Also, I wouldn’t be in the habit of clicking on links or going to web sites received via email or other forms of communication (e.g. text messaging, Twitter, Facebook, and social networking sites in general), because a huge part of hacking, of exploiting, is social engineering: tricking you into doing things that you SHOULD NOT do. As my friend in Orlando, Florida says:
“That’s how they get yah!”
—
Alan Spicer Telecom / Alan Spicer Marine Telecom
…Coming to a theater near you!
communications (at) marinetelecom.net
+1 954 683 3426
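The “dumb fuzzer” idea described in the article above, as an added example that is not Miller’s tool or code from the original post: a mutation fuzzer a developer can point at their own parser before release. The record format, both parsers and the sample input are constructed for illustration.

```python
import random

# Constructed sample record: magic byte, declared length, payload, two padding bytes.
SEED_INPUT = bytes([0x7F, 4]) + b"DATA" + b"\x00\x00"

class ParseError(ValueError):
    """Input rejected cleanly; the outcome we want for malformed data."""

def parse_unchecked(buf):
    # Toy parser with a deliberate defect: it trusts the declared length byte.
    if len(buf) < 2 or buf[0] != 0x7F:
        raise ParseError("bad header")
    checksum = 0
    for i in range(buf[1]):
        checksum ^= buf[2 + i]   # IndexError when the length exceeds the data present
    return checksum

def parse_checked(buf):
    # Same parser with the declared length validated against the buffer size.
    if len(buf) < 2 or buf[0] != 0x7F:
        raise ParseError("bad header")
    if buf[1] > len(buf) - 2:
        raise ParseError("declared length exceeds data")
    checksum = 0
    for i in range(buf[1]):
        checksum ^= buf[2 + i]
    return checksum

def mutate(data, rng):
    # "Dumb" mutation: overwrite one to three random bytes with random values.
    out = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        out[rng.randrange(len(out))] = rng.randrange(256)
    return bytes(out)

def fuzz(parser, iterations=2000, seed=1):
    # Returns the distinct inputs that failed with anything other than ParseError.
    rng = random.Random(seed)
    crashes = set()
    for _ in range(iterations):
        case = mutate(SEED_INPUT, rng)
        try:
            parser(case)
        except ParseError:
            pass                  # clean rejection, not a bug
        except Exception:
            crashes.add(case)     # unexpected failure: save the input for triage
    return sorted(crashes)
```

Running `fuzz(parse_unchecked)` returns the inputs that crash the unchecked parser, while `fuzz(parse_checked)` returns an empty list, which is the regression signal a developer wants after fixing the length check.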
Top 10 April Fools’ Day Fake News Items for 2010
2. April 2010 by admin.
Ian Paul
Apr 1, 2010 9:57 am
Artwork: Chip Taylor
It’s April Fools’ Day and tech firms and other online destinations are putting their best practical jokes forward.
Here is my top 10 list of April Fools’ jokes for April 1, 2010.
(more at the link above… including Google Animal Translator from Google UK, and the Topeka - Google Name Change spoof.)
—
Alan Spicer Marine Telecom
communications (at) marinetelecom.net
+1 954 683 3426