Hacker Embarrasses Microsoft, Apple and Adobe



The Tony Show
03-25-10, 05:50 PM
Every year at the CanSecWest Security Conference for software developers, they have a contest called "Pwn2Own", where they invite computer security experts and hackers to try and find security holes in fully patched Macs, PCs, and more recently iPhones and Laptops. They give away a $10,000 prize and free hardware to anyone who can crack their systems.

The same guy, Charlie Miller, has won the last three years, embarrassing companies like Apple by breaking into their supposedly secure programs in a matter of minutes or even seconds. He was the first person to hack both the iPhone 3GS and the new Mac OS using a technique called "fuzzing" (the article explains it). Normally he tells them how he did it and leaves with his prize, but this year was different:

He refused to tell them where the holes were, but instead told them how he found them, and that they need to learn how to do it themselves.


"People will criticize me and say I'm a bad guy for not handing over [the vulnerabilities], but it actually makes more sense to me to not tell them," Miller said. "What I can do is tell them how to find these bugs, and do what I did. That might get them to do more fuzzing." That, Miller maintained, would mean more secure software.

What really disappointed Miller was how easy it was to find these bugs. "Maybe some will say I'm bragging about finding the bugs, that I can kick ass, but I wasn't that smart. I did the trivial work and I still found bugs."

He went into the project figuring that he wouldn't find any vulnerabilities with the dumb fuzzer. "But I found bugs, lots of bugs. That was both surprising and disappointing." And it also made him ask why vendors like Microsoft, Apple and Adobe, which have teams of security engineers and scores of machines running fuzzers looking for flaws, hadn't found these bugs long ago.

One researcher with three computers shouldn't be able to beat the efforts of entire teams, Miller argued. "It doesn't mean that they don't do [fuzzing], but that they don't do it very well."

This guy is awesome. (http://www.computerworld.com/s/article/9174120/Pwn2Own_winner_tells_Apple_Microsoft_to_find_their_own_bugs?taxonomyId=17)

Florian
03-25-10, 06:21 PM
wow....that guy is full of win.


F

V-Eight
03-25-10, 07:50 PM
It's true though, if you just give someone the answer they never learn.