Home page logo
/

dailydave logo Dailydave mailing list archives

PWN to OWN (was Re: How Apple orchestrated web attack on researchers)
From: Dragos Ruiu <dr () kyx net>
Date: Tue, 20 Mar 2007 18:00:17 -0700


OK,  I'm still grumpy about not getting any decent OSX security 
presentations - not because the vulnerabilities aren't there but 
because of legal threats and Apple's general anti-disclosure stance
(I would call it brushing the dirt under the carpet but...:). I've been
trying to involve Apple folks in the security community for years
now with little success. Daniel's post reminded me of the EUSecWest
incident....

What's even worse is the latest ad campaign from Apple, which
smacks a little of the hubris of the Oracle "Unbreakable" 
fiasco - funny, but essentially trivializing security to the 
masses with that humor.

So, let's see how well a default OSX install really does in a room
full of security researchers. How long can a default OSX install
survive? How much Apple 0day is really floating out there 
undisclosed?

We've done contests with cool tech toys a lot at CanSecWest.
(Yes, there is a sword this year :) This year I'm goign to run
a practical experiment with one, and make a little political 
point.

At CanSecWest this year I'm going to run a contest called 
"PWN to OWN" - the prizes are two pimp new loaded Macbook Pro's.
They will be set up on their own AP, default install, conference 
attendees will be able to walk up to it and connect to the AP
ethernet or go in over WiFi. If you exploit it, you get to go home 
with it. I'll be taking bets on how long it takes. :)

There are more rules that will be posted on our site (the jist
of it is, limit one per person, can't use the same vuln for both,
the contest has progressive rules over the three days, there
are victory conditions like an ssh connection out of the machine
and contents of a file on the hard-drive), but it will be interesting 
to see exactly how long they last in the "jungle" as it were. If they 
last the three days, they become the prizes for best  lightning 
talk and best speaker as selected by the audience.

This promises to be much more fun than capturing "flags." :-)
And a quantitative experiment on the real security of OSX.

cheers,
--dr

(BTW Apple's recent attitudes really sadden me, because I used
to be a Apple-diehard-fanboy-otaku. I used to sticker the Wintendo 
PCs I was forced to use with seven color stickers, and my first copy 
of Inside Macintosh, from the summer of 1984, came from Apple
photocopied in a three ring binder because it wasn't a book yet.
For the record, I am mostly agnostic, I think _all_ our OSes suck
in various ways - but after soliciting OSX talks specifically and
seeing them get shut down, and watching MoAB be trivialized
and spin-controlled, that's why I'm picking on Apple here. It's
for their own good - and all our betterment if they get the point.)

On March 20, 2007 07:38:10 am Daniel wrote:
Firstly I'm not a mac head, i use a tool call Apple. It has it's
problems just like my Mamiya camera and my toilet. Lets keep the
insults down to a mature level yeah?

On 3/20/07, Daniel <daniel () ugc-labs co uk> wrote:
Tell me George, if you owned a mega corporation and you had two
researchers threatening to drop a few % from your share price, what
would you do? Open up your arms, give them a free macbook and see
millions lost on the FTSE/Nasdaq?

Yea, lets just lie about everything and cover it up. That always works
out well....

Again welcome to how business is done. 8/10 current top FTSE 100
companies today make use of aggressive tactics to ensure survival,
why is IT and this industry any different?

Apple's PR protected the brand, same as Bush protected his brand and
Billy G protected his brand. This is business 101 and it's time for
security and security researchers to realise the golden years are
long gone in todays litigation market. I can't just walk into Ford
and say that all american cars are crap, blow up and kill people
without expecting some force, so why do researchers think they can
get away with it with this "we are protecting the world" approach?

That comparison makes no sense at all. You are comparing two people
finding a flaw in wireless drivers with blowing up and killing people.

This is where you miss the point, it's about BRAND PROTECTION. Yes
the world would be much better if everyone was open, but that doesn't
happen in the real world. Oracle still bills it's database server as
unbreakable, are they lying?

Every Machead I debate this with says the same thing. They argue about
how Full Disclosure is bad for everyone and how all of us are wrong
and unethical for releasing flaws to the public if a company doesn't
patch a flaw in a timely and appropriate manner. I'd like to remind
you that this isn't the first incident where Apple has lied to the
public about the seriousness of a flaw to protect themselves.

If you actually knew me, you know I support full disclosure. I'm not
some wet behind the "oooh mummy got me a hacking exposed book, i can
hack like Dave A now" kid, I've been in this damn industry for a long
time now. I can give you countless other examples of companies who
have protected their brand like Apple have done. It's not right, it's
not clever but this has been happening since the early 1900's (Coke
is good for you, can fix all your health problems, oooh smoking
hasn't killed anyone, Firestone tyres are totally safe USA!)

You (and the rest of the Apple community that thinks this way) need to
wake up. Would you rather us find flaws and keep them to ourselves if
the vendor decides not to fix it?

Again assumptions are being made about me. I've found flaws, I was
due to talk about them this month at EUSecWest but things happened
that prevented me from doing so. I've spent loads on lawyers and
would have rather spent it on buying a new hasselblad. Do you know me
at all?

Thats how the blackhat community
works, they find flaws and keep them to themselves for later use. The
blackhat community doesn't give a crap about what the corporations
think, they have no rules to abide by. If they find a flaw, they keep
it to themselves and use it when they deem necessary.

Educating anyone on daily dave who actually has been on this list for
longer than 1 year on how the "blackhat" community works is funny. Us
old farts remember gov-boi and the "blackhat" sites like hack.co.za,
hell I even hosted the site back in the day, so yes I'm fully aware
of how this community works, again please stop thinking im 19 years old.

There is a good
chance that a number of these flaws were already known by the blackhat
community.  Do you feel safe knowing that blackhats have their own
private collection of exploits that they can use against you? Would
you rather they continue to have a collection of unpatched flaws?
Instead of binding the hands of white hats with legal and political
garbage, you should be encouraging them to find and disclose flaws,
not cover them up and hide them. People need to be aware of the risk
to their information.

Security research has changed since the 90's, especially in modern
america and europe. You cannot disclose information today and not
expect some legal challenge. David and Co found this out the hard
way, which I do feel for them. This is one reason I will never report
on any issue i find anymore, It's not worth it.

Don't get me wrong. I'm all for responsible disclosure, but Apple has
shown time and time again that they will not act responsibly in
return. The community needs to be aware of the risks and if Apple
won't tell the truth, then the community will.

- Cisco
- Microsoft
- Lotus
- Oracle

Shall I go on? Hell ask Dave L or Cesar  about how responsible Oracle
have been, I don't see any hate articles addressed to Mary Ann.
Before i retired from IT, 12 years of experience taught me that every
damn IT company lies. Apple isn't doing something new, why do you
think RFP wrote his original policy back in the day?

Blackhats already have the advantage, why give them one more by
binding our hands? Do you REALLY want that risk?

You have totally missed the point of my mail. Everyone in this
wireless cock-up handled it wrong. Dave and Co did it for the media,
Apple should have come clean and christ knows, BLOGGERS CAN'T be
expected to have the same journalistic integrity that traditional
media does.

This industry is at a crossroads. We need to grow up and mature and
realise that for every action there is a reaction. Companies are no
longer willing to accept some researcher blurting out some issue, no
matter how serious it is, without taking into consideration the
financial implications.

--
Bow Sineath - bow.sineath () gmail com

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave



-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada    April 18-20 - 2007    http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]