Charlie Miller thinks it should still be so easy to find software security bugs. I agree.
Computerworld - The only researcher to "three-peat" at the Pwn2Own hacking contest said today that security is such a "broken record" that he won't hand over 20 vulnerabilities he's found in Apple's, Adobe's and Microsoft's software.
Instead Charlie Miller will show the vendors how to find the bugs themselves.
In the latest Pwn2Own contest Firefox, Safari, iPhone and IE8 all fell to hackers. The IE8 hack was especially impressive because it was done on Win7 and involved beating Microsoft's Data Execution Prevention security mechanism.
Google Chrome survived alone among the major browsers. Curiously, Google released 11 patches right before Pwn2Own. Did Google do this in order to give hackers less time to find new vulnerabilities? Is Chrome really the most secure browser as some suggest?
In the browser I use most (Mozilla Firefox) I have both Java and Flash completely disabled. The browser itself is already a big enough security risk. Why add more? I fire up a different browser to watch a video on Youtube or some other site that has a Flash video I really want to watch. I do not miss Java applets. But if the need ever arises I'll make an exception and fire up a browser I have installed that will handle Java. Otherwise, why run the risk?
Since the vendors are so lame we need to take additional precautions as users. Look at the MS Internet Explorer bug that enabled Chinese hackers (probably working for the Chinese military) to break into corporate networks. They sucked out source code from
An article in Wired points to a US government web site broadband.gov which has a test (as a Java plug-in) that tests your broadband speed. The Federal Communications Commission is going to use the results of the test aggregated across large numbers of users to find out the real effect internet access speeds people have - as distinct from what their broadband providers say they have. The site asks for your address so as to correlate speed by location.
The site is very slow at the time of this writing. My guess is a lot of people found out about it at once and it isn't built to scale. Let me know in comments if you have been able to use it successfully and what speed you get.
Ripping off intellectual property.
Hackers who breached Google and other companies in January targeted source-code management systems, security firm McAfee asserted Wednesday. They manipulated a little-known trove of security flaws that would allow easy unauthorized access to the intellectual property the system is meant to protect.
The software-management systems, widely used at businesses unaware that the holes exist, were exploited by the Aurora hackers in a way that would have enabled them to siphon source code, as well as modify it to make customers of the software vulnerable to attack. It’s akin to making yourself a set of keys in advance for locks that are going to be sold far and wide.
I hear rumors that the hackers actually got into hundreds of corporations. Anyone know if that is the case?
If corporations wanted to get serious about security they'd ditch Internet Explorer, switch to Firefox or Google Chrome, and avoid Flash too. Also, upgrade to Win 7 if using Windows. XP is much less secure. To get really safe switch to Linux on a non-x86 processor.