It Keeps On Ticking
Engadget reports on the results of the “Pwn 2 Own” hackers competition in which people were given a week to take control of several machines with the individual who bypassed the security features on the machine being awarded the machine they “pwnd”.
In the end a Sony Vaio running Ubuntu Linux was still on the table.
The Mac Air was claimed in 2 minutes, and the Vista SP1 in 2 days, but Linux survived the week. This wasn’t about viruses or worms, this competition was to actually take over the computer. The Mac fell to a Safari exploit, and Vista, apparently, to a Java weakness. The Vista winners admitted that they had to start from scratch because they hadn’t expected that SP1 would be installed.
12 comments
That SP1 really helped the Vista machine. Maybe Microsoft can use that in marketing. With our new upgrade, our operating system can resist hackers for up to two days!
Given that they having been pushing Vista as the answer to security problems, at least they can show progress.
It’s sort of obvious that people arrived prepared, because no one cracks a machine in two minutes unless the software is already written.
Sure, but in the real world, this is how secure a machine is, because it’s not like those cracks were created specially for this competition.
One may assume that now that SP1 is cracked, it is cracked in less than two minutes now.
Where are all the Mac apologists? 😈
I’m not a computer partisan: I don’t much care what kind of computer I use, as long as it does the job and doesn’t fall to hackers in two minutes. Oh, wait…
Actually some of them probably were designed for this contest because this was at a security conference and a lot of the people involved spend their paying hours defending systems with the same skill set required to hack them.
Any network can be cracked because there has to be two-way traffic, the “sweet spot” is where it is more trouble than it’s worth to do it, and the network isn’t overly affected by the restrictions.
Truly high security systems are a pain in the neck to use because everyone has to restart with new codes if there’s an anomaly during connections. Some satellite-based synchronous systems are almost unusable during solar flare activity because the timing and quality of the signals is affected. There’s always a trade off.
That said, whatever these guys did, others can do now that they know it’s possible.
Seymour Cray said he hired graduate students to work on his supercomputers because they hadn’t learned what was impossible to do, so they just did it.
It’s like nuclear weapons – they are really simple once you know what will happen. Staying alive while building one is the hard part.
I was following this competition closely. Having finished working as an Apple certified service center manager about two years ago, and working in security for a couple decades. the results were little surprise.
I use various flavors of linux, and a hardened XP behind a linux gateway.
There was a crew out of Thailand called simply the Tiger Team that were either admired or feared depending whether you were a client or a target. They were never known to fail. For varying amounts starting around the $10k mark, they guaranteed success. I haven’t heard much about them for a few years. I suspect they went deep under cover after a couple of internationally famous hacks. 🙂
It’s interesting to me that many renowned (and usually anonymous) hackers are Aussies. 🙂
It is a much misunderstood and fascinating World they inhabit, and there is a curious *war* being waged there. Many Gov & Corp’s fear them, and yet understand their potential value to them. I suspect this is the main reason there has been no real concerted effort to hunt black-hat (or grey) hackers. But the rules are vastly different in the Digital Underworld. 🙂
That quote by Cray is quite correct Bryan. 🙂 And I learned it a couple decades ago when hiring staff for a major project. I had to ask myself “How do I find people with the skills and experience to do something that has never been done before?” Of course, I couldn’t. I need people who hadn’t yet learned that word ‘impossible’ yet. So I hired mostly graduates. We won several awards over the next few years. They were a very good team. The way the education system is today, I doubt I could do that again. Sad.
Cheers!
As for Aussies hacking, it’s probably the desert and the long distances – there’s not much else to do. The desert does that to you.
A lot of the better hackers get hired off the books, so it is in no one’s “interest” that they get prosecuted. Most of those who actually get nailed aren’t that good, but they know how to give an interesting interview, or their lawyer does.
The bulk of people in most professions are held back by “conventional wisdom” that tells what can and can’t be done, so they don’t ever “go for it”. To be honest, there aren’t many places you can work that reward innovation.
The value of a degree may be dropping, but the people are as intelligent as ever, if they get a chance to show it.
It’s true that people are just as intelligent today (some proof to the contrary notwithstanding), but the difference between the level of basic skills training and subject knowledge is different from 20 years ago. Intelligence counts for a lot (though common sense is just as important and in short supply), but innovation does need a solid understanding of basic principals and of the subject area. We also were taught skills and basic knowledge of other subject areas, some by choice (the so called *minors*). I chose psychology & history, which most people would say have nothing to do with industrial design & electronics. 🙂 I chose them because a) I was interested, b) I knew that no matter what I chose to do, I would have to deal with people, c) I wanted to have a diverse range of skills to broaden my mind and not be narrowly focussed on a single skill. I thank my Mother for that! It wasn’t my idea, and she was 100% correct. 🙂 I learned as an Engineer that it’s 60% (at least) understanding people and dealing with people. And it’s why, amongst other knowledge and skills, that I ended up in Intel for a time. I chose people for my project with a similar diverse skill set. One programmer for example had studied law originally, and decided he preferred computers to people. LOL He was Singaporean and brilliant! I miss that crew. They were the best I ever worked with.
Cheers!
One of the problems I’ve noticed in our computer degrees is a reduction in teaching the underlying basics like machine code and assembler, with more emphasis on the upper level languages. Sometimes you need to talk directly to the machine to get something done because the compiler designers didn’t think is would be needed.
My formal BS is computers is with “super” minors in social sciences and Slavic languages and literature, and the bulk of my graduate work in Russian culture. If I had been at a different university I could have been awarded both a BA and a BS, but it was too late to change horses and I was only doing it to make filling out an employment application easier, anyway. Most HR/personnel departments can’t figure out that 400 semester hours is more than a bachelor’s degree, so I was catering to their lack of knowledge.
In most of the universities in the US they have created special courses in the humanities for tech majors to fulfill requirements without requiring people to actually learn much about the field. This has resulted the garbage that passes as manuals and help files – the people who create them can’t write in non-technical English. It is pointless to connect the world when people can’t write in a comprehensible manner.
Over-specialization tends to reduce communication. You need translators to re-write things from jargon to general English.
The claim is that there have been so many advances that you can’t teach everything, which I understand, and it is a valid statement, but if you don’t know the basics, how can’t you understand what came afterward?
It’s easy to see why you ended up in the game then! 😀
You are correct, and I like your choices. 🙂 I was torn between language and history. Originally, I planned to study language, because I supposed it would be an excellent prerequisite for studying history! 🙂 But the language course was full that year.
I understand about going to the *right* school too. I wish I’d known before I entered the school I finally chose. After graduating I got a job with DEC then with GD. GD sponsored me to complete my post grad studies (Masters). But I discovered that because of the school and recent changes n the system, it was marked as a *Masters equivalent* rather than an official Masters degree. *shrug* Bureaucrats… May they all rot in hell!
The military paid for the Russian/Slavic courses, including the graduate level courses at the Defense Language Institute.
My last official university course was the “Introduction to Computer Science”. When I originally took the intro course they used BASIC. Well, the university used BASIC in the course for non-majors, but the course for majors used Pascal. I asked if I could just write a Pascal compiler and forget the course, but I had to take it. I taught the bloody intro course for two years as an adjunct, so it was a bit annoying, but bureaucracies just check boxes.
I was slated to take the graduate level course in Russian at Syracuse University which granted Masters to graduates, but the Defense Language Institute decided to offer the course, so all I got was a certificate of completion. The Institute is fully accredited, but it doesn’t grant degrees. Who knows why organizations do what they do?