  rudnicke Premium join:2004-10-23 Rantoul, IL clubs: | Wow! That didn't take long at all. | |
|
 |   LiamJunket Premium join:2002-03-03 Ocean City, NJ
·Comcast
| Re: Wow! said by rudnicke: That didn't take long at all. This is already a known Safari exploit and is not unique to the iPhone. And the Safari browsers for the Mac and for Windows already have patches. It does bring up the question of how Apple will provide updates to iPhone applications and how often. -- Internet News My BLOG My Web Page | |
|
 |  |   aliasrlz Premium join:2000-09-01 the world
| Re: Wow! said by LiamJunket: said by rudnicke: That didn't take long at all. This is already a known Safari exploit and is not unique to the iPhone. And the Safari browsers for the Mac and for Windows already have patches. It does bring up the question of how Apple will provide updates to iPhone applications and how often. The same way the iPod software is updated... when it is docked via iTunes. Do some reading, people! | |
|
 |   Likeapple
@rr.com | Like comparing Apple's OS to Windows... the commercial states, oh, we (Apple OS) don't get viruses like Windows does.
SO much for that, FAT BOY! | |
|
  ColorBASIC 8-bit Fun Premium join:2006-12-29 Corona, CA | Ouch Patch Apple patch! | |
|
 ender7074
join:2006-11-21 Saint Louis, MO | Lies! It must be a lie! Apple products are never hacked and NEVER can get any type of malware or virus. That's a Windows-only problem. At least that's what the Apple fanboys tell everyone. | |
|
 |  sirghost citywide
join:2005-07-23 Phoenix, AZ | Re: Lies! Most Apple fanboys will admit that they can get hacked, etc. They simply pass it off as being a bonus feature that their stuff has. | |
|
 |  satellite68
join:2007-04-11 Louisville, KY
| said by ender7074: It must be a lie! Apple products are never hacked and NEVER can get any type of malware or virus. That's a Windows-only problem. At least that's what the Apple fanboys tell everyone. LOL. Hilarious! | |
|
 |   starreem Premium join:2000-12-22 Raleigh, NC clubs:
| I think if you actually ask the Apple folks, yea, they can be hacked. But the difference between Apples and PCs is that a vulnerability on an Apple requires some sort of user intervention to exploit. Windows machines can be exploited with no user intervention at all. Even the article states the exploit tricked users into opening up a malicious web-site. -- From the Depths of Lurk | |
|
 |  |  BosstonesOwn
join:2002-12-15 Everett, MA clubs: | Re: Lies! Which all newer Windows virus issues have been also. Rather awkward, isn't it? | |
|
 |  |  Ahrenl
join:2004-10-26 North Andover, MA
·Verizon FIOS
| Actually it says: "take control of iPhones through a WiFi connection or by tricking users into going to a Web site that contains malicious code." Looks like if you have your WiFi connection open, they can get in as well. I guess you could say that takes user intervention, but so does plugging in the network cable/enabling the WiFi on your Wintel laptop. | |
|
 |   ColorBASIC 8-bit Fun Premium join:2006-12-29 Corona, CA
2 edits | Show me where malware or a virus in the wild hosed Apple products?
The difference between Mac and Pee Cee is Pee Cee threats appear in the wild where Mac threats don't.
When/if these unpatchable lab-only exploits ever appear in the wild, I as a Mac user will worry about it.
Meanwhile, Apple products aren't being hosed, except by a scant few security researchers in their labs. -- Macintosh Users Group Serving the Inland Empire | |
|
 |  |   kapil The Kapil
join:2000-04-26 Chicago, IL | Re: Lies! Yes, thanks to a concept we IT and security folk call security-through-obscurity.
There isn't as much malware targeted at Apple products because the criminals profit more by targeting Windows machines since there are many more of them. | |
|
 |  |  |   ColorBASIC 8-bit Fun Premium join:2006-12-29 Corona, CA
| Re: Lies! said by kapil: Yes, thanks to a concept us IT and Security folk call security-through-obscurity. There isn't as much malware targeted at Apple products because the criminals profit more by targeting Windows machines since there are many more of them. I believe that is certainly part of it. Part of it is the amount of user intervention required for propagation, as was the case with the LEAP-A worm, where it required user installation like any other program, including providing admin privs. The biggest is that these lab-discovered exploits are often quickly patched, making propagation impossible.
But the simple fact that OS X users don't face threats from the wild won't stop Windows user FUD about these threats (which was the subject of the OP).
No one denies that exploits exist, only that the exploits are ever exploited in the wild. -- Macintosh Users Group Serving the Inland Empire | |
|
 |  |  |   WileEC mindtaker, macky cat, etc.
join:2002-02-07 Yonkers, NY
·Verizon FIOS
1 edit | Yes, basically what he's saying is that nobody cares about the 300 or so flip flop wearin', hippie Mac users. They don't have anything to steal anyway. 
All major corporations run Windows based PCs and/or servers. 99% of households all over the world run MS Windows, including now even on Macs (guess those 300 flip flop wearin' hippies can't deal with the complete lack of entertainment software).
So what hacker would bother exploiting less than 1% of total computers worldwide? (for the slow, those be Macs).
And however prevalent malware is on Windows, it is also easily completely avoidable if you make some simple changes, starting with using a 3rd party browser such as Firefox, using a good hardware router/firewall and avoiding opening emails/attachments from senders you don't know (even if you really really really want that v1a.gra). I don't even run anti-virus on my Win XP PC 99% of the time because I don't need to. It's been that way for YEARS and I don't have issues. (oh, and I'm an expert - I rip malware off other people's PCs, so I know what I'm talkin' bout)
What the Mac people will NEVER understand is that I don't want some pre-packaged overpriced hardware that Steve Jobs signed off on... I prefer to build my own system, from scratch, using components of my choice. And it's choice that is sorely missing from the Mac camp. Which is ironic considering how they advertised Macs as the answer to "the draconian PC" back in the day.. lol.
The iPhone is just another example of an overpriced, unnecessary device that flocks of the stupid bought into just to have the latest sex substitute they can show off to their other virgin friends who weren't stupid enough to buy one. I mean, a) to wait in line to buy A PHONE and b) to pay 5~6 hundred dollars for that PHONE doesn't exactly make those who purchased them geniuses. -- Experience one of the most beautiful women on earth at PetraCentral! | |
|
 |  |  |  |  Necronomikro
join:2005-09-01 | Re: Lies! I disagree with your statement regarding corporations all using Windows PCs and servers. That is not true. A lot of corporations are using Linux now for their servers. And a few are even using it for their workstations. | |
|
 |  |  |  |  |   WileEC mindtaker, macky cat, etc.
join:2002-02-07 Yonkers, NY
·Verizon FIOS
1 edit | Re: Lies! dream on... even if a major corp uses unix/linux servers, chances are they are not using unix/linux exclusively. A lot of popular client/server software MUST run from Windows servers, or on Windows PCs, period. And as far as unix/linux workstations/desktops... name one Fortune 1000 company that uses unix/linux workstations/desktops on every desk. -- Experience one of the most beautiful women on earth at PetraCentral! | |
|
 |  |  |  |  |  |   Maxo Your tax dollars at work. Premium,VIP join:2002-11-04 Tallahassee, FL clubs:
·Embarq
| Re: Lies! said by WileEC: dream on... even if a major corp uses unix/linux servers, chances are they are not using unix/linux exclusively. A lot of popular client/server software MUST run from Windows servers, or on Windows PCs, period. And as far as unix/linux workstations/desktops... name one Fortune 1000 company that uses unix/linux workstations/desktops on every desk. If you don't think businesses take Linux seriously you should read »www.informationweek.com/showArti···20900300 Linux as a mainstream desktop OS for businesses (and in the home) is certainly not something too many are taking seriously. There are some exceptions such as the Ernie Ball company. The two problems, I think, are the lack of software development for corporate software, and a lack of knowledgeable people in the IT field for using Linux as a desktop OS in a corporate environment. Meanwhile MCSEs are a dime a dozen. -- "Padre, nobody said war was fun now bowl!" - Sherman T Potter
»www.cafepress.com/maxolasersquad
»maxolasersquad.com/
»maxolasersquad.com/network/ My DSL Network Guide
»myspace.com/mlsquad | |
|
 |  |  |  |  |  |  |   WileEC mindtaker, macky cat, etc.
join:2002-02-07 Yonkers, NY
·Verizon FIOS
| Re: Lies! said by Maxo: If you don't think businesses take Linux seriously ... It's not a matter of me not thinking businesses take Linux seriously. I didn't say that or anything remotely similar. In fact, the Fortune 100 company I'm with uses Unix and Linux, but at least 90% of its servers are Windows based, and so are 99.99% of its desktops. Like I said, even if a major corp is using unix/linux, chances are it's not being used exclusively. -- Experience one of the most beautiful women on earth at PetraCentral! | |
|
 |  |  |  |  dda Premium join:2003-12-29 Bolton, MA
| said by WileEC :So what hacker would bother exploiting less than 1% of total computers worldwide? (for the slow, those be macs). Mac sales make up about 5.8% in the US and about 2.3% in the rest of the world.
said by WileEC :What the Mac people will NEVER understand is that I don't want some pre-packaged overpriced hardware that Steve Jobs signed off on... I talked to the other 299 flip-flop wearin' hippies and none of us really care what you want. If you want to build your own PC from components of your choice more power to you; perhaps I'm missing where people are trying to force you to get a Mac or an iPhone. If you don't want to buy a Mac, I strongly suggest not buying one; that seems to keep everyone happy.  | |
|
 |  |  |   BuriedCaesar It's Not Polite To Stare.
join:2004-03-27 Richardson, TX
·AT&T U-Verse
·AT&T Yahoo
| said by kapil :Yes, thanks to a concept us IT and Security folk call security-through-obscurity. There isn't as much malware targeted at Apple products because the criminals profit more by targeting Windows machines since there are many more of them. 23+ million estimated installed base for Mac OS X is considered "obscure"? I suppose the converse of this overly-used and simplistic concept is "insecurity-through-ubiquity"? Maybe also known as "job security"?
Or, maybe, are those criminals also profiting perhaps because targeting a Windows machine is just flat easier from a security standpoint?
And, the first person to successfully create something (anything) that will not require some sort of significant user interaction before wreaking even the mildest havoc on a Mac will effectively shake the entire computer universe to its very core. And become immortal in the process. You don't think they're out there trying right now? I don't believe that for a second. -- That was preposterous! Utter Nonsense! Totally unsupportable drivel! You can't be serious!....Um, what did you say? | |
|
 |  |  |  |   ColorBASIC 8-bit Fun Premium join:2006-12-29 Corona, CA
| Re: Lies! You can't take attackers as a sum. When each individual choice to deploy an exploit is made, they're going to do what will give them the biggest impact. In that sense, Mac OS X population is obscure because it's not big enough to get the desired results. -- Macintosh Users Group Serving the Inland Empire | |
|
 |  |  |  |  |   BuriedCaesar It's Not Polite To Stare.
join:2004-03-27 Richardson, TX
·AT&T U-Verse
·AT&T Yahoo
| Re: Lies! said by ColorBASIC :Mac OS X population is obscure because it's not big enough to get the desired results. Then why all the hubbub? Why does just about every mainstream news outlet practically fall over themselves any time there is even the slightest hint that the Mac OS might have been compromised in some tiny, insignificant manner, that, to date, hasn't affected even ONE Mac separate and apart from whatever testing environment in which the exploit or flaw or hole or whatever you want to call it was created?
Seems a bit out of proportion. -- That was preposterous! Utter Nonsense! Totally unsupportable drivel! You can't be serious!....Um, what did you say? | |
|
 |  |  |  |  |  |   JoeG4
join:2001-12-16 945941
·Vonage
| Don't like it, don't buy it. Nobody's asking you to. I've been on the fricken internet for quite a while now, and it seems every time the A word is mentioned, a few things come up:
1. The whole "Macs are just as insecure!" BS.
2. As a result, security in obscurity.
3. Nothing proven.
4. Someone comes along, or a whole slew of "diplomats" that give their unsolicited opinion on why Apple customers are evangelist freaks and how they have macophobia, and then give a long-ass explanation about how Apple stuff isn't for them.
5. I come along, and say to the #5s, who cares? I sure don't.
6. I use every OS I can get my hands on, prefer OS X, and don't give a crap otherwise.
7. I don't run anything outside of a firewall on the router as far as protection is concerned, and with our 6 Macs (and 4 PCs), there hasn't been an issue with any of them - in the many years we've had all of the above.
8. F all of you armchair security experts.
9. Anyone who uses the word enterprise in these discussions is a jack***.
10. There is no #10. | |
|
 |  |  |  |  |  |  |   Yawn
@cgocable.net | Re: Don't like it, don't buy it. Nobody's asking you to. I stopped at one. | |
|
 |  |  |  bmn ? ? ? Premium,ExMod 2003-06 join:2001-03-15 hiatus
·Packet8
| said by kapil: Yes, thanks to a concept us IT and Security folk call security-through-obscurity. Uhm, no. That may have been true back in the pre-OS X days, but that isn't the case any more. OS X is basically the same OS that the hackers are using, just with a pretty GUI and some nice apps. -- Prove it... Save the Internet Time (NTP) service, use the pool. | |
|
 |  |  |  macaholic Premium join:2003-08-31 Jackson Heights, NY
1 edit | Windows coders put backdoors into their code to make their lives easier regarding coding... but these little shortcuts mean the user is not even aware when something is installed. Even Vista has some of this "legacy" code.
Vista addresses this by popping up a confirm window whenever something runs... (whether it's run before or has the checksum). The end result is the user clicks yes all the time without even reading...
Mac OS X requires a user to enter a password whenever a program tries to install an application or if a program is about to change a system setting... it's a little more picky. So the end user knows the program/website is doing something naughty...
very simple.
This is why worms and viruses are harder to implement and have much less bang for the buck on Apple hardware.
I use both Windows and OS X... and I can say hands down Mac OS X, which is Debian Unix based, has nifty concepts of user permissions and admin user privs. OS X is a much more hardened OS than any version of Windows can hope to be....
Ben -- "You don't subject minority rights to a referendum." Justice Minister Irwin Cotler of Canada | |
|
 |  |  ender7074
join:2006-11-21 Saint Louis, MO
·AT&T Southeast
·Charter Pipeline
| said by ColorBASIC: Show me where malware or virus in the wild hosed Apple products? The difference between Mac and Pee Cee is Pee Cee threats appear in the wild where Mac threats don't. When/if these unpatchable lab-only exploits ever appear in the wild, I as a Mac user will worry about it. Meanwhile, Apple products aren't being hosed, except by a scant few security researchers in their labs. Spoken like a true Apple zombie. Why make any kind of virus or malware for a platform that is less than 10% of the total platforms out there? Oh, and by the way, note the humor in my original post, or did I touch a nerve? I have yet to hear any Appleite admit to ANY kind of security issue, from hacking to outright virus infestation, ever.
Personally I could give a warm crap about how secure/un-secure Crapandtoss computers are. I'll never own one or any other piece of Apple equipment, and not because I hate Apple or anything like that; I've just got no use for a gimped and expensive computer or highly overpriced peripherals. | |
|
 |  |  |   WALL_E Premium join:2003-05-28 USA
| Re: Lies! I'm an "Appleite" and I admit that this is a security issue that Apple should take care of as soon as possible, regardless of whether or not an exploit exists ITW. So there!  | |
|
 |  |  |   kyler13 Is your fiber grounded?
join:2006-12-12 Arnold, MD
| said by ender7074 :I'll never own one or any other piece of Apple equipment, and not because I hate Apple or anything like that, I've just got no use for a gimped and expensive computer or highly overpriced peripherals. Amen to that. I had a family member that ran a small graphic design business with a Mac, and I provided hardware/software support. What an expensive nightmare that was. Second to that, my in-laws recently bought a new Dell and had serious problems. They returned it and were excited about getting a new Mac (after playing with a demo in a Mac store). They went back to the store to talk options and prices. Needless to say, they now own an HP. | |
|
 |  |  |   ColorBASIC 8-bit Fun Premium join:2006-12-29 Corona, CA
2 edits | Way to dodge the question so I'll ask again.
Show me where malware or a virus in the wild hosed Apple products?
A lab only exploit isn't a security issue for USERS. It becomes a security issue for USERS if the exploit makes it to the wild. -- Macintosh Users Group Serving the Inland Empire | |
|
|
 |  |  |  g3ski
join:2004-07-19 San Francisco, CA
| said by ender7074: .... Why make any kind of virus or malware for a platform that is less than 10% of the total platforms out there? True that most exploits are now injected to create botnets to do nefarious things. Thus targeting Windows users, who are the majority of computers, makes sense. Most malware runs on XP right now; it's got the biggest penetration, and it's easy to do. (OS X and Vista are more secure out of the box.)
If it were easy to create malware for the Mac, it would be done also to supplement the botnets. You really think they wouldn't do something easy that would add to their profit? It's just that not a single person on the planet has proven that it's "easy" to build a malware exploit for OS X.
Both Vista and OS X are HUGE targets for the small number of hackers who still care to be the guy who cracks those systems in easy and unique ways. These hackers are working on exploiting OS X and Vista constantly. | |
|
 |  |  ydoucare
join:2003-03-12 Rensselaer, IN
·Embarq
·Millenicom
·Sprint Mobile Broa..
| said by ColorBASIC :Show me where malware or virus in the wild hosed Apple products? The difference between Mac and Pee Cee is Pee Cee threats appear in the wild where Mac threats don't. When/if these unpatchable lab-only exploits ever appear in the wild, I as a Mac user will worry about it. Meanwhile, Apple products aren't being hosed, except by a scant few security researchers in their labs. I love how it's always "MAC" vs "PC" and not Windows VS OS X, etc. | |
|
 |  |  |  ender7074
join:2006-11-21 Saint Louis, MO
·AT&T Southeast
·Charter Pipeline
| Re: Lies! Kind of ironic now since they all run on basically the same equipment. My absolute favorite was listening to this idiot I worked with go on and on about how crappy PC based architecture is and how the PowerPC was going to take over all. This conversation happened a week or so before Intel and Apple announced their unholy marriage. The same idiot, the day after this announcement, was going on and on about how great Intel was and how good their equipment is. That was the typical Mac attitude at work. Apparently since Cap'n Steve likes it now it's better than sliced bread.  | |
|
 |  |  |   Maxo Your tax dollars at work. Premium,VIP join:2002-11-04 Tallahassee, FL clubs:
·Embarq
| Re: Lies! said by jaa: I have yet to see any PC exploit in "the wild" destroy my data or obtain my information. Never had any of my friends ever say this happened. In fact, I can't even remember any news reports about someone's PC getting hacked and having their personal information compromised, or data lost. This iPhone story is the closest I can remember. Why would people bother looking for technical exploits to get personal information, when it is so much easier to just ask people for it? Pay »Security Cleanup a visit. -- "Padre, nobody said war was fun now bowl!" - Sherman T Potter
»www.cafepress.com/maxolasersquad
»maxolasersquad.com/
»maxolasersquad.com/network/ My DSL Network Guide
»myspace.com/mlsquad | |
|
 |  |   ColorBASIC 8-bit Fun Premium join:2006-12-29 Corona, CA
| Re: Lies! said by Maxo :said by ender7074 :It must be a lie! Apple products are never hacked and NEVER can get any type of malware or virus. Thats a Windows only problem. At least thats what the Apple fanboys tell everyone. LOL. Hilarious! The exact same thing that is said every time a security flaw is found in a Mac product. Show us where it's happened outside a lab or conference? There is a huge difference between a lab only exploit discovery and that exploit being used in the wild.
A lab only exploit isn't a threat to users. It's not a threat to users unless the unpatchable vulnerability is exploited in the wild which we never see with OS X. The reasons are numerous and can include quick patching, low population and difficult propagation. -- Macintosh Users Group Serving the Inland Empire | |
|
 |  |  |   Maxo Your tax dollars at work. Premium,VIP join:2002-11-04 Tallahassee, FL clubs:
·Embarq
1 edit | Re: Lies! said by ColorBASIC :said by Maxo :said by ender7074 :It must be a lie! Apple products are never hacked and NEVER can get any type of malware or virus. Thats a Windows only problem. At least thats what the Apple fanboys tell everyone. LOL. Hilarious! The exact same thing that is said every time a security flaw is found in a Mac product. Show us where it's happened outside a lab or conference? There is a huge difference between a lab only exploit discovery and that exploit being used in the wild. A lab only exploit isn't a threat to users. It's not a threat to users unless the unpatchable vulnerability is exploited in the wild which we never see with OS X. The reasons are numerous and can include quick patching, low population and difficult propagation. I was clearly poking fun at ender7074 and satellite68 ! These same two posts show up in every single thread that involves a problem with Mac equipment. | |
|
 |  |  |  |  ender7074
join:2006-11-21 Saint Louis, MO | Re: Lies! Now I don't post on EVERY Mac/Apple issue... Just the ones I see. It's soooooo much fun to get 'em riled up.  | |
|
 |  |  |  |  stridr69
join:2003-05-19 San Luis Obispo, CA | Re: Lies! Actually, that looks like the owner's manual for the iPhone to me. | |
|
 |   ComputerExpert
@rr.com | They actually can get malware, but the only thing is Apple made that kind of operating system so confusing and different that nobody can figure out how to make malware for it! | |
|
  Hackintosh
join:2007-06-29 Bonsall, CA | orly.. Sneaky iPhone.. | |
|
 |  bmn ? ? ? Premium,ExMod 2003-06 join:2001-03-15 hiatus
·Packet8
| Re: Whoa....how about some critical thinking? said by sborsch: Ahh....let's not just leap to the conclusion that this is some sort of *serious* threat until there is some critical thinking. Critical thinking, much less thinking in general, is largely a thing of the past in this country... You are asking too much from some of these people by expecting them to actually understand what they are talking about before they comment on it. -- Prove it... Save the Internet Time (NTP) service, use the pool. | |
|
 |  |  |   Subaru 1-3-2-4 Premium join:2001-05-31 Greenwich, CT clubs: | Re: News? This was talked about almost a month ago. First of all, why are you quoting me? | |
|
  sporkme drop the crantini and move it, sister Premium,MVM join:2000-07-01 Morristown, NJ
·Optimum Online
| Root is moot... This flaw has nothing to do with the browser or anything else running as root. Even if Safari (and all the other user apps) were running as user "bob", once bob's Safari is hijacked, it need not be running as root to look at bob's addresses, music, etc.
The root issue is certainly something to give one pause (although it's not that uncommon in the embedded OS world), but it doesn't seem to have anything to do with this possible exploit... | |
|
  sailor Premium join:2003-10-21 Long Island
2 edits | Researchers seek cash for software flaws
So this alleged flaw story was generated by the same Charlie Miller who seeks money for his so-called discoveries. 
___________________________
Researchers seek cash for software flaws
For some security researchers who uncover flaws in leading computer programs, a nod of appreciation from software companies is no longer enough. Now they want money.
Critics say the purity of research is in jeopardy as discoveries are shopped around instead of submitted directly to software vendors so they can quickly develop a fix.
"I don't like there being an incentive to turn this into a market," said Bruce Schneier, chief technology officer for security company BT Counterpane. "Then you create incentives for the bad guys to start finding this stuff and selling it, and if the bad guys charge more, the good guys have to charge more."
Some companies already have been offering payments for such information, hundreds or thousands of dollars depending on the severity of the flaw, and a Swiss-based auction site opened this month to encourage bidding for such knowledge.
Software vendors so far have refrained from purchasing the information themselves, reluctant to encourage extortion: researchers holding out or threatening to sell to criminals unless they get the right price.
A black market has long existed for trading information about vulnerabilities in software from Microsoft Corp., Cisco Systems Inc. and other vendors of products crucial to running computers and sending data over the Internet. The information could then be used to break into systems holding credit card numbers or secretly plant spying software within a company's network.
Experts say government agencies also have been buying such knowledge, not to warn the public but potentially to break into computers for national security or criminal investigations. Charlie Miller, a former National Security Agency employee, said one agency he wouldn't name paid him $50,000 in September.
To keep up, security company iDefense, now part of VeriSign Inc., pioneered the "white hat" market for exploits about five years ago, creating the Vulnerability Contributor Program to reward legitimate researchers who submit information on flaws. TippingPoint, a unit of 3Com Corp., followed with a similar program three years later.
In both cases, the security companies buying the information then work with vendors and avoid disclosing the flaws publicly until a fix is developed. The information is valuable because the security companies can sometimes use the knowledge to protect their own customers in the interim.
Although researchers historically have shared knowledge for free, "there's been a market that has naturally evolved where this information is power," said Ken Durham, director of the rapid response team with VeriSign-iDefense. "Our concern is people would start to turn to the dark side unless they had a responsible avenue."
Terri Forslof, who runs TippingPoint's Zero Day Initiative, said programs like hers can never pay as much as the black market, but most legitimate researchers are willing to accept smaller payments knowing the buyer would handle the information responsibly.
The newly opened auction site, WabiSabiLabi, doesn't require buyers to work with vendors on a fix before disclosing the flaw. Operators of the site say they try to validate both buyers and sellers, for example by requiring copies of passports and bank account information, but many people remain skeptical.
"You potentially do not know who is buying that vulnerability," said Mark Miller, Microsoft's director of security response communications. "The potential for customer risk can be increased."
Roberto Preatoni, strategic director for WabiSabiLabi, said criminals have no need for his site because they can remain anonymous in the black market. He also said his auction functions more like eBay Inc.'s site in connecting buyer and seller, and thus questions of legal liability and disclosure are strictly between those parties.
So far, the amount of vulnerability research that's sold pales in comparison to what's submitted directly to vendors or discovered by the vendors' own research staff. But there are signs the market is growing.
"It's new territory. It's uncharted," said Russell Smoak, head of Cisco's Product Security Incident Response Team. "I have been approached by researchers that have asked (for payment) and to date, we've said no."
Charlie Miller, now the principal security analyst at Independent Security Evaluators, said the demands for payments stem from frustrations that vendors' in-house researchers "are making a lot of money to look for bugs and whenever someone from the outside finds something, they don't get paid anything."
Preatoni described his auction as a way for researchers to receive what their knowledge is truly worth, saying the security industry is currently built on top of research that is undervalued.
Matthew Murphy, who received hundreds of dollars for each of about a dozen submissions to iDefense's program, said that while payments aren't enough to replace a full-time job, they earned him enough in high school to buy his parents a new computer and give him spending money for dinner with friends.
But Miller, after trying to sell two separate vulnerabilities himself, including the $50,000 one to the government, concluded it wasn't worth the trouble. He said it was difficult identifying potential buyers, and in one case the vendor had fixed the problem before he could complete the sale.
"I would have loved to start a business out of it," he said. "One of the lessons I learned is that it's impossible to do that."
And that's been one of the challenges of the WabiSabiLabi auctions. Potential sellers must reveal enough to entice buyers, but revealing too much can help others find the flaw independently, negating its value. Preatoni said the site does verify all claims before starting an auction.
Microsoft, which makes the oft-targeted Windows operating system, said it has no plans to start paying contributors, noting that many researchers have eagerly submitted their findings with only the promise of credit, which can be added to resumes to boost job prospects.
"They've clearly told us that by working with us, that model also works for them," Microsoft's Miller said.
Marc Maiffret, chief technology officer at eEye Digital Security, said he, too, has refrained from paying contributors, saying such sales "are pretty much supporting a market which eventually turns into a bidding war. It drives people not to report (problems) to vendors."
»news.yahoo.com/s/ap/20070721/ap_···ity_info | |
|
 |   ColorBASIC 8-bit Fun Premium join:2006-12-29 Corona, CA
| Re: Researchers seek cash for software flaws There is a fine line between getting paid and blackmail.
I have no problem with security researchers getting paid, as the company doing the paying benefits greatly from finding these flaws.
It's in the software maker's interest to find any flaws as quickly as possible, and it's better to pay a researcher now than take the PR hit later. Especially in Apple, Inc.'s case, where a lot is invested in marketing the security reputation and a single lab exploit making it to the wild can kill decades of reputation building. -- Macintosh Users Group Serving the Inland Empire | |
|
iEvolution
join:2006-06-24 Ogden, UT
Yeah nice iPhone
I just laugh at the morons that purchased a $600 phone with a 2yr contract when the phone:
- Lacks the ability to send SMS picture messages
- No expandable memory
- No notification of new messages unless you open the menu
- Can't set a song as a ringer (LOL)
- Speaker volume is too low (many complaints there)
- Constant freezing or lag when the unit is on too long
Now an exploit? Good job Apple, nice phone. Really sounds like they half-assed the iPhone.
Titus Pullo I came, I saw, I slept
join:2004-06-26
·Embarq
News and consumer meet and it's not a pretty sight.
Let's battle over whether the iPhone sucks or not, because that's what increases hit counts: divide and conquer; in this case over silly consumer brand di_k-sizing. Just as Paris Hilton draws people away from whether or not Jimmy can pay his heart attack bill w/no insurance, Apple headlines (as market share increases) draw, once again, that dividing line that acts sorta like a vent pipe so we can choose sides and blow off some steam. But, please, not over the stuff that's really stuck in our craw; then we might wake up and quit buying this hyped Chinese-made crap and live life instead of tossing more money at the 'Toys for Happiness' parade.
But ... I choose not to comment on Apple stuff anymore after the crap I endured in ATM; I'm one of those in the back of the room now that just uses what works and watches this cluster-f*ck of consumerism waft by like farts on a bus.
-- The woman from 1984 put down her hammer for an iMac®, iPod® & iPhone®
Doctor Four My other vehicle is a TARDIS Premium join:2000-09-05 Dallas, TX
iPh0wn3d
Subject pretty much says it all.
IOW, what you will get when a patch becomes available and the flaw is actively exploited.
bronxlcsw
join:2005-09-21 Bronx, NY
What's not hackable these days?
I wish someone would figure out a way to hack into Experian, TransUnion and Equifax to delete my credit files.
Windogg
join:2002-07-24 Cambridge, MA
LIES! There is no flaw!
Apple is perfect. This is simply a lie perpetuated by all the haters and wInd0ze (L)users to discredit HRH Jobs. We must track down the heathen that suggested that Apple is flawed and put his head on a platter.
BTW, I do own a MacBook and use it as much as my XP Pro notebook. I just hate all fanatics (Intel, AMD, nVidia, ATI, Linux, Windows, etc.) that trumpet their loyalties so loudly that the blinders make them oblivious to reason.
The iPhone has been held so high and has now garnered the attention of security experts. All the more reason to NOT run as root or administrator. Funny how the Achilles heel of privileged access, laughed at by Mac fanboys for so many years, now strikes their beloved brand.
dvd536 as Mr. Pink as they come Premium join:2001-04-27 Phoenix, AZ
All your minutes are belong to us!
tc1uscg
join:2005-03-09 Saint Clair Shores, MI
Media.. just gotta love 'em
Let's see, the MEDIA hyped a cell phone just because it was from Crapple. They were talking about "how innovative" it was. How it was going to "stand the telecom industry on its end". Now, they can't wait to find something wrong with it and tear it down. Just like how they cover the Iraq war. The morons are not the ones who bought the phone, it's the people covering it. NBC, CNN, CBS.. you listening?
Peekay21
@charter.com
iPhone worries
Wow, that didn't take long. I wouldn't want to risk all that info by having an iPhone. I'll stick with my Blackjack, through which I get my music wirelessly through the "M" app from Mercora, and with the other features I have with my phone, I see no reason to switch. Too much hype = big bull's eye...
raye Premium join:2000-08-14 Orange, CA
Wow I had no idea OS X machines/platforms were so popular
Based on how much people have pined away on both sides of this iPhone flaw, it makes one think that Apple's market share is bearing down on Windows-based platforms.
I do not own an iPhone, nor will I in the near future, due to its only being available on at&t's cell network. That being said, I hope that the innovations in the iPhone spur improvements in the Windows Mobile product, which is crappy and crashes often.
Apple does help out Microsoft on the innovation front on computers as well. Vista SP1 is being delayed until after the OS X Leopard release; perhaps to see what improvements the supposed (5% market share) competitor Apple is making?
I own both PCs and OS X boxen. I prefer OS X because I know the operating system (FreeBSD based) and I know how to make it reasonably secure. More so than my Windows boxes, where I do not know what is under the hood and 0-day is a greater concern. As OS X market share increases, which it inevitably will (no company can keep a 90%+ market share forever), its platform will become a potential breeding ground. I say potential because if OS X stays true to FreeBSD, the attack surface by which to write exploits will be reduced. But with the Web browser it will NEVER be 0% on ANY platform, Windows, Linux or OS X.