Category Archives: Security

Pwn2Own Winner Criticizes Event

Dr. Charlie Miller says the Pwn2Own event is managed in a way that has dangerous exploits “left over”

Q: A recent article in Computerworld quoted you as being critical of the competition for encouraging the “weaponization” of exploits en masse – can you briefly reiterate your concerns?

A: This is still a concern for me. There is a difference between vulnerabilities and exploits. The former are problems that need to be patched. But an exploit is something that can actually take advantage of the vulnerability to get code running on the system. The biggest difference is that a bad guy can’t do anything with knowledge of a vulnerability by itself; a bad guy needs an exploit.

Normally, researchers report vulnerabilities and don’t bother to actually write exploits. Writing an exploit is hard, time-consuming work and doesn’t help the vendors patch the bug, so it isn’t necessary to make one.

However, at pwn2own, you need an exploit that works reasonably well if you hope to win. But not everyone gets a chance to win, even if they have an exploit. For each target, the names of the people who want to compete are drawn at random. For example, for Safari on OS X this year, 4 people signed up.

After the random drawing, I was fourth in line. So, four of us showed up with Safari exploits, but the first team won (from VUPEN). Now, the contest is over for that target and there are three of us with exploits but nothing to do with them.

I see his point, but it is odd to suggest that winning somehow de-“weaponizes” an exploit. Even if every exploit brought to the contest were used in the contest, the exploits would still be left over afterwards; researchers could say they have “nothing to do with them” whether the exploits were used or not. The question I would ask is whether contestants always report the vulnerabilities behind an exploit, even when they do not get to use it. Perhaps he is really saying that the lottery, by not giving every exploit a chance at a prize, discourages contestants from disclosing all of the vulnerabilities they know about.

Update: Vendor announces fixes for vulnerabilities that were not selected in the lottery:

Apple on Monday patched 56 vulnerabilities, most of them critical flaws that could be used to hijack machines, as part of 2011’s first broad update of Mac OS X.

Among the fixes was one for a vulnerability that four-time Pwn2Own winner Charlie Miller didn’t get a chance to use at the hacking contest earlier this month.

Lessons From the Great Wave

A documentary by BBC4 explores views of risk in terms of cultural clues and imagery. It interviews numerous experts to reveal the origins of The Great Wave off Kanagawa print, and shows how it has represented very different things to different people.

Great Wave

The Japanese viewer apparently sees groups of men working together in harmony with nature to achieve success, possibly a spring-time catch of bonito for a hard-working crew returning as quickly as possible to market. The huge, towering wave is not an image of despair but of power and collective effort. Toshio Watanabe, a Japanese art historian, explains:

(1:14/10:04) “It’s depicting, basically, speedboats like DHL or FedEx.” […] (9:14/10:04) This is an image of courage and perseverance because the oarsmen have a job to do. “There are so many rowers because they need speed and they are not worried about the waves at all. They are taking it in great stride.”

Dr. David Peat, a physicist at the Pari Center in Italy, is one of several interviewees who suggest a very different effect on a viewer from the West. He sees the Great Wave as a moral lesson for an individual, centered on mortality, anxiety and a fear of the unknown (drawing on chaos theory):

(5:40/8:25) It’s telling us something about being on the edge of chaos; something about how we live our lives. We have to have regularity and order. But if we have too much then we become dead. So it’s telling us where life lies. It’s telling us something about ourselves. We have to learn how to live on the edge of chaos.

Although it is easy to follow the BBC’s narrative and split the views into Far Eastern and Western ones, they could be split a different way. Those who live in and around water and on small boats may look at the Great Wave as familiar and controllable, while those who spend all their time on land may look at the wave with fear of the unknown: “surf’s up” versus “run”. Which are you?

Germany Shuts Down Almost 1/2 of its Nuclear Reactors

Deutsche Welle has had the best coverage I have seen anywhere of the nuclear disaster unfolding in Japan. Their interview analyzing Chernobyl and Three Mile Island, for example, was extremely useful for understanding the different risks in different reactor designs.

They have now announced that Germany is shutting down its older nuclear reactors until an updated security analysis can be completed.

Chancellor Angela Merkel announced Tuesday that seven of Germany’s 17 nuclear power stations would be shut down, at least until the end of a three-month moratorium on the extension of the lifespans of Germany’s nuclear stations.

The decision was made as a direct result of the nuclear disaster currently unfolding at the Fukushima nuclear power plant in Japan.

Merkel is banking on the argument that Japan has brought new risk calculation data to light. Her opposition is not buying it; they accuse her of having ignored the risk before the disaster.

Sigmar Gabriel, head of the Social Democratic Party (SPD) was withering on Merkel’s new plan: “She claimed then that all safety concerns in German nuclear power stations had been cleared up, and she claimed we needed nuclear power in Germany. Now we know that none of that was true.”

With 80% of Germans now said to oppose nuclear energy, it could simply be a wise political move, but it is still good to see infrastructure security receive serious attention.

The effect of Japan’s unfolding nuclear catastrophe on Germans could not be clearer. After the protests in Baden-Württemberg on Saturday, an estimated 110,000 people demonstrated in 450 German towns on Monday against the extension of nuclear power.

Only 110,000 people? That’s the same size as the growing protests against the Regressive Governor in Madison, Wisconsin.

Up to 100,000 people protested at the Wisconsin state Capitol on Saturday against a new law curbing the union rights of public workers that is seen as one of the biggest challenges in decades facing U.S. organized labor.

Wow, perspective. More Americans are protesting in Wisconsin today than during the Vietnam war; about the same as the number protesting today’s nuclear crisis in Germany.