Nice reporting... leaving out the fact that it was the 2nd day, after several layers of security (that is, by default, usually on) were taken down.
And I don't recall if it was this event, or the one the previous year, where the person that "won" had to have physical access to the machine.
And I don't recall if it was this event, or the one the previous year, where the person that "won" had to have physical access to the machine.
Well, I'm not an Apple owner, but I certainly hope this guy fails. I want all hackers to fail (envisioning very long chain gang and rock breaking sentences for hackers).
Previous year's. Last year's merely required that the contest referees navigate the browser to a prepared website and download and install a file. In addition, they do not tell people that Miller and his team of ex-NSA security experts, worked for three weeks to develop their exploit of Safari and Java, in order to win last year's contest. It was not "compromised in under two minutes" as implied by the hype... that was just the time to implement the exploit after working for three weeks to develop it.
As part of his interview for this article Charlie Miller claims, and is quoted as saying, that OS X does not use ASLR (address space location randomization). That is actually false. OS X Leopard does indeed use ASLR. In addition, it uses Systrace Sandboxing to limit what an application can do. However, Safari is not, at this time, sandboxed and should be.