Researcher Cracks Mac in 10 Seconds

Computerworld ^ | Mar 19, 2009 | Gregg Keize

[Swordmaker]

More on the cracking of Safari on a Mac in 10 Seconds... PING!

Mac Cracked Ping!

If you want on or off the Mac Ping List, Freepmail me.

[Cacique]

Oh my!!

[mnehring]

Not exactly true, he brought in a drive that had a program he had been working on for months..

[TribalPrincess2U]

Well crap.

[Melas]

That’s the way hacking is done. You write subroutines that are reusable, it becomes a hacker’s tool chest. Hacking without a tool chest would be akin to changing a flat without a tire iron.

[Temple Owl]

ping

[Billthedrill]

(Sigh!) Well, at least my Vista PC is safe.

:-p

Let's be honest - there isn't anything that can't be cracked. And these guys are very, very good. It just means that everyone who owns one of any flavor has to take minimal precautions. All holy wars do is to lull people into a false sense of security.

[Swordmaker]

Let's be honest - there isn't anything that can't be cracked. And these guys are very, very good. It just means that everyone who owns one of any flavor has to take minimal precautions. All holy wars do is to lull people into a false sense of security.

Charlie Miller and his two associates are ex-NSA computer security wonks... There may be no better hackers in the world than these three. Miller has made it a crusade to always attack the Mac...

[Swordmaker]

(Sigh!) Well, at least my Vista PC is safe.

Well, in this contest it may well be. But Windows 7 and Internet Explorer 8 fell a few minutes later to another attacker. The same attacker also exploited FireFox on Windows 7 and found a different vulnerability in Safari on the Mac. He got the trifecta...

All of the targeted browsers fell on the first day... in fact in the first hours of the contest.

[Billthedrill]

LOL - I was kidding, you know. I'm not looking forward to learning the ins and outs of IE8 before my users do. And one of my Linux studs came in this AM all bubbly because there's a new version of Evolution being released that supports MAPI. Oh goody. There go the Exchange servers.

As for the guy who got the Firefox/Safari/IE trifecta...I say back off and nuke him from orbit. It's the only way to be sure. :-)

[raybbr]

Hacking without a tool chest would be akin to changing a flat without a tire iron.

I do that all the time. Can't you?

[Melas]

I do that all the time. Can't you?

Nah, I tried to take the lug nuts off with my teeth and all I got were these dentures.

[raybbr]

Nah, I tried to take the lug nuts off with my teeth and all I got were these dentures.

LOL. Next time try a 1/2 ratchet and an impact driver.

[antiRepublicrat]

They really need to change this competition so that you have to start your hack from zero when you get there. If you think of it, this was not good security ethics because this guy knew of a vulnerability for months without notifying the manufacturer.

[Star Traveler]

If one uses OpenDNS, it provides another layer of protection from hacker sites. If someone has been hacked and it has been reported, this will prevent you from stumbling into it...

OpenDNS
http://www.opendns.com/

[dayglored]

> They really need to change this competition so that you have to start your hack from zero when you get there. If you think of it, this was not good security ethics because this guy knew of a vulnerability for months without notifying the manufacturer.

True.

But I want to see a competition that cracks the COMPUTER with an actual machine exploit, not a stupid OPERATOR with a stupid human engineered "Please hit this website and allow the program it downloads to execute."

Good lord. Why do they even bother to mention the type of computer or browser? They're hacking the OPERATOR, not the COMPUTER.

Grrr.

[zeugma]

Miller has made it a crusade to always attack the Mac...

That's because a new MS-Windows exploit isn't news.

[Freedom2specul8]

ok, this is not helping my argument for buying a mac.. :)

[Swordmaker]

ok, this is not helping my argument for buying a mac.. :)

Don't worry about it... it really didn't take 10 seconds. It took less. The 10 seconds were the human reaction time to have the referees navigate to the instructed website and click on the malicious link. Note that there was required human interaction... just as any socially engineered attack requires.

Snow Leopard will have the memory locations being used by this exploit randomized and applications such as Safari sandboxed to avoid such new style attacks.