Computer Hope

Topic started by: Computer Hope Admin on March 31, 2010, 04:37:16 PM

Title: Pwn2Own hack topples Firefox on Windows
Post by: Computer Hope Admin on March 31, 2010, 04:37:16 PM
The first day of the CanSecWest Pwn2Own hacker challenge wrapped up here today with a familiar face going after a familiar target.

And, for the second year in a row, a German hacker known simply as “Nils” exploited a previously unknown vulnerability in Mozilla Firefox to take complete control of a 64-bit Windows 7 machine.

Link (http://blogs.zdnet.com/security/?p=5865)
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: BC_Programmer on April 01, 2010, 07:46:28 AM
It's interesting to note here that it would appear that the "weak link" in exploiting firefox was firefox itself- simply because firefox was not taking full advantage of some of the features of windows. Could one surmise that this very same technique could work on Firefox running on other platforms?
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: Computer Hope Admin on April 01, 2010, 10:09:55 AM
It's possible but since no details were posted hard to say. I'd assume that because he went after Safari on MacOS that it may not be the case, however he could of just went for Safari because it's the default browser. I know one thing for sure if I was Microsoft I'd be paying any amount imaginable to get this guy on my staff and make Windows more secure by just having him find holes.
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: Quantos on April 01, 2010, 10:12:32 AM
I know one thing for sure if I was Microsoft I'd be paying any amount imaginable to get this guy on my staff and make Windows more secure by just having him find holes.
Second.
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: BC_Programmer on April 01, 2010, 10:15:55 AM
They already have a lot of security analysts that are at least as good as him, actually. Many of them have blogs.

However it's important to note that the vulnerability is largely firefox's, not Windows; after all, as stated in the article, the biggest stumbling block was in fact mitigating the built in windows protections to prevent exactly what he was trying to do; as well as how ill-fit Firefox is in using those technologies explicitly (relying on Windows' default behaviour, I imagine).
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: Computer Hope Admin on April 01, 2010, 10:17:46 AM
Yeah that's true. He didn't come through Internet Explorer, and that's saying a lot.
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: patio on April 01, 2010, 12:10:53 PM
Umm IE8 got creamed as well...
It's always bigger news when it's the Fox...

Story (http://blogs.zdnet.com/security/?p=5855)
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: Computer Hope Admin on April 01, 2010, 12:27:11 PM
I stand corrected.
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: BC_Programmer on April 01, 2010, 12:33:46 PM
Umm IE8 got creamed as well...
It's always bigger news when it's the Fox...

Story (http://blogs.zdnet.com/security/?p=5855)

True, but specifically I was referring to the fact that it was the application (Firefox), not the platform (Windows), that had the security problem.

I gave up on Security in IE long ago. It's usable and they certainly are doing better but I think their security analysts must be working elsewhere.
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: Hdthree on April 01, 2010, 09:52:00 PM
This is interesting. The only other hacking conference I know of is Defcon; are there many others?
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: Computer Hope Admin on April 02, 2010, 12:00:02 AM
Another big one is HOPE

http://thenexthope.org/
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: rthompson80819 on April 02, 2010, 12:09:41 AM
This is the story you never hear about, although it happens a lot, hacking Apple products.

http://blogs.zdnet.com/security/?p=5846&tag=col1;post-5855
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: Salmon Trout on April 02, 2010, 03:32:43 AM
could of just went

[rant]

Could have just gone, please!!!

[/rant]
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: mr-bisquit on April 13, 2010, 03:55:24 PM
When they can hack through a secured firefox on a hardened BSD system, let me know.
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: BC_Programmer on April 13, 2010, 04:52:21 PM
When they can hack through a secured firefox on a hardened BSD system, let me know.

When FreeBSD is used by people without something to prove let me know.
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: Quantos on April 14, 2010, 09:53:08 AM
When FreeBSD is used by people without something to prove let me know.
I use a copy of it as a coaster, it works great for that.
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: BC_Programmer on April 14, 2010, 09:55:22 AM
I use a copy of it as a coaster, it works great for that.

Wait... why would you need to burn something to a disc to use it as a coaster, anyway?
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: Quantos on April 14, 2010, 09:57:06 AM
Wait... why would you need to burn something to a disc to use it as a coaster, anyway?
It's all in the details BC.  It just shows a lack of preparation if you use a blank disc.
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: BC_Programmer on April 14, 2010, 09:58:51 AM
It's all in the details BC.  It just shows a lack of preparation if you use a blank disc.

ahh

well, I heard that some coaster company called "AOL" was giving away free coasters for quite a number of years.  ;D
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: rthompson80819 on April 14, 2010, 06:19:29 PM
Interesting article on the "coaster" company.

http://en.wikipedia.org/wiki/AOL_CDs
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: Quantos on April 14, 2010, 06:23:41 PM
ahh

well, I heard that some coaster company called "AOL" was giving away free coasters for quite a number of years.  ;D
Yes indeed, I had a whole selection of them.  They actually lasted a lot longer than my OS/2 Warp coaster set did.
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: Cityscape on April 14, 2010, 10:19:51 PM
When they can hack through a secured firefox on a hardened BSD system, let me know.
Or on a Linux system.
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: BC_Programmer on April 14, 2010, 11:05:37 PM
Or on a Linux system.

Hardened, of course. The defaults on Linux (and I presume, [Free/Open]BSD) are a lot more secure than most Windows installations. MS is certainly doing better since XP SP2 with proper selection of defaults. They finally realized, "hmm, maybe everybody doesn't need to have terminal server running by default" and other silly services that most people would never need or use, but were a security risk.

On the other hand, Windows Vista and 7 can still run nearly any properly written Win32 program; AFAIK Linux (and Mac OS) are less forgiving in that regard. There is certainly some leeway there as well, though.

It's not just backward compatibility of public interfaces that Windows provides, either. Sometimes application developers rely on totally undocumented behaviour (http://blogs.msdn.com/oldnewthing/archive/2003/12/23/45481.aspx). Since, inevitably, a program that worked fine with a previous version of Windows suddenly not working on a new version (when the Windows developers so foolishly think they can change the undocumented internals) is blamed on the new version of Windows, it usually falls to MS to fix it (since the program developer already has the customer's money in most cases).

Now, that being said, there is no such thing as an undocumented function in Linux or FreeBSD, since, at the very least, the source is available. On the other hand, that doesn't mean that such functions won't change in future versions; but when that happens it usually falls to the program's original creator that was calling the function to fix the issue (which is alright, since it was almost certainly free, so the developer doesn't "already have their customers' money").

So I guess, in a way, Microsoft, while basically saying "don't use this function" for a lot of stuff, will "fix" the issues that arise if somebody does if that somebody's product is popular enough; if WordPerfect, for example, crashed catastrophically when tested on 98 but worked fine on 95, MS would usually fix the problem, not Corel- simply because the problem, in many users' eyes, was the new version of Windows.

It's really more a religious issue in a lot of ways; as can be illustrated easily via the comments on the blog post I linked to. Each Operating System, (Mac, Linux & BSD and variants, Windows) subscribes to a different paradigm, and these paradigms clash on a lot of issues- including the backward compatibility one illustrated in the blog post. It is these paradigm shifts that drive a wedge between devotees of each sub-culture.
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: mr-bisquit on April 15, 2010, 03:29:45 AM
I use a copy of it as a coaster, it works great for that.

Chances are you have no experience using any BSD system.

Using it as a coaster will make it stick to your coffee table or desk and ruin it.
I take it that you failed physics.

Hardened, of course. The defaults on Linux (and I presume, [Free/Open]BSD) are a lot more secure than most Windows installations. MS is certainly doing better since XP SP2 with proper selection of defaults. They finally realized, "hmm, maybe everybody doesn't need to have terminal server running by default" and other silly services that most people would never need or use, but were a security risk.

On the other hand, Windows Vista and 7 can still run nearly any properly written Win32 program; AFAIK Linux (and Mac OS) are less forgiving in that regard. There is certainly some leeway there as well, though.

It's not just backward compatibility of public interfaces that Windows provides, either. Sometimes application developers rely on totally undocumented behaviour (http://blogs.msdn.com/oldnewthing/archive/2003/12/23/45481.aspx). Since, inevitably, a program that worked fine with a previous version of Windows suddenly not working on a new version (when the Windows developers so foolishly think they can change the undocumented internals) is blamed on the new version of Windows, it usually falls to MS to fix it (since the program developer already has the customer's money in most cases).

Now, that being said, there is no such thing as an undocumented function in Linux or FreeBSD, since, at the very least, the source is available. On the other hand, that doesn't mean that such functions won't change in future versions; but when that happens it usually falls to the program's original creator that was calling the function to fix the issue (which is alright, since it was almost certainly free, so the developer doesn't "already have their customers' money").

So I guess, in a way, Microsoft, while basically saying "don't use this function" for a lot of stuff, will "fix" the issues that arise if somebody does if that somebody's product is popular enough; if WordPerfect, for example, crashed catastrophically when tested on 98 but worked fine on 95, MS would usually fix the problem, not Corel- simply because the problem, in many users' eyes, was the new version of Windows.

It's really more a religious issue in a lot of ways; as can be illustrated easily via the comments on the blog post I linked to. Each Operating System, (Mac, Linux & BSD and variants, Windows) subscribes to a different paradigm, and these paradigms clash on a lot of issues- including the backward compatibility one illustrated in the blog post. It is these paradigm shifts that drive a wedge between devotees of each sub-culture.

The code has to be submitted and tested. The 32bit Windows applications are a different set of system calls, dependencies, and other general functions. This is for emulation. As for using older programs and binaries on a nix system, install the required components.
There are 32 bit system libraries for 64 bit systems; but, this is only for x86/64 systems. You want something else such as sparc on powerpc or mips on arm, then use qemu.

Development is open and the results are published to the public. If there is change, all can see it.

You are talking about a function but such term does not exist. If something is broken in the FreeBSD ports tree, it won't build.
If a security flaw is found, it is published.
If it's OpenBSD, it is made to be more secure.
The other two beasts are their own monsters.

You should give FreeBSD a spin.
Downside is you will have to follow a console install at first.
Upside is that you will learn a system from using it.

Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: BC_Programmer on April 15, 2010, 03:50:28 AM
You should give FreeBSD a spin.
Downside is you will have to follow a console install at first.
Upside is that you will learn a system from using it.

I downloaded a DVD ISO the other day... don't have a spare system, but I'm installing it in a VM as I type this  :).
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: Cityscape on April 15, 2010, 09:14:31 AM
You should give FreeBSD a spin.
Downside is you will have to follow a console install at first.
Upside is that you will learn a system from using it.
I'm very interested in trying FreeBSD. Does the console use BASH commands like Linux? If so I shouldn't have too many problems. And I hardly ever see software available for it, or can it use Linux software (.debs)?
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: BC_Programmer on April 15, 2010, 11:33:53 AM
I'm very interested in trying FreeBSD. Does the console use BASH commands like Linux?

you can install BASH as the shell... as far as I can tell that's the default.

Quote
And I hardly ever see software available for it, or can it use Linux software (.debs)?

Don't know about the package type it takes, but there isn't any shortage of software.
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: mr-bisquit on April 15, 2010, 03:57:28 PM
http://forums.debian.net/viewtopic.php?f=16&t=27227

Read this howto completely.
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: Quantos on April 15, 2010, 04:16:08 PM
Chances are you have no experience using any BSD system.

Using it as a coaster will make it stick to your coffee table or desk and ruin it.
I take it that you failed physics.


Wrong on both counts.  This one's for you.

[recovering disk space - old attachment deleted by admin]
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: BC_Programmer on April 15, 2010, 07:32:27 PM
Quantos.... seriously, how is that productive...
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: mr-bisquit on April 15, 2010, 07:59:00 PM
I like the picture.
It's cute. I have a sense of humor.
BC, Quantos stated that he also has experience working with BSD systems.
Perhaps he can help you.


Remember these simple rules:
Read the handbook. If need be use google and add freeBSD and handbook to the query.
Search the mailing lists. I'm on quite a few and they are helpful. You know the basic rule: search before you ask and present everything when you do.

Questions about the guide or the system?
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: Cityscape on April 15, 2010, 08:02:11 PM
Well, it sounds very interesting. I'll try it in a few weeks. And I'll let you know what I think.

So I install it via command line? Do I then choose to install GNOME, KDE or what?
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: Cityscape on April 15, 2010, 08:06:33 PM
And does it have some sort of Package/Software manager (Linux way) to install stuff from or do you download apps (Windows way) from the net and install them?

Also how difficult would you say BSD is compared to the average Linux distro (Say Fedora or Mandriva for example)?
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: mr-bisquit on April 15, 2010, 08:13:01 PM
You have two options to add software: building from ports and package add.
No, these are source packages. You build them according to your needs.
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: mr-bisquit on April 15, 2010, 08:21:10 PM
The basic commands for port building are:
make, make config, make depends, make install, and make clean.
You can use a combination of commands with the ampersand:
Code:
cd /usr/ports/emulators/qemu && make config && make install clean
You could use the pkg_add- I don't for the most part but that's because I like watching it compile- along with the variables.
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: Cityscape on April 15, 2010, 08:29:04 PM
So what is better, FreeBSD or PC-BSD?
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: mr-bisquit on April 15, 2010, 08:30:57 PM
Ok.
Yes, by the command line.
Different from a Linux distro. Hmm.
Have you ever built a program from source? A tar.gz or bz2 file?
My opinion is FreeBSD but that is because I like the challenge.
You could install PC BSD if you want an instant system.
That's your choice.
Hmm.
Are you going to be running this on real or virtual hardware?
If real, then PCBSD until you are comfortable with it.
If virtual, then make two instances and run one then the other. You can stop and switch.
This way you see both the assembly and the finished product.
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: Cityscape on April 15, 2010, 11:54:31 PM
Ok.
Yes, by the command line.
Different from a Linux distro. Hmm.
Have you ever built a program from source? A tar.gz or bz2 file?
My opinion is FreeBSD but that is because I like the challenge.
You could install PC BSD if you want an instant system.
That's your choice.
Hmm.
Are you going to be running this on real or virtual hardware?
If real, then PCBSD until you are comfortable with it.
If virtual, then make two instances and run one then the other. You can stop and switch.
This way you see both the assembly and the finished product.
No, I have never built a program from source, never could figure out how. I have always wanted to though. I've tried following instructions before but always failed somehow.

Probably virtual hardware. What are the hardware requirements? The only real hardware I could run it on is an old AMD K6-2 350 MHz, 256 RAM machine.

So you recommend FreeBSD? What BSD is most user friendly? What BSD is best for overall use?

PC-BSD
DesktopBSD
FreeBSD
OpenBSD
DragonFly BSD
NetBSD
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: Cityscape on April 15, 2010, 11:55:35 PM
And does it have some sort of Package/Software manager (Linux way) to install stuff from...
I see that PC-BSD uses package management like Linux.
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: mr-bisquit on April 16, 2010, 12:28:22 AM
DesktopBSD is basically dead. The maintainer has left it open to whoever.
NetBSD requires a little work and porting it means running only in console mode sometimes.
PCBSD is your best bet.
OpenBSD isn't for you yet, and Dragonfly requires more studying.
FreeBSD is the easiest to deal with out of the normal BSDs.
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: Cityscape on April 16, 2010, 11:29:17 AM
PCBSD is your best bet.
FreeBSD is the easiest to deal with out of the normal BSDs.
Okay, so if FreeBSD is the easiest to deal with, why would PCBSD be my best bet?
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: mr-bisquit on April 16, 2010, 11:50:38 AM
If you want an "instant" system, then PCBSD; but, since you listed the specs, use FreeBSD.
Run it minimalized.
You can run xfce4 on it or one of the box managers. Xcdroast for burning. Use the Linux compat layer if you need to run flash and use the normal noscript and optimized firefox settings.

Reason I said best bet is because you haven't done much as far as compiling. That machine you mentioned won't run PCBSD but it will run one of the main BSDs.
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: Cityscape on April 16, 2010, 01:11:53 PM
Thanks for the info. I'll probably get PCBSD for a VM and FreeBSD to run on my old rig.

XFCE wouldn't run well on such an old computer I think, I'd like to use either LXDE or Enlightenment. Will they work with BSD?

I'm thinking about dual-booting FreeBSD with Lubuntu on my older PC. Which is best to install first?
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: mr-bisquit on April 16, 2010, 01:26:29 PM
If they are in the ports tree.
BSD, look in the howto.
Try it first on the vm.
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: Cityscape on April 16, 2010, 01:31:49 PM
8.0-RELEASE-i386-bootonly.iso    42.7 MB
8.0-RELEASE-i386-disc1.iso       625.2 MB
8.0-RELEASE-i386-dvd1.iso.gz     1.7 GB
8.0-RELEASE-i386-livefs.iso      244.2 MB
8.0-RELEASE-i386-memstick.img    880.4 MB


And which Free BSD disc should I download? I'd rather have one that I can fit on a CD, but at the same time when I install software on BSD (however you do that) I don't want to download much off the net. What is the difference between disc1.iso and dvd1.iso? Will the DVD have lots of software on it so I won't have to download as much? And is there such a thing as a FreeBSD Live CD?

A lot of questions I know, but my knowledge of BSD is very low.
Title: Re: Pwn2Own hack topples Firefox on Windows
Post by: mr-bisquit on April 16, 2010, 01:45:36 PM
You need an internet connection to build FreeBSD.
If you want a complete with everything system, you have to build it.
It's best to use the bootonly.iso and set up your system that way. Networking gets configured this way.
If you have a stand alone system that you won't connect at all, then use the dvd.
Software installation is covered here, the howto, and the FreeBSD handbook plus a lot of web hints.
Disc1 is a basic system. DVD1 has enough to setup a working desktop environment.
Yes there is. Use distrowatch or frozentech for the lists and search through them.