
Chrome falls in first five minutes at Pwn2Own vulnerability contest


idle

Mar 9, 2012, 8:22:46 AM
"We wanted to show that Chrome was not unbreakable. Last year, we saw a
lot of headlines that no one could hack Chrome. We wanted to make sure
it was the first to fall this year," said VUPEN co-founder and head of
research Chaouki Bekrar.

http://nakedsecurity.sophos.com/2012/03/08/chrome-pw2own-vulnerabilit/?utm_source=Naked+Security+-+Sophos+List&utm_medium=email&utm_campaign=7b5d746824-naked%252Bsecurity


--
idle
http://www.youtube.com/watch?v=wTayQhIkB58&feature=related

Stephen Wolstenholme

Mar 9, 2012, 10:48:09 AM
On Fri, 9 Mar 2012 05:22:46 -0800, idle <id...@mycomputer.com> wrote:

>"We wanted to show that Chrome was not unbreakable. Last year, we saw a
>lot of headlines that no one could hack Chrome. We wanted to make sure
>it was the first to fall this year," said VUPEN co-founder and head of
>research Chaouki Bekrar.
>
What a stupid contest. I know a champion runner. Let's have a contest
to see what happens if someone shoots him in the leg!

Steve

--
Neural Network Software. http://www.npsl1.com
EasyNN-plus. Neural Networks plus. http://www.easynn.com
SwingNN. Forecast with Neural Networks. http://www.swingnn.com
JustNN. Just Neural Networks. http://www.justnn.com


Dustin

Mar 9, 2012, 11:19:40 AM
H-Man <Sp...@bites.fs> wrote in news:jjd78p$knb$1...@dont-email.me:

> On Fri, 9 Mar 2012 05:22:46 -0800, idle wrote:
>
>> "We wanted to show that Chrome was not unbreakable. Last year, we
>> saw a lot of headlines that no one could hack Chrome. We wanted to
>> make sure it was the first to fall this year," said VUPEN co-founder
>> and head of research Chaouki Bekrar.
>>
>> http://nakedsecurity.sophos.com/2012/03/08/chrome-pw2own-vulnerabilit
>> /?utm_source=Naked+Security+-+Sophos+List&utm_medium=email&utm_campai
>> gn=7b5d746824-naked%252Bsecurity
>
> Not really a fair test as it was specifically targeted. OTOH, that's
> what happens when one makes bold and arrogant statements. Thanks for
> posting this Idle, I found it interesting.
>

That was the point. Chrome had been proclaimed unhackable. A targeted
attack is the way to go in this case. It serves several purposes, shows a
vulnerability which renders the software far from "unhackable". Double
shot of egg on developers' face for being so arrogant with the claims.

An "unhackable" app wouldn't be vulnerable to a targeted attack as it
would have no exploitable zones. Obviously, in reality this is impossible.
Too many variables. Nothing is unhackable.


--
Character is doing the right thing when nobody's looking. There are too
many people who think that the only thing that's right is to get by, and
the only thing that's wrong is to get caught. - J.C. Watts

Craig

Mar 9, 2012, 11:24:55 AM
On 03/09/2012 07:53 AM, H-Man wrote:
> On Fri, 09 Mar 2012 15:48:09 +0000, Stephen Wolstenholme wrote:
>
>> On Fri, 9 Mar 2012 05:22:46 -0800, idle<id...@mycomputer.com> wrote:
>>
>>> "We wanted to show that Chrome was not unbreakable. Last year, we saw a
>>> lot of headlines that no one could hack Chrome. We wanted to make sure
>>> it was the first to fall this year," said VUPEN co-founder and head of
>>> research Chaouki Bekrar.
>>>
>> What a stupid contest. I know a champion runner. Lets have a contest
>> to see what happens if someone shoots him in the leg!
>>
>> Steve
>
> Maybe so, but it does show Google that people in glass houses ...
>

Uh - that's not at all what I got from this. Pwn2Own and Pwnium are two
celebrated contests funded and designed by companies such as Google and
Mozilla to do exactly what this article describes. This is a storied
part of open source community history: bounties. E.g.

http://www.theregister.co.uk/2010/07/20/google_bug_bounty/

Google readily paid the chap $60K for a service they've been soliciting
from hackers for years now. And they began rolling out the fix the very
next day. Compare that with MSIE development.

Kudos to Google, Mozilla and other F/OSS communities for willingly
putting their products to the test.

--
-Craig
http://pricelesswarehome.org/

occam

Mar 9, 2012, 12:11:49 PM
On 09/03/2012 16:48, Stephen Wolstenholme wrote:
> On Fri, 9 Mar 2012 05:22:46 -0800, idle <id...@mycomputer.com> wrote:
>
>> "We wanted to show that Chrome was not unbreakable. Last year, we saw a
>> lot of headlines that no one could hack Chrome. We wanted to make sure
>> it was the first to fall this year," said VUPEN co-founder and head of
>> research Chaouki Bekrar.
>>
> What a stupid contest. I know a champion runner. Lets have a contest
> to see what happens if someone shoots him in the leg!

I know a champion runner who claims he has legs of steel. Let's shoot the
leg and see if that is so. (A better analogy, methinks.)

John Corliss

Mar 9, 2012, 3:12:49 PM
H-Man wrote:
> I had no idea, thanks for the enlightenment. Did they get their monies
> worth?

Fuck all this. The issue with Google Chrome isn't so much whether or not
it's secure from outside forces, but rather whether or not the *end
user* is secure from Google's data collecting and squealing with feeling
to the feds.

--
John Corliss BS206. No ad, CD, commercial, cripple, demo, nag, share,
spy, time-limited, trial or web wares, OR warez for me, please.
Freeware- legally obtainable, local install computer programs which you
may use at no cost, monetary or otherwise, for as long as you wish. I
filter out Google Groups posts (because of Googlespam) and posts from
rogue and-or anonymizing services because forger-trolls use them.

Craig

Mar 9, 2012, 4:58:19 PM
On 03/09/2012 12:12 PM, John Corliss wrote:
> H-Man wrote:

>> I had no idea, thanks for the enlightenment. Did they get their monies
>> worth?
>
> Fuck all this. The issue with Google Chrome isn't so much whether or not
> it's secure from outside forces, but rather whether or not the *end
> user* is secure from Google's data collecting and squealing with feeling
> to the feds.
>

@H-Man - I'm guessing so. MSIE staffing costs, just for its security
aspect, probably dwarf $60K. And thanks for the kind words wrt my post
in this.

@John - No, don't fuck it all, because we can ignore Google's role in
this conversation altogether. Mozilla, Apache and hundreds of other
communities effectively use bounties.

fwiw,
--
-Craig
http://pricelesswarehome.org/

»Q«

Mar 9, 2012, 6:17:57 PM
On Fri, 9 Mar 2012 11:38:28 -0700
H-Man <Sp...@bites.fs> wrote:

> On Fri, 09 Mar 2012 08:24:55 -0800, Craig wrote:
>
> I had no idea, thanks for the enlightenment. Did they get their monies
> worth?

In terms of good publicity, I'd say so. Tech bloggers are beside
themselves over it taking hackers so long to exploit Chrome and Google
such a short time to push a fix to users.

I hadn't known that Chrome devs were claiming it was invulnerable to
everything, but to a hacker of any hat color, that's just a
tongue-in-cheek challenge.

»Q«

Mar 9, 2012, 6:27:09 PM
On Fri, 9 Mar 2012 15:03:10 -0700
H-Man <Sp...@bites.fs> wrote:

> Personally, like you I am assuming, I avoid anything Google. Got an
> Android phone a while back, had no idea what I was in for!

Now, now, their business model depends on you giving up control of all
information you send or receive through GoogleOS. Everyone knows
you're not supposed to complain about business models. ;)


Shadow

Mar 9, 2012, 8:44:10 PM
On Fri, 9 Mar 2012 08:23:06 -0700, H-Man <Sp...@bites.fs> wrote:

>http://nakedsecurity.sophos.com/2012/03/08/chrome-pw2own-vulnerabilit/?utm_source=Naked+Security+-+Sophos+List&utm_medium=email&utm_campaign=7b5d746824-naked%252Bsecurity
>
>Not really a fair test as it was specifically targeted. OTOH, that's what
>happens when one makes bold and arrogant statements.

Which reminds me .....
Where's the guy that advertises Chrome here every other day ?
Kat bit his tongue ?
:)
[]'s
--
Don't be evil - Google 2004
We have a new policy - Google 2012

John Corliss

Mar 10, 2012, 4:22:14 AM
None of them engage in demographic data collection to the extent that
Google does. However, I must say that I don't like the unholy alliance
between Mozilla and Google.

> fwiw,

No Craig, I disagree. We can't ignore Google's role in this conversation
because they produced the software being discussed.

Bear

Mar 10, 2012, 8:14:40 AM
»Q« <box...@gmx.net> wrote in
news:20120309171...@fuchsia.remarqs.net:
I'd vote this the best response :)

--
Bear
http://bearware.info
The real Bear's header path is:
news.sunsite.dk!dotsrc.org!filter.dotsrc.org!news.dotsrc.org!not-for-
mail

Bear

Mar 10, 2012, 8:15:56 AM
occam <oc...@127.0.0.1> wrote in news:jjddki$saq$1...@dont-email.me:
Why not race him? You guys really don't get it.

Craig

Mar 10, 2012, 1:52:11 PM
On 03/10/2012 01:22 AM, John Corliss wrote:
> Craig wrote:
>> John Corliss wrote:
>>> H-Man wrote:
>>>>
>>>> I had no idea, thanks for the enlightenment. Did they get their monies
>>>> worth?
>>>
>>> Fuck all this. The issue with Google Chrome isn't so much whether or not
>>> it's secure from outside forces, but rather whether or not the *end
>>> user* is secure from Google's data collecting and squealing with feeling
>>> to the feds.
>>
>> @H-Man - I'm guessing so. MSIE staffing costs, just for its security
>> aspect, probably dwarfs $60K. And thanks for the kind words wrt my post
>> in this.
>>
>> @John - No, don't fuck it all because, we can ignore Google's role in
>> this conversation altogether. Mozilla, Apache and hundreds of other
>> communities effectively use bounties.
>
> None of them engage in demographic data collection to the extent that
> Google does. However, I must say that I don't like the unholy alliance
> between Mozilla and Google.
>
>> fwiw,
>
> No Craig, I disagree. We can't ignore Google's role in this conversation
> because they produced the software being discussed.

I expressed myself poorly. I meant, in the context of discussing
*bounties*, we don't need to "fuck all this." If a company which uses
the bounty system is outside the bounds of (whatever norm), then of
course: act accordingly.

I just wanted to comment on the bounty system; how prevalent and deeply
rooted it is in different development communities.

hth,

--
-Craig
http://pricelesswarehome.org/

Spamblk

Mar 10, 2012, 5:49:19 PM
Craig <netbu...@REMOVEgmail.com> wrote in
news:jjg7sr$iq3$1...@dont-email.me:

> I expressed myself poorly. I meant, in the context of discussing
> *bounties*, we don't need to "fuck all this."

We may not in this thread *need* to "fuck all this.", but that still means
we *can* "fuck all this.", particularly in relation to Chrome and privacy.
NB Chrome and other browsers are important tools in the gathering of
personal information and subsequent indefinite storage on a server
somewhere.

<snip>
>
> I just wanted to comment on the bounty system; how prevalent and deeply
> rooted it is in different development communities.

Indeed. It's akin to seeking out the services of external consultants.

Shadow

Mar 11, 2012, 8:27:58 AM
On Sun, 11 Mar 2012 00:53:04 -0500, WaIIy <WaIIy@(nft).invalid> wrote:

>On Fri, 09 Mar 2012 12:12:49 -0800, John Corliss <q34w...@yahoo.com>
>wrote:
>
>>Fuck all this. The issue with Google Chrome isn't so much whether or not
>>it's secure from outside forces, but rather whether or not the *end
>>user* is secure from Google's data collecting and squealing with feeling
>>to the feds.
>
>Bingo, brother.
+10