Charlie Miller, three-time winner of the annual Pwn2Own hacking contest, is tired of the way software companies fix their flaws and bugs. That is why he won't tell Microsoft, Apple and Adobe about the 20 vulnerabilities he has found in their software. Instead he will show them how to find the bugs themselves. He recently won $10,000 in the hacking challenge and has been the winner for the past three years.
He says that he wants change and that he is tired of the lack of progress in software security. He points out that companies keep releasing patches here and there, which makes the software work better but doesn't improve the security of the product. Miller finds the mistakes in the software by using what is called a "dumb fuzzer", a tool that automatically looks for flaws by feeding a program malformed data and watching where it fails. Miller found vulnerabilities in Apple's Mac OS 10.6 and Safari browser, Microsoft's PowerPoint presentation software and Adobe's PDF viewer, Reader.
Miller demonstrated how he found the bugs in front of Microsoft, Apple and other vendors in the hope that the companies would listen and raise their security standards. He knows he might seem like a bad guy in some people's eyes, but he wants them to take the initiative and do more fuzzing to improve security. Maybe this is the way to put pressure on companies to do so.
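To make the "dumb fuzzer" idea concrete, here is an added Python example. It is not Miller's tooling and has nothing to do with the vendors' products; the record format, the parser and the seed input are all constructed for this example. A small parser carries two deliberate defects, a mutation loop feeds it randomly corrupted copies of a valid input without knowing anything about the format, and unexpected exceptions are bucketed by type and line so each distinct failure is reported once with a reproducer.

```python
import random
import traceback


def make_record(payload: bytes) -> bytes:
    """Build one record in a constructed toy format: [len][payload][checksum]."""
    return bytes([len(payload)]) + payload + bytes([sum(payload) & 0xFF])


# Constructed, well-formed seed input: two valid records.
SEED = make_record(b"abc") + make_record(b"hi")


def parse_records(data: bytes) -> list:
    """Hypothetical target under test: parses the toy record format.

    It contains two deliberate defects of the kind a dumb fuzzer surfaces:
    it trusts the length byte, so a record that claims more bytes than remain
    reads past the end (IndexError), and a zero-length record divides by zero.
    A bad checksum is rejected with ValueError, which is the parser's intended
    handling of malformed input and is not counted as a crash.
    """
    records = []
    i = 0
    while i < len(data):
        n = data[i]                             # declared record length
        payload = data[i + 1 : i + 1 + n]
        avg = sum(payload) // len(payload)      # defect: n == 0 -> ZeroDivisionError
        checksum = data[i + 1 + n]              # defect: trusts n -> IndexError
        if checksum != sum(payload) & 0xFF:
            raise ValueError("bad checksum")    # intended rejection
        records.append((bytes(payload), avg))
        i += n + 2
    return records


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply 1-4 random, format-unaware mutations: the 'dumb' in dumb fuzzer."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(4)
        if op == 0 and data:                    # flip one bit
            pos = rng.randrange(len(data))
            data[pos] ^= 1 << rng.randrange(8)
        elif op == 1 and data:                  # overwrite with a boundary value
            pos = rng.randrange(len(data))
            data[pos] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
        elif op == 2:                           # insert a random byte
            data.insert(rng.randint(0, len(data)), rng.randrange(256))
        elif op == 3 and len(data) > 1:         # truncate at a random point
            del data[rng.randrange(len(data)):]
    return bytes(data)


EXPECTED_ERRORS = (ValueError,)  # errors the target raises on purpose


def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 0) -> dict:
    """Run mutated inputs through target and bucket unexpected exceptions.

    Returns {(exception name, line number): first input that triggered it},
    so each distinct failure site is reported once with a reproducer.
    """
    rng = random.Random(rng_seed)               # fixed seed: reproducible run
    crashes = {}
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            target(sample)
        except EXPECTED_ERRORS:
            continue                            # graceful rejection, not a bug
        except Exception as exc:                # anything else is a finding
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            crashes.setdefault((type(exc).__name__, frame.lineno), sample)
    return crashes


if __name__ == "__main__":
    for (name, line), sample in sorted(fuzz(parse_records, SEED).items()):
        print(f"{name} at line {line}: reproducer {sample!r}")
```

The split between EXPECTED_ERRORS and everything else is the part worth copying: a parser that rejects bad input with a clear error is behaving correctly, and only the exceptions it never meant to raise point at defects. Keeping the first input for each bucket gives developers a minimal reproducer to fix and to turn into a regression test.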
We need people like him in the industry. I think I remember from Dr. Lee's infrastructure and security class that he is referred to as a "white hacker". Lucky for Apple that he has good morals and isn't hacking to be malicious. And in the long run it will motivate companies like Apple and Microsoft to develop stronger platforms, because it has to be really embarrassing that this guy finds their flaws so easily.
"White hacking" is still illegal. Yes, it is a helpful methodology, but theoretical knowledge should *really* be the only thing that they are passing on, i.e. how they would hack, rather than the results of them hacking.
I think the pressure is almost necessary though; look at how many times people have had their computers hacked maliciously. I used to have to reset my computer once every 6 months because of another virus or something bad happening. They should hire people like this to destroy the software, but then allow them to find ways to make it better.
This guy is a genius. Funny that it takes a third party to teach these companies about their own software. This guy should be running the company, and then we might not have to spend so much money securing our systems ourselves.
Why isn't he making a ton of money on speaking engagements all over the place? He doesn't have to show the companies where their software is broken. He should be teaching their security staff how to detect the problems.
It's good that at least he is letting them know that there are vulnerabilities in the system. I am in favor of white hacking because it helps us learn better, because sometimes somebody else testing our software helps, just like proofreading.