Ubuntu unpwned as CERN prepares to destroy Earth

And mobe explodes teacher

After three days of determined hacking and pwning, during which time the Mac and then the Windows machine toppled, only the box running Ubuntu remained standing. The Pwn2Own contest at CanSecWest pitted the three machines against hackers, with the prizes being the computers themselves. Cue smug Linux users and apologists of the other two camps. And the odd impartial commenter, of course:

The only machine truly secure from remote exploits is the one not connected to the Internet and locked in a vault.

Additionally, the user is as important a part of the machine's security as the OS is, if not more. All the security in the world won't protect a user from their own actions.

Dive Fox


Whether it's flash or nvidia drivers, proprietary code is a security problem. It's all right when it works but I'd feel safer if all those who put these little black boxes in the Linux platform would open source them or be replaced with things like gnash (when it's finished) and the nvidia nouveau driver.

Otherwise there will always be something you'll never be sure of security-wise.

Martin Owens


Be nice to know how many hours were spent on creating each hack.

That would give some indication of a) the difficulty of finding the exploit and b) any hacker bias for/against an OS, as I doubt equal time was spent on the Linux hack, as it's much more sexy to hit the big guys.

toxic monkey


Although this competition does have some interesting and useful points - and a largely unnoticed one is that "new and shiny" doesn't always equate to "safe and sound" (pricey new hardware and OS often are "protected" for a while by their scarcity on the ground) - it pretty much sews up what most IT professionals have known for years: a "home" platform, regardless of its merits, will fall to a determined hack when it is attacked. This is why major ISPs are removing as much damaging capability on their consumer networks as quickly as possible. Reduce the attack surface from the little farmers with their pitchforks and torches, and everyone can sleep tonight.

Hence the topic: what about a serious server pwn2own contest? Get three major server vendors - like IBM, HP, Sun, etc. - to provide a nice mid-class server platform configured for a "typical" firewall task. A web server, mail server, ecommerce server, etc. Three different OS and hardware platforms (Power/AIX, Intel/Windows, SPARC/Solaris), also patched and configured by the vendors to spec. Then let the games begin: whoever can get the target server to spew unauthorized scripting (should be a suitably innocuous script provided as the test piece by the event organizers) wins. Get the vendors to kick into the kitty for a prize (most competitors won't REALLY want a blade server and disk farm to take home, will they?) and see what comes out of this.

I think this would be an important twist in that we'd see what the world would look like if it were reduced to a Utility Computing cloud, with end-users effectively defanged and all work housed inside the Fortress Data Center. I'm sure the result would show the World is not safer in the castle than it is in its huts today. But the lesson needs to go on record just the same.

Mine's the delivery order with 2 pizzas and a twelver of stout, wrapped in the thermal blanket...

Brett Brennan


In a damning indictment of the safety of wireless technology, a recent controversial experiment saw a teacher's head actually explode when exposed to a deadly cocktail of Wi-Fi transmissions, mobile phone radiation and emissions from a nearby TETRA mast. Okay, not really. But we had some of you going. Admit it.

I've just taken a sledgehammer to my wireless router. I'm now in a Wi-Fi cold-spot.

AJ-NI


It's all down to focussed microwave radiation.

The phones were acting as an antenna that drew in and focussed the radiation from the school's industrial strength microwave oven (anyone having tried microwave popcorn in one will know that the bag catches fire in a minute or two).

The nature of the phone signals means that the microwave radiation is reverse-phased, which defeats the normal shielding.

The focussed radiation then rapidly boils the fluids in the brain resulting in the usual 'egg in a microwave' situation.

Elmer Phud


"... In the interests of good taste the Reg has refrained from linking to the vid. ..."

You blew it! I was totally suckered in until you gave the game away with that completely ridiculous suggestion!

Anonymous Coward


Many years ago, The Guardian published a story about a new automated bus control system for London. All buses were to be driverless, and controlled remotely by operators who would view the traffic through a CCTV mounted in the driver's cab, connected in real time to a video screen in the control centre. One operator in the centre would be able to control up to five buses simultaneously, tests had shown.

I was so taken in, I nearly posted it to risks@csl.sri.com

A few years later, a net-friend who was an aviation specialist published a story that the flight crew on an Airbus A320 had experienced an outage of the flight control system on approach to landing. When they tried to restart the system, it gave a message saying "PIN not recognised". Apparently, this was due to Airbus using second-hand ATM chips to build their on-board systems.

The "incident" turned up a few months later in the final year undergraduate dissertation of one of my software engineering students, quoted without irony as an example of the risks from computer systems.

A few years after that, I broadcast my own story that Airbus had subcontracted the maintenance of the flight control software on the A320 to a third-party support firm. I had just returned from a meeting in Copenhagen, and said I had seen the story in the Danish magazine "Godaj" ("Hello" in Danish). I said that the head of the third-party support firm was Wolf Larssen (the villain of "The Sea Wolf" by Jack London) and quoted him as saying that he was not worried that the original developers of the flight control system would not give him the source code, since his employees could download the binary and de-compile it.

At least three experts in safety-critical avionics were totally taken in and expressed their concern to the discussion group on which I had broadcast the story. I was still receiving concerned enquiries 5 years later from people who had read it in the archives, and hadn't noticed the date on it.

Moral: Make the spoofs believable, but perhaps not *too* believable! :-)

Peter Mellor
