But their most interesting attack focused on the car stereo. By adding extra code to a digital music file, they were able to turn a song burned to CD into a Trojan horse. When played on the car’s stereo, this song could alter the firmware of the car’s stereo system, giving attackers an entry point to change other components on the car. This type of attack could be spread on file-sharing networks without arousing suspicion, they believe.
My question would be why try to spread it via file-sharing networks to a CD (or USB for some stereos)? How about figuring out the a station (e.g. SATCOM hacking, XM/Sirius) that a car listens to; then get within range of the car and overpower/interrupt the signal with your own?
Will a malicious digital music file fed to the stereo via satellite download have the same effect as a CD but without the need for physical access?
Q: A recent article in Computerworld quoted you as being critical of the competition for encouraging the “weaponization” of exploits en masse – can you briefly reiterate your concerns?
A: This is still a concern for me. There is a difference between vulnerabilities and exploits. The former are problems that need to be patched. But an exploit is something that can actually take advantage of the vulnerability to get code running on the system. The biggest difference is that a bad guy can’t do anything with knowledge of a vulnerability by itself, a bad guy needs an exploit.
Normally, researchers report vulnerabilities and don’t bother to actually write exploits. Writing an exploit is hard, time consuming work and doesn’t help the vendor’s patch the bug, so isn’t necessary to make.
However, at pwn2own, you need an exploit that works reasonably well if you hope to win. But, not everyone get’s a chance to win, even if they have an exploit. For each target the names of the people who want to compete are drawn at random. For example, for Safari on OS X this year, 4 people signed up.
After the random drawing, I was fourth in line. So, four of us showed up with Safari exploits, but the first team won (from VUPEN). Now, the contest is over for that target and there are three of us with exploits but nothing to do with them.
I see his point but it is interesting to think that winning somehow de-“weaponizes” an exploit. Even if all the exploits brought to the contest are used in the contest they still would be left over — researchers could say they have “nothing to do with them” afterwards whether they are used or not. The question I would ask is whether they always report the vulnerabilities related to an exploit, even if they do not use the exploit. Perhaps he is really saying that the lottery — not allowing all exploits the chance to win a prize — discourages contestants from disclosing all known vulnerabilities.
Apple on Monday patched 56 vulnerabilities, most of them critical flaws that could be used to hijack machines, as part of 2011’s first broad update of Mac OS X.
Among the fixes was one for a vulnerability that four-time Pwn2Own winner Charlie Miller didn’t get a chance to use at the hacking contest earlier this month.
Publishing visual poetry as a frozen gif image makes a lot of sense when you consider how little integrity control one has in publishing with markup languages like HTML, even with style sheets.
A documentary by BBC4 explores views of risk in terms of cultural clues and imagery. It interviews numerous experts to reveal the origins of The Great Wave off Kanagawa print, and shows how it has represented very different things to different people.
The Japanese viewer apparently sees groups of men set together in harmony with nature to achieve success — possibly a spring-time catch of bonito fish for a hard-working crew returning as quickly as possible to a market. The huge, towering wave is not an image of despair but of power and collective effort. Toshio Watanabe, a Japenese Art Historian, explains:
(1:14/10:04) “It’s depicting, basically, speedboats like DHL or FedEx.” […] (9:14/10:04) This is an image of courage and perseverance because the oarsmen have a job to do. “There are so many rowers because they need speed and they are not worried about the waves at all. They are taking it in great stride.”
Dr. David Peat, a Physicist at the Pari Center in Italy (among several others) suggests a very different effect for a viewer from the West. He sees the Great Wave as a moral lesson for an individual, which centers around mortality, anxiety and a fear of the unknown (based on chaos theory):
(5:40/8:25) It’s telling us something about being on the edge of chaos; something about how we live our lives. We have to have regularity and order. But if we have too much then we become dead. So it’s telling us where life lies. It’s telling us something about ourselves. We have to learn how to live on the edge of chaos.
Although it is easy to split the views and categorize them among Far East and Western views, following the BBC’s narrative, it could be split a different way. Those who live in and around water and on small boats may look at the Great Wave as familiar and controllable; while those who spend all their time on land may look at the wave with fear of the unknown — “surf’s up” versus “run”. Which are you?
a blog about the poetry of information security, since 1995
