I See Dead People

By hollywood | Posted in • General, Movies, News, Products, Television

It’s been a rough couple of weeks to be a celebrity!  Who’s next?  Tony Danza?  Paris Hilton?  Yolanda Vega?!  Nobody is safe!

First we’ve got David Carradine who was apparently into some seriously kinky kungfuckery.  Turns out it was his own Five Fingers of Death that done him in.  Unless of course you believe the nonsense his family claims he was trying to uncover some deadly undercover kung fu assassins (no I’m not making this shit up!).

Then Ed McMahon (who now rests peacefully in a hermetically sealed mayonnaise jar, never before seen by human eyes, sealed by Funk and Wagnall’s on their porch since noon today) cashed in his oversized prize check a few days ago.  Hopefully he’s playing second fiddle to God these days:

Farrah Fawcett, who let’s face it, was famous more for her ability to create many an awkward teenage-boy violation-of-personal-privacy when bedroom doors were opened without knocking, than her ability to fight crime.  I can think of worse ways to go but jeez, anal cancer?  That’s seriously right up there.

Michael Jackson moon walked off stage and was Gone Too Soon.

And to wrap it all up BILLY MAYS died today too.  I get a sneaking suspicion that heaven is fairly squeaky clean (no need for Orange Glo, OxiClean or Zorbeez) so I hope he finds a hobby for eternity.  If anything I would have thought Vince “Sham Wow” would have slapchopped his way into the hereafter first (rather than slapchopping hookers).  I guess we’ll be seeing fewer of these great parody videos:

I really hope that’s it for now.  A little too much celebrity death for my liking.  May they all rest in peace.




Pwn2Own 2009 Contest Ethically Corrupt

By hollywood | Posted in • News, Opinion, Technology

I’ve been following the TippingPoint Pwn2Own contest for the last couple of years.  Last year a researcher from ISE named Charlie Miller used an exploit in a Perl library included in WebKit, the base code for Apple’s Safari browser, and won a cash prize for his effort.  In the press it was claimed he “hacked Safari in mere seconds”.  In truth it took a lot more time than that to devise the exploit and only seconds to execute it.

This year he did it again with another preplanned exploit which he says he discovered while researching last year’s bug.  Again he won a cash prize of $10,000.  And again it was claimed that Safari is exploited in seconds.

In an interview with ZDNet he said: “I never give up free bugs. I have a new campaign. It’s called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away,” Miller told ZDNet. “Apple pays people to do the same job so we know there’s value to this work.”

I have a major problem with his philosophy and feel this is a dangerous precedent to set and a bastardization of the goals of security in the first place.  I feel he has an obligation to inform Apple and not dangle a dollar amount for the how-to.

Sure he should be paid for his time and effort which is why he works at a security firm.  This contest is basically bonus money and about bragging rights.  Sitting on a bug puts the safety of other users at risk.  But he is basically demanding bribe money for bugs. Who is to say he wouldn’t give up his research to the highest bidder? I’m sure there are blackhat groups like those in Russia and China that would pay handsomely for some juicy exploits like this.

Yes there is a long history of security firms hiring hackers and there have been many questions of whether that is a good idea.  But security firms should take notice of this philosophy and not employ those who engage in this kind of behavior. It’s bad form for his employer and makes the security industry as a whole look bad by proxy. Would you hire a security company that employs hackers who blackmail for bugs to work on your systems?  If we hired his firm while I was working IT at a large New York bank I would have advised my boss to make sure he’s not on our project (and perhaps hire an entirely different firm altogether).

I’ve been in a discussion with other users about this.  There seems to be a split in viewpoint, one side saying he should let Apple and the WebKit developers know about this exploit for the betterment of everyone (for free).  The other side feels this is purely about capitalism and he has no moral or ethical obligation to tell anyone.

Some have likened it to seeing a crack in a bridge that might fail.  Are you obligated to inform someone of the problem?  What if Dan Kaminsky demanded $1 million (Dr. Evil laugh) to divulge details on the DNS BIND problem?  People would be after his head and his career would be over.  This isn’t about capitalism vs. communism as some have suggested.  It is about right and wrong.  Charlie Miller is on the wrong side of this equation.

-Hollywood




Blog Spam

By hollywood | Posted in • News

I’ve been noticing a lot of blog spam on here lately so I turned the comment system off for now.  Also found spam abuse and weird linking on the gallery pages so I updated the software and patched a number of things.  I’ve also completely blocked China and Russia from the site as they are the source for most of the bot attacks I’m seeing.  Sorry Chinese and Russian folks but them’s the breaks.  Tell your comrades to stop and maybe I’ll unblock ya.

Right now I’m reworking the site and finally getting it out of its neglected state.  I’ve gotten so sick of the way the site looked but was too busy to work on it so I let it rot.  Hopefully the research I’m doing into some real upgrades for the site will pan out.  As always I’ve got big things planned but we’ll see how reality and plans work out…

-Hollywood



