Interview with Mac Hacker Charlie Miller
Posted by Peter James
Charlie Miller, the security researcher who recently hacked a Mac in ten seconds (using an exploit he had developed over a period of several months prior to the hacking contest), answered some questions from ZDNet’s Ryan Naraine. Miller explained a bit about how he works, about this type of hacking contest, and whether he has told Apple about the bug he exploited to win the contest. One comment to note:
I never give up free bugs. I have a new campaign. It’s called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away. Apple pays people to do the same job so we know there’s value to this work. No more free bugs.
He discusses the “value” of bugs, i.e., how much they can be sold for (but doesn’t say to whom he sells them), and claims that Apple’s Safari is quite easy to hack. As for why Google’s Chrome browser wasn’t hacked, Miller said:
I didn’t think anyone would go after Chrome, IE or Firefox. It’s all economics. It’s only hard or easy compared to what someone would pay. If Pwn2Own offered $1 million per bug for Chrome, there would be a line of people here looking to bankrupt them.
Food for thought…