Dino Dai Zovi, the New York-based security researcher who took home $10,000 in a highly publicized MacBook Pro hijack on April 20, has been at the center of a week’s worth of controversy about the security of Apple’s operating system. In an e-mail interview with Computerworld, Dai Zovi talked about how finding vulnerabilities is like fishing, the chances that someone else will stumble on the still-unpatched bug, and which operating system, Windows Vista or Mac OS X, is the sturdiest when it comes to security.
On Friday, the vulnerability was first named as being within Safari, but by Monday, QuickTime was tagged. Why the confusion?
I knew exactly where the vulnerability was when I wrote the exploit; that is part of the basic vulnerability research normally required to write a reliable exploit. I purposely did not reveal where precisely the vulnerability was in order to prevent others from reverse engineering the vulnerability from those details. Initially, I was only revealing that the vulnerability affected Safari on Mac OS X, the target of the contest. However, now ZDI [3Com TippingPoint’s Zero Day Initiative] has been willing to publicly reveal that it affects many more system configurations, including all Java-enabled web browsers on Mac OS X and Windows if QuickTime is installed.
As you were working with the vulnerability and exploit, did you know that it would affect non-Mac OS X systems?
I had suspected that it might affect other platforms running QuickTime, but I did not have time to look into it.
You found the vulnerability and crafted an exploit within 9 or 10 hours. And you’ve said ‘there was blood in the water.’ Does that mean you had a head start, in other words, prior research, or was it all built from scratch? Is it really that easy to dig up a vulnerability?
I had found other vulnerabilities in Mac OS X and even QuickTime in the past, so I had some familiarity with the code, but I only discovered this vulnerability that night. My quote that there was “blood in the water” referred to the fact that there were reports of other vulnerabilities in QuickTime, and even Java-related vulnerabilities in QuickTime over the last few years. In my experience, if a certain software package has had vulnerabilities in the past, it is more likely to contain other undiscovered vulnerabilities.
Halvar Flake and Dave Aitel, two prominent security researchers, use the fishing metaphor to explain vulnerability finding. Some days you go out and catch nothing, some days you catch something great. Sometimes you hear about some great fishing happening in a stream somewhere and there are plenty of fish to catch until everyone else starts fishing there and the stream becomes overfished. In this case, I suspected that there would be good fishing in QuickTime and I got lucky and found something good in a short amount of time. This is far from the first time that I’ve gone fishing for vulnerabilities, however.
After the positive identification of the vulnerability, there were some unconfirmed claims that your exploit had been snatched at CanSecWest. Although those reports have been dismissed, what can you tell us about how you protect your findings? And what are the chances that someone will independently dig out the vulnerability based on the limited information made public?
I do everything that I consider reasonable to protect my security research. I keep exploits in encrypted disk images that are only mounted when necessary on hardened systems that are not always powered on. I am very conservative in what details I share and with whom in order to tightly control knowledge of the vulnerability. I often give my exploits non-obvious code names so that I can refer to them over non-encrypted channels without disclosing anything about them. [But] with the details that have been released so far, I believe that there is a very real possibility that someone may be able to independently dig out the vulnerability, but it won’t exactly be trivial and I hope that whoever does acts responsibly with it.
With the ongoing ‘Mac OS X is secure’ vs. ‘You’re in denial’ debate, what would you recommend to a Mac user as reasonable security precautions?
I recommend that Mac users make their primary user a non-admin account, use a separate keychain for important passwords, and store sensitive documents in a separate encrypted disk image. I think these are fairly straightforward steps that many users can take to better protect their sensitive information on their computer.
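The three precautions above, put into commands, as an added example that is not part of the interview and not Dai Zovi’s own tooling. It checks whether the current account is an admin (on macOS, membership in the group `admin`), creates a separate keychain for high-value passwords that locks on sleep and after five minutes idle, and creates an AES-256 encrypted sparse bundle that is mounted only while the documents are in use. It assumes macOS with `hdiutil(1)` and `security(1)`; `SECURE_DIR`, the keychain and image file names, and the volume name are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example, not from the interview or from Dai Zovi's own scripts.
# Assumes macOS (hdiutil and security present). SECURE_DIR, the keychain
# name, the image name and VOLNAME are assumptions for this example.

SECURE_DIR="${SECURE_DIR:-$HOME/Secure}"
KEYCHAIN="$SECURE_DIR/important.keychain"
IMAGE="$SECURE_DIR/SensitiveDocs.sparsebundle"
VOLNAME="SensitiveDocs"

# Step 1: admin check. On macOS an account is an admin account when it is a
# member of group "admin". The group list (the output of `id -Gn`) is passed
# in as an argument so the check itself can be exercised on any system.
# Exact matches only, so a group named e.g. "admins" does not count.
groups_include_admin() {
    for g in $1; do
        [ "$g" = "admin" ] && return 0
    done
    return 1
}

current_user_is_admin() {
    groups_include_admin "$(id -Gn)"
}

# Step 2: a separate keychain for important passwords. Without -p,
# `security create-keychain` prompts for the keychain password, which keeps
# it out of the process list and shell history. The settings lock the
# keychain on sleep (-l) and after 300 seconds of inactivity (-u -t 300).
# Newer macOS versions store the file as <name>-db, so check both names.
create_password_keychain() {
    if [ -e "$KEYCHAIN" ] || [ -e "$KEYCHAIN-db" ]; then
        echo "keychain already exists: $KEYCHAIN"
        return 0
    fi
    security create-keychain "$KEYCHAIN"
    security set-keychain-settings -l -u -t 300 "$KEYCHAIN"
}

# Step 3: an encrypted disk image for sensitive documents. A sparse bundle
# grows as files are added; with -encryption and no -stdinpass, hdiutil
# prompts for the image password in the terminal.
create_encrypted_image() {
    if [ -e "$IMAGE" ]; then
        echo "image already exists: $IMAGE"
        return 0
    fi
    hdiutil create -size 1g -type SPARSEBUNDLE -fs "HFS+" \
        -encryption AES-256 -volname "$VOLNAME" "$IMAGE"
}

# Mount only while the documents are needed, then detach again.
mount_image()   { hdiutil attach "$IMAGE"; }
unmount_image() { hdiutil detach "/Volumes/$VOLNAME"; }

if [ "$(uname)" = "Darwin" ] && command -v hdiutil >/dev/null 2>&1; then
    if current_user_is_admin; then
        echo "Warning: $(id -un) is an admin account. Create a separate admin"
        echo "account in System Preferences and demote this one for daily use."
    fi
    mkdir -p "$SECURE_DIR"
    create_password_keychain
    create_encrypted_image
else
    echo "hdiutil/security not available: macOS-only steps skipped."
fi
```

Run it on the Mac as the everyday account; the admin warning comes first because demoting the primary account has to be done in System Preferences after a second admin account exists. On a non-macOS host only the admin group check is meaningful, and the keychain and image steps are skipped.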
As a researcher who works often in Mac OS X, what’s your take on the amount of information that Apple releases when it patches vulnerabilities?
I think that the amount of information that Apple releases with its patches is sufficient in the level of detail for a knowledgeable user to determine the criticality of the vulnerability. They do not, however, provide guidance on the degree of criticality of the security update for less expert users. I do not think this is too much of an issue, though, as I believe that the vast majority of users should simply patch the security vulnerabilities as soon as possible regardless of their criticality.
How crucial in this case was it that 3Com TippingPoint stepped up with a $10,000 prize? Would you have bothered if the prize money had not been there?
For me the challenge, especially with the time constraint, was the substantial draw. I also hoped that the live demonstration of a Mac OS X exploit would provide some much needed hard evidence in the recent Mac security debates.
From your research on both platforms, is there a winner between Mac OS X 10.4 and Vista on security?
I have found the code quality, at least in terms of security, to be much better overall in Vista than Mac OS X 10.4. It is obvious from observing the affected components in security patches that Microsoft’s Security Development Lifecycle (SDL) has resulted in fewer vulnerabilities in newly written code. I hope that more software vendors follow their lead in developing proactive software security development methodologies.
What are you spending most of your time on these days? Last October, for instance, there were news stories that mentioned you demoed a VM rootkit to developers at Microsoft.
I recently co-authored a book, The Art of Software Security Testing: Identifying Software Security Flaws, which was just published by Addison-Wesley Professional in December. Also since around that time, I have been managing information security for a financial firm in New York City. I do still spend some of my free time researching software vulnerabilities, VM hypervisor rootkits, and 802.11 wireless client security.