Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Three-time Pwn2Own winner knocks hacking contest rules

Gregg Keizer | Feb. 28, 2011
Miller takes contest to task, says it encourages researchers to 'weaponize' exploits that may not be taken off the table

FRAMINGHAM 28 FEBRUARY 2011 - Organizers of Pwn2Own on Sunday defended the hacking contest's rules after a three-time winner criticized the challenge for encouraging researchers to "weaponize" exploits.

The contest, which starts March 9, pits researchers against four browsers -- Apple's Safari, Google's Chrome, Microsoft's Internet Explorer (IE) and Mozilla's Firefox -- as well as against smartphones running Apple's iOS, Google's Android, Microsoft's Windows 7 Phone and RIM's BlackBerry OS.

By Pwn2Own's rules, the first researcher to hack Firefox, IE or Safari, or each of the smartphones, wins a cash prize of $15,000. Taking down Chrome earns $20,000.

The order in which researchers will tackle a target is assigned by a random drawing, and the contest is winner-take-all: Only the first to hack a browser or smartphone walks off with the money.

And that has Charlie Miller, an analyst for the Baltimore-based consulting firm Independent Security Evaluators (ISE), -- and the only researcher to have won at Pwn2Own three years running -- upset.

"I'm disappointed in how many people have signed up [for Pwn2Own] and how few will win prizes," Miller said in an interview Friday. "What happens to all these other exploits that don't win?"

Miller drew the fourth, and final spot for Safari, the browser he's exploited each of the last three years at Pwn2Own. Along with Dion Blazakis, who also works for ISE, Miller is slated to go second in the iPhone hacking challenge.

Being first at Pwn2Own is critical to success, since the level of competition is so stiff, a fact noted not only by Miller but also by Dan Holden, the director of HP TippingPoint's DVLabs, the contest's sponsor, in a separate interview Friday.

Miller's point is that with so many contestants -- TippingPoint has said this year's list is the largest ever -- some researchers will go home empty-handed. But the vulnerabilities they find and the exploits they create will not be taken off the market.

As per Pwn2Own rules, TippingPoint's Zero Day Initiative (ZDI) bug bounty program acquires the rights to the winning vulnerabilities and exploits, and swears the researcher to secrecy. ZDI then reports the bugs to the corresponding vendor, and gives that vendor six months to patch the problem before releasing any information to the public.

"There's no way I'm gonna show my exploit if someone wins ahead of me," said Miller, pointing to the Safari category, where he said it's very unlikely the browser will survive three other contestants' attacks. "So I'm not going to report that vulnerability."

 

1  2  Next Page 

Sign up for Computerworld eNewsletters.