Three-time Pwn2Own winner knocks hacking contest rules

Miller takes contest to task, says it encourages researchers to 'weaponize' exploits that may not be taken off the table

By , Computerworld |  Security, pwn2own

Organizers of Pwn2Own on Sunday defended the hacking contest's rules after a three-time winner criticized the challenge for encouraging researchers to "weaponize" exploits.

The contest, which starts March 9, pits researchers against four browsers -- Apple's Safari, Google's Chrome, Microsoft's Internet Explorer (IE) and Mozilla's Firefox -- as well as against smartphones running Apple's iOS, Google's Android, Microsoft's Windows 7 Phone and RIM's BlackBerry OS.

By Pwn2Own's rules, the first researcher to hack Firefox, IE or Safari, or each of the smartphones, wins a cash prize of $15,000. Taking down Chrome earns $20,000.

The order in which researchers will tackle a target is assigned by a random drawing, and the contest is winner-take-all: Only the first to hack a browser or smartphone walks off with the money.

And that has Charlie Miller, an analyst for the Baltimore-based consulting firm Independent Security Evaluators (ISE) -- and the only researcher to have won at Pwn2Own three years running -- upset.

"I'm disappointed in how many people have signed up [for Pwn2Own] and how few will win prizes," Miller said in an interview Friday. "What happens to all these other exploits that don't win?"

Miller drew the fourth and final spot for Safari, the browser he's exploited each of the last three years at Pwn2Own. Along with Dion Blazakis, who also works for ISE, Miller is slated to go second in the iPhone hacking challenge.

Being first at Pwn2Own is critical to success, since the level of competition is so stiff, a fact noted not only by Miller but also by Dan Holden, the director of HP TippingPoint's DVLabs, the contest's sponsor, in a separate interview Friday.

Miller's point is that with so many contestants -- TippingPoint has said this year's list is the largest ever -- some researchers will go home empty-handed. But the vulnerabilities they find and the exploits they create will not be taken off the market.


Originally published on Computerworld.