pwn2own: the stakes just got higher

pwn2own picture from CanSecWests site

Update, March 27: Macbook Air pwned and owned — in two minutes!

Update, March 28: Vista laptop pwned via an Adobe Flash vulnerability.

Update, April 16: Apple issues Safari patch.

Props to the winners — and to Ubuntu Linux, which emerged unpwned!

(originally posted March 26)

SecurityFocus’ Robert Lemos reports:

On Monday, security firm Tipping Point agreed to offer up to $20,000 as a prize to the first person to compromise each of three laptops running popular operating systems in the second annual PWN2OWN Competition at the CanSecWest conference, which takes place in Vancouver this week. The boost in the bounties came after researchers criticized the company for the more modest prizes announced last week. The first person to compromise any of three laptop computers — running the latest versions of Apple’s Mac OS X, Microsoft Windows Vista and Ubuntu Linux — will receive the prize money and the laptop.

The winner has to find a previously-undisclosed vulnerability on real-world systems running the latest patches. As conference organizer Dragos Ruiu’s announcement says, “Any exploit successfully used in this contest would also compromise a significant percentage of the internet connected hosts.” Tipping Point’s Terri Forslof gives more context — and history, too, with an acknowledgement of the controversy around winner Dino Dai Zovi’s exploit of an Apple QuickTime flaw.

A lot of attention will be on Apple this year as well: they’ve just released a monster security update (80+ CVEs) along with another 13 fixes for cross-site scripting flaws in Safari. On top of that they’ve antagonized the open-source community by distributing a new version of Safari to people who had signed up for iTunes security updates … and of course Dino’s the defending winner ….

Then again with the release of Vista SP1 having garnered so much attention due to driver reliability problems, attention will be on Microsoft as well — and deservedly so: while they’ve made major progress on security, they’re the biggest target out there. My friend Sarah Blankinship is the Microsoft person-of-spoke for pwn2own, and I was talking with her right after she burned the CD with Vista Ultimate for the contest. In addition to an exploit lab and Vulnerability Discovery Demystified, the CanSecWest Security Masters Dojo of masterclasses before the conference featured a two-day “defend the flag” event on attacking and defending Windows systems; will this make people more or less likely to focus on Vista? We shall see.

[By the way, I certainly don't mean to single out Apple and Microsoft. The current list of ten most recentUS-CERT advisories has updates from Mozilla, Cisco, Novell, VLC, MIT (for Kerberos), and VMWare as well, and their cyber security alerts for this year also include Abobe and Sun. If you're looking for vulnerabilities, it's a target-rich environment on all platforms.]

Especially at a time when entire countries and subcontinents vanish from the Internet for days at a time due to cyberattacks and cuts in fiber-optic cables, and human rights organizations are under attack by malicious hackers, computer security’s a serious business. Fun contests like pwn2own play an important role by harnessing security researchers’ and software vendors’ natural competitiveness in a win/win way. Vulnerabilities found here get reported back to the vendors and fixed; and while the prizes are less than researchers might get on the public or grey markets, there’s also major cred — and of course bragging rights.

Dan Goodin adds in The Register:

CanSecWest’s Pwn2Own contests are useful because they allow us to isolate the technical strengths and weaknesses of a given platform from its popularity. Acrimonious debate has fomented for years about whether the high number of real-world Windows exploits – compared to those of OS X, Linux and other operating systems – is a natural consequence of having a 90-percent chunk of the market or the result of sloppy and insecure coding practices at Microsoft.

There’s at least some merit to the argument that organized cyber crime gangs – just like makers of popular games Half-Life 2 and Crysis – don’t write for the Mac and Linux because the smaller market shares make it impossible to get a return on the investment. The Pwn2Own contest, by offering a considerable incentive for exploits of these platforms, helps to neutralize the economic variable.

Of course it’s important not to generalize from the result of any one contest. Still, it’s an interesting data point that’s very complementary to other indications like the number of US-CERT advisories issued, number of vulnerabilities patched, price for vulnerabilities on the markets, and industry opinion.

Another valuable contribution from pwn2own, the Security Dojo, and other activities around CanSecWest including the parties: the connections that get created and knowledge that’s shared between security researchers, software vendors, IT admins, and the rest of the ecosystem. And it’s not just here. A lot of these people will be making at other stops on the “conference circuit”: RSA in a couple of weeks, and Blue Hat, EUSecWest, phNeutral over the next few months. One way to think of this is in terms of the “organizing without organizations” lens from Here Comes Everybody; others might prefer to see it as adding new arcs and strengthening weights in the “social graph” of the security community. In the end, the result is more people working steadily more effectively together towards the shared goal of making our computer-based systems more secure.

So let the games begin!

jon

PS: for those of you keeping score at home: disciplines this essay touches on include economics (vulnerability markets), pedagogy (participative learning), sociology, geopolitics, and ludology — as well as graph theory. When it comes to security, computer science is indeed a social science.