It’s the most anticipated matchup in the hacker world: Linux versus Mac OS X versus Vista. Who will get hacked first?
That’s what organizers of the CanSecWest security conference hope to discover this week as they give show attendees a shot at hacking into the three laptops they’ve put on display here in Vancouver.
The catch? They have to use a brand-new ‘zero day’ attack that nobody has seen before. The prize? US$20,000, plus you get to keep the laptop.
Show organizers are calling the contest PWN 2 OWN. Pwn (which rhymes with own) is a hacker term meaning to take control of a computer.
$20,000 may sound like a lot of money, but show attendees say that top-quality computer attack code could easily fetch that much, either from the security vendors like iDefense or Tipping Point who purchase this type of software, or from one of the three-letter U.S. government agencies said to be in the market for this type of code as well.
Charlie Miller, best known as one of the Independent Security Evaluators researchers who first hacked the iPhone last year, said he’s participating, not for the cash prize, but for the thrill of seeing whether or not he can be first to hack one of the computers. “For me it’s the Super Bowl of security research,” he said. “I’m a competitive guy.”
By late Wednesday — the first day of the contest, nobody had even tried to hack the three laptops. This wasn’t exactly a surprise to the contest’s organizers because on day one attackers were only allowed to use network-based attacks that involved no user interaction. Those type of attacks are extremely rare these days.
Miller said that he will drop his exploit code on the MacBook Air Thursday, once the rules relax a bit and the hackers are allowed to try attacks that require user action such as visiting a malicious Web site or opening an e-mail.
There is a downside to waiting until Thursday, however. The prize money drops in half each day. If no one has claimed the laptops by Friday, the prize bottoms out at $5,000 and organizers will start installing non-standard software on the machines to see if they can be compromised through programs such as Skype.
Last year’s contest generated a lot of attention, but it featured only one laptop: a MacBook Pro. It was won by researcher Dino Dai Zovi, who wasn’t at the conference, but asked a friend to run his attack on the machine. Dai Zovi showed up in person at CanSecWest this year, however, making him another prime candidate to win the prize.
With three laptops to chose from, this year, the 2008 contest is a bit of a horse race.
“It will be interesting to see which one goes first,” said Aaron Portnoy, a researcher with TippingPoint, the company that has put up the prize money. “We’ve tried really hard to make sure the attack surface is the same on all of them.”