March 23, 2009 1:56 PM

For those who aren't up to speed, Pwn2Own is a competition that has been held at CanSecWest for the last two years. The first contestant who can hack into one of a couple of laptops prepared for the competition wins a cash prize and gets to keep the laptop. Both years the winner was a security researcher named Charlie Miller (no relation), leading to occasional amusing instances of mistaken identity.

I have nothing against my namesake, but I must say I find the premise of the competition annoying.

It is incredibly hard to believe that any security researcher is going to find a new exploit against a given operating system and set of applications over the course of a few hours of competition. It is far more likely, and has been the case so far, that competitors show up with exploits already prepared. This year's competition came down purely to a roll of the dice: which researcher would get the chance to pull their “here’s one I prepared earlier” from the oven first?[1]

Or to put it more bluntly, Pwn2Own provides a cash incentive for security researchers to keep vulnerabilities secret in the hope they will remain unpatched until competition day.

[1] The cynic in me wonders how random the process was that selected the most headline-friendly result: “Last year’s winner hacks Safari again!”


Did you see the ArsTechnica coverage?

Selected Quote: "Miller said that the vulnerability he used in the contest was one that he had originally found while preparing for the contest last year. Instead of disclosing it at that time, he decided to save it for the contest this year, because the contest only pays for one bug per year."

The competition doesn't appear to add much to the overall security of the products in question. As you said, the discoverer of an exploitable bug will hang on to it (for years it seems) in order to try to get more money out of it. They will even hold on to non-exploitable bugs in the hopes that they may become exploitable in the future. In this sense the competition is actually detracting from the product's security or at least delaying its improvement.

One thing it has shown is that when the payoff is equal for all targets (i.e. $5,000 or a laptop), attackers will concentrate on the easiest target. This partially validates the argument that Macs are only safer because the payoff for making a Mac virus is less.

Hmmm... actually, some of these browsers would have to have been running on a Mac. Not all prizes are equal. I wonder how many people targeted the Mac-based browsers so that their prize would be a Mac...

I didn't read anything about Firefox on Windows being hacked this year. In fact, the two headline acts (Charlie Miller and Nils) appear to be the only two who won anything at all. It seems the hat order was irrelevant. One other guy made two exploits but had to break the rules to use them and so didn't get anything for his troubles.

Charlie also mentioned in an interview afterward that Nils could have made a lot more from his exploits than what he did by selling them somewhere else. He estimated that the IE 8 bug alone could be worth more than $50,000. That may also explain the focus on Safari. These people are doing it for the headlines, not the money. Safari bugs can't be sold for as much and hence are worth more as publicity.

Hi ya Mr. Charles Miller,
Congratulations on winning the "Pwn2Own" contest.
I just heard about your news in my country's newspaper.

Well... you took just 10 seconds to hack an Apple Mac; I have to say that you're a pro.

'People Who Admire You'
