Pwn2Yawn

by Charles Miller on March 23, 2009

For those who aren't up to speed, Pwn2Own is a competition held at CanSecWest for the last two years. The first contestant who can hack into one of a couple of laptops prepared for the competition wins a cash prize, and gets to keep the laptop. Both years the winner was a security researcher named Charlie Miller (no relation), leading to occasional amusing instances of mistaken identity.

I have nothing against my namesake, but I must say I find the premise of the competition annoying.

It is incredibly hard to believe that any security researcher is going to find a new exploit against a given operating system and set of applications over the course of a few hours of competition. It is far more likely, and has been the case so far, that competitors show up with exploits already prepared. This year's competition came down purely to a roll of the dice: which researcher would get the chance to pull their “here’s one I prepared earlier” from the oven first?1

Or to put it more bluntly, Pwn2Own provides a cash incentive for security researchers to keep vulnerabilities secret in the hope they will remain unpatched until competition day.

1 The cynic in me wonders how random the process was that selected the most headline-friendly result: “Last year’s winner hacks Safari again!”

Previously: The Time Out Corner

Next: Earth Hour, 2009