Hacking is usually an ‘underground’ sport, something nerdy Eastern Europeans do in their mother’s basements. The only time a hacker would come together to meet another hacker would be on an IRC channel. Not so anymore, with conventions like Defcon, Blackhat, and CanSecWest.
CanSecWest has an interesting contest. A hacking contest. The targets are the most common browsers: IE, Firefox, Chrome, and Safari. A new feature this year is the addition of smartphone hacking: Apple iOS, Windows Phone 7, Google Android, and BlackBerry OS. In total there is $125,000 in cash prizes. Another cool aspect of the competition: if you hack the computer running the target browser, you get to keep the laptop.
Like any good contest, there are the favorites. Charlie Miller, a software analyst from Baltimore has won the contest 3 times before. In 2009 Miller took down Safari running on an Apple in 10 seconds! He scored $10,000 and a laptop for his troubles. “Nils” (The contest allows anonymous entries) – a German computer science student, won last year, cracking Firefox, Safari, and Chrome in less than 10 minutes. In 2009, Nils broke the encryption for IE 8 the day before it was released, netting a new Sony laptop and $5k. George Hotz, the 21 year old who broke the Playstation 3’s copy protection (not to mention being the first person to ever jailbreak the iPhone) will be competing this year.
The biggest challenge this year is Google’s Chrome browser. Chrome runs in a ‘sandbox’ mode in Windows (basically insulating bugs in Chrome from affecting the underlying Windows system.) Google has put up $20,000 if someone can break Chrome’s sandbox mode in the first day.
Contests like this just aren’t cool in the computer security world. They provide vendors with information on how to improve the security of their products. When someone hacks a browser/device they also share technical information on how they did it with the contest organizers, TippingPoint. Details on the hacks aren’t released to the public until the vendor has time to fix the bug.
Pwn2Own runs during the CanSecWest conference, being held in Vancouver CA between March 9-11 2011.
