For the second year running, a security researcher has exploited a weakness in Safari on a Mac to win a contest to see how quickly a user could hack into a computer.
Charlie Miller, the winner of the Pwn2Own contest at the CanSecWest conference this week in Vancouver, BC, arrived with a prepared exploit for Safari running on Mac OS X. His prize? A cool $5,000 and the laptop he cracked, not bad for a few minutes' worth of work. The contestants this year had a choice of two systems to hack. The first was a Sony Vaio running a pre-release beta of Windows 7 with the Internet Explorer 8, Firefox, and Google's newest Chrome browsers. The second was a MacBook running OS X with the Safari and Firefox browsers.
The idea behind Pwn2Own is that it gives a sense of how difficult it is to hack into a personal computer, and further which system is easiest to hack into. Last year's contest included a Linux system as well as a Windows PC and a Mac running OS X. As it transpired, however, no one was willing to put in the time necessary to develop tools to break into the Linux platform, so there was no Linux target in this year's contest, according to a Computerworld story.
The problem with this contest is that it is attended primarily by security analysts who have identified security shortcomings (primarily in browsers and browser add-on software) as a part of their jobs but have not yet reported them. While this does in some ways simulate the real world in that a hacker could also find the security holes, it does not mirror the way the security world actually works.
The people doing the best at these contests are the very security experts who are being paid to find security holes before the hackers do and report them to the company producing the software. That way, the holes are closed before they can ever be used for malevolent purposes, or at the least the exposure periods are very brief.
In the end, this seems to be more about publicity than it is about exposing security holes so that they can be patched. This situation is a little like paying extra for protection from your local police department or the FBI. The people being paid to learn the tricks learn a new one, then use it to claim the prize, then report the security flaw. The ethics of that seem pretty fuzzy to me.