Laptops 1, Hackers 0 as $20,000 prize goes unclaimed in hack challenge

Computerworld - The first day of a hacker challenge that pits researchers against a trio of laptops, with thousands of dollars in prize money on the line, ended without a winner, the contest sponsor said Thursday.

"We had only one attempt at the remote configuration of the machines," said Terri Forslof, manager of security response at 3Com Corp.'s TippingPoint unit. The vulnerability research company put up the prize money for "Pwn to Own," the hacker contest being held at CanSecWest, a security conference that opened Wednesday in Vancouver, British Columbia. "There was a lot of limelight and attention, newspapers, TV and radio broadcasts, and so I'm not sure if that played a part in scaring people away."

All three laptops running the latest versions of Windows Vista Ultimate, Mac OS X 10.5 and the Ubuntu Linux remained standing by day's end, Forslof reported.

Pwn to Own's rules for Wednesday required researchers to break into one of the three machines using a remote code-execution exploit of a zero-day -- or previously unknown -- vulnerability. At stake: the laptop and a cash prize of $20,000.

When the challenge resumes at 12:30 p.m. PDT, the laptops' exposure to attack will be expanded: Hackers will be allowed to attack any client-side applications installed by default on the computers. That means exploits relying on duping a user into following a link in an e-mail or visiting a malicious Web site -- the typical way criminals compromise computers in the real world -- will be permitted starting this afternoon. The prize for second-day exploits, however, drops to $10,000, half the amount on the table yesterday.

After consulting with the CanSecWest organizers, TippingPoint simplified the prize awards just before the conference opened to make it a "best of the best" challenge that offered only one cash prize per laptop. To balance the reduction in the number of prizes, TippingPoint doubled the dollar amounts of the top two awards. For instance, when the second-annual Pwn to Own was conceived, TippingPoint set $10,000 as the top prize and said it would issue multiple $5,000 awards.

If no one hacks into a machine today, several popular third-party applications will be added to the laptops, giving researchers more ways to break in. The case prize drops to $5,000 on Friday.

But Forslof expects to be handing out a check today. "I've heard a lot of buzz, a lot of talk about this vulnerability or that one that people say they have," she said.

Last year's CanSecWest made headlines with the debut of Pwn to Own, which was won by Dino Dai Zovi and Shane Macaulay when they hacked the one MacBook in the challenge. Their exploit of an unknown QuickTime vulnerability made even more news when some Apple users refused to accept the results and claimed that the attack was bogus.

This year's contest features three systems: a Sony Vaio VGN-TZ37CN running Ubuntu 7.10, a Fujitsu U810 notebook running Windows Vista Ultimate SP1 and an Apple MacBook Air running OSX 10.5.2.