At this year’s CanSecWest, there are three computers set up for open hacking, one running Vista, one running OSX, and one running Ubuntu Linux. Hacks must be done with a new zero-day exploit (that is, it can’t be an already known-about crack).
Organizers have worked to make the attack surface area the same on each system. That’s important because each OS comes with a different amount of pre-installed software — from Vista’s “it’s up to you to install anything useful” to OSX’s “We’ll give you a common set of simple tools” to Ubuntu’s “What do you want to do today? It’s already installed or available with a click.”
Day 1, the cracks must only be done over the network in non-user-interactive mode, and the prize is $20,000.
Day 2, the cracks must only be done against software which is already installed, but it can involve tricking the user. Prize is $10,000.
Day 3, the cracks can be done against a suite of commonly installed software, but the prize is only $5,000.
Update: Two minutes into day two, the Macbook Air was the first of the three systems to fall, due to an exploit against Safari.
Update 2: Late into the third day, the Vista laptop fell to an exploit against Adobe Flash. Ubuntu wins the contest.
#1 by Brian at March 28th, 2008
2 minutes?
He must have had a hack prepared.
That’s cheating. It may not actually be cheating, but it is against the spirit of the rules.
#2 by eric stevens at March 28th, 2008
He did have the hack prepared. His instructions to the contest organizers were, “Visit this URL: http://…”, hack accomplished.
I don’t think it’s cheating or contrary to the spirit, since zero-days don’t come along every day, and people could have prepared exploits in advance for any of the platforms.
I do wonder though what they would have done if 5 people had been standing there at the start of the 2nd contest day, each with a usable exploit against the same machine. Who wins, do they split the money?