Hacker Super Bowl pits Mac OS vs. Linux, Vista

March 27, 2008, 10:17 AM —  IDG News Service — 

It's the most anticipated matchup in the hacker world: Linux versus Mac OS
X versus Vista. Who will get hacked first?

That's what organizers of the CanSecWest security conference hope to discover
this week as they give show attendees a shot at hacking into the three laptops
they've put on display here in Vancouver.

The catch? They have to use a brand-new 'zero day' attack that nobody has seen
before. The prize? US$20,000, plus you get to keep the laptop.

Show organizers are calling the contest PWN 2 OWN. Pwn (which rhymes with own)
is a hacker term meaning to take control of a computer.

$20,000 may sound like a lot of money, but show attendees say that top-quality
computer attack code could easily fetch that much, either from security
vendors like iDefense or TippingPoint who purchase this type of software, or
from one of the three-letter U.S. government agencies said to be in the market
for this type of code as well.

Charlie Miller, best known as one of the Independent Security Evaluators researchers
who first hacked the iPhone last year, said he's participating, not for the
cash prize, but for the thrill of seeing whether or not he can be first to hack
one of the computers. "For me it's the Super Bowl of security research,"
he said. "I'm a competitive guy."

By late Wednesday, the first day of the contest, nobody had even tried to hack
the three laptops. This wasn't exactly a surprise to the contest's organizers
because on day one attackers were only allowed to use network-based attacks
that involved no user interaction. Those types of attacks are extremely rare
these days.

Miller said that he will drop his exploit code on the MacBook Air Thursday,
once the rules relax a bit and the hackers are allowed to try attacks that require
user action such as visiting a malicious Web site or opening an e-mail.

There is a downside to waiting until Thursday, however. The prize money drops
in half each day. If no one has claimed the laptops by Friday, the prize bottoms
out at $5,000 and organizers will start installing non-standard software on
the machines to see if they can be compromised through programs such as Skype.

Last year's contest generated a lot of attention, but it featured only one
laptop: a MacBook Pro. It was won by researcher Dino Dai Zovi, who wasn't at
the conference, but asked a friend to run his attack on the machine. Dai Zovi
showed up in person at CanSecWest this year, however, making him another prime
candidate to win the prize.

With three laptops to choose from this year, the 2008 contest is a bit of a
horse race.

"It will be interesting to see which one goes first," said Aaron
Portnoy, a researcher with TippingPoint, the company that has put up the prize
money. "We've tried really hard to make sure the attack surface is the
same on all of them."

Related reading

- One year after Mac hack contest, Linux & Vista may be tested

- Hack-A-Mac contest and the Mac faithful

- $10,000 Mac hack affects Windows too
