PWN 2 PAWN: Why the Vista hacker turned to eBay
When Shane Macaulay tried to sell
the Fujitsu U810 laptop he won
in a hacking contest last week, it seemed almost like an April Fool's joke.
He said that a top quality hacker could probably examine the machine's hard
drive and dig up the unpatched zero-day exploit code he had used to compromise
the computer in the PWN
2 OWN contest that he'd just won. "This laptop is a good case study
for any forensics group/company/individual that wants to prove how cool they
are, and a live example, not canned of what a typical incident responce sitchiation
[sic] would look like," he wrote in his listing.
At first blush, this seemed like a clear violation of both the rules of the
contest's sponsor, TippingPoint, and of eBay's terms of service, and his listing
was pulled within hours by eBay staff. The company said it had to go because
it could have harmed users.
But Macaulay says that was never his intent. In a Tuesday interview with IDG
News he explained that Adobe Systems plans to patch his Flash bug on April 8,
the day his auction was set to end, and so he would have been practicing responsible
disclosure, releasing details of a flaw that had already been patched. The following
is an edited version of this interview.
IDG News Service: Why did you try to sell this laptop on eBay?
Shane Macaulay: I wanted to get a sense for what a market price would
be for a zero-day exploit. It's really hard to get that. To get a true price
on it violates the policy of eBay, so I had to make limited disclosures to them
and then limited disclosures to the vendors and other groups to allow that to
happen.
IDGNS: Why were you wondering about that?
Macaulay: I've been involved in several attempts to make a sale of these sorts
of items to groups that have presented themselves to me as being legitimate
users of these things. You give them the exploit or the zero-day code and they
want to evaluate it themselves before they pay you. So you can imagine how that
goes. You have no leverage in your sale and they change their price... and the
person who spent all this time and investment personally into this item loses
the ability to make any money.
IDGNS: Were you surprised that eBay took your auction down?
Macaulay: No, because I was a little rushed in my posting. I've got
an e-mail group list [at eBay] that I was going to apply to earlier in the process
and at least apprise them of the background story, and say, "Hey this is
going to be in line with the disclosure process of this vendor and [contest
sponsor TippingPoint's] Zero Day Initiative. So by the time this closes, it's
going to be non-zero-day."
It was going to afford me the chance to get at least a bidding process where
the bidders were bidding while it was zero day.
IDGNS: What do you mean by "non-zero-day?
Macaulay: That the patch was going to be available and possibly even
automatically rolled out to the users of this software. Today there's no defense.
You, the user of this software are going to get hacked. By the time the auction
would have closed, it would have been non-zero-day and it would have been patched.
IDGNS: So the auction was sent to end on April 8. When is the patch
supposed to come out then?
Macaulay: On the 8th.
IDGNS: You said earlier that this flaw would work on 90 percent of systems
out there. Why target Vista?
Macaulay: I had just done a lot of my work in the past on Windows. I'm
a very avid Linux users, but I haven't been working on Linux exploits since
2001. I'm really good at the Windows platform right now because that's where
I've been focusing all my attention for almost a decade. To go back to Linux
now would be too much of a learning experience.
IDGNS: A lot has been made of this contest by fans of different operating
systems. What would you take away from this?
Macaulay: People want to believe that they're right about what they're
using. They're very much attached to it and they use it every day, and they
really want to believe that they're doing the right thing. There's no difference
in my mind between any of them.
IDGNS: Are you going to enter the contest next year?
Macaulay: Yeah, get the trifecta going on. I've already got a number
of things probably that I could use.
IDGNS: What operating system will you target?
Macaulay: Maybe Linux, just for fun.
IDG News Service
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
VMware ESX Server in the Enterprise
By Edward L. Haletky
Published Dec 29, 2007 by Prentice Hall.
Enter now! | Official rules | Sample chapter
Green IT
By Toby Velte, Anthony Velte, Robert C. Elsenpeter
To be published Oct. 10, 2008 by McGraw Hill Professional
Enter now! | Official rules | About the book
