The winner of a recent
hacking contest is offering the computer he broke into for sale on eBay,
possibly with the Microsoft Vista attack code he used intact.

In a Monday
listing, Shane Macaulay is selling the Fujitsu U810 laptop he won last Friday
during the CanSecWest PWN
2 OWN contest. His listing claims that exploit code could probably still
be extracted from the machine. Although he make no guarantees, he wrote, "My
successfull [sic] exploitation of Vista SP1 remotely, is most likely still present."

"This laptop is a good case study for any forensics group/company/individual
that wants to prove how cool they are, and a live example, not canned of what
a typical incident responce sitchiation [sic] would look like."

Starting bid? $0.01.

Macaulay, a researcher with the Security Objectives consultancy, claims that
his Adobe Flash exploit will affect 90 percent of computers worldwide.

He was one of two hackers to claim laptops and cash prizes for penetrating
systems during last week's contest. Organizers offered Vista, Mac OS, and Linux-based
laptops for the taking, along with prizes that varied from $5,000 to $20,000,
depending on the difficulty of the exploit. By Friday, however, only the Linux
laptop remained unbreached.

Although he listed his laptop just hours before April 1, a date that is usually
met with widespread Internet pranking, Macaulay said the listing is no joke.
According to him, he's simply looking to see what an unpatched exploit might
fetch in the open market."I figure this is a good way to see... [what]
an exploit for something that only a limited amount of people know about, is
worth," he said in an e-mail interview.

"The system was delivered to me as my prize. I'm free to use it as I see
fit," he added.

One hacker who knows Macaulay said that the April 1 listing is "a bit
coincidental," but that he may not be worried about forfeiting the $5,000
in prize money TippingPoint paid him for his hack. "He makes good money,"
said Marc Maiffret, an independent security researcher, in an instant message
interview. "It's all just funny to him."

If he's not playing an April Fool's joke, Macaulay may be running afoul of
both the PWN 2 OWN contest rules, which prohibit disclosure of bug information
prior to a patch. He may also be violating eBay's user
agreement, which say that users may not "distribute viruses or any
other technologies that may harm eBay, or the interests or property of eBay
users."

Macaulay had some funny answers when asked about these issues.

On the eBay terms of service problem, he said that he knew "some highups,"
at the company and was "confident, when I speak with eBay they will grant
me a waiver."

And does TippingPoint know about what he's doing? "I believe at some level,"
he answered. "I'm sure things might change as the word percolates to the
executives. Maybe I shouldn't have sold the [TippingPoint] bag with the laptop!!"

IDG News Service

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine