Last year's PWN 2 OWN contest at the CanSecWest security conference went over way better than expected (read: exploits were glorified), so this year, organizers have spiced things up by letting hackers have their way with three separate machines. The Linux, OS X and Vista-based rigs were all set up as similarly as possible in order to "make sure the attack surface was the same on all of them." For attendees in Vancouver, there sits a $20,000 top prize -- which dwindles with each passing day as restrictions on attacks ease up -- but it can only be acquired if an all-new zero-day cyber roundhouse kick is used. Anyone here going to give it a go? You get to keep the freshly victimized laptop too, you know.
Reader Comments
Talon Trax @ Mar 27th 2008 9:43AM
Is there a hacker school?
Do I look indie yet @ Mar 27th 2008 9:48AM
Yes, it's like a secret guild. You hack someone's computer and the hackmother will come to you in the middle of the night and ask if you wish to join.
Kamokazi @ Mar 27th 2008 10:19AM
Actually there is a training program where you can become a Certified Ethical Hacker:
http://www.eccouncil.org/CEH.htm
josh @ Mar 27th 2008 10:27AM
"Certified Ethical Hacker"
There are many, many security certifications. None of them are training to become a hacker, but rather a very loose test of your security knowledge (considering they are multiple-choice scantron tests, they don't even test if you could do something in practice, just that you know the correct bubble to fill in. Also, the various certifications have varying degrees of depth). The books and courses that train for the certification train for the tests (I say this having the CEH and currently working on my CISSP). There are dozens of better security books that familiarize people with attack concepts, but the best way to learn is to read that material and then socialize with people who know a great deal more (either on the internet, or the app/host/network security guys at your company), pretty much like all other knowledge.
highjumpman @ Mar 27th 2008 11:04AM
"Are you ethical?" "Yeah, and I got a certificate to prove it!"
On another note, when will they introduce Certified Ethical Politicians?
Robert @ Mar 27th 2008 11:05AM
@Do I look indie yet
You are wrong; one of the voices of the hackmother will visit you.
Mobius_1 @ Mar 27th 2008 12:22PM
"Ethical politician" is rather more oxymoronic than ethical hacker
IndiaTech @ Mar 27th 2008 5:18PM
@do i look indie yet
Just like Harry Potter?
z @ Mar 29th 2008 4:17PM
Here are two links to get you started:
http://www.2600.com/
http://www.cisco.com/en/US/products/hw/routers/ps259/index.html
Flashpoint @ Mar 27th 2008 9:47AM
First prize will likely go to someone with Autism.
Kris Janssen @ Mar 27th 2008 10:48AM
Nahhh.... they're all too busy counting cards!
Wapner, WAPNER!!!!
sayid @ Mar 27th 2008 9:55AM
Can you say bring out the whips.
chainofcommand02 @ Mar 27th 2008 9:55AM
Everybody's gonna want a shot at the MBA, of course.... The Linux and Windows machines won't get any love. Or hate, since they're hacking into them??!
Jason @ Mar 27th 2008 10:32AM
"Pwn (which rhymes with own) is a hacker term meaning to take control of a computer."
Niiiice...
Zeus.:God @ Mar 27th 2008 10:41AM
Actually, "pwn" is "own"... Only a typo; that's the way it was started and it's been a stupid meme ever since...
Kind of like "zOMG". The Z key was accidentally hit on the way to the Shift button.
Kingus @ Mar 27th 2008 11:31AM
I wonder what kind of memes would've been born from mainstream dvorak use.
Mobius_1 @ Mar 27th 2008 12:36PM
Good question! We might end up with ;MG or YWN
http://en.wikipedia.org/wiki/Image:KB_United_States_Dvorak.svg
Datacide @ Mar 27th 2008 3:24PM
And here I was thinking it was short for pawn. I guess this line makes more sense now: 'pwn teh box'
sayid @ Mar 27th 2008 9:58AM
Can you say bring out the whips.
sayid @ Mar 27th 2008 11:33AM
sorry double post.
Predator.Z6 @ Mar 27th 2008 2:35PM
How did you manage to say sorry double post when you could've just not posted the second time? :confuse:
Ohanes @ Mar 27th 2008 10:15AM
It looks like those Macs are running Tiger, not Leopard. What gives! Or is it just a random shot of people using Macs?
mcatrage @ Mar 27th 2008 10:22AM
The picture is from last year's event. If you check the link in the article, Engadget reused the picture.
Flashpoint @ Mar 27th 2008 12:23PM
TRUE HACKERS don't use Operating systems us regular people get from stores.
TRUE HACKERS build better versions of their hacked OS and rename it with a custom handle.
Gian @ Mar 27th 2008 12:50PM
@Flashpoint:
You don't know what the hell you're talking about, do you? A smart coder can use any OS to do his/her dirty work, though I would avoid a Windows box in an effort at efficiency.
Besides, most hacks are much simpler than security people would like to admit.
Gian
Erick @ Mar 27th 2008 4:57PM
@Flashpoint
I don't want to make it seem like I'm picking on you, but dang dude. You don't really have a clue what you are talking about. A hacker will use whatever gets the job done. Be it Vista, Ubuntu or Tiger. To paint hackers with such a broad brush, saying they are above simple consumer-oriented operating systems, tells me you watch too much "The Net" and "Matrix". Man.
Mark @ Mar 27th 2008 10:15AM
20k prize? after taxes in canada? .. anyone?
OneLove @ Mar 27th 2008 10:21AM
$10
Aural-Sets @ Mar 27th 2008 10:39AM
OneLove:
19.6k The U.S. Dollar is tanking.
Rob @ Mar 27th 2008 10:44AM
no tax on prize winnings in Canada. if you win $20000 you keep it all, unlike the states.
rv @ Mar 27th 2008 11:12AM
That's crazy. If you were to win a 100 million dollar jackpot, 40 mill is taxed away here, I believe. No tax would be sweet, but then again, I've (sadly) never won a jackpot.
Jason Miller @ Mar 28th 2008 9:26AM
We've actually been at parity for a bit now - so it would be almost the same here as in the states. Also, Canada DOES deduct taxes from lottery-obtained income. (4% I believe).
Flashpoint @ Mar 27th 2008 10:16AM
I want someone to hack the oil companies and redistribute their billions back into the pockets of people who don't even drive cars, but, must suffer air pollution.
Mark @ Mar 27th 2008 10:22AM
ok hero.
y3k.nik @ Mar 27th 2008 10:26AM
Robin Hood much?
Please don't tell me you are sitting down on your computer wearing green tights, cause honestly, I really don't want that image in my mind.
Kamokazi @ Mar 27th 2008 10:28AM
Yes, because we all know that no other products they consume produce air pollution. And then we can go after Gun, Tobacco, and Alcohol companies for killing people. Because it's totally their fault for forcing people to buy and abuse their products. Because we can't hold individuals responsible for their own actions. Everyone would be perfect without evil companies making us buy their crap.
Erick @ Mar 27th 2008 10:38AM
@Flashpoint
After bypassing your mom's Belkin firewall, I would add a bunch of bookmarks to your FF to various economic resources that would educate you on how capitalism works and how it benefits you more than a communist system of taking one person's money and handing it to another person who doesn't deserve it.
Then I would modify your DNS settings so that all the blogs and forums you attempt to go to forward to sesamestreet.com, because it's apparent you need that more than we need you contributing to this blog.
giuliop @ Mar 27th 2008 11:08AM
http://pbfcomics.com/?cid=PBF205-Robin_Hood.jpg
letstakeawalk @ Mar 27th 2008 1:11PM
Hmm, how can I use a computer to take the profits earned by an oil company, and then put them into my own account?
Better call my stockbroker and ask what software he's using. You do realize the oil companies are publicly-owned and traded, right? That means anybody can be making profits right now, as long as they own stock.
Whingnut @ Mar 27th 2008 1:36PM
Just because you don't drive a car doesn't mean you don't use oil. How do you think the generators that produce the energy used by the computer you're typing on operate? Odds are you're not using solar, hydro, wind, or nuke. And even if you were, do you think that equipment was manufactured in a 100% green facility?
James @ Mar 27th 2008 10:31AM
looks like no one has won yet on the first day of the contest. perhaps day two will reap something.
see: http://dvlabs.tippingpoint.com/blog/2008/03/26/day-one-cansecwest-pwn-to-own-results
Aitor @ May 10th 2008 7:30PM
2 thoughts:
1. There is no possible way to set up Windows to behave like OS X or Linux; they would have to rewrite the whole thing :-P
2. I know the most powerful DoS attack for Windows ever (sadly, I can't travel to USA right now and win the prize) --> just turn on the Windows machine and wait ;-D
simon @ Mar 27th 2008 1:05PM
the contest is in Vancouver
Adam @ Mar 27th 2008 1:10PM
LOL
True, a BSOD is imminent!!!
The Dude @ Mar 27th 2008 4:00PM
Watch out you guys, this guy's got jokes.
palehorse @ Mar 27th 2008 11:45AM
I'd simply like to see a breakdown of each of the configs after the event.. how the hell can you set up a Linux box JUST LIKE a Winblows box that is set up JUST LIKE an OSX box!? The differences between the OS' just seem too profound to make that possible...
weird.
josh @ Mar 27th 2008 12:35PM
There is some level of baseline you can set up. For example, have the default firewall enabled in Vista and OS X with default settings (so you can test the secure defaults), OR set it up so that they all have the same firewall rules. Likewise you can keep UAC on to mimic sudo. The complexity comes from what applications are installed. Try to make sure that each has the same type of default applications (Firefox for Linux, IE 7 for Vista, Safari for OS X) to mimic what the average user is likely to choose on each of those systems. If you were trying to come up with a baseline workstation environment, you could do a pretty good job creating comparable systems.
palehorse @ Mar 27th 2008 12:57PM
I guess it's the word "Linux," being the most generic, that gave me the most pause. Security on random Linux builds has always been entirely dependent on library versions, active services, service versions, etc.
IOW, since there's really no "default install" for linux, it's hard to imagine a direct comparison to such an install in Vista or OSX.
The main reason I'd like to see the specific builds is so that I can recreate them for use in my own pentest lab(s) and wargaming at work... ;)
josh @ Mar 27th 2008 2:01PM
Well, you do have default installs for various distros. For example, Ubuntu installs with certain apps by default, as does Red Hat, etc.