
How sexy is hacking?

Posted on 21 Jun 2010 at 17:48

Hacking is very sexy, says Davey Winder, and we should be grateful for the hacking contests that make it sexier and help keep hackers away from the dark side

Bad news if you fancied earning a few thousand dollars: the annual Pwn2Own hacking contest has come and gone for 2010.

Held alongside the CanSecWest security conference in Vancouver at the end of March, Pwn2Own has become famous – or infamous – for offering financial rewards to those who can perform particular hacks on the most popular hardware and software, devices, clients and operating systems.

You can guarantee that tech journalists (me included) as well as the broader media will garner a few sensational headlines from the couple of days’ worth of hacking activity on display. I’m not apologising, because a ripple of sensational coverage might just spark a bigger ripple of concern among those security companies whose products have been so speedily and completely trashed in the contest.

Far too often there’s no real explanatory content in such stories, which may simply reflect the fact that these kinds of exploits lie way beyond the technical understanding of most reporters. What you tend to get is either a rehashed press release or, worse still, a rehashed copy of someone else’s rehashed press release, with the addition of a bizarre headline to attract more eyeballs. I always try to go a little deeper (within whatever constraining brief I’ve been given by my publisher).

For example, when the iPhone was compromised this year in 20 seconds flat, the newsfeeds filled up with “iPhone hacked in 20 seconds” stories, most of which said nothing more than that a couple of hackers had exploited a previously unpublished vulnerability to compromise the iPhone. Few mentioned the intense hacking efforts, occupying anything from weeks to months, that had gone on before Pwn2Own in order to discover that vulnerability and exploit it so quickly on the day, which is why I preferred the headline: “The truth behind that 20-second iPhone hack”.

In this particular case I asked whether this “truth” really meant that the iPhone was insecure, seeing as many of the quick story creators were pretty much telling you not to use an iPhone because your data wasn’t safe. My conclusion was that, until Apple addresses this vulnerability, the iPhone is theoretically insecure, but only under some fairly specific circumstances and only related to certain very specific datasets.

Furthermore, this 20-second hack was actually into the Safari browser running on an iPhone rather than into the underlying iPhone OS itself.

This is hardly news: when the MacBook fell victim to hacker Charlie Miller, he also used Safari to make that happen, and when Windows 7 64-bit fell it was Internet Explorer 8 that did the pushing. Web browsers rather than OSes are the easy targets, and the weakest link as far as hackers are concerned.

A security conundrum

All of this made me ponder a broader question: namely, whether Pwn2Own and similar hacking contests and conferences are of any real value to the security community, or whether they simply serve to make hackers and hacking sexier.

Let’s look at some of the prizes on offer at Pwn2Own 2010: the total prize pool stands at $100,000 for 2010, with $40,000 of that allocated to the web browser side of things and $10,000 up for grabs to the first hacker to break Internet Explorer, Firefox, Safari and Google Chrome (although I doubt anyone will claim the last of these, as Chrome’s sandbox approach makes it a particularly difficult target for this kind of exploit).

User comments

Anything...

To keep plonkers like Tavis from releasing exploits, without giving the manufacturer time to fix it...

By big_D on 10 Jul 2010


Davey Winder

Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.

PCPro-Computing in the Real World Printed from www.pcpro.co.uk

Register to receive our regular email newsletter at http://www.pcpro.co.uk/registration.

The newsletter contains links to our latest PC news, product reviews, features and how-to guides, plus special offers and competitions.