How sexy is hacking?
Posted on 21 Jun 2010 at 17:48
Hacking is very sexy, says Davey Winder, and we should be grateful for the hacking contests that make it sexier and help keep hackers away from the dark side
A more interesting – and, I’ll admit, somewhat controversial – retort is to ask yourself how many times you’ve read stories about “security researchers” reporting vulnerabilities to an insecure product’s vendor, only for months to pass without any patch or fix being released, often without any contact from the company concerned beyond an initial “we’ll look into that” response.
I’ve even read accounts of vendors that apply the legal sledgehammer approach to such researchers, pointing out that what they’ve done is illegal and threatening them with legal action if they continue to make the details public.
The right profile
Is it any wonder then that both serious security researchers and white-hat hackers (who, believe it or not, do care about the security of the products they hack and the data of the people who use them) would turn to a more high-profile forum that’s more likely to retain the attention of such companies? And if they can earn a bit of money and some community kudos along the way, why not?
There’s absolutely no doubt in my mind that events such as Pwn2Own and the various Black Hat conferences throughout the year do an important job in creating that security focal point. If you don’t believe me, just scan the technical news stories in the weeks before any of these events and I’ll guarantee there will be story after story about vulnerabilities being patched and vendors working on fixes for exploits that are due to be demonstrated the following week.
You can be sure that the timing of such releases isn’t a coincidence, and the fact that the vendors concerned all send representatives to Pwn2Own ready to take possession of the winning exploit code from TippingPoint speaks volumes about how important this contest actually is in the security landscape.
So what lessons should we be taking away from Pwn2Own? Well, the major one has to be that – and I’m sorry to all the Mac users out there who think that only Windows is insecure – all platforms suffer from security vulnerabilities. The difference is that, out in the real world of financially driven exploits, only those platforms with the biggest market share are seen as worth attacking, because it’s those platforms that promise the biggest return on investment.
When I did my hacking some 20 years ago it was all about discovery and exploration, doing it for the thrill of the chase and to learn something new, but those innocent days are long gone. Cybercrime is now a business, and a bloody big business at that, and consequently hacking is mainly about the bottom line nowadays.
All of which means that just because some platform isn’t being hacked, it doesn’t mean that it isn’t susceptible to hacking, only that no-one can currently be bothered. That’s the myth that Pwn2Own blows apart. Indeed, in 2010 and in 2009 it was Apple’s, not Microsoft’s, products that fell first. Many security experts I know, including hackers, confide that they deliberately use the browsers with the smallest market share because they’re the most secure, even if they’re easily exploitable.
As for that question I posed in the title of this column: how sexy is hacking? The answer would appear to be very sexy indeed – and getting sexier all the time. And this isn’t a bad thing, so long as the sexy hackers remain away from the dark side and keep their white hats on (or at least some sexy shade of grey).
Perhaps the real problem, and hence the question we should be asking, isn’t how sexy these hackers are but why the security teams at the major software and hardware vendors aren’t equally hot? If, as in the case of Charlie Miller, one man with a laptop can expose vulnerabilities in the latest browsers with relative ease year after year, why can’t these multinational corporations with their multimillion-dollar budgets and hundred-strong teams of security experts find the same holes? What Pwn2Own actually does is hold up a mirror to the vendor security development world, and what it reflects is rather ugly.
Davey Winder
Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.