"Ethical Hackers" Attack Browsers, Operating Systems

Starting today, hackers from across North America are launching multiple attacks on the browsers and operating systems people use to peruse the Internet every day, with the singular goal of exploiting their weaknesses to get their hands on some cash.

But there’s no need to swear off online shopping in hopes of protecting your credit card numbers; this is part of an “ethical hacking” contest called Pwn2Own featured at CanSecWest, which starts today and runs through Friday in Vancouver.

Contest entrants are given three days to pry their way into several widely used browsers (Chrome, Firefox, Safari and IE), operating systems (Windows 7 and Mac OS X Snow Leopard) and mobile phone operating systems (Windows Phone 7, iOS, Blackberry 6 OS and Android). Prizes include cash – up to $20,000, depending on the program compromised – and the machine the hacker compromises. After the contest, the developer is made aware of the vulnerabilities and fixes them before the contest details are made public.

Apple and Google have been preparing for this for weeks, scouring their programs’ code and releasing patches for security vulnerabilities by the dozen, including 25 Chrome updates this morning. Microsoft and Apple both felt the sting of defeat last year, though perhaps it was sharper for Bill Gates’ company, whose fully patched 64-bit hasn’t released any updates for IE in advance of Pwn2Own.

Critics of ethical hacking worry about participants going rogue – that is, being tempted to selfishly exploit those weaknesses with malicious purpose. Others point to the fact that, while the maneuvering that goes on during the contest is legal, many participants do research ahead of time, meaning they come into the contest having exploited a program without the developers’ permission. This is illegal under current law – a felony, in fact. Some would even argue that these actions are analogous to breaking into a car to go for a joyride: While you’re not doing anything inherently harmful to the car, you’re still using someone else’s property without their permission.

But I disagree. If we left security wholly to the developers, we’d be much more vulnerable to attacks. No matter how innovative a company is – yes, even Google – it’s still going to suffer from a limited perspective simply because of human nature: A group of people working on a project is going to develop habits of thinking that they’re not even going to notice. Tapping “grassroots” hackers, who see the code from a different angle, to exploit vulnerabilities gets people who aren’t hemmed in by those thought processes looking at code’s weaknesses. And when they compromise a program, everyone’s digital possessions become more secure.

Posted by Laura Williams on Mar 09, 2011

