"Ethical Hackers" Attack Browsers, Operating Systems
Starting today, hackers from across North America are launching multiple attacks on the browsers and operating systems people use to browse the Internet every day, with the singular goal of exploiting their weaknesses to get their hands on some cash.
But there’s no need to swear off online shopping in hopes of protecting your credit card numbers; this is part of an “ethical hacking” contest called Pwn2Own featured at CanSecWest, which starts today and runs through Friday in Vancouver.
Contest entrants are given three days to pry their way into several widely used browsers (Chrome, Firefox, Safari and IE), desktop operating systems (Windows 7 and Mac OS X Snow Leopard) and mobile phone operating systems (Windows Phone 7, iOS, BlackBerry 6 OS and Android). Prizes include cash – up to $20,000, depending on the program compromised – and the machine the hacker compromises (hence the name: pwn it, then own it). After the contest, the vendor is handed the details of each vulnerability and given the chance to ship a fix before those details are made public.
Apple and Google have been preparing for this for weeks, scouring their programs’ code and releasing patches for security vulnerabilities by the dozen, including 25 Chrome security fixes this morning. Microsoft and Apple both felt the sting of defeat last year, though perhaps it was sharper for Microsoft, whose fully patched 64-bit Windows 7 fell through IE, and which hasn’t released any IE updates in advance of this year’s Pwn2Own.
Critics of ethical hacking worry about participants going rogue – that is, being tempted to exploit those same weaknesses for their own gain. Others argue that, while what happens on the contest floor is sanctioned, many participants develop their exploits ahead of time, meaning they arrive having already broken into a program without the vendor’s permission, which these critics characterize as a crime under current law, even a felony. That overstates it: the pre-contest work is done against the researcher’s own copies of the software on the researcher’s own machines, which is not the unauthorized access to someone else’s computer that computer-intrusion statutes actually prohibit; whatever legal friction exists comes from license terms and anti-circumvention rules, not from the hacking laws. Some go further and argue that these actions are analogous to breaking into a car to go for a joyride: While you’re not doing anything inherently harmful to the car, you’re still using someone else’s property without their permission.
But I disagree. If we left security wholly to the developers, we’d be much more vulnerable to attacks. No matter how innovative a company is – yes, even Google – it’s still going to suffer from a limited perspective simply because of human nature: A group of people working on a project is going to develop habits of thinking that they’re not even going to notice. Tapping “grassroots” hackers, who see the code from a different angle, to exploit vulnerabilities gets people who aren’t hemmed in by those thought processes looking at the code’s weaknesses. And when they compromise a program in a contest like this one, the bug gets reported and fixed rather than sold or quietly used, and everyone running that software ends up more secure.
Posted by Laura Williams on Mar 09, 2011