Comments on Security: On the failings of Pwn2Own 2012
Blog by Chris Evans. Comment feed last updated 2024-03-18T04:40:58-07:00; 9 comments, newest first.

Anonymous, 2012-11-05T09:26:16-08:00:
I'd hope the point of the contest was more than "to show that you can be hacked regardless of platform". As any 2-bit technologist will tell you, this is true even without entertaining examples. We don't need a contest for that; actually, I'd hope no such contest existed, as it's essentially handing out cash prizes for the purpose of preparing live exploits, which would remain unpatched until caught later in their cycle. Some might not have been developed at that time, giving the loopholes more time to be closed. Full disclosure is the only way the contest is truly beneficial, at least for reasons other than entertainment, excluding the benefit of dark organizations.

Anonymous, 2012-04-02T13:58:48-07:00:
Perhaps I'm misreading these infosec business marketing scams (see: pissing match), which seem to be about whose software is better in protecting the world from unknown adversaries. However, I thought the concept of these contests was to show that you can be hacked regardless of platform. Due to how cheap exploitation has gotten over the years, seeing the skills of different defense contractors compete in an exploit-writing contest is a win, as now there's more information out there. There's now content for media people such as Google to be able to discuss, especially now since this "trade" has escalated into a different order of business within the past couple of years.

Having more of this type of data actually opens up a chance to know your enemies (like csoghian is able to write about). And it's incredibly useful data if you know that your enemy commonly does "research" at a national level. The end goal appears to be a live demonstration of an arms race in a format that people could be entertained by. But likewise, it would be just as entertaining if representatives from non-democratic locations would be interested in demonstrating their skillsets/pockets.

dragosr, 2012-03-31T09:46:07-07:00:
I have this theory that, no matter what the prize is, some exploit researcher (with a 37.8% chance of it being the grugq) will complain that the market value of the exploit is much higher than the prize offered, in an attempt to inflate the estimation of exploit pricing, regardless of whether that researcher actually has an example of said exploit or not.

Jimmy Bergman, 2012-03-30T23:25:51-07:00:
Another concern is that Google sponsoring $60k for sandbox escapes with Pwnium for sure means that no one sane would ever submit them at $3133.70 in the rewards program. Regardless of whether $60k is enough, $3133.70 isn't, especially now that you set the bar higher.

Instead, people who do think $60k is worth it will wait for the next year, causing people to be unprotected for a lot longer than if the $60k-for-sandbox-escape reward was permanent in the rewards program.

Anonymous, 2012-03-30T17:07:59-07:00:
There is no upper limit that could be set here. Some people would go for 60k but some others would not. FYI, I sold a reliable 0day Firefox exploit for 120k last month.

Anonymous, 2012-03-30T16:23:34-07:00:
@Anonymous: Vincenzo and Willem both have good paying jobs in the security industry and they decided to go for the 30k USD in Pwn2Own. And they're both smarter than 95% of the cats out there; so some people with a real job in IT security do go for less than 60k USD.

Chris Evans, 2012-03-30T08:17:29-07:00:
@Anonymous: thanks for the comment! I actually had some interesting exchanges with researchers (with real jobs ;-) after Pwnium. One guy thought he might be able to do something at the $40k level and the other one at the $60k level. The logistics simply weren't in line for them this time.

Anonymous, 2012-03-30T08:00:34-07:00:
You forgot to mention one important thing.

The only people participating in PWNIUM were: someone from a poor, poor country where 60k USD is a lot of money, and the other one, whose identity you keep hidden, is a student.

While both might be security researchers, they do not have well-paid jobs in the security industry. Fact is that everybody with a real job in IT security did not go for the 60k USD.

saso, 2012-03-30T01:20:29-07:00:
And the Firefox bug was actually also already known and fixed...

https://www.mozilla.org/security/announce/2012/mfsa2012-19.html