Paying hackers to do their work

Sometimes the world of security is just too funny. I wanted to share with you a little touch on a recent hacker event to crack a Macintosh computer. Now before you go, oh, he's a Mac head, keep in mind that I'm agnostic to the OS. Actually, out of my home, I'm running a Linux server, 3 PCs and 1 Mac that has probably outlived its time. I see the weaknesses in all these machines, but this little story just cracked me up.

In a note to a friend who is interested in all things 'computer', and who works as an occasional Macintosh computer tech (what can I say? He's into video production, and the Macs seem to have a stronghold there), I relay a funny little press release:


> To: MacDudeinAtlanta
> From: Geoff
> I thought you would enjoy the irony of this press release. ... They
> actually have to pay a hacker $10,000 just to get them to hack a Mac.
> Here's the release from a very excited PR person:
> Sent: Friday, April 20, 2007 6:35 PM
> To: Geoff
> Subject: First Mac Hacked at CanSecWest
> One OSX box has been exploited at the third day of CanSecWest! At this
> point there is an exploitable flaw in Safari which can be triggered
> within a malicious web page. Of course all of the latest security
> patches have been applied. This one is 0day folks. Technical details
> will be forthcoming as the winner works out the release. There is
> still one more Mac to go. (the same flaw cannot be used again, but
> other Safari bugs are allowed). The hackers are Shane Macaulay and
> Dino Dai Zovi.
> The contest PWN to OWN launched at CanSecWest yesterday asked hackers
> to exploit two Apple Macs. Last night Tipping Point upped the ante
> and provided a $10,000 sponsorship for the first hacker to exploit one
> of the Apple Macs.

Well MacDudeinAtlanta writes back and loves the humor of this:

> From: MacDudeinAtlanta
> Sent: Monday, April 23, 2007 8:34 AM
> To: Geoff Kohl
> Subject: Re: First Mac Hacked at CanSecWest
> Yup, they had to force someone to go to a website:
> "As originally planned, the rules for the hack a mac contest
> were relaxed on Friday after nobody had won the contest on
> the previous days. In the relaxed set of rules, a URL was
> provided that exposed Safari to a "specially-constructed Web
> page" which allowed the hacker to gain shell access to the
> MacBook."


Personally, I think something is very wrong when an anti-malware security provider like TippingPoint will pay a significant wage to get someone to find a new security hole. But I guess for TippingPoint, that's a way to drive some business to their services. I still think it smells funny.