Google Puts a Whopping $20K on the Line to Crowdsource Chrome Security
Google's $20,000 reward for a successful Chrome hack might just be a clever -- and cheap -- way for the company to find new talent and shore up Chrome security. It amounts to exploitation, said Fairfield University publicist Joan Grant. "Yes, it's good PR. But it's also a chance to suck the brains of hungry hackers who want to make a name for themselves, and maybe pay a few bills. $20K is chump change for Google."
Feb 3, 2011 11:57 AM PT
Ever hunting for a better digital vaccine, HP's TippingPoint DVLabs announced a partnership with Google Wednesday that has the scions of search cosponsoring a hacking contest at the CanSecWest security conference in March.
"This is a part of the 4th annual Pwn2Own contest," Google spokesperson Eitan Bencuya told TechNewsWorld. "The complete rules and explanation are detailed on the Pwn2Own contest's blog."
Successfully hack into the Chrome Web browser, and Google will fork over US$20,000 and a Chrome CR-48 notebook. The contest shouldn't be confused with hacking into Chrome OS on a CR-48 notebook, however. Hackers will be attacking Chrome running on Windows 7 or Mac OS X.
Some call the contest a cheap way to discover software vulnerabilities and new talent. Others call it an elaborate vote of confidence from the Big G itself. To Scott Vernick, a privacy and data security attorney with Fox Rothschild, the prize is probably a little of both.
"Better buzz, better security and a better vibe with hip technorati -- Google's recent change in leadership signals its intent to remain cutting edge, and security continues to be top of mind for the computer behemoth," Vernick told TechNewsWorld. "Offering a prize, particularly related to Google code, not only means better security, but also reinforces Google's image as the company to beat."
The Chrome Web browser incorporates "sandbox protection": A digital sieve segregates malicious or suspicious scripts so they can't attack the browser or the computer it's running on.
Escaping the sandbox is supposed to challenge hackers at a keyboard in much the same way sand traps challenge Tiger Woods on the golf course -- but for far fewer prize dollars. Like Tiger striking at that little white ball, Pwn2Own contestants will hack away at their digital scripts, trying to get them ether-borne for a birdie, smack in the center of Google-written code.
And that's only for contest day one. Absent success, on days 2 and 3 Google will continue to mine for hacks with $10,000 for a non-Google code escape and another $10,000 for the bug that brings it all down.
Tech pundits are praising Google as the first browser vendor to throw down such a heady gauntlet -- the largest Pwn2Own award ever, and for hacking a browser that's never been hacked. Safari, Firefox, Internet Explorer -- all brought down at Pwn2Own. But not Chrome.
"Exploitation" was the word Fairfield University publicist Joan Grant used, however, viewing the contest through the lens of experienced public relations.
"You can see that a mile away," she told TechNewsWorld. "Yes, it's good PR. But it's also a chance to suck the brains of hungry hackers who want to make a name for themselves, and maybe pay a few bills. $20K is chump change for Google."
Grant may be onto something.
"After Peter Vreugdenhil demonstrated his IE8 hack last year, we relocated him from the Netherlands to join our team," DVLabs security research manager Aaron Portnoy boasts in the Pwn2Own announcement.
DVLabs is adding $105,000 to this year's contest -- still a bargain by professional recruitment standards.
Pwn2Own 2011 "will focus on two main technologies: web browsers and mobile devices," Portnoy explained. "Each contestant will have a 30-minute time slot in which to complete their attempt, not counting time to set up possible network or device prerequisites."
Apple, Mozilla, Microsoft and Google will offer up their browsers for attack, alongside Dell's Venue Pro running Windows 7; iPhone 4 running iOS; BlackBerry Torch 9800 running BlackBerry 6 OS; and Nexus S running Android 2.3 (Gingerbread) in the mobile device category.
"A successful attack against the mobile devices must require little to no user interaction and must compromise useful data from the phone," Portnoy explained. The more malicious, the better, such as "silently calling long-distance numbers, eavesdropping on conversations, and so forth -- any attack that can incur a cost upon the owner."
Successful hacks net competitors $15,000 and a laptop or mobile, depending on the contest. Google, of course, is sweetening the pot for Chrome hackers only.
"If I knew enough about technology, I'd hack in and tell them to keep their change," Fairfield's Grant quipped. "Apple never asks for this kind of thing, but maybe Steve Jobs doesn't have to. His stuff is just too good."