IT security is not a game, so it’s kind of weird that anyone should treat it as such.
And yet a few weeks ago, an IT conference in Vancouver called CanSecWest included a hacking contest where attendees were challenged to find a vulnerability in MacBook Pro laptops. One man succeeded in finding a hole in QuickTime and was paid US$100,000 by a vendor called TippingPoint for his trouble. That contest has raised concern among some analysts at research firm Gartner Inc., which published a note urging the industry to bring such things to an end.
“Public vulnerability research and ‘hacking contests’ are risky endeavours, and can run contrary to responsible disclosure practices, whereby vendors are given an opportunity to develop patches or remediation before any public announcements,” analysts Rich Mogull and Greg Young wrote. They are absolutely right, of course, and it takes courage to say this at a time when vulnerability research is still driven in large part by the dream of solving a problem that has left others stumped. IT security is a constant contest between attackers and victims, and the ones staged at CanSecWest are really just window dressing.
TippingPoint has taken the “Hey, nobody’s lost an eye yet” approach. The company did not host the contest, an executive said, and only ponied up the prize money (which of course made it much more attractive) at the last minute. TippingPoint also maintained that the network used for the program was tightly secured and that no users were harmed through the exercise.
So what? The issue isn’t whether the winner of the contest immediately took advantage of the exploit to take down early adopters of the MacBook Pro. The fact is that the results of vulnerability research are not just something to be studied by academia. They are intellectual property, and in many ways the most dangerous kind. In this case, the information about the QuickTime hole was properly forwarded to Apple, but there’s no reason to believe that other contests would follow the same protocol, nor is there a standard practice to determine who would be responsible for doing so. For an area of data security that requires vigilant governance, hacking contests, generally speaking, have little accountability to the wider industry.
TippingPoint and CanSecWest might have done better to respond with a detailed explanation of the rules behind the contest. Their failure to do so suggests either that there weren’t any, or that they were very much rule-of-thumb. Worse yet, they might not have written anything down or had the participants sign anything that would give them any legal obligations towards affected users.
Maybe this isn’t the point. Perhaps a hacking contest is simply a way to generate ideas and get people working collectively to make sure our hardware and software are rock-solid. If someone manages to prove they aren’t, though, who are we really rooting for?