
How Effective Are Paid Hacking Contests?

The developers of messaging app Telegram believe their service is airtight. They’ll pay good money to the hacker who proves them wrong, but how much does a hacking contest actually prove?

[Image: Flickr user Madzia Bryll]

Telegram, a two-month-old messaging app for iOS and Android, promises heavily encrypted, self-destructing messages and an open protocol, and it is putting up cash to back the claim.


To win, a contestant must intercept a daily message between Telegram founders Nikolai and Pavel Durov that contains a secret email address, then write to that address explaining how the interception was done. The prize is $200,000, paid in Bitcoin. Whether or not anyone pulls it off, Telegram and its users win, argue the Durov brothers, who previously created VKontakte, Russia’s largest social network.

Several tech companies have adopted this approach as a way of testing, and advertising, the security of their products. But it has its critics, and has had them for a long time. In 1998, cryptographer Bruce Schneier wrote about why a contest is a poor metric for security:

“Contests, if implemented correctly, can provide useful information and reward particular areas of research. But they are not useful metrics to judge security. I can offer $10K to the first person who successfully breaks into my home and steals a book off my shelf. If no one does so before the contest ends, that doesn’t mean my home is secure. Maybe no one with any burgling ability heard about my contest. Maybe they were too busy doing other things… Maybe they did break into my home, but took a look around and decided to come back when there was something more valuable than a $10,000 prize at stake. The contest proved nothing.”

Durov acknowledges this, and has said that the contest will therefore remain open indefinitely, with a cash prize that grows over time. But skeptics on Hacker News point out that the contest asks entrants to follow specific rules, rules that a real attacker or a government agency wouldn’t play by. A contest can only measure the attacks its rules permit; anything outside them goes untested.

Still, tech companies hold such contests regularly, and despite their limitations they do surface real vulnerabilities. In January of this year Google announced its third annual Pwnium competition, offering up to $150,000 to anyone who could fully compromise Chrome OS; the contest was held at the CanSecWest conference in March. No one achieved a full exploit by the deadline, but a competitor known as Pinkie Pie submitted a partial exploit, which earned him $40,000. Google, of course, patched the underlying bugs promptly.

The Zero Day Initiative, which pays security researchers for responsibly disclosed vulnerabilities, takes a similar approach. It partners with Dragos Ruiu of the CanSecWest security conference (who recently made headlines with claims, so far unverified, of malware that spreads “through the air”) to host Pwn2Own, a contest that challenges hackers to exploit previously unknown vulnerabilities in a range of software and mobile devices for cash prizes. A number of winners claimed prizes this year, as did several at the mobile-focused spinoff contest held in Tokyo this past November.

But past winners of such contests haven’t always spoken well of them. Three-time Pwn2Own winner Charlie Miller has criticized the contest’s structure, saying in 2011 that several competitors who fail to win under the guidelines still walk away holding working exploits. A year earlier, Miller had refused to hand over the roughly 20 vulnerabilities he had found in his own research ahead of the contest, telling Computerworld that the contest’s bug-at-a-time model doesn’t produce any real progress in security.


“We find a bug, they patch it,” said Miller. “We find another bug, they patch it. That doesn’t improve the security of the product. True, [the software] gets incrementally better, but they actually need to make big improvements. But I can’t make them do that.”

Hat tip: The Next Web
