'Hacking Challenge' Winners Allege $43,000 Contest Rip-Off


It must have seemed a masterstroke of marketing genius at the time. A formerly obscure security software company organizes a series of high-profile contests aimed at showing that even with a sizable cash prize dangling as a reward, the world's best hackers can't crack a Web server protected by the company's flagship product.

The only problem: the world's best hackers did just that. And now, more than eighteen months after the Polish white hat hacker group Last Stage of Delirium (LSD) conquered the Argus Systems Group's fifth, and apparently last, "Hacking Challenge," the winners say the company still hasn't paid most of the $48,000 prize, raising the ugly specter of fraud in a contest that some security experts already criticized as a corporate publicity stunt.

"We spent the last half year looking for a lawyer of some sort, a law agency," said LSD member Tomasz Ostwald in a telephone interview. "Unfortunately because we're located here in Poland, which is very far away from the States, it isn't so easy."

Until LSD came along, hacking contests had been good to Argus. The company's "PitBull" line of security software and appliances had successfully defended against four earlier challenges, the first at the 2000 DefCon hacker convention in Las Vegas, where Argus won the conference's virtual Capture the Flag competition and the genuine respect of attendees. The company went on to prevail in the "OpenHack" contest put on by eWeek magazine, withstanding, by its count, 5.25 million attacks from 200,000 hackers. And in March of last year it squeezed out a narrow victory when a hacker named Bladez gained control of a contest machine protected by an early version of the PitBull LX product, but missed the competition's deadline by four hours.

Everything changed for Argus in April 2001 with its fifth Hacking Challenge, organized in association with security consulting firm Integralis and hardware vendor Fujitsu Siemens, and timed to coincide with the Infosecurity Europe conference in London. The competition revolved around Argus' then-undefeated PitBull Secure Web Appliance, a machine running sophisticated security enhancements to the Unix kernel built on the "trusted operating system" model cherished by the Pentagon.

The rules of the challenge were simple: Argus released an account name and password for the contest Web server, and invited all comers to log in and attempt to escalate their privileges on the machine. To win the prize of 35,000 British pounds ($48,000), an attacker had to modify one of two protected Web sites running from the server, and be the first to provide Argus with a complete and verifiable technical description of the hack. The winner, if any, was to be paid by May 15th, 2001.

'The Best and Brightest'

LSD's four-man team set up a makeshift laboratory to duplicate the target environment, and began devising an attack. Working together, they quickly developed a clever tactic that hinged on a tricky exploitation of a bug in the underlying Solaris x86 operating system. Less than 24 hours after the contest began, they'd gained complete control of the contest machine.

The group's victory made headlines in the technology press, and Argus heartily congratulated LSD, even while downplaying the significance of the winning hack. "We freely admit that in this instance PitBull did not protect the system from this exploit. Guilty as charged," the company wrote in a statement. "But the absence of PitBull would have exposed the system to thousands of other substantially less complicated attacks. ..."

If there's one thing that the competition proved, the company said, it's "that the 'best and brightest' hackers are not necessarily only the illegal ones -- the ones who would refuse to expose themselves. The members of the LSD team: Michal Chmielewski, Sergiusz Fonrobert, Adam Gowdiak, and Tomasz Ostwald, represent a breed of ethical hackers that are conscientious, professional, and extremely knowledgeable. These guys are awesome -- and I'm sure are the match of any hacker alive. Bravo boys! Well done indeed!"

Today those hackers say that Argus was less forthcoming with the prize money than with the plaudits. "We received one payment for something like $4,000, and a second one early this year was $1,000," says Ostwald, the group's spokesman. "We received $5,000 in sum, over the last eighteen months."

Instead of paying the group, Ostwald says, company CEO Randy Sandone asked LSD to settle for an amount less than the full prize money, in exchange for faster payment. The group declined. Over the next 12 months Argus made various other proposals, including a proposed installment plan of $250 a month -- which would have paid out the prize over 14 years. Finally, early this year, LSD sent Argus a formal request for payment in full, Ostwald says. In response, the company simply stopped dealing with them.

Deception and Delays Alleged

Contacted by a reporter, the receptionist at the Illinois-based company said CEO Sandone was no longer with Argus, and referred inquiries to CTO Paul McNabb. McNabb didn't return repeated phone calls, made over the course of several days, seeking comment on LSD's allegations.

But a former Argus employee, speaking on condition of anonymity, confirmed LSD's account, and described a long pattern of manipulation and false promises aimed at cheating the contest winners.

"There were people within Argus that wanted to pay these guys, but they weren't people who could actually write the check," said the former employee, who claims to have left the company on good terms. "I know they were -- and still are -- having financial problems, and instead of being straight with these guys, they were playing games... I couldn't tell you the reason for it, there was plenty of money going to other things."

Rather than pay them outright, the privately-held company proposed hiring the group as overseas consultants, and paying them the prize money as salary over time, says the ex-employee. "I didn't see the point of that." The company also used a simple delaying tactic to keep the potential scandal bottled up, convincing the hackers that their continued silence was the price of eventually getting the prize money, the former employee says. "Argus convinced them to not go public by promising to pay them, and then didn't."

Argus never held a sixth Hacking Challenge, though it still promotes its victories -- and admits to its loss -- on the company Web site. Some security pros say good riddance, believing that even honestly-run contests do little to prove that a product is secure in the real world. "They don't make much sense," says Bruce Schneier, CTO of Counterpane Internet Security. "There's not much value in them."

Ostwald and LSD say that such match-ups can only prove that a system is insecure -- not the opposite. But the group has some advice for other companies thinking of pitting their invulnerable software against the ingenuity of the hacker community: Don't bet more than you can afford to lose.

"Right now we seriously doubt that the prize money was already prepared," says Ostwald. "What we assumed was that when somebody announces a challenge, they've got the prize money already prepared for it, and have taken into account that someone might win it."

By Kevin Poulsen

