From: InfoSec News (isn_at_c4i.org)
Date: Wed Nov 27 2002 - 02:36:14 CST

    http://online.securityfocus.com/news/1717

    By Kevin Poulsen
    SecurityFocus
    November 26, 2002

    It must have seemed a masterstroke of marketing genius at the time. A
    formerly obscure security software company organizes a series of
    high-profile contests aimed at showing that even with a sizable cash
    prize dangling as a reward, the world's best hackers can't crack a Web
    server protected by the company's flagship product.

    The only problem: the world's best hackers did just that. And now more
    than eighteen months after the Polish white hat hacker group Last
    Stage of Delirium (LSD) conquered the Argus Systems Group's fifth, and
    apparently last, "Hacking Challenge," the winners say the company
    still hasn't paid most of the $48,000 prize, raising the ugly specter
    of fraud in a contest that some security experts already criticized as
    a corporate publicity stunt.

    "We spent the last half year looking for a lawyer of some sort, a law
    agency," said LSD member Tomasz Ostwald in a telephone interview.
    "Unfortunately because we're located here in Poland, which is very far
    away from the States, it isn't so easy."

    Until LSD came along, hacking contests had been good to Argus. The
    company's "PitBull" line of security software and appliances had
    successfully defended against four earlier challenges, the first at
    the 2000 DefCon hacker convention in Las Vegas where Argus won the
    conference's virtual Capture the Flag competition and the genuine
    respect of attendees. The company went on to prevail in the "OpenHack"
    contest put on by eWeek magazine, withstanding, by its count, 5.25
    million attacks from 200,000 hackers. And in March of last year it
    squeezed out a narrow victory when a hacker named Bladez gained
    control of a contest machine protected by an early version of the
    PitBull LX product, but missed the competition's deadline by four
    hours.
     
    Everything changed for Argus in April, 2001 with their fifth Hacker
    Challenge, organized in association with security consulting firm
    Integralis and hardware vendor Fujitsu Siemens, and timed to coincide
    with the Infosecurity Europe conference in London. The competition
    revolved around Argus' then-undefeated Pitbull Secure Web Appliance, a
    machine running sophisticated security enhancements to the Unix kernel
    built on the "trusted operating system" model cherished by the
    Pentagon.

    The rules of the challenge were simple: Argus released an account name
    and password for the contest Web server, and invited all comers to log
    in and attempt to escalate their privileges on the machine. To win the
    prize of 35,000 British pounds ($48,000) an attacker had to modify one
    of two protected Web sites running from the server, and be the first
    to provide Argus with a complete and verifiable technical description
    of the hack. The winner, if any, was to be paid by May 15th, 2001.

    The Best and Brightest

    LSD's four-man team set up a makeshift
    laboratory to duplicate the target environment, and began devising an
    attack. Working together, they quickly developed a clever tactic that
    hinged on a tricky exploitation of a bug in the underlying Solaris x86
    operating system. Less than 24 hours after the contest began, they'd
    gained complete control of the contest machine.

    The group's victory made headlines in the technology press, and Argus
    heartily congratulated LSD, even while downplaying the significance of
    the winning hack. "We freely admit that in this instance PitBull did
    not protect the system from this exploit. Guilty as charged," the
    company wrote in a statement. "But the absence of PitBull would have
    exposed the system to thousands of other substantially less
    complicated attacks. ..."

    If there's one thing that the competition proved, the company said,
    it's "that the 'best and brightest' hackers are not necessarily only
    the illegal ones -- the ones who would refuse to expose themselves.
    The members of the LSD team: Michal Chmielewski, Sergiusz Fonrobert,
    Adam Gowdiak, and Tomasz Ostwald, represent a breed of ethical hackers
    that are conscientious, professional, and extremely knowledgeable.
    These guys are awesome -- and I'm sure are the match of any hacker
    alive. Bravo boys! Well done indeed!"

    Today those hackers say that Argus was less forthcoming with the prize
    money than with the plaudits.

    "We received one payment for something like $4,000 dollars, and a
    second one early this year was $1,000," says Ostwald, the group's
    spokesman. "We received $5,000 in sum, over the last eighteen months."

    Instead of paying the group, Ostwald says, company CEO Randy Sandone
    asked LSD to settle for an amount less than the full prize money, in
    exchange for faster payment. The group declined. Over the next 12
    months Argus made various other proposals, including a proposed
    installment plan of $250 a month -- which would have paid out the
    prize over 14 years. Finally, early this year, LSD sent Argus a formal
    request for payment in full, Ostwald says. In response, the company
    simply stopped dealing with them.

    Deception and Delays Alleged

    Contacted by a reporter, the receptionist at the Illinois-based
    company said CEO Sandone was no longer with Argus, and referred
    inquiries to CTO Paul McNabb. McNabb didn't return repeated phone
    calls on LSD's allegations made over the course of several days.

    But a former Argus employee, speaking on condition of anonymity,
    confirmed LSD's account, and described a long pattern of manipulation
    and false promises aimed at cheating the contest winners.

    "There were people within Argus that wanted to pay these guys, but
    they weren't people who could actually write the check," said the
    former employee, who claims to have left the company on good terms. "I
    know they were -- and still are -- having financial problems, and
    instead of being straight with these guys, they were playing games...
    I couldn't tell you the reason for it, there was plenty of money going
    to other things."

    Rather than pay them outright, the privately-held company proposed
    hiring the group as overseas consultants, and paying them the prize
    money as salary over time, says the ex-employee. "I didn't see the
    point of that." The company also used a simple delaying tactic to keep
    the potential scandal bottled up, convincing the hackers that their
    continued silence was the price of eventually getting the prize money,
    the former employee says. "Argus convinced them to not go public by
    promising to pay them, and then didn't."

    Argus never held a sixth Hacking Challenge, though it still promotes
    its victories -- and admits to its loss -- on the company Web site.
    Some security pros say good riddance, believing that even honestly-run
    contests do little to prove that a product is secure in the real
    world. "They don't make much sense," says Bruce Schneier, CTO of
    Counterpane Internet Security. "There's not much value in them."

    Ostwald and LSD say that such match-ups can only prove that a system
    is insecure -- not the opposite. But the group has some advice for
    other companies thinking of pitting their invulnerable software
    against the ingenuity of the hacker community: Don't bet more than you
    can afford to lose.

    "Right now we seriously doubt that the prize money was already
    prepared," says Ostwald. "What we assumed was that when somebody
    announces a challenge, they've got the prize money already prepared
    for it, and have taken into account that someone might win it."

    -
    ISN is currently hosted by Attrition.org