The 2022 edition
The famous (or infamous, depending on your point of view) Pwn2Own contest kicks off later today in Vancouver, British Columbia.
(In fact, this is a so-called “hybrid” event this year, so that entrants who can’t or don’t want to travel, due to coronavirus or environmental reasons, can participate from afar.)
Numerous vendors have put up financial rewards for hacking their various products, with this year's possible targets being:
- Virtualisation: Oracle VirtualBox, VMware Workstation, VMware ESXi, Microsoft Hyper-V Client.
- Browsers: Google Chrome, Microsoft Edge, Apple Safari, Mozilla Firefox.
- Enterprise apps: Adobe Reader, Office 365 ProPlus.
- Servers: Microsoft RDP/RDS, Exchange, SharePoint, Samba.
- Endpoint OSes: Ubuntu Desktop, Windows 11. (Elevation of privilege only.)
- Enterprise communications: Zoom, Microsoft Teams.
- Automotive: A category based on the Tesla 3 car.
Surprisingly, the Servers and Enterprise apps sections attracted precisely zero hackers this year.
Browsers and Virtualisation were considered similarly uninteresting, it seems, with just one entrant each for Firefox and Safari, and a lone hacker going after VirtualBox.
Windows 11 and Ubuntu Linux attracted seven and five entries respectively; four contestants will take a pop at Teams; and two will try their hand at different aspects of the Tesla 3.
A hacking lottery
Pwn2Own's rules are somewhat curious, given that some entrants might never actually get to compete at all.
The Tesla hackers (two different categories), plus the browser and virtualisation entrants, must all get their turn, because they are the only competitors in their categories.
Either they succeed in their allotted half-hour slot and claim their prize, or they fail and go home empty-handed.
Everyone else's participation depends on what has already happened before their turn.
Pwn2Own is not like a time-trial sporting event (think downhill skiing), where even if the first competitor down the course smashes the current world record and seems to have set an unbeatable time, they still have to wait until the final competitor has finished before they find out whether their early time was good enough.
In Pwn2Own, by contrast, the first entrant to complete the course wins the prize and closes the category for everyone else – if this were downhill skiing, the first skier wouldn't need to break a record to win, they'd just need to beat a predetermined time limit. Or simply get to the bottom without falling over.
Speed is not entirely unimportant in Pwn2Own, though. You get a maximum of three attempts to prove that your hack actually works, each lasting at most five minutes, and a total of 30 minutes in which to complete those three attempts. In other words, you need to be fully prepared, with your research properly written up in advance. Pwn2Own is very definitely not a movie-style "hack-it-live-and-see-what-happens" event. Ironically, the most dramatic entries aren't the ones where the contestant finally breaks into the system with moments to spare, which is how it usually happens in Hollywood. The hacks that make the biggest impression are usually the ones where a visibly well-prepared intruder simply sits down at the system, launches a subtle, well-researched attack with a single click or command, and succeeds directly without any apparent drama.
The downside of popularity
The lottery order therefore makes a big difference to the contestants.
The seventh entrant in the Windows 11 division, for example, can't win by being the best, or the fastest, or by any other mark of high achievement – they can only win if the previous six entrants fail completely, and then their own hack works.
Anyway, watch this space for the results, which will finally be known on Friday 2022-05-20 at 14:00 Vancouver time (currently UTC-7).
The last day could, in fact, be a complete washout, because Friday is set aside only for Teams, Windows and Linux hacks, and all of those prizes could be done and dusted by the end of today!
The hacking order in Pwn2Own 2022 is as follows:
- Today, later on: Teams, VirtualBox, Teams, Firefox, Windows, Linux, Teams, Safari, Linux, Windows
- Tomorrow: Tesla (infotainment), Windows, Linux, Tesla (diagnostics), Windows, Linux
- Friday: Teams, Windows, Linux, Windows, Windows
What do you think?
What's your view of this "winner takes all, and everyone else takes their exploit home" approach?
Do hacking jamborees of this sort improve the cybersecurity situation by promoting the discipline needed for complete and well-documented research, so that the underlying issues get properly disclosed, not merely patched?
Or do they work against real-life cybersecurity by delaying the initial release of partial results that could have been fixed months ago, were it not for the competitive element?
Let us know in the comments below…