Pwnium 2014

In an announcement that sounds like it somehow came out of the Wild West via The Matrix, Google is offering a $2.71828 million bounty for Chrome OS hackers. But call off the posse, Tex—the bounty is not on the heads of the hackers themselves. Instead, the reward will be given to any computer security expert who can hack Google’s browser-based Chrome OS at the upcoming Pwnium 4 hacking contest.

For hackers to qualify for a part or all of the bounty, they must provide functional exploit code able to consistently compromise a Hewlett-Packard- or Acer-built Google Chromebook (i.e., code that leaves the device in the hacker’s control even after a reboot), as well as details on the vulnerabilities put into play. A similar contest was held at last year’s Pwnium, at which $40,000 was awarded to a hacker who created a partial exploit of an Intel-powered Chromebook.
This is Crazy?

To me, this seems counterintuitive. Why would a major tech company want people to hack their operating system? (We aren’t all crypto-anarchists after all!) I know at least part of the reason is to help said company find any security vulnerabilities in their products, but it also looks an awful lot like these companies are promoting potentially illegal and damaging activities. After the recent news that Target and various other major companies were hacked—exposing millions of customers’ bank account information and other vital details—doesn’t encouraging hackers seem a bit misguided?

It’s a bit like asking bank robbers to rob your bank, telling them they can keep the money if they succeed, and thanking them for it, all while doing nothing to stop them. This whole mess is the exact opposite of what Google should be doing.

Here’s my idea of how it should go down: Google hosts this “contest,” with all contestants in a single locked room to “prevent leaks” or whatever—they probably legitimately don’t want these hackers’ secrets to get out, so that part’s not too hard to swallow. Then, when the first of the hackers makes some kind of breakthrough, the Google team checks it out, sees what he did, logs it, etc. The contest is not over, though, so the rest of the hackers keep on hacking as the first “winner” is given his prize, then led out of the room.

At this point, I have two different thoughts on how it should continue. One: the hacker is taken away and locked in a tiny cell at Google HQ, made to hack for the rest of his days to help Google further improve their security. The other hackers in the contest would meet similar fates—they hack something but good, get their “reward,” and never see the sky again except on Google Maps Street View.

Or, option two: The winner is led out of the room and shot, the sound being completely audible to the rest of the competitors. They’d likely shrug it off the first time—“That wasn’t a gunshot, was it? Must’ve been something else”—and keep hacking. But after the second or third hacker is done away with, the rest of them in the room start to think: “Maybe I should stop. If I keep hacking, they’ll kill me.” The Google goons facilitating the contest could make it seem like everything’s okay, but subtly suggest that, yeah, keep hacking and you’re finished. And now Google has a bunch of information on you and knows where you live. So maybe don’t be a hacker any more, ever. Scare ’em straight, if you will.

I have no doubt that Google has the money and the power to successfully pull off either scenario. They’ll either have a bunch of talented hackers to do their security testing for them, for free, in perpetuity; or they’ll have eliminated a bunch of troublemakers—or scared them off hacking—who knew how to expose the weaknesses in their product. Either way, it’s a win for Google. Talk about pwned.

Pwnium 4 is scheduled to take place on March 12, 2014, at the 14th annual CanSecWest conference in Vancouver, British Columbia.