Google offers US$2 million in bug hunt competition to be hosted in KL
By Edwin Yapp August 17, 2012
- Google offers US$2 million in prize money at HITB to hold Chrome vulnerability testing competition
- Chooses Kuala Lumpur–based HITB for its large audience, hopes to tap new stream of regional experts
SECURITY researchers on cyberspace, take note: On the back of a successful “Pwnium” competition held in March, Google is doubling its total prize offering to a cool US$2 million for the second edition of the contest, dubbed Pwnium 2. The event will be held on Oct 10 in conjunction with the Hack in the Box (HITB) security conference held in Kuala Lumpur, Malaysia.
Pwn is a slang term in the cyber community meaning “taking over one’s computer or compromising a PC” for the sole purpose of controlling the device.
HITB is celebrating a decade of organizing world-class security conferences and live competitions. To commemorate 10 years of playing host to the brilliant minds that have helped shape the security landscape into what it is today, HITBSecConf2012 – Malaysia will be welcoming back on stage over 42 of its most popular speakers from the last 10 years.
These popular security luminaries include John ‘Captain Crunch’ Draper, the founders of The Pirate Bay, Mikko Hypponen, DNS guru Paul Vixie and OpenBSD creator Theo de Raadt.
Homegrown outfit HITB also organizes a European iteration of its conference called HITBSecConf – Amsterdam. Dhillon Andrew Kannabhiran, founder and CEO of HITB, said he’s very happy and especially honored that Google has chosen HITBSecConf2012 – Malaysia to host Pwnium 2.
“It’s all the more exciting now that the collective prize money has been doubled to US$2 million,” he told Digital News Asia (DNA) in an e-mail.
Chris Evans, Google security engineer, noted that the main goal of the Pwnium competition is to make end-users safer.
Speaking to DNA via e-mail, Evans said, “We achieve this by carefully studying and learning from any submissions [from such competitions].”
Asked what his expectations were for Pwnium 2, given that the first Pwnium was very successful, Evans said that merely getting one good submission would be a wonderful success.
“We've given researchers more notice this time, many of whom have indicated they have started looking already,” he said. “So we hope for multiple submissions.”
Dhillon added, “HITBSecConf's attendees come from all corners of the globe and if I were a betting man, I'd say researchers from the United States, China, Vietnam, South Korea or Japan would be the ones likely to walk away a little richer.
“[However] it would be great to see a Malaysian winner in the fray too [but] while I don’t think this would happen, I hope to be surprised,” he said, throwing down the gauntlet.
Evans also said that the search giant is excited about the HITB event because it is large (in terms of number of attendees) and because it is the 10th anniversary special edition.
Google also hopes to attract submissions from different segments of the security community because of the new geographic location it is held in, Evans added.
On how far the security industry has come since HITB was first organized 10 years ago, Dhillon said HITB itself has come a long way since its humble beginnings and owes this all to the tireless efforts of volunteers who have “given up blood, sweat, tears, as well as countless man hours to grow HITB into what is now one of the most respected security events on the planet.”
“The security industry as a whole has of course evolved tremendously over the last 10 years. We went from network layer attacks to host-based to desktop to client-side.
“Of course, now we have to worry about things like the cloud, smartphones that are as powerful as laptops, and social network security. The attack surface is growing bigger and bigger each day.
“Let's not forget that 10 years ago, you also didn't have 3G, 4G, Wimax, LTE (Long Term Evolution), NFC (Near Field Communication) and the multitude of wireless technologies that you see today.”
Asked what the state of the local security industry was like, Dhillon said that Malaysia’s security research landscape is unfortunately still lacking. Apart from a handful of individuals, the local situation is quite disheartening, he said.
“There simply aren't enough homegrown skilled computer researchers here,” he stressed. “I put the blame squarely on the shortcomings within the education system – a system in which rote-based learning is preferred over real research.”
Details revealed
In a blog posting on Wednesday, Google’s Evans said that this year’s Pwnium 2 competition’s prize money will be doubled to US$2 million. The complete breakdown of the prize rewards is as follows:
- US$60,000: “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.
- US$50,000: “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows kernel bug.
- US$40,000: “Non-Chrome exploit”: Flash / Windows / other. Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver.
- Panel decision: “Incomplete exploit”: An exploit that is not reliable, or an incomplete exploit chain. For example, code execution inside the sandbox but no sandbox escape; or a working sandbox escape in isolation. For Pwnium 2, we want to reward people who get “part way” as we could definitely learn from this work. Our rewards panel will judge any such works as generously as we can.
Asked what efforts were being made to secure the world’s most popular browser, Evans said Google has made significant efforts, which include the following:
- A new sandbox for the Flash plug-in that is probably the strongest Flash sandbox available;
- Some leading protections for HTTPS pages; and
- Thousands of cores of compute resource running internal testing.
HITB will be held from 9am to 6.30pm at the Intercontinental Hotel on Oct 10 and 11, and Digital News Asia is among the official online media for the event. To register for HITB, go to HITB registration or e-mail HITB conference if you have queries.