Pre-hacked machine a violation of PWN to OWN rules? Ebay's? April 1's?
By Robert McMillan
April 1, 2008 (IDG News Service) The winner of a recent hacking contest is offering the computer he broke into for sale on eBay, possibly with the Microsoft Vista attack code he used intact.
In a Monday listing, Shane Macaulay is selling the Fujitsu U810 laptop he won last Friday during the CanSecWest PWN 2 OWN contest. His listing claims that exploit code could probably still be extracted from the machine. Although he make no guarantees, he wrote, "My successfull [sic] exploitation of Vista SP1 remotely, is most likely still present."
"This laptop is a good case study for any forensics group/company/individual that wants to prove how cool they are, and a live example, not canned of what a typical incident responce sitchiation [sic] would look like."
Starting bid? $0.01.
Macaulay, a researcher with the Security Objectives consultancy, claims that his Adobe Flash exploit will affect 90 percent of computers worldwide.
He was one of two hackers to claim laptops and cash prizes for penetrating systems during last week's contest. Organizers offered Vista, Mac OS, and Linux-based laptops for the taking, along with prizes that varied from $5,000 to $20,000, depending on the difficulty of the exploit. By Friday, however, only the Linux laptop remained unbreached.
Although he listed his laptop just hours before April 1, a date that is usually met with widespread Internet pranking, Macaulay said the listing is no joke. According to him, he's simply looking to see what an unpatched exploit might fetch in the open market."I figure this is a good way to see... [what] an exploit for something that only a limited amount of people know about, is worth," he said in an e-mail interview.
"The system was delivered to me as my prize. I'm free to use it as I see fit," he added.
One hacker who knows Macaulay said that the April 1 listing is "a bit coincidental," but that he may not be worried about forfeiting the $5,000 in prize money TippingPoint paid him for his hack. "He makes good money," said Marc Maiffret, an independent security researcher, in an instant message interview. "It's all just funny to him."
If he's not playing an April Fool's joke, Macaulay may be running afoul of both the PWN 2 OWN contest rules, which prohibit disclosure of bug information prior to a patch. He may also be violating eBay's user agreement, which say that users may not "distribute viruses or any other technologies that may harm eBay, or the interests or property of eBay users."
Macaulay had some funny answers when asked about these issues.
On the eBay terms of service problem, he said that he knew "some highups," at the company and was "confident, when I speak with eBay they will grant me a waiver."
And does TippingPoint know about what he's doing? "I believe at some level," he answered. "I'm sure things might change as the word percolates to the executives. Maybe I shouldn't have sold the [TippingPoint] bag with the laptop!!"