March 21, 2009

pwn2own confusion

There seems to be some confusion about what it means when a browser does or does not get exploited at Pwn2Own, and I think it warrants some clarification.

First, the people winning at Pwn2Own are professionals: extremely talented and dedicated professionals. They have the time and the skill to find and exploit holes in probably any Internet-connected software. They're not amateurs. They get paid for this difficult work.

Because the work is often time-consuming, difficult, and requires a very specific set of expertise, they don't go after every hole and every exploit in every piece of Internet-connected software. They work in a marketplace that prioritizes, through personal and company fame and through cold hard cash, which exploits are most valuable.

In practice, that means that some exploits are worth a lot more than others. A really good IE exploit can fetch tens of thousands of dollars. A Firefox exploit is also worth a lot but probably somewhat less than an IE exploit. A Safari exploit is certainly worth less and it's hard to know if a Chrome or Opera exploit is worth any cash at all.

So, if you're a security researcher picking a target, you're going to weigh the difficulty of the task against the cash payout (or, in the case of Pwn2Own, the marketing and promotional value as well).

Second, finding and exploiting security holes in browsers is not child's play. It takes a lot of hard work by some very talented people.

If, for example, there's no money to be had from Opera, OmniWeb, Epiphany, or Netscape exploits in the exploit marketplace, these skilled researchers won't be spending any time learning those browsers and trying to come up with exploits. (And the Pwn2Own contest doesn't even offer prizes for those browsers.)

So Opera, for example, might be really secure, really insecure, or somewhere in the middle, and we just can't tell from the number of known exploits or from this contest, because none of those people are spending their time on Opera.

Third, if they want to win, these security researchers don't come to the contest armed only with their wits. They bring exploits that they've already discovered and perfected and that they're willing to "give up" in exchange for the prize machine, the money, and/or the fame.

All of this means that whether or not a browser "falls" in the Pwn2Own contest is really not a test of that browser's security relative to the others. There are a lot of factors at play, and reducing something as complex as user safety online to the results of a contest like Pwn2Own, or to a count of disclosed flaws, would be a huge disservice to people who are already having a difficult time understanding online security.

update: I'm not singling out Ryan at Ars; I actually think he wrote a fine article. It's a lot of the surrounding posts and commentary that are most confused and/or confusing.

Posted by asa at 11:19 AM