So you think you're a big-time hacker, huh? Well, Google is inviting you to show up at the CanSecWest security conference on March 7 in Vancouver, Canada, to see if you can crack your way into Chrome OS. And, to make it worth your time, Google is offering pi's worth of cash rewards. That's a total prize package of $3.14159 million. I thought that would get your attention.
Along with supporting the Pwn2Own Web browser hacking competition, Google is inviting hackers to try their luck with Chrome OS. According to Chris Evans, the tech lead of the Google Chrome Security Team, Google is putting its Linux-based desktop operating system to the test because, "Security is one of the core tenets of Chrome, but no software is perfect, and security bugs slip through even the best development and review processes. That's why we've continued to engage with the security research community to help us find and fix vulnerabilities."
The rules of the game are: "The attack must be demonstrated against a base (Wi-Fi) model of the Samsung Series 5 550 Chromebook running the latest stable version of Chrome OS. Any installed software (including the kernel and drivers, etc.) may be used to attempt the attack. For those without access to a physical device, note that the Chromium OS developer's guide offers assistance on getting up and running inside a virtual machine."
In addition, the "Standard Pwnium rules apply: the deliverable is the full exploit plus accompanying explanation and breakdown of individual bugs used. Exploits should be served from a password-authenticated and HTTPS-supported Google property, such as Google App Engine. The bugs used must not be known to us or fixed on trunk. We reserve the right to issue partial rewards for partial, incomplete, or unreliable exploits."
At this time, only the Pwnium rules for the last go-around are available. Other than the details about the prize amounts, I expect the rules will otherwise be the same.
The prizes are:
$110,000: browser or system level compromise in guest mode or as a logged-in user, delivered via a web page.
$150,000: compromise with device persistence--guest to guest with interim reboot, delivered via a web page.
That's real money. I don't know about you, but if I were a serious security and operating system hacker, I'd be working on my hacks now and packing my bags for Vancouver.