It must have seemed a masterstroke of marketing genius at the time. A
formerly-obscure security software company organizes a series of
high-profile contests aimed at showing that even with a sizable cash prize
dangling as a reward, the world's best hackers can't crack a Web server
protected by the company's flagship product.
The only problem: the world's best hackers did just that. And now more than
eighteen months after the Polish white hat hacker group Last Stage of
Delirium (LSD) conquered the Argus Systems Group's fifth, and apparently
last, "Hacking Challenge," the winners say the company still hasn't paid
most of the $48,000 prize, raising the ugly specter of fraud in a contest
that some security experts already criticized as a corporate publicity
"We spent the last half year looking for a lawyer of some sort, a law
agency," said LSD member Tomasz Ostwald in a telephone interview.
"Unfortunately because we're located here in Poland, which is very far away
from the States, it isn't so easy."
Until LSD came along, hacking contests had been good to Argus. The company's "PitBull"
line of security software and appliances had successfully defended against
four earlier challenges, the first at the 2000 DefCon hacker convention in
Las Vegas where Argus won the conference's virtual Capture the Flag
competition and the genuine respect of attendees. The company went on to
prevail in the "OpenHack" contest put on by eWeek magazine, withstanding, by
its count, 5.25 million attacks from 200,000 hackers. And in March of last
year it squeezed out a narrow victory when a hacker named Bladez gained
control of a contest machine protected by an early version of the PitBull LX
product, but missed the competition's deadline by four hours.
Everything changed for Argus in April, 2001 with their fifth Hacker
Challenge, organized in association with security consulting firm Integralis and hardware vendor Fujitsu Siemens, and timed to
coincide with the Infosecurity Europe conference in London. The competition
revolved around Argus' then-undefeated Pitbull Secure Web Appliance, a
machine running sophisticated security enhancements to the Unix kernel
built on the "trusted operating system" model cherished by the Pentagon.
The rules of the challenge were simple: Argus released an account name and
password for the contest Web server, and invited all comers to log in and
attempt to escalate their privileges on the machine. To win the prize of
35,000 British pounds ($48,000) an attacker had to modify one of two
protected Web sites running from the server, and be the first to provide
Argus with a complete and verifiable technical description of the hack. The
winner, if any, was to be paid by May 15th, 2001.
'THE BEST AND BRIGHTEST'. LSD's four-man team set up a makeshift laboratory to duplicate the target
environment, and began devising an attack. Working together, they quickly
developed a clever tactic that hinged on a tricky exploitation of a bug in
the underlying Solaris x86 operating system. Less than 24 hours after the
contest began, they'd gained complete control of the contest machine.
The group's victory made headlines in
the technology press, and Argus heartily congratulated LSD, even while
downplaying the significance of the winning hack. "We freely admit that in
this instance PitBull did not protect the system from this exploit. Guilty
as charged," the company wrote in a statement. "But the
absence of PitBull would have exposed the system to thousands of
other substantially less complicated attacks. ..."
If there's one thing that the competition proved, the company said, it's
"that the 'best and brightest' hackers are not necessarily only the illegal
ones -- the ones who would refuse to expose themselves. The members of the
LSD team: Michal Chmielewski, Sergiusz Fonrobert, Adam Gowdiak, and Tomasz
Ostwald, represent a breed of ethical hackers that are conscientious,
professional, and extremely knowledgeable. These guys are awesome -- and I'm
sure are the match of any hacker alive. Bravo boys! Well done indeed!"
Today those hackers say that
Argus was less forthcoming with the prize money than with the plaudits.
"We received one payment for something like $4,000 dollars, and a second one
early this year was $1,000," says Ostwald, the group's spokesman. "We
received $5,000 in sum, over the last eighteen months."
Instead of paying the group, Ostwald says, company CEO Randy Sandone asked
LSD to settle for an amount less than the full prize money, in exchange for
faster payment. The group declined. Over the next 12 months Argus made
various other proposals, including a proposed installment plan of $250 a
month -- which would have paid out the prize over 14 years. Finally, early
this year, LSD sent Argus a formal request for payment in full, Ostwald
says. In response, the company simply stopped dealing with them.
Deception and Delays Alleged
Contacted by a reporter, the receptionist at the Illinois-based company said
CEO Sandone was no longer with Argus, and referred inquiries to CTO Paul
McNabb. McNabb didn't return repeated phone calls on LSD's allegations made
over the course of several days.
But a former Argus employee, speaking on condition of anonymity, confirmed
LSD's account, and described a long pattern of manipulation and false
promises aimed at cheating the contest winners.
"There were people within Argus that wanted to pay these guys, but they
weren't people who could actually write the check," said the former
employee, who claims to have left the company on good terms. "I know they
were -- and still are -- having financial problems, and instead of being
straight with these guys, they were playing games... I couldn't tell you the
reason for it, there was plenty of money going to other things."
Rather than pay them outright, the privately-held company proposed hiring
the group as overseas consultants, and paying them the prize money as salary
over time, says the ex-employee. "I didn't see the point of that." The
company also used a simple delaying tactic to keep the potential scandal
bottled up, convincing the hackers that their continued silence was the
price of eventually getting the prize money, the former employee says.
"Argus convinced them to not go public by promising to pay them, and then
Argus never held a sixth Hacking Challenge, though it still promotes its
victories -- and admits to its loss -- on the company Web site. Some
security pros say good riddance, believing that even honestly-run contests
do little to prove that a product is secure in the real world. "They don't
make much sense," says Bruce Schneier, CTO of Counterpane Internet Security.
"There's not much value in them."
Ostwald and LSD say that such match-ups can only prove that a system is
insecure -- not the opposite. But the group has some advice for other
companies thinking of pitting their invulnerable software against the
ingenuity of the hacker community: Don't bet more than you can afford to
"Right now we seriously doubt that the prize money was already prepared,"
says Ostwald. "What we assumed was that when somebody announces a challenge,
they've got the prize money already prepared for it, and have taken into
account that someone might win it." By Kevin Poulsen