'Hacking Challenge' Winners Allege $43,000 Contest Rip-Off
It must have seemed a masterstroke of marketing genius at the time. A formerly-obscure security software company organizes a series of high-profile contests aimed at showing that even with a sizable cash prize dangling as a reward, the world's best hackers can't crack a Web server protected by the company's flagship product.
The only problem: the world's best hackers did just that. And now more than eighteen months after the Polish white hat hacker group Last Stage of Delirium (LSD) conquered the Argus Systems Group's fifth, and apparently last, "Hacking Challenge," the winners say the company still hasn't paid most of the $48,000 prize, raising the ugly specter of fraud in a contest that some security experts already criticized as a corporate publicity stunt.
"We spent the last half year looking for a lawyer of some sort, a law agency," said LSD member Tomasz Ostwald in a telephone interview. "Unfortunately because we're located here in Poland, which is very far away from the States, it isn't so easy."
Until LSD came along, hacking contests had been good to Argus. The company's "PitBull" line of security software and appliances had successfully defended against four earlier challenges, the first at the 2000 DefCon hacker convention in Las Vegas where Argus won the conference's virtual Capture the Flag competition and the genuine respect of attendees. The company went on to prevail in the "OpenHack" contest put on by eWeek magazine, withstanding, by its count, 5.25 million attacks from 200,000 hackers. And in March of last year it squeezed out a narrow victory when a hacker named Bladez gained control of a contest machine protected by an early version of the PitBull LX product, but missed the competition's deadline by four hours.
Everything changed for Argus in April, 2001 with their fifth Hacker Challenge, organized in association with security consulting firm Integralis and hardware vendor Fujitsu Siemens, and timed to coincide with the Infosecurity Europe conference in London. The competition revolved around Argus' then-undefeated Pitbull Secure Web Appliance, a machine running sophisticated security enhancements to the Unix kernel built on the "trusted operating system" model cherished by the Pentagon.
The rules of the challenge were simple: Argus released an account name and password for the contest Web server, and invited all comers to log in and attempt to escalate their privileges on the machine. To win the prize of 35,000 British pounds ($48,000) an attacker had to modify one of two protected Web sites running from the server, and be the first to provide Argus with a complete and verifiable technical description of the hack. The winner, if any, was to be paid by May 15th, 2001.
'THE BEST AND BRIGHTEST'. LSD's four-man team set up a makeshift laboratory to duplicate the target environment, and began devising an attack. Working together, they quickly developed a clever tactic that hinged on a tricky exploitation of a bug in the underlying Solaris x86 operating system. Less than 24 hours after the contest began, they'd gained complete control of the contest machine.
The group's victory made headlines in the technology press, and Argus heartily congratulated LSD, even while downplaying the significance of the winning hack. "We freely admit that in this instance PitBull did not protect the system from this exploit. Guilty as charged," the company wrote in a statement. "But the absence of PitBull would have exposed the system to thousands of other substantially less complicated attacks. ..."
If there's one thing that the competition proved, the company said, it's "that the 'best and brightest' hackers are not necessarily only the illegal ones -- the ones who would refuse to expose themselves. The members of the LSD team: Michal Chmielewski, Sergiusz Fonrobert, Adam Gowdiak, and Tomasz Ostwald, represent a breed of ethical hackers that are conscientious, professional, and extremely knowledgeable. These guys are awesome -- and I'm sure are the match of any hacker alive. Bravo boys! Well done indeed!"
Today those hackers say that Argus was less forthcoming with the prize money than with the plaudits.
"We received one payment for something like $4,000 dollars, and a second one early this year was $1,000," says Ostwald, the group's spokesman. "We received $5,000 in sum, over the last eighteen months."
Instead of paying the group, Ostwald says, company CEO Randy Sandone asked LSD to settle for an amount less than the full prize money, in exchange for faster payment. The group declined. Over the next 12 months Argus made various other proposals, including a proposed installment plan of $250 a month -- which would have paid out the prize over 14 years. Finally, early this year, LSD sent Argus a formal request for payment in full, Ostwald says. In response, the company simply stopped dealing with them.
Deception and Delays Alleged Contacted by a reporter, the receptionist at the Illinois-based company said CEO Sandone was no longer with Argus, and referred inquiries to CTO Paul McNabb. McNabb didn't return repeated phone calls on LSD's allegations made over the course of several days.
But a former Argus employee, speaking on condition of anonymity, confirmed LSD's account, and described a long pattern of manipulation and false promises aimed at cheating the contest winners.
"There were people within Argus that wanted to pay these guys, but they weren't people who could actually write the check," said the former employee, who claims to have left the company on good terms. "I know they were -- and still are -- having financial problems, and instead of being straight with these guys, they were playing games... I couldn't tell you the reason for it, there was plenty of money going to other things."
Rather than pay them outright, the privately-held company proposed hiring the group as overseas consultants, and paying them the prize money as salary over time, says the ex-employee. "I didn't see the point of that." The company also used a simple delaying tactic to keep the potential scandal bottled up, convincing the hackers that their continued silence was the price of eventually getting the prize money, the former employee says. "Argus convinced them to not go public by promising to pay them, and then didn't."
Argus never held a sixth Hacking Challenge, though it still promotes its victories -- and admits to its loss -- on the company Web site. Some security pros say good riddance, believing that even honestly-run contests do little to prove that a product is secure in the real world. "They don't make much sense," says Bruce Schneier, CTO of Counterpane Internet Security. "There's not much value in them."
Ostwald and LSD say that such match-ups can only prove that a system is insecure -- not the opposite. But the group has some advice for other companies thinking of pitting their invulnerable software against the ingenuity of the hacker community: Don't bet more than you can afford to lose.
"Right now we seriously doubt that the prize money was already prepared," says Ostwald. "What we assumed was that when somebody announces a challenge, they've got the prize money already prepared for it, and have taken into account that someone might win it."
By Kevin Poulsen