, SecurityFocus 2002-11-26
Eighteen months after Argus Systems challenged the hacker world to crack its PitBull security product in a much-ballyhooed global contest, the winners say they're still waiting for their prize money.
The only problem: the world's best hackers did just that. And now more than eighteen months after the Polish white hat hacker group Last Stage of Delirium (LSD) conquered the Argus Systems Group's fifth, and apparently last, "Hacking Challenge," the winners say the company still hasn't paid most of the $48,000 prize, raising the ugly specter of fraud in a contest that some security experts already criticized as a corporate publicity stunt.
"We spent the last half year looking for a lawyer of some sort, a law agency," said LSD member Tomasz Ostwald in a telephone interview. "Unfortunately because we're located here in Poland, which is very far away from the States, it isn't so easy."
Until LSD came along, hacking contests had been good to
Everything changed for Argus in April, 2001 with their fifth Hacker Challenge, organized in association with security consulting firm
The rules of the challenge were simple: Argus released an account name and password for the contest Web server, and invited all comers to log in and attempt to escalate their privileges on the machine. To win the prize of 35,000 British pounds ($48,000) an attacker had to modify one of two protected Web sites running from the server, and be the first to provide Argus with a complete and verifiable technical description of the hack. The winner, if any, was to be paid by May 15th, 2001.
'The Best and Brightest'
LSD's four-man team set up a makeshift laboratory to duplicate the target environment, and began devising an attack. Working together, they quickly developed a clever tactic that hinged on a tricky exploitation of a bug in the underlying Solaris x86 operating system. Less than 24 hours after the contest began, they'd gained complete control of the contest machine.
The group's victory made
If there's one thing that the competition proved, the company said, it's "that the 'best and brightest' hackers are not necessarily only the illegal ones -- the ones who would refuse to expose themselves. The members of the LSD team: Michal Chmielewski, Sergiusz Fonrobert, Adam Gowdiak, and Tomasz Ostwald, represent a breed of ethical hackers that are conscientious, professional, and extremely knowledgeable. These guys are awesome -- and I'm sure are the match of any hacker alive. Bravo boys! Well done indeed!"
Today those hackers
"We received one payment for something like $4,000 dollars, and a second one early this year was $1,000," says Ostwald, the group's spokesman. "We received $5,000 in sum, over the last eighteen months."
Instead of paying the group, Ostwald says, company CEO Randy Sandone asked LSD to settle for an amount less than the full prize money, in exchange for faster payment. The group declined. Over the next 12 months Argus made various other proposals, including a proposed installment plan of $250 a month -- which would have paid out the prize over 14 years. Finally, early this year, LSD sent Argus a formal request for payment in full, Ostwald says. In response, the company simply stopped dealing with them.
Deception and Delays Alleged
Contacted by a reporter, the receptionist at the Illinois-based company said CEO Sandone was no longer with Argus, and referred inquiries to CTO Paul McNabb. McNabb didn't return repeated phone calls on LSD's allegations made over the course of several days.
But a former Argus employee, speaking on condition of anonymity, confirmed LSD's account, and described a long pattern of manipulation and false promises aimed at cheating the contest winners.
"There were people within Argus that wanted to pay these guys, but they weren't people who could actually write the check," said the former employee, who claims to have left the company on good terms. "I know they were -- and still are -- having financial problems, and instead of being straight with these guys, they were playing games... I couldn't tell you the reason for it, there was plenty of money going to other things."
Rather than pay them outright, the privately-held company proposed hiring the group as overseas consultants, and paying them the prize money as salary over time, says the ex-employee. "I didn't see the point of that." The company also used a simple delaying tactic to keep the potential scandal bottled up, convincing the hackers that their continued silence was the price of eventually getting the prize money, the former employee says. "Argus convinced them to not go public by promising to pay them, and then didn't."
Argus never held a sixth Hacking Challenge, though it still promotes its victories -- and admits to its loss -- on the company Web site. Some security pros say good riddance, believing that even honestly-run contests do little to prove that a product is secure in the real world. "They don't make much sense," says Bruce Schneier, CTO of Counterpane Internet Security. "There's not much value in them."
Ostwald and LSD say that such match-ups can only prove that a system is insecure -- not the opposite. But the group has some advice for other companies thinking of pitting their invulnerable software against the ingenuity of the hacker community: Don't bet more than you can afford to lose.
"Right now we seriously doubt that the prize money was already prepared," says Ostwald. "What we assumed was that when somebody announces a challenge, they've got the prize money already prepared for it, and have taken into account that someone might win it."