Google sets $2.7m Pwnium prize for cunning cracks for Chrome OS The fourth Pwnium hacking competition will be held in March, and this year Google is offering some major prizes for anyone who can subvert its Chrome OS. And, for the first time, it's not as picky about its hardware. "Past Pwnium competitions have focused on Intel-based Chrome OS devices, but this year researchers can choose …
Google, being an ad company, has made Chrome and Chrome OS very friendly to online ads and plugins by default. I wonder if they would be much harder to crack the way I run them:
- AdBlock Plus, HTTPS Everywehere, and Ghostery extensions installed with all possible cookies and ads blocked;
- all plug-ins click-to-play only;
- java disabled
- all but whitelisted cookies destroyed on browser exit
I'm assuming that most pwnage will be due to the insecure nature of the default setup?
...and see your box ravaged just the same. Of the 2.5 successes that "Pinkie Pie" has had at previous Pwnium contests, at least 1.5 look as if they would have worked against your sort of config (and just possibly the other one would too - although you're blocking plugins & scripting code it was exploiting a defect in the controlling when native client code was allowed to run, so maybe it would bypass NoScript too).
It's worth a coffee-break to go through the details of the attacks - they're scary-good:
http://blog.chromium.org/2012/05/tale-of-two-pwnies-part-1.html
http://blog.chromium.org/2013/03/pwnium-3-and-pwn2own-results.html
http://blog.chromium.org/2012/10/pwnium-2-results-and-wrap-up_10.html
Holy Cow! That pinkie pie dude is freaking brilliant.
However, looks like my Chromebook would have been safe from all his attempts at pwnage. Two of them only worked against Chrome on a Windows machine, and his Chrome OS exploits were only partial exploits - he was able to point out some vulnerabilities, but he wasn't able to gain control of the system.
But there's no doubt - that dude is brilliant beyond belief.
@JDX - "Well done, you've metaphorically made yourself safe from athlete's foot by hobbling yourself."
I've hobbled myself by getting rid of ads and non-white-listed cookies and auto-play flash videos? You've got a weird definition of the term "hobbled".
"That figure's not random by the way, just Google geekery in action again. It's the value of the natural logarithm to the base e, although there's been some rounding in Mountain View's interpretation of the figure."
And someone else's interpretation in a finite number of digits doesn't round?
Go on, stop teasing.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
