Google Pledges Pi Million Dollars In Pwnium 3 Prizes

← Back to Stories (view on slashdot.org)

Google Pledges Pi Million Dollars In Pwnium 3 Prizes

Posted by samzenpus on Monday January 28, 2013 @10:20AM from the puns-are-fun dept.

chicksdaddy writes "Google cemented its reputation as the squarest company around Monday (pun intended), offering prizes totaling Pi Million Dollars — that's right: $3.14159 million greenbacks — in its third annual Pwnium hacking contest, to be held at the CanSecWest conference on March 7 in Vancouver, British Columbia. Google will pay $110,000 for a browser or system level compromise delivered via a web page to a Chrome user in guest mode or logged in. The company will pay $150,000 for any compromise that delivers 'device persistence' delivered via a web page, the company announced on the chromium blog. 'We believe these larger rewards reflect the additional challenge involved with tackling the security defenses of Chrome OS, compared to traditional operating systems,' wrote Chris Evans of Google's Security Team."

60 comments

Min score:

Reason:

Sort:

First by Anonymous Coward · 2013-01-28 10:21 · Score: 0

Be squared...
Needs to go to the cents... by sconeu · 2013-01-28 10:22 · Score: 4, Insightful

$3,141,592.65 whould be better.

--
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
1. Re:Needs to go to the cents... by Obfuscant · 2013-01-28 11:06 · Score: 1
  
  I'd settle for e million.
2. Re:Needs to go to the cents... by Anonymous Coward · 2013-01-28 11:28 · Score: 1
  
  $3,141,592.65 whould be better.
  Dude, why are you putting so much emphasis on the h?
Square? by stewsters · 2013-01-28 10:23 · Score: 1

Squarest? -1 troll? I would have gone well rounded.
1. Re:Square? by Anonymous Coward · 2013-01-28 10:42 · Score: 0
  
  Squarest? -1 troll? I would have gone well rounded.
  
  To be fair, the person who wrote the article is just a reporter and probably failed at math in an American school.
  From the article:
  
  I'm an experienced writer, reporter and industry analyst with a decade of experience covering IT
First by Anonymous Coward · 2013-01-28 10:24 · Score: 0

I think this idea is good because exploits on the open market are worth a lot less than what they are offering.
Exploits are worth more... by Anonymous Coward · 2013-01-28 10:28 · Score: 0

Aren't exploits worth more than this?
Cost of business by girlintraining · 2013-01-28 10:35 · Score: 3, Interesting

For exploits like that, the black market still pays somewhat better than Google is. All I'm saying is, if I were sitting on a chrome exploit that allowed remote code execution, I wouldn't sell it for a measily $150 grand. That's worth a couple million, easy.

--
#fuckbeta #iamslashdot #dicemustdie
1. Re:Cost of business by kwerle · 2013-01-28 10:36 · Score: 2
  
  I'll bite:
  Where? Who is paying that kind of money?
2. Re:Cost of business by bobthesungeek76036 · 2013-01-28 10:38 · Score: 1
  
  And you would have to pay taxes on the $150K...
  
  --
  Karma: Bad
3. Re:Cost of business by SomePgmr · 2013-01-28 10:44 · Score: 1
  
  http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/
  Chrome: $80-200k
  Of course, one is legal and legit and the other is pretty evil. So for some people I imagine it's the only real option.
4. Re:Cost of business by SomePgmr · 2013-01-28 10:52 · Score: 1
  
  I really should have said, I don't know that there's anything illegal about selling an exploit to your own government, even if it's through a broker (as is the case in the article).
  But comparatively evil? I would say so. I think I'd rather get paid pretty well and just have Google fix the software for everyone.
  Such activities are out of my league anyway, though.
5. Re:Cost of business by girlintraining · 2013-01-28 10:54 · Score: 3, Insightful
  
  Chrome: $80-200k
  Keep in mind, that's the sale price; It does not mean you get it exclusively. You can sell it to multiple parties, unlike Google.
  
  --
  #fuckbeta #iamslashdot #dicemustdie
6. Re:Cost of business by Anonymous Coward · 2013-01-28 11:09 · Score: 0
  
  Although there is a bit more risk dealing with that kind of business, and getting such payments even after you have found buyer(s).
7. Re:Cost of business by RedHackTea · 2013-01-28 11:31 · Score: 1
  
  Eh, I'd rather take the money legally.
  
  How will you make the swap between money and code? You'll have to make 100% sure that the buyer is not an undercover FBI agent. If he's not, then you'll have to make 100% sure that you can trust the middleman so that you don't get gutted like a pig (buyer pays middleman half of what he would pay you for this). If the buyer and middleman check out, then you'll have to have a mechanism/person to verify the money. If all of that checks out, you'll never be able to put that money in the bank. You'll have to keep it under your mattress or move to another country.
  
  So if you already have money (to buy the "verifiers" and bodyguards) and "good" connections and you no longer wish to see your friends/family (and don't mind looking over your shoulder for "black helicopters" for the rest of your life), then you're fine. Wait a second... Code Monkies are generally loners/outcasts... have a decent paying job... and are always paranoid anyway...
  
  See you guys later!
  
  --
  The G
8. Re:Cost of business by cheater512 · 2013-01-28 11:35 · Score: 1
  
  Who says you can't 'sell' it to Google too? They don't need to know it was you who sold it to botnet makers.
9. Re:Cost of business by DrEldarion · 2013-01-28 11:46 · Score: 1
  
  It's not just about the money. You get:
  1) Assurance that you'll actually get paid instead of completely ripped off.
  2) Assurance that you won't be found out and brought up on legal charges.
  3) The publicity that comes with Google publishing your name as someone who's better than they are at finding vulnerabilities.
  4) The money.
10. Re:Cost of business by bobthesungeek76036 · 2013-01-28 11:51 · Score: 1
  
  Maybe you should read the article:
  "...Each price assumes an exclusive sale, the most modern version of the software, and, of course, not alerting the software’s vendor..."
  
  --
  Karma: Bad
11. Re:Cost of business by DragonWriter · 2013-01-28 12:25 · Score: 1
  
  For exploits like that, the black market still pays somewhat better than Google is.
  Yes, but if you get caught, you can lose anything you got paid (as the profits of crime) plus go to jail.
  Whereas if you sell to Google, you get money, publicity that you can use openly outside of the black market world, and you don't have to worry about going to jail for it.
  Also, some people have moral codes which would discourage selling exploits on the black market, but not seeking rewards through something like Pwnium.
12. Re:Cost of business by girlintraining · 2013-01-28 16:50 · Score: 1
  
  Maybe you should read the article:
  Oh, I read it. I also saw a rather large blinking red arrow over the word "Assumed" that comes from real world experience with such things, unlike the journalist. Expecting a criminal to keep up his end of the bargain when there's potentially millions to be made selling to multiple parties is like expecting a terrorist to care his car bomb is taking up TWO parking spaces.
  
  --
  #fuckbeta #iamslashdot #dicemustdie
13. Re:Cost of business by webmistressrachel · 2013-01-28 20:32 · Score: 1
  
  I'm quite sure that any terrorist is likely to ensure that he takes great care over how his car bomb is parked, right down to the number of spaces.
  First, he wants to ensure that bomb damages the target, and even more importantly the bomb has to go off.
  Do you think somebody handbraking untidily across car parking spaces and jumping out in the way you imply isn't going to arouse suspicion? Obviously, he's unlikely to want to be caught, too, your analogy simply isn't working. Also, a lot of 'criminals' want to "go straight" and Google is offering them a perfect opportunity here.
  
  --
  This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
14. Re:Cost of business by jopsen · 2013-01-28 21:26 · Score: 1
  
  It's not just about the money. You get:
  1) Assurance that you'll actually get paid instead of completely ripped off. 2) Assurance that you won't be found out and brought up on legal charges. 3) The publicity that comes with Google publishing your name as someone who's better than they are at finding vulnerabilities. 4) The money.
  5) The ability to sleep at night.
  
  (Having a clear conscious isn't worthless, after all money is only money)
15. Re:Cost of business by girlintraining · 2013-01-28 22:04 · Score: 1
  
  Do you think somebody handbraking untidily across car parking spaces and jumping out in the way you imply isn't going to arouse suspicion?
  In many locales, parking a car correctly and legally is out of the ordinary. Also... they tend to blow them up as soon as they're out of range... so I don't think anyone's going to call the bomb squad because someone double-parked... at least not before the boom.
  
  --
  #fuckbeta #iamslashdot #dicemustdie
16. Re:Cost of business by RivenAleem · 2013-01-29 05:41 · Score: 1
  
  Isn't that what separates criminals from the rest of us? I know that I could earn more money doing illegal activities than where I work right now.
17. Re:Cost of business by Anonymous Coward · 2013-01-29 08:26 · Score: 0
  
  NSA, FBI, Chinese Government, the mafia. They all need 0-days and have plenty of cash.
18. Re:Cost of business by webmistressrachel · 2013-01-29 11:47 · Score: 1
  
  "In many locales, parking a car correctly and legally is out of the ordinary"
  I'm not sure how many high-profile terrorist targets thare are where parking properly would be out of the ordinary - but I'm pretty sure there's not many. Dump your van near our big mall in Manchester and you'd have people onto you fairly quickly. Through a combination of pedestrianisation and planned parking, the risk to the mall is greatly reduced. Can you town say this? Maybe if it's "out of the ordinary" to park normally near where you live, you need to look at your local planning and "safety by design, not force" policies.
  
  --
  This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
Pi Million Dollars? by Anonymous Coward · 2013-01-28 10:39 · Score: 5, Funny

That just ain't rational.
1. Re:Pi Million Dollars? by steelfood · 2013-01-28 11:33 · Score: 3, Informative
  
  At least it's real.
  
  --
  "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
2. Re:Pi Million Dollars? by Anonymous Coward · 2013-01-28 11:46 · Score: 1
  
  It's like, transcendental, man.
mis-misread that headline by beep54 · 2013-01-28 10:40 · Score: 0

At first, it looked like Goolge was offering a million dollars to the (Rasberry) Pi and I was gonna joke on that, but....
1. Re:mis-misread that headline by YurB · 2013-01-28 11:50 · Score: 1
  
  Same here.
That amount by Anonymous Coward · 2013-01-28 10:47 · Score: 0

is irrational
They're going to have a problem with that. by EmagGeek · 2013-01-28 10:48 · Score: 1, Funny

pi * 10E6 != 3141592.65
Rounding by tanujt · 2013-01-28 10:49 · Score: 1

The bank is going to round that pi up.

It'll be more like a pie.
Cheapskates by bistromath007 · 2013-01-28 10:57 · Score: 1

Are you telling me Google can't afford tau million dollars?
1. Re:Cheapskates by Nemyst · 2013-01-28 11:04 · Score: 1
  
  Google were never really into taoism, but they sure like pie.
I'd like a slice of that Pi, please. by plalonde2 · 2013-01-28 11:13 · Score: 2

But if they were really trying to be correct they'd have made the price Tau dollars.
Chrome is not full of holes... by Anonymous Coward · 2013-01-28 11:31 · Score: 0

Reading comments here one would think that because such an exploit could potentially be worth more on the black, illegal, market, then it means everyone finding an exploit shall sell it to the mafia. So they kneejerk thinking: "software can never be secure, Chrome is full of holes and they're all for sale on the black market".
This is so wrong. That's not how it works.
The way it works is this: because Google is offering lots of money for exploits, there are a *lot* of white-hat security hackers that are going to try to find an exploit. These people would never have tried to hack Chrome with the intent to sell their exploit on the black market.
My guess is that very few exploits are going to be found because security was at least somehow in the mind of the Chrome developers (something that is sadly not true for most devs out there: security seems to nearly always be an afterthought).
I'll make a better one: find me one buffer overflow in the seL4 microkernel and I'll sell my appartment and give the money + all my economy to you. Wanna try? Oh, that's too bad: it has been formally proven that the seL4 microkernel is immune to buffer overflows using automated proof verification software (it found 160 bugs in 7 500 lines of code, but they've all been fixed now).
So, please, people... Stop thinking sofware insecurity and exploits are a fatality. They're not. It's just that hardly anyone does conceive software with security in mind.
Better than 'e' by Anonymous Coward · 2013-01-28 11:39 · Score: 0

It would have been more appropriate to be a Googol".
The Tau of Pi by aNonnyMouseCowered · 2013-01-28 11:59 · Score: 2

We settle for Pi when you can have Tau?
http://tauday.com/
1. Re:The Tau of Pi by chronokitsune3233 · 2013-01-28 17:54 · Score: 1
  
  I was just about to mention this. :-)
  Tau > Pi
  
  --
  I have been a captive in America my entire life. Everybody and everything uses customary units instead of metric.
2. Re:The Tau of Pi by Anonymous Coward · 2013-01-28 20:08 · Score: 0
  
  I agree with your general point about tau but exp(i * tau/2) is -1 not 1 and exp(i * tau) - 1 = 0
3. Re:The Tau of Pi by Anonymous Coward · 2013-01-29 01:08 · Score: 0
  
  Well obviously you're not going to get neat equations by blindly substituting tau/2 for pi without even simplifying.
  If you don't think tau/2 * r^2 is more elegant than pi * r^2 you don't do much math. Sure, it's slightly longer symbolically, but no one ever argued that all uses of Tau would make equations shorter, just that in general it's more semantically clear. So go on, *why* is the area of a circle pi * r^2 ? Is it obvious? Do you find it easy to visualize? Remember, pi is the ratio of circumference to diameter, not radius, so you've got a bit of juggling with your 2s and your halfs .... ...or you could just use tau, which is in terms of radius, which makes your equation tau/2 * r^2, which is familiar to anyone who's done calculus for more than a month as the integral of tau * r. Why tau * r? Because tau is a unit of measurement of *angles*, and one tau is a complete circle. So you sweep a radius through a complete circle and integrate it. Intuitive and straightforward.
  As for Euler's formula, most people have no idea what it means and are not qualified to comment on its relative elegance with respect to alternative formulations. e ^ (theta * i) rotates around the origin on the complex plane. It starts at (1,0) and completes a revolution every time theta hits a multiple of tau (once again, a tau equals a complete turn). If you plug pi into theta, it only rotates halfway around, stopping at (-1,0). Adding a 1 thus does push it "right" and bring it across to 0, but is that really elegant? As another anonymous coward points out, e^(tau*i) - 1 = 0 just as well, by bringing it round a *complete* circle and then pushing it "left" to the middle.
Cracking, not hacking by YurB · 2013-01-28 12:04 · Score: 2

This is a cracking contest: the goal is to break stuff. If the goal was to write a new compiler or OS, then I would call it hacking. Yep, only geeks use that word that way, but isn't Slashdot a geeky site? I believe it's a good idea to promote the distinction between hacking and cracking, because otherwise Gnu/Linux (and possibly things like Wikipedia) could be called 'cancer' again. And yet they are the opposite.
1. Re:Cracking, not hacking by MatrixCubed · 2013-01-28 12:56 · Score: 1
  
  RTFW
  And stop being so goddamn pedantic.
2. Re:Cracking, not hacking by Anonymous Coward · 2013-01-28 16:33 · Score: 0
  
  The word has both meanings now. Get over it.
3. Re:Cracking, not hacking by YurB · 2013-01-28 20:01 · Score: 1
  
  Someone has to be "goddamn pedantic".
4. Re:Cracking, not hacking by YurB · 2013-01-28 20:12 · Score: 2
  
  Exactly. It has both meanings, but most people don't know that. If we used the word more carefully, we'd be educating more people that there's some difference between those hackers who have built Gnu/Linux, and those who and steal money from bank accounts. The problem is that most people don't know the other meaning. Why not let them know by occasionally using the 'cr' instead of 'h'? It's only one extra byte.
5. Re:Cracking, not hacking by Anonymous Coward · 2013-01-28 21:09 · Score: 0
  
  Keep fighting the good fight. We should not lose our language. We used to have freedom fighters, and are now left with terrorists.
  Moreover, peers would have no reason to not reciprocate respect.
6. Re:Cracking, not hacking by MatrixCubed · 2013-01-29 04:08 · Score: 1
  
  You're absolutely right. Thanks for making the world a better place, one nitpick at a time.
Raspberry Pi by argee · 2013-01-28 13:01 · Score: 1

Here, for a few seconds, I thought they were donating a million dollars to the
Raspberry Pi people. A noble cause in itself.
Alas, further reading disavowed me of *that* idea.
1. Re:Raspberry Pi by arth1 · 2013-01-29 00:33 · Score: 1
  
  Here, for a few seconds, I thought they were donating a million dollars to the
  Raspberry Pi people. A noble cause in itself.
  What would be noble about it?
  Noble isn't a synonym for "donating to a non-profit".
Wouldn't that be the roundest company? by fwc · 2013-01-28 16:53 · Score: 1

After all, a square company wouldn't know anything about circles....
Msoft by empties · 2013-01-28 21:35 · Score: 1

Meanwhile, Microsoft is offering a free copy of Windows 8 to anyone who cracks Windows 8. Accounting for pi percent of their anemic sales.
Apple should do this by TheSkepticalOptimist · 2013-01-29 02:30 · Score: 1

Apparently Google is being sued in the EU because they found a way to exploit Safari's security and put device persistent cookies in spite of privacy settings.
Of course, Apple would go bankrupt if people actually started poking at Safari security.

--
I haven't thought of anything clever to put here, but then again most of you haven't either.