Comments for Over $3M in Prizes to Hack Google Chrome

Comment from BlueRaja on 2013-02-15

2013-02-15T23:02:00Z

@Zen You must be new here.

Comment from Baylink on 2013-02-12

2013-02-12T20:57:25Z

For my part, I like the Don Knuth riff.

Comment from Nick P on 2013-02-08

2013-02-08T16:13:12Z

@ TLA

Nice ideas. I'll add that it helps to make the target look more interesting. Make it seem like an obscure lab or organization in DOD. Or a company with valuable intellectual property that big Chinese/Russian firms could use. Plant some connections between the fake site and a real one they're probably reading. Then wait.

Comment from TLA on 2013-02-08

2013-02-08T09:35:44Z

To make it shorter: setup a honeypot to grab the 0day Google is paying for.

This is nice because this is taking a bug from the black market to the vendor. And this makes money.

The TLA are already making honeypot, but won't sell such 0days to vendors like you may do now.

Comment from TLA on 2013-02-08

2013-02-08T08:34:12Z

Want to cash in Google's money without actual research ?

(1) setup a chrome OS as a blog server paraphrasing articles about fortune of China's leaders.
(2) firewall any non-http inbound connection with an OpenBSD computer (or other secure computer, see http://www.schneier.com/blog/archives/2013/02/... for details).
(3) publish on the blog that you regularily visit english.cri.cn to check that they don't write about it.
(4) increase your visibility through Search Engine Poisoning, comments at NYTimes newspaper, private mail to NYTimes under China's scrutiny, ...
(5) publish the OS version of your blog server.
(6) visit regularily english.cri.cn, and use the OpenBSD box to log all answers.
(7) parse these answers on OpenBSD. This is the difficult step.
(8) sell this 0day exploit to Google.

Comment from Atavia Jones on 2013-02-07

2013-02-08T00:01:50Z

Any sincere commitment to security would mean they offer strong payment regularly, not just with one show where one has to jump through a bunch of hoops to join and get involved with.

The payment I am seeing from these firms is paltry compared to what I see from the government black market. (Which I have never seen is so great, though just from peer talk.)

I do not know about Chrome OS, but the Android OS has some serious weaknesses in it.

If you gain access to the user's Google credentials, you can gain access to their Google Play site where you can force upload from the web remotely whatever programs you wish onto their system.

Google does not encrypt their credentials in their mail application's database -- which is not secured permissions wise.

And they have a lot of sites where someone could steal their cookies. Like one sees with this recent Yahoo hack.
Their main sites are very hard core secured at the web level, but not so with all of their far flung sites of the same domain.

(Their main sites' security is not so secure when combined with certain Android applications.)

I strongly doubt Chrome OS is "all that", and if it was, they would feel confident in offering stronger monetary rewards all the time.

Comment from Nick on 2013-02-07

2013-02-07T18:19:20Z

@Bob
I agree, but look into Kaspersky products when you get some time. And don't forget our 'own' Adobe products.

But Kaspersky database of file hashes from their customers is still one of the coolest file correlation techniques I have seen for off line social network analysis.

Comment from Bob on 2013-02-07

2013-02-07T16:34:23Z

google chrome itself is a trojan horse. they do lots of nasty things in the name of Update!
if you install any google product just a command from general is enough to spy your machine (as most of people have at least one google product installed like chrome or gmail plugin...)

Comment from Zen DDoS Protection on 2013-02-07

2013-02-07T16:19:25Z

Well I do believe that will help a little bit. I doubt that anyone will exploit an updated version of Google Chrome this year, the automatic update with the sandbox makes it very secure.

BTW, in last year Edition, VUPEN hacked into chrome and declined to reveal how they escaped the sandbox. They said they were going to sell the code instead, what happened with the code?

Zen DDoS Protection

Comment from TLA on 2013-02-07

2013-02-07T15:22:55Z

This will also increase prices to pay by governemental agencies (TLA) buying exploits for Chrome OS, to more that $150000. TLA have an annual objective of 0day exploits to buy, and billions of $.

Result: more people will try to develop exploits of Chrome OS. But Chrome OS won't be safer.

Google's $3141590 cannot compete with them.

Comment from JohnJ on 2013-02-07

2013-02-07T13:20:49Z

Alternate headline: "A Million Pis for Chrome Crackers"

On a more serious note, when vendors subject their products to scrutiny - in the security arena or otherwise - it is almost always good for consumers.