Google Pledges Pi Million Dollars In Pwnium 3 Prizes
chicksdaddy writes "Google cemented its reputation as the squarest company around Monday (pun intended), offering prizes totaling Pi Million Dollars — that's right: $3.14159 million greenbacks — in its third annual Pwnium hacking contest, to be held at the CanSecWest conference on March 7 in Vancouver, British Columbia. Google will pay $110,000 for a browser or system level compromise delivered via a web page to a Chrome user in guest mode or logged in. The company will pay $150,000 for any compromise that delivers 'device persistence' delivered via a web page, the company announced on the Chromium blog. 'We believe these larger rewards reflect the additional challenge involved with tackling the security defenses of Chrome OS, compared to traditional operating systems,' wrote Chris Evans of Google's Security Team."
Needs to go to the cents... (Score:5, Insightful)
$3,141,592.65 whould be better.
Re: (Score:1)
$3,141,592.65 whould be better.
Dude, why are you putting so much emphasis on the h?
The Tau of Pi (Score:3)
We settle for Pi when you can have Tau?
http://tauday.com/ [tauday.com]
Re: (Score:1)
I was just about to mention this. :-)
Tau > Pi
Square? (Score:1)
Cost of business (Score:4, Interesting)
For exploits like that, the black market still pays somewhat better than Google does. All I'm saying is, if I were sitting on a Chrome exploit that allowed remote code execution, I wouldn't sell it for a measly $150 grand. That's worth a couple million, easy.
Re: (Score:3)
I'll bite:
Where? Who is paying that kind of money?
Re: (Score:2)
http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/ [forbes.com]
Chrome: $80-200k
Of course, one is legal and legit and the other is pretty evil. So for some people I imagine it's the only real option.
Re: (Score:2)
I really should have said, I don't know that there's anything illegal about selling an exploit to your own government, even if it's through a broker (as is the case in the article).
But comparatively evil? I would say so. I think I'd rather get paid pretty well and just have Google fix the software for everyone.
Such activities are out of my league anyway, though.
Re:Cost of business (Score:4, Insightful)
Chrome: $80-200k
Keep in mind, that's the sale price; it does not mean you get it exclusively. You can sell it to multiple parties, unlike Google.
Re: (Score:2)
Who says you can't 'sell' it to Google too? They don't need to know it was you who sold it to botnet makers.
Re: (Score:1)
"...Each price assumes an exclusive sale, the most modern version of the software, and, of course, not alerting the software’s vendor..."
Re: (Score:2)
Maybe you should read the article:
Oh, I read it. I also saw a rather large blinking red arrow over the word "Assumed" that comes from real world experience with such things, unlike the journalist. Expecting a criminal to keep up his end of the bargain when there's potentially millions to be made selling to multiple parties is like expecting a terrorist to care his car bomb is taking up TWO parking spaces.
Re: (Score:2)
I'm quite sure that any terrorist is likely to ensure that he takes great care over how his car bomb is parked, right down to the number of spaces.
First, he wants to ensure that bomb damages the target, and even more importantly the bomb has to go off.
Do you think somebody handbraking untidily across car parking spaces and jumping out in the way you imply isn't going to arouse suspicion? Obviously, he's unlikely to want to be caught, too, your analogy simply isn't working. Also, a lot of 'criminals' want to
Re: (Score:2)
Do you think somebody handbraking untidily across car parking spaces and jumping out in the way you imply isn't going to arouse suspicion?
In many locales, parking a car correctly and legally is out of the ordinary. Also... they tend to blow them up as soon as they're out of range... so I don't think anyone's going to call the bomb squad because someone double-parked... at least not before the boom.
Re: (Score:2)
"In many locales, parking a car correctly and legally is out of the ordinary"
I'm not sure how many high-profile terrorist targets there are where parking properly would be out of the ordinary - but I'm pretty sure there's not many. Dump your van near our big mall in Manchester and you'd have people onto you fairly quickly. Through a combination of pedestrianisation and planned parking, the risk to the mall is greatly reduced. Can your town say this? Maybe if it's "out of the ordinary" to park normally near w
Re: (Score:2)
How will you make the swap between money and code? You'll have to make 100% sure that the buyer is not an undercover FBI agent. If he's not, then you'll have to make 100% sure that you can trust the middleman so that you don't get gutted like a pig (buyer pays middleman half of what he would pay you for this). If the buyer and middleman check out, then you'll have to have a mechanism/person to verify the money. If all of that checks out, you'll never be able to pu
Re: (Score:2)
It's not just about the money. You get:
1) Assurance that you'll actually get paid instead of completely ripped off.
2) Assurance that you won't be found out and brought up on legal charges.
3) The publicity that comes with Google publishing your name as someone who's better than they are at finding vulnerabilities.
4) The money.
5) The ability to sleep at night.
(Having a clear conscience isn't worthless; after all, money is only money)
Re: (Score:2)
Yes, but if you get caught, you can lose anything you got paid (as the profits of crime) plus go to jail.
Whereas if you sell to Google, you get money, publicity that you can use openly outside of the black market world, and you don't have to worry about going to jail for it.
Also, some people have moral codes which would discourage selling exploits on the black market, but not seeking rewards through something like Pwnium.
Re: (Score:2)
Isn't that what separates criminals from the rest of us? I know that I could earn more money doing illegal activities than where I work right now.
Pi Million Dollars? (Score:5, Funny)
That just ain't rational.
Re:Pi Million Dollars? (Score:4, Informative)
At least it's real.
Re: (Score:1)
It's like, transcendental, man.
They're going to have a problem with that. (Score:1, Funny)
pi * 10E6 != 3141592.65
Rounding (Score:1)
It'll be more like a pie.
Cheapskates (Score:2)
Re: (Score:2)
Google were never really into taoism, but they sure like pie.
I'd like a slice of that Pi, please. (Score:2)
Cracking, not hacking (Score:2)
Re: (Score:1)
RTFW [wikipedia.org]
And stop being so goddamn pedantic.
Raspberry Pi (Score:1)
Here, for a few seconds, I thought they were donating a million dollars to the Raspberry Pi people. A noble cause in itself.
Alas, further reading disavowed me of *that* idea.
Re: (Score:2)
Here, for a few seconds, I thought they were donating a million dollars to the Raspberry Pi people. A noble cause in itself.
What would be noble about it?
Noble isn't a synonym for "donating to a non-profit".
Wouldn't that be the roundest company? (Score:2)
Msoft (Score:1)
Apple should do this (Score:2)
Apparently Google is being sued in the EU because they found a way to exploit Safari's security and put device persistent cookies in spite of privacy settings.
Of course, Apple would go bankrupt if people actually started poking at Safari security.