When China hoards its hackers everyone loses

From Engadget - March 16, 2018

For over a decade Pwn2Own -- happening this week -- has brought together security talent from across the globe in a friendly hacking competition that is a cornerstone of research and advancement on par with Black Hat and Def Con.

China's hackers routinely win, sweeping the board -- notably, the Tencent and Keen teams. Pwn2Own is good-natured, and all in the name of researchers finding big bugs, nabbing great bounties and drawing attention to security holes and zero-days that need to be fixed.

But this year, according to Pwn2Own manager Brian Gorenc, China is no longer allowing its researchers to compete. Prior to the start of Pwn2Own this week, Gorenc told press "There have been regulatory changes in some countries that no longer allow participation in global exploit contests, such as Pwn2Own and Capture the Flag competitions."

One thing's for certain: yearly champions Tencent's Keen Labs and Qihoo 360's 360Vulcan team are nowhere to be found and Trend Micro, the conference organizer, has confirmed to Engadget that there are no Chinese competitors in this year's competition.

Stuck behind the Great Firewall

A spokesperson from Trend Micro told us via email, "If regulatory changes do prevent certain countries from participating, we would expect it to be across many events and not just Pwn2Own. These regulatory changes likely apply to other types of competitions."

It's a worrying development in the direction of isolationism and away from the benefits of competition in the spirit of improving security for all. It comes at a time when relations between the US and China strain under the weight of Huawei security concerns, which are not at all new, but are certainly coming to a head as American companies sever business ties with the firm.

It definitely puts all eyes on Def Con, which is having its first Chinese conference in early May. When reached for comment, the organization was still observing these developments.

The wider infosec community was just plain disappointed. Microsoft Edge Security hacker Jonathan Norman said in a tweet that the decision to keep China's hackers out of Pwn2Own was "depressing" because he "Worked really hard preparing for this year and wanted to see the results." Others said it just was not going to be the same without Keen participating, and they are not wrong.

One could argue that Pwn2Own makes everyone more secure. It's a contest that lights a fire under fat boys like Microsoft, Google, Apple, VMware, Mozilla and others, who routinely release big security patches immediately before the event. In addition, those behind Pwn2Own note that "There have been instances of teams filing bug reports with vendors prior to the contest in the hopes of killing competitor's exploits."

Pwn2Own was formed by Trend Micro's Zero Day Initiative, an organization to "encourage the reporting of zero day vulnerabilities responsibly to the affected vendors." They wrote in a blog post on Pwn2Own's tenth anniversary:

Would movement towards more secure software like this happen without Pwn2Own? Possibly, but Pwn2Own serves as an annual forcing function for vendors. It's an annual assessment of the state of security as we pit the best vendors have to offer against some of the best security researchers in the world.

A special edition of "Hoarders"

Divided we falter