How much is a browser vulnerability worth? There's certainly good money to be made if the prizes on offer for disclosing exploits at this year's Pwn2Own contest are anything to go by.
The infamous hackathon held at the CanSecWest bash in early March will offer more than $500,000 in prize money to those able to confound browser security.
The largest prizes will go to contestants that can successfully compromise Google Chrome on Windows 7 or IE 10 on Windows 8 – either of which are worth $100,000.
That Google's Chrome features so far up the prize-money stakes may be down to its return as a co-sponsor.
Last year, Google famously withdrew its sponsorship offer for Pwn2Own, complaining that the competition rules would allow entrants to demonstrate hacks that defeated a browser's sandbox security feature, without having to share the full details of the exploit. It set up its own rival hacking competition in response.
At the time, Pwn2Own organisers, the Zero Day Initiative argued that the market value for sandbox escapes far exceeded the prize money on offer.
This year, the prize money has gone up, but it appears that Google's return to the fold comes at the expense of greater openness.
“Upon successful demonstration of the exploit, the contestant will provide HP ZDI a fully functioning exploit and all the details of the vulnerability used in the attack,” wrote Brian Gorenc, a security researcher at HP DVLabs, which oversees the ZDI team, one the blog announcing this year's competition.
In another change, a further pot of prize money will be allocated to contestants that demonstrate exploits via third-party plug-ins.
But will hackers be persuaded that the prize money is enough?
Last year's stand out team - the exploit writers from French security firm Vupen, who cracked Chrome in a matter of minutes - described the changes in terms and conditions as "frustrating".
But Chauoki Bekar, chief executive of Vupen told V3 it was likely that his team would be back - although it may consider going after different targets.
"For now, we have registered for all targets and depending on how many of them we are allowed to go after and on whether the full technical details and codes are provided by ZDI to the vendor or kept private for their internal research use, we will decide if we will pwn a specific browser or plugin, pwn them all, or do not participate at all," he said.
The change in Pwn2Own entry conditions was prompted by the increasing sophistication of exploits, said DVLabs' Gorenc.
“We do not believe that a lone bug is enough to fully compromise a target, given all the advances in mitigation approaches. Because we’re asking our researchers to disclose more than we have in the past, we have increased their compensation this year," he told V3.
07 Nov 2012
Google's latest update to the Chrome browser will give users up to 25 percent more battery life, the company has claimed.
The update uses GPU-accelerated video decoding to divert most of the power being used during video playback to a computers graphics processor. Google says the method increases battery life by allowing computers to use less CPU computing power during video playback.
"In our tests, the battery lasted 25 percent longer when GPU-accelerated video decoding was enabled," said Google software engineer Ami Fischman in a blog post.
"Now Chrome users on Windows will experience longer battery life so they don't get cut off while watching their favourite YouTube video on repeat."
While the extended battery life sounds great, it should be noted that it only works for Windows users with dedicated GPUs. If you're a notebook user using a GPU that shares its processing power you are out of luck.
In addition to the extended battery life, the Chrome update also comes with Do Not Track support. The controversial feature inserts a line of code into the browser which allows users to send a message to websites telling them that they don't want to be tracked by cookies.
Do Not Track was announced for Chrome last September but only became official with the latest update.
The battle for hearts and minds in the video communications space continues to heat up, after news emerged that Google plans to add video chat within Chrome.
Henrik Andreasson, a Google programmer, explained in a blog post that it would be possible to build video-chat tools into Chrome by offering full support for the Web Real Time Communications (RTC) standard in the browser.
"We are working hard to provide full RTC support in Chrome all the way from WebKit down to the native audio and video parts," he said.
"When we are done, any web developer shall be able to create RTC applications, like the Google Talk client in Gmail, without using any plug-ins but only WebRTC components that runs in the sandbox."
The idea of making video calls directly through the browser is certainly appealing, removing the need for add-ons and plug-ins of which many are unaware or unsure, and instead putting the power to call straight into the hands of the end user.
Cisco, Skype/Microsoft and others are all promoting their own video technologies, and the key issue will remain interoperability. No-one will buy or use a system if they can't chat to someone else using a different operating system, browser or even telepresence unit.
On this point, an earlier blog post by Google engineering director Rian Liebenberg detailing the launch of the WebRTC code, said the company would talk with other browser manufacturers and standards bodies to ensure they could interoperate.
"We'll be working closely with other browser developers such as Mozilla and Opera to implement this technology for use by the broader web community," he said.
"In addition, we've collectively engaged with the standards communities such as IETF and W3C working groups to define and implement a set of standards for real-time communications."
So, your mum ringing up for a face-to-face chat while you're surfing the web in your underpants? Get ready, it's going to happen ...
26 May 2011
But, at the last minute, the Information Commissioner's Office (ICO), which is tasked with enforcing the changes, announced that firms have a year to sort their sites out before it will take any action.
Information Commissioner Christopher Graham said on Wednesday that the organisation would take this approach, but that it is not an example that companies should blindly follow, explaining that the ICO will use examples from other sites to shape its guidance.
"Every web site is different, and prescriptive and universal 'to do' lists would only hinder rather than help businesses to find a solution that works best for them and their customers," he said.
"The initial advice that we issued earlier this month will continue to be supplemented with real-life examples as they come in."
ICO home page asking users' permission to store cookies on their computers.