[Just as I was getting ready to send this, eBay pulled the auction, for
the record I did bid $200.01 hoping for a real good deal on a laptop. :) - WK]
By Robert McMillan
IDG News Service
The winner of a recent hacking contest is offering the computer he broke
into for sale on eBay, possibly with the Microsoft Vista attack code he
In a Monday listing , Shane Macaulay is selling the Fujitsu U810
laptop he won last Friday during the CanSecWest PWN 2 OWN  contest.
His listing claims that exploit code could probably still be extracted
from the machine. Although he make no guarantees, he wrote, "My
successfull [sic] exploitation of Vista SP1 remotely, is most likely
"This laptop is a good case study for any forensics
group/company/individual that wants to prove how cool they are, and a
live example, not canned of what a typical incident responce sitchiation
[sic] would look like."
Starting bid? $0.01.
Macaulay, a researcher with the Security Objectives consultancy, claims
that his Adobe Flash exploit will affect 90 percent of computers
He was one of two hackers to claim laptops and cash prizes for
penetrating systems during last week's contest. Organizers offered
Vista, Mac OS, and Linux-based laptops for the taking, along with prizes
that varied from $5,000 to $20,000, depending on the difficulty of the
exploit. By Friday, however, only the Linux laptop remained unbreached.
Although he listed his laptop just hours before April 1, a date that is
usually met with widespread Internet pranking, Macaulay said the listing
is no joke. According to him, he's simply looking to see what an
unpatched exploit might fetch in the open market."I figure this is a
good way to see... [what] an exploit for something that only a limited
amount of people know about, is worth," he said in an e-mail interview.
"The system was delivered to me as my prize. I'm free to use it as I see
fit," he added.
One hacker who knows Macaulay said that the April 1 listing is "a bit
coincidental," but that he may not be worried about forfeiting the
$5,000 in prize money TippingPoint paid him for his hack. "He makes good
money," said Marc Maiffret, an independent security researcher, in an
instant message interview. "It's all just funny to him."
If he's not playing an April Fool's joke, Macaulay may be running afoul
of both the PWN 2 OWN contest rules, which prohibit disclosure of bug
information prior to a patch. He may also be violating eBay's user
agreement , which say that users may not "distribute viruses or any
other technologies that may harm eBay, or the interests or property of
Macaulay had some funny answers when asked about these issues.
On the eBay terms of service problem, he said that he knew "some
highups," at the company and was "confident, when I speak with eBay they
will grant me a waiver."
And does TippingPoint know about what he's doing? "I believe at some
level," he answered. "I'm sure things might change as the word
percolates to the executives. Maybe I shouldn't have sold the
[TippingPoint] bag with the laptop!!"
The IDG News Service is a Network World affiliate.
All contents copyright 1995-2008 Network World, Inc
Subscribe to InfoSec News