EBay yanks sale of laptop with Vista attack code
- 02 April, 2008 08:43
Shane Macaulay's attempt to sell a hacked laptop complete with Windows Vista attack code did not last long.
EBay pulled the listing within hours of its appearance Monday, saying that it could have harmed users. "You can't sell anything that would do harm," said a spokeswoman for eBay's public relations agency.
The company removed the listing between 11 p.m. Monday and 12:30 a.m. Tuesday, Pacific Time, after eBay employees noticed the post. "It was the wording of the listing that caught the attention of the trust and safety experts who monitor the site," the spokeswoman said.
Macaulay won last week's PWN 2 OWN hacking contest at the CanSecWest conference in Vancouver. He had offered the laptop he broke into for sale, claiming that his exploit code could probably still be extracted from the machine.
"This laptop is a good case study for any forensics group/company/individual that wants to prove how cool they are, and a live example, not canned of what a typical incident responce sitchiation [sic] would look like," his listing stated.
Although the laptop was listed on eBay just before April 1, a traditional day of Internet pranks, Macaulay insisted it was legitimate.
Macaulay, a researcher with the Security Objectives consultancy, was one of two hackers to claim laptops and cash prizes for penetrating systems during last week's contest. Organizers offered Vista, Mac OS and Linux-based laptops for the taking, along with prizes that varied from US$5,000 to US$20,000, depending on the difficulty of the exploit. By Friday, however, only the Linux laptop remained unbreached.
Though the laptop he hacked runs Vista, Macaulay claimed that his Adobe Flash Player exploit will affect 90 percent of computers worldwide. He won a US$5,000 cash prize, courtesy of 3Com's TippingPoint division, and the Fujitsu U810 laptop he had hacked into for his work.
Had Macaulay been able to sell his laptop before Adobe patched the issue, he would have violated his contract with TippingPoint, said Terri Forslof, the company's manager of security response. "We would have disqualified him from the program," she said.
The laptop had not been hit with any other attack code during the course of the contest, she added. "He was the only person who tried," she said.