Ebay pulls the plug

Apr 2, 2008 10:57 GMT  ·  By

The laptop running a copy of Windows Vista Ultimate Service Pack 1 hacked in the CanSecWest PWN2OWN 2008 challenge was listed for sale on Ebay but failed to conduct to a successful sale. The starting bid for the auction of the Fujitsu U810 running Vista Ultimate SP1, claimed as part of the prize of the security researchers that hacked it at the CanSecWest Vancouver 2008 at the end of the past week, was set at $0.01. However, the item did not last long enough on Ebay for the auctioning bid war to reach the end. In fact, the online auction site took down the laptop arguing that it was infringing the site's terms of agreement.

Before it was pulled down the listing for the hacked Vista SP1 laptop read: "This laptop is a good case study for any forensics group/company/individual that wants to prove how cool they are, and a live example, not canned of what a typical incident responce sitchiation would look like." Now, Ebay only shows the following message: "this listing (280214168502) has been removed or is no longer available. Please make sure you entered the right item number. If the listing was removed by eBay, consider it cancelled. Note: Listings that have ended more than 90 days ago will no longer appear on eBay."

Shane Macaulay is a researcher with Security Objectives. You are able to see him in the image at the top of this article along with friend Alexander Sotirov. After winning the Fujitsu U810 laptop with Vista Ultimate SP1 by exploiting a zero-day vulnerability in Adobe Flash, Macaulay offered the "spoils of war" via Ebay. Macaulay stated that he simply wanted to see how much would his zero-day exploit be worth on the open market. Macaulay was helped by Derek Callaway (from Security Objectives) and Alexander Sotirov to hack Windows Vista Ultimate SP1, and back in 2007 he and security researcher Dino Dai Zovi hacked and won the Mac offered at the last year's PWN2OWN competition.

A spokesperson for Ebay explained that the site had pulled the Vista SP1 laptop listing due to the fact that it violated the restriction not to sell items that can potentially cause harm. At the same time, Macaulay appears to have broken his non-disclosure agreement with TippingPoint, sponsor of the hacking challenge via the Zero Day Initiative. Macaulay did not have the rights to disclose any details about the zero-day vulnerability in Flash until Adobe had patched it.