While sports fans across North America are busy obsessing about U.S. college basketball’s March Madness or the race to make the NHL playoffs, many in the computer industry are watching a competition in Vancouver, one trying to add fuel to the debate about which computer operating system is the most secure.

The second annual PWN2OWN hacking contest takes place during CanSecWest, a computer-security conference that runs from March 26 to 28 at the Renaissance Vancouver Hotel Harbourside. (In computer-security circles, PWN—a misspelling of own—is slang for controlling or corrupting a computer.) In the contest, three laptops run Windows Vista, Mac OS X, and Linux Ubuntu, a popular open-source operating system; the first competitor to hack one of the laptops gets to keep it and wins a cash prize.

“I’m curious to see which one will go first,” Dragos Ruiu, a local computer-security consultant and one of the organizers of CanSecWest, said in a phone interview with the Georgia Straight. “I’ve heard all kinds of theories and I’m thinking of opening a sports book or a betting pool on it. It’s really been a bit of a spectacle.”

Vancouverite Shane Macaulay and his New York friend Dino Dai Zovi won last year’s PWN2OWN contest, which focused solely on cracking Apple’s Mac OS X operating system. Dai Zovi worked all night to create a file that, when executed, was able to remotely control a MacBook by exploiting a vulnerability in the QuickTime media program. After the success of last year’s contest, CanSecWest organizers decided to not just pit hackers against each other but have operating systems square off to see which one is the most secure.

Hackers will use each operating system’s e-mail, Web browser, and instant-messaging programs—the same programs that most users have on their desktops—as entry points. Said Ruiu: “This will be a really typical laptop, what 95 percent of computers in the world have. This is a very fair test. It will be interesting to see what happens when people have the financial incentive to hack them.”

Indeed, the financial incentive for hackers extends far beyond the prizes—ranging from $5,000 to $20,000—offered to the winners of the PWN2OWN contest. Over the past decade, an entire industry has arisen around “white hat” hackers, also known as ethical hackers, who find weaknesses in computer programs and networks before “black hat” hackers can exploit them.

Hacking remains a felony in Canada and many countries around the world, but it is legal for companies to hire ethical hackers to breach computer networks. Many in the industry blanch at the use of the phrase “ethical hacker”, preferring to refer to themselves as “security consultants” or “penetration testers”. Whatever they’re called, this new generation of security professionals has built an industry on the old bromide that it takes a thief to catch a thief.

Many companies hire full-time hackers to test the strength of their network security. Others buy information about system vulnerabilities from freelance security researchers. Information about some system flaws has sold for as much as US$75,000, the kind of payday that dwarfs the prize money awarded in the Vancouver contest. In 2006, Microsoft fixed 17 security flaws reported by freelance hackers who gave the information to a third party after being paid a “flaw bounty”.

The boom in computer security has come in part because of the increase in malicious hacking, which is proving increasingly costly. In a 2007 survey by the U.S.–based Computer Security Institute, 46 percent of respondents reported a serious security incident in the previous year. The average annual loss from a security breach was $350,424.

CanSecWest organizer Will Whittaker admitted that many of today’s white-hat hackers honed their skills while lurking in decidedly grey areas, driven by a natural curiosity and a bit of mischief. “I think a large part of the community probably got dragged into it doing stupid stuff as a kid: cracking games, writing viruses, or defacing Web sites,” Whittaker said in a phone interview from Victoria. “Somewhere along the line, they realized that they could make real money at it.”

Although many of the current crop of ethical hackers are self-taught, there are organizations—such as the U.S.-based EC-Council—that offer ethical-hacking certificates. Conferences like CanSecWest have arisen so security professionals can share the latest information in the constantly shifting world of the computer industry.

Such organizations and conferences are a far cry from the days when the industry was not nearly so structured or safe. Before the industry grew, countless hackers worked on their own time to find “exploits”, often notifying companies of weaknesses or posting them on the Internet in the hope they would be fixed before black-hat hackers exploited them. Instead of being thanked, some ended up being sued or arrested. Ruiu believes that such draconian measures resulted from a fear of technology. “I call them the hacker witch hunts,” he said. “Before people understood what all this stuff was, anybody who could do anything with a computer was like a black-magic wizard. Not a lot of people understood this stuff. People were like, ‘Oh, my God. He got a computer to do what? He must have done something wrong.’ ”

Over time, however, many large corporations learned that the best way to deal with hackers and their command of technology was to put them on the payroll. Although there is still plenty of malicious hacking taking place in countries where people have fewer economic opportunities and laws are less stringent, most hackers in North America wear white hats. “All the hacking you see nowadays is professional,” Dai Zovi said from New York, where he works as a security manager for a financial firm. “All hacking has either been monetized or criminalized. There’s very little grey area.”

Dai Zovi is in Vancouver to compete once again in the PWN2 OWN match. The contest, which was created as a lark, has actually helped boost Internet security. Nine days after Macaulay and Dai Zovi hacked into a MacBook using QuickTime, Apple released a security patch (although many security professionals questioned whether or not the patch actually solved the problem). According to Ruiu, there are rumours that Microsoft, Apple, and Linux released security patches before this year’s contest in order to thwart competitors.

Although many observers treat PWN2OWN like a sporting event, Dai Zovi refused to make bold predictions about defending his title. He did say that he’s up for whatever the big operating systems throw at him. Hackers like Dai Zovi love the cat-and-mouse game that has computer programmers watching their every move, and vice versa. The game is even more fun now that the computer industry is handing them paycheques instead of arrest warrants.

“Because of the rise in the security industry, it’s very easy to get a job,” Dai Zovi said. “Say you’re an 18- or 19-year-old and you have these hacking skills. You have two options: you could either break into things, get some thrills, and risk going to jail, or you can get a high-paying job where you get to break into high-profile things. It’s a no-brainer.”