Hacker group finds faults in crack challenge

[InfoSec News <isn () C4I ORG>]

http://www.it.fairfax.com.au/breaking/20010307/A27390-2001Mar7.html

Wednesday, March 7, 2001, 10:46
By BARRY PARK, FAIRFAX IT

Hacker advocacy group 2600 Australia has called on a Perth company to
honor its promise to donate $US1 million to charity after its network
security device remained uncracked after a 30-day public trial.

Secure Systems, which has developed a hardware-based network security
device called the Silicon Data Vault, said earlier this year it would
donate $1 million to the United States-based Make-a-Wish Foundation if
the device was cracked within a 30-day period ending at midnight on
February 28, but only if the technology was onsold to a developer.

It said if the device was cracked, Secure Systems would donate
$US10,000 to the charity of the cracker's choice.

However, 2600 Australia yesterday criticised the company's decision to
move the cracking challenge into a second phase, which was to have
launched on the company's website yesterday.

Do you guys really think that proving something cannot be broken by a
meagre 30 participants in two to three weeks is sufficient evidence on
which to base what appear to be claims of unbreakable security? 2600
Australia spokesman Grant Bayley said in an e-mail to the company.

'I don't think this challenge is by any means a fair one because the
parameters in which entrants are forced to operate are nothing like
those which a serious commercial or military buyer would be subjected
to when performing an evaluation prior to purchase or embedded use,
Bayley said.

Anyone at Secure Systems ever considered that the value of the
information protected by SDV when put into widespread usage is greater
than the US$10,000 reward being offered?

If you broke it and were so inclined, wouldn't you wait until the
product was in widespread use and privately dine on the morsels
'protected' by it? he said.

Bayley said crackers would also gain physical access to a device to
study how it was built, which also could give clues to how its
security could be circumvented.

The Australian reported yesterday that 30 attempts on cracking the
Vault during the challenge's timeframe had failed.

It said Secure Systems had now moved the information to a Linux-based
system, and that crackers would have to identify themselves before
logging into the Vault system.

Secure Systems has been contacted for comment.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".