Vulnerability Development mailing list archives
Re: Cons and Security Validation
From: Crispin Cowan <crispin () WIREX COM>
Date: Tue, 6 Feb 2001 23:37:21 -0800
Blue Boar wrote:
Me sitting on an exploit doesn't serve anybody. So far I really like the work going into the Immunix project. I'd hate to see you guys pull what some would see as a marketing scam. Don't get me wrong... nothing wrong with having your box as a target in CTF... what would be wrong would be Immunix later saying it's secure based on lack of a breakin during CTF.
Thanks very much for your praise and feedback. It's kind of intriguing; we became interested in CTF contests precisely because I have major problems with the validity of Internet hack-me challenges like the Argus OpenHack, although Argus was graceful enough to say the right things in their public statements on the significance of OpenHack.

So to broaden the question: what WOULD be the ideal way to demonstrate the validity of the technology? We actually do have an internal staff position of Adversary, who regularly tests our tech. against whatever relevant exploits we can find. But some kind of external validation is needed; "we're secure because we say so" is crap. We'd love to hear suggestions from the community, especially this community. BB's suggestion of hack.immunix.com is a good one, but I'm not sure how much it differs from the usual hack-me contest. How do other people feel about that?

This is a VERY hard problem. From our discussions a month back, a secure thingie is a thingie that does what it is supposed to, and nothing else. Proving the "nothing else" part is astonishingly difficult. The academic community basically failed completely on that one, and punted to the BS in the Orange Book, which is really just a recitation of some motherhood and apple pie guidelines for good security design and good software engineering implementation. You can get an A1 secure rating and still be vulnerable.

Thanks,
Crispin

--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org