Information Security News mailing list archives

Hacker shootouts? Not!


From: mea culpa <jericho () DIMENSIONAL COM>
Date: Mon, 13 Dec 1999 06:27:26 -0700

Forwarded From: darek.milewski () us pwcglobal com

NETWORK WORLD FUSION FOCUS: JIM REAVIS on SECURITY
Today's Focus: Hacker shootouts?  Not!
12/10/99
By Jim Reavis

I personally like the idea of companies sponsoring hacker challenges,
where a box is set up on the 'Net for ingenious hackers to test their
skills and win a prize.  These challenges can be educational - for the
hacker, the sponsor and sometimes for the product vendors as well.  I
would like to see more hacker challenges, bug bounties and crypto
algorithm cracking contests.

However, it is completely irresponsible and unbelievable to see hacker
shootouts that pit one operating system against another.  Such was the
case in September when PC Week Labs sponsored HackPCWeek.com, where a
Windows NT server was pitted against a Linux server in a test to find
which operating system was more secure.  Unfortunately, these types of
shootouts serve only to obfuscate the real issues of operating system
security, confuse those trying to learn about the technical differences
between the operating systems and further polarize the proponents of Linux
and NT.

Four days after the challenge was initiated, the Linux system was
compromised through an add-on CGI script with improper security checks -
not through the core operating system itself.  In providing an explanation of the hack, PC
Week Labs revealed that they did not install any of the 21 security
patches for Red Hat 6; however they did install Service Pack 5 for NT.
Their reasoning?  It was too difficult to install the individual patches,
but Service Pack 5 comes in one easy file.

Their perverse reasoning could be described as defining deviancy down -
systems administrators must be lazy and sloppy so we will be sloppy as
well.  PC Week Labs does not seem to be aware that service packs on NT are
not necessarily a systems administrator's paradigm.  The service packs are
very famous for fixing some things, but breaking others;  consequently,
many systems administrators are more comfortable staying behind a service
pack level and utilizing post-SP hotfixes to take a more targeted approach
to solving problems.

It is clear from PC Week Labs' explanation of their setup rationale that
service packs are an ideal service management solution - that would be
news even to many NT advocates.  PC Week Labs is guilty of making unwise
generalizations about how either operating system is or should be
securely implemented.

So what did PC Week Labs prove?  As many veterans of the computer security
industry will say, you cannot prove security, only insecurity.  Providing
total systems assurance is a complicated process that cannot be emulated
in a contest.  When it comes to using any computer system for the purpose
of securing sensitive data, the contribution the technology makes to that
equation pales in comparison to the contribution the people must make.
People make the difference in information security, and a solitary
shootout will do more to establish the competency of the test developers
than that of the products themselves.  Unfortunately, HackPCWeek.com proved
very little.

What are good hacker challenges to conduct?  Vendors that challenge
hackers to find flaws in their own products, or very specific algorithms,
are doing a positive thing.  Microsoft, for one, should be applauded for
the Windows 2000 beta test site the firm ran on its own.  This is a
terrific way to get the product out of their developers' and beta testers'
hands and into those with the talents to hack NT's vulnerabilities.  We
only wish that this effort had been more extensive and that Microsoft had
offered nice rewards to successful participants.

Vulnerabilities found on a beta product in a hacker challenge are
vulnerabilities that won't show up in the released product.  Code-breaking
challenges like RSA's Data Encryption Standard challenge are enormously
useful, as they give us concrete data on the amount of processing power
required to crack a widely used crypto algorithm.  To be sure, vendors use
marketing spin to claim that their own hacker challenge has proven the
superiority of their own products, but we all know that vendors are
supposed to be biased, and we can filter out the noise.  However, contests
from a presumably unbiased authority need to be much more carefully
constructed, and need to have objective goals.  Computer magazines have
done competitive product reviews for a long time, and the accepted
protocol is to bend over backwards to be fair.  Subjectively patching one
operating system, but not the other, is troubling and damaging to PC Week
Labs' credibility.

There are many IT decision makers who want to get to the facts about which
operating system they should be using now, and in the future.  Facts are
sometimes hard to come by, and unfortunately, a hacker shootout does not
provide any facts. A hacker shootout serves only to further polarize the
respective NT and Linux camps.  Ultimately, HackPCWeek.com appears to be a
base attempt to capitalize on the Linux-NT debate, without providing
something useful for IT decision makers.

I personally want to see more hacker challenges. Nothing would please me
more than to see talented hackers making a living off of these contests,
while we all learn from the results.  What did we really learn from the
HackPCWeek.com exercise?  If you are looking to hire a Linux administrator
and you receive a resume listing PC Week Labs as prior experience - you
might want to pass.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
FOR RELATED LINKS -- Click here for Network World's home page:
http://www.nwfusion.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Getting the drop on network intruders, Network World, 10/04/99
http://www.nwfusion.com/reviews/1004trends.html

Hacker alert, Network World, 09/27/99
http://www.nwfusion.com/buzz99/buzzintel.html

Defending against cyberattack, Network World, 08/23/99
http://www.nwfusion.com/news/1999/0823cyberattack.html

Start-up's 'decoy' server helps track down hackers, Network World,
08/09/99
http://www.nwfusion.com/archive/1999/72100_08-09-1999.html

Archive of Network World Fusion Focus on Security newsletters:
http://www.nwfusion.com/newsletters/sec/

Other security-related articles from Network World:

Viruses to crash New Year's bash: Remedies include shutting down e-mail
systems, Network World, 12/6/99
http://www.nwfusion.com/news/1999/1206y2k.html

Network World interview: Cisco's John Chambers, Network World, 12/6/99
http://www.nwfusion.com/news/1999/1206chambers.html

About the author
----------------
Jim Reavis, the founder of SecurityPortal.com
(http://securityportal.com/), is an analyst with over
10 years' experience consulting with Fortune 500 organizations on
networking and security-related technology projects.

Questions or comments?
----------------------
* For editorial comments, write Charley Spektor,
Managing Editor at: cspektor () nww com
* For advertising information, write Jamie Kalbach,
Account Executive at: jkalbach () nww com
* For all other inquiries, write Christine Rhoder,
Circulation Marketing Manager at: crhoder () nww com

Subscription Services
---------------------
You can subscribe or unsubscribe to any of your e-mail newsletters by
updating your form at: http://www.nwfusion.com/focus/subscription.html

For subscription changes that cannot be handled via the web, please send
an email to our customer service dept: listnews () gaeta itwpub1 com

Network World Fusion is part of IDG.net, the IDG Online Network.
IT All Starts Here: http://www.idg.net

Copyright Network World, Inc., 1999


----------------------------------------------------------------
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material.  Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited.   If you received
this in error, please contact the sender and delete the material from any
computer.

ISN is sponsored by Security-Focus.COM