Vulnerability Development mailing list archives
Re: Kill the DOG and win 100 000 DM
From: "Jeffrey W. Thompson" <thompson () ARGUS-SYSTEMS COM>
Date: Wed, 8 Nov 2000 15:25:15 -0600
Hi, Jay Tribick let me know that you guys were having a discussion of the PitBull hacking contest going on right now on this list so I thought I would join and offer myself for questions and whatnot. To introduce myself, my name is Jeff Thompson (aka Mythrandir) and I am a Software Evangelist and Visionary for Argus Systems Group who is the company that makes the PitBull technology. I am entirely technical so I will be able to address technical discussion thoroughly, but I should also be able to answer some more general business questions as well. However, I suspect that most people on this list will prefer the technical side of me. :) I've read through all of the posts regarding the contest and I wanted to address several of them at once. I should make note that I am not in charge of this contest, though I was one of the people involved in pen-testing it (and hopefully we did a good job!). I hope you'll indulge me a little bit here, as this should clear up a number of things. The first concern that I read about was in regards to the value of such a contest. The question was specifically asking what a contest like this would "prove" and that it is no substitute for secure coding and operations procedures. I agree with the poster that these contests do not prove anything. They are not intended to be an absolute statement of a products security. Rather, these contests do a couple things. First they expose people to a technology and raise awareness about it. These contests also put the products up on the line for individuals to test. [Hacking Contests] As a security professional I for one am very happy to have an opportunity to examine a companies product, particularly in an extremely unfriendly environment such as a hacking contest. This does not replace a due diligence examination of the product and a strong look into its technology to understand its strengths and limitations. If you were to go out and buy the Argus PitBull product solely based on it winning a contest I would be happy that our company got your money, but I would prefer you used it because you were confident in its utility and understood why you needed. People who understand the technology are far more likely to recommend it to others. In regards to secure coding practices, I wholeheartedly agree. I don't care how many contests a company wins, if it has shoddy code then it will fail. Argus in fact takes this very seriously, as we put our products through an independent evaluation with the Common Criteria. CC has essentially replaced the old B1 type certifications in the US and in Europe with a new method of evaluation. The end result is similar. We place all of our documentation, product binaries, and source code in the hands of a third party who will verify that we do what we say we do. This is also in addition to rigid source code controls we practice internally (particularly in regards to internal source code reviews). As it may interest people, I should mention that Argus is planning a future hacking contest where we will be setting up a complex set of systems that will all be serving multiple services (http, telnet, ftp, smtp, dns, e-commerce server, database, finger, imap, pop, etc, etc..) Several of the machines will allow people to log in directly from the beginning of the contest. The intent of the contest is to demonstrate how trusted operating system security can be used in a complex environment to protect itself from attack. It is also worth noting that this contest will be of significantly increased length. [Overhead] There was a question in regards to the system and it being bogged down.
From what I've seen this is really just a function of DOS attacks and
the system simply taking a beating. The last performance testing that was done on the PitBull product (as I recall) showed a less than 5% degredation in performance due to enhancing security functionality. [Argus Revolution] As has been mentioned on the list, Argus does make its product available for free for individual non-commercial use. Currently, the product that is available on the web site is the Solaris 7 product (MU3 version). We should have the latest MU4 release up there soon for people who want to use the most current software with the latest patches. As it may interest people, we are currently developing a Linux based product as well, and information will be made available on the corporate site and Revolution site as soon as it becomes available. I believe that the above addresses the questions that I saw. I am of course happy to discuss them in greater length with anyone who wants to, either on the list or in private email. Obvisouly, if anyone has other questions I'll happily try to answer them. Now, more importantly I'd be happy to discuss Trusted Operating Systems security, PitBull, my penetrating B1 systems speech, and hacking methodologies on these types of systems with anyone who is interested. This is the fun part of these contests! Cheers, Jeff Jeff Thompson Software Evangelist and Visionary Argus Systems Group, Inc.
Current thread:
- Fw: Re: Kill the DOG and win 100 000 DM, (continued)
- Fw: Re: Kill the DOG and win 100 000 DM Guilherme Mesquita (Nov 07)
- Re: Kill the DOG and win 100 000 DM John Herron (Nov 08)
- Re: Kill the DOG and win 100 000 DM Mark (Nov 08)
- Re: Kill the DOG and win 100 000 DM Robert Collins (Nov 08)
- Re: Kill the DOG and win 100 000 DM Scott Fagg (Nov 08)
- Re: Kill the DOG and win 100 000 DM Jon Larimer (Nov 09)
- Re: Kill the DOG and win 100 000 DM Jay Tribick (Nov 09)
- Re: Kill the DOG and win 100 000 DM Michael Wojcik (Nov 09)
- Re: Kill the DOG and win 100 000 DM Sherrod, Andrew (Nov 09)
- Re: Kill the DOG and win 100 000 DM Ghory, Zeshan A (Nov 09)
- Re: Kill the DOG and win 100 000 DM Jeffrey W. Thompson (Nov 10)
- Re: Kill the DOG and win 100 000 DM Lincoln Yeoh (Nov 11)
- Re: Kill the DOG and win 100 000 DM Jeffrey W. Thompson (Nov 11)
- Re: Kill the DOG and win 100 000 DM Jay Tribick (Nov 11)
- Re: Kill the DOG and win 100 000 DM Jeffrey W. Thompson (Nov 11)
- Re: Kill the DOG and win 100 000 DM Lincoln Yeoh (Nov 11)
- Re: Kill the DOG and win 100 000 DM Mark (Nov 12)
- Re: Kill the DOG and win 100 000 DM Jeffrey W. Thompson (Nov 15)
- Re: Kill the DOG and win 100 000 DM Lincoln Yeoh (Nov 15)
- Re: Kill the DOG and win 100 000 DM Lincoln Yeoh (Nov 11)
- Re: Kill the DOG and win 100 000 DM Jay Tribick (Nov 11)
- Re: Kill the DOG and win 100 000 DM Jeffrey W. Thompson (Nov 11)