Vulnerability Development mailing list archives

Re: Kill the DOG and win 100 000 DM


From: "Jeffrey W. Thompson" <thompson () ARGUS-SYSTEMS COM>
Date: Wed, 8 Nov 2000 15:25:15 -0600

Hi,

Jay Tribick let me know that you guys were having a discussion of the
PitBull hacking contest going on right now on this list so I thought I
would join and offer myself for questions and whatnot.  To introduce
myself, my name is Jeff Thompson (aka Mythrandir) and I am a Software
Evangelist and Visionary for Argus Systems Group who is the company that
makes the PitBull technology.  I am entirely technical so I will be able
to address technical discussion thoroughly, but I should also be able to
answer some more general business questions as well.  However, I suspect
that most people on this list will prefer the technical side of me. :)

I've read through all of the posts regarding the contest and I wanted to
address several of them at once.  I should make note that I am not in
charge of this contest, though I was one of the people involved in
pen-testing it (and hopefully we did a good job!).  I hope you'll
indulge me a little bit here, as this should clear up a number of
things.

The first concern that I read about was in regards to the value of such
a contest.  The question was specifically asking what a contest like
this would "prove" and that it is no substitute for secure coding and
operations procedures.  I agree with the poster that these contests do
not prove anything.  They are not intended to be an absolute statement
of a product's security.  Rather, these contests do a couple things.
First they expose people to a technology and raise awareness about it.
These contests also put the products up on the line for individuals to
test.

[Hacking Contests]
As a security professional I for one am very happy to have an
opportunity to examine a company's product, particularly in an extremely
unfriendly environment such as a hacking contest.  This does not replace
a due diligence examination of the product and a strong look into its
technology to understand its strengths and limitations.  If you were to
go out and buy the Argus PitBull product solely based on it winning a
contest I would be happy that our company got your money, but I would
prefer you used it because you were confident in its utility and
understood why you needed it.  People who understand the technology are far
more likely to recommend it to others.

In regards to secure coding practices, I wholeheartedly agree.  I don't
care how many contests a company wins, if it has shoddy code then it
will fail.  Argus in fact takes this very seriously, as we put our
products through an independent evaluation with the Common Criteria.  CC
has essentially replaced the old B1 type certifications in the US and in
Europe with a new method of evaluation.  The end result is similar.  We
place all of our documentation, product binaries, and source code in the
hands of a third party who will verify that we do what we say we do.
This is also in addition to rigid source code controls we practice
internally (particularly in regards to internal source code reviews).

As it may interest people, I should mention that Argus is planning a
future hacking contest where we will be setting up a complex set of
systems that will all be serving multiple services (http, telnet, ftp,
smtp, dns, e-commerce server, database, finger, imap, pop, etc, etc..)
Several of the machines will allow people to log in directly from the
beginning of the contest.  The intent of the contest is to demonstrate
how trusted operating system security can be used in a complex
environment to protect itself from attack. It is also worth noting that
this contest will be of significantly increased length.

[Overhead]
There was a question in regards to the system and it being bogged down.
From what I've seen this is really just a function of DOS attacks and
the system simply taking a beating.  The last performance testing that
was done on the PitBull product (as I recall) showed a less than 5%
degradation in performance due to enhancing security functionality.

[Argus Revolution]
As has been mentioned on the list, Argus does make its product available
for free for individual non-commercial use.  Currently, the product that
is available on the web site is the Solaris 7 product (MU3 version).  We
should have the latest MU4 release up there soon for people who want to
use the most current software with the latest patches.  As it may
interest people, we are currently developing a Linux based product as
well, and information will be made available on the corporate site and
Revolution site as soon as it becomes available.

I believe that the above addresses the questions that I saw.  I am of
course happy to discuss them in greater length with anyone who wants to,
either on the list or in private email.  Obviously, if anyone has other
questions I'll happily try to answer them.

Now, more importantly I'd be happy to discuss Trusted Operating Systems
security, PitBull, my penetrating B1 systems speech, and hacking
methodologies on these types of systems with anyone who is interested.
This is the fun part of these contests!

Cheers,

Jeff

Jeff Thompson
Software Evangelist and Visionary
Argus Systems Group, Inc.

