Vulnerability Development mailing list archives

Re: Cons and Security Validation


From: Greg KH <greg () WIREX COM>
Date: Tue, 6 Feb 2001 23:19:52 -0800

On Tue, Feb 06, 2001 at 09:15:17PM -0800, Blue Boar wrote:
> I get really annoyed by hacking contests that are only for a few days
> or a week.  I want to play, but I rarely have time at the moment
> of the contest.  The prize amount isn't a factor for me for whether
> I'll participate or not.  If I really want a prize, I'll get my own
> copy of Pitbull or Immunix, run it on a lab machine, and develop a
> private exploit.  Then I'll sit on the exploit until contest time.

I can't speak for Crispin here, but all of the technical staff at WireX
are very against hack contests, Crispin being one of the leading
opponents of them.  That's not what he's talking about here.

> Me sitting on an exploit doesn't serve anybody.  So far I really like
> the work going into the Immunix project.  I'd hate to see you guys
> pull what some would see as a marketing scam.  Don't get me wrong..
> nothing wrong with having your box as a target in CTF... what would be
> wrong would be Immunix later saying it's secure based on lack of a breakin
> during CTF.

We wouldn't do that (or if we do, we _deserve_ ridicule).  It'd just be
fun to put our box up as a target in CTF.  Give us an opportunity to see
creative things that we didn't think of.  Give us new ideas for things
to do to make Linux more secure.  And have fun while doing it,
interacting with people who take breaking boxes seriously.  It's also
nice to get out of the office and go to a nice conference.

Although your hack.immunix.org suggestion is a good idea, Crispin used
to have a "secret" on the immunix.org server for anyone to try to
report.  Have to check to see if it's still there...

thanks,

greg k-h

--
greg@(kroah|wirex).com
http://immunix.org/~greg

