Vulnerability Development mailing list archives

Re: Cons and Security Validation


From: Crispin Cowan <crispin () WIREX COM>
Date: Tue, 6 Feb 2001 23:57:57 -0800

Greg KH wrote:

>> Me sitting on an exploit doesn't serve anybody.  So far I really like
>> the work going into the Immunix project.  I'd hate to see you guys
>> pull what some would see as a marketing scam.  Don't get me wrong..
>> nothing wrong with having your box as a target in CTF... what would be
>> wrong would be Immunix later saying it's secure based on lack of a breakin
>> during CTF.
>
> We wouldn't do that (or if we do, we _deserve_ ridicule).  It'd just be
> fun to put our box up as a target in CTF.

Actually, we are looking for more than fun.  We need some external validation.
For that, satisfying my prejudices is not a sufficient condition (although in
practice, it is a necessary condition :-)


> Although your hack.immunix.org suggestion is a good idea, Crispin used
> to have a "secret" on the immunix.org server for anyone to try to
> report.  Have to check to see if it's still there...

That was gauntlet.cse.ogi.edu.  It wasn't exactly a secret, as I announced it
during a StackGuard talk at LinuxExpo (Raleigh) in 1999, and mentioned it on
line from time to time for a while after.  After four months with zero
contacts, we took it down and put the machine to other uses.  No prize was
offered (other than props :-) as it was an academic exercise, hence the .edu
address.  The lack of response to this challenge is part of why I'm skeptical
of on-line hack-me contests.

Crispin

--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution:                    http://immunix.org

