Vulnerability Development mailing list archives

Re: Cons and Security Validation


From: Glen Messenger <GlenM () MATRIXOZ COM AU>
Date: Wed, 7 Feb 2001 16:55:43 +0800

I believe this would be an exceptional idea. I once held a "hack-me"
competition within our office here, which was an amazing success, with
an approximated 75% of security, admin and technical support staff
joining in.

True, more work and brainstorming may be needed to ensure the legitimacy
of such a contest.

What you should do is request input on a large scale from the relevant
community for any and all information which may be of some use.


-----Original Message-----
From: Crispin Cowan [mailto:crispin () WIREX COM]
Sent: Wednesday, February 07, 2001 6:58 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Cons and Security Validation


Greg KH wrote:
Me sitting on an exploit doesn't serve anybody.  So far I really like
the work going into the Immunix project.  I'd hate to see you guys
pull what some would see as a marketing scam.  Don't get me wrong..
nothing wrong with having your box as a target in CTF... what would be
wrong would be Immunix later saying it's secure based on lack of a
breakin during CTF.

We wouldn't do that (or if we do, we _deserve_ ridicule).  It'd just be
fun to put our box up as a target in CTF.

Actually, we are looking for more than fun.  We need some external
validation.  For that, satisfying my prejudices is not a sufficient
condition (although in practice, it is a necessary condition :-)


Although your hack.immunix.org suggestion is a good idea, Crispin used
to have a "secret" on the immunix.org server for anyone to try to
report.  Have to check to see if it's still there...

That was gauntlet.cse.ogi.edu.  It wasn't exactly a secret, as I announced
it during a StackGuard talk at LinuxExpo (Raleigh) in 1999, and mentioned
it on line from time to time for a while after.  After four months with
zero contacts, we took it down and put the machine to other uses.  No prize
was offered (other than props :-) as it was an academic exercise, hence the
.edu address.  The lack of response to this challenge is part of why I'm
skeptical of on-line hack-me contests.

Crispin

--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution:                    http://immunix.org
