Vulnerability Development mailing list archives
Re: Cons and Security Validation
From: Glen Messenger <GlenM () MATRIXOZ COM AU>
Date: Wed, 7 Feb 2001 16:55:43 +0800
I believe this would be an exceptional idea. I once held a "hack-me" competition within our office here, which was an amazing success, with an approximated 75% of security, admin and technical support staff joining in. True, more work and brainstorming may be needed to ensure the legitimacy of such a contest. What you should do is request input on a large scale from the relevant community for any and all information which may be of some use.

-----Original Message-----
From: Crispin Cowan [mailto:crispin () WIREX COM]
Sent: Wednesday, February 07, 2001 6:58 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Cons and Security Validation

Greg KH wrote:
Me sitting on an exploit doesn't serve anybody. So far I really like the work going into the Immunix project. I'd hate to see you guys pull what some would see as a marketing scam. Don't get me wrong.. nothing wrong with having your box as a target in CTF... what would be wrong would be Immunix later saying it's secure based on lack of a breakin during CTF.
We wouldn't do that (or if we do, we _deserve_ ridicule). It'd just be fun to put our box up as a target in CTF.
Actually, we are looking for more than fun. We need some external validation. For that, satisfying my prejudices is not a sufficient condition (although in practice, it is a necessary condition :-)
Although your hack.immunix.org suggestion is a good idea, Crispin used to have a "secret" on the immunix.org server for anyone to try to report. Have to check to see if it's still there...
That was gauntlet.cse.ogi.edu. It wasn't exactly a secret, as I announced it during a StackGuard talk at LinuxExpo (Raleigh) in 1999, and mentioned it on line from time to time for a while after. After four months with zero contacts, we took it down and put the machine to other uses. No prize was offered (other than props :-) as it was an academic exercise, hence the .edu address. The lack of response to this challenge is part of why I'm skeptical of on-line hack-me contests.

Crispin
--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org