Vulnerability Development mailing list archives

Re: Cons and Security Validation


From: "Rowe, Michael CONT" <Michael.Rowe () CNET NAVY MIL>
Date: Wed, 7 Feb 2001 11:07:56 -0600

<snip>
Because, once you offer highly
desirable prizes (like, say, a big wad of cash ;-)), then you're going
to attract a whole different set of people coming after your machine;
and, most of them are probably NOT the type you really want to have
testing your security...
</snip>

 I may have missed something, but in the security world, you can now pick
and choose who you want attacking your machines? Someone forgot to tell
me... LoL. I thought the idea was to attract ALL kinds of people and see how
the product holds up under "real world" testing.
~M


-----Original Message-----
From: Robert A. Seace [mailto:ras () SLARTIBARTFAST MAGRATHEA COM]
Sent: Wednesday, February 07, 2001 6:40 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Cons and Security Validation


In the profound words of Crispin Cowan:

We'd love to hear suggestions from the community, especially this
community.
BB's suggestion of hack.immunix.com is a good one, but I'm not sure how much
it differs from the usual hack-me contest.  How do other people feel about
that?

        I think the differences are mostly in attitude; but, those turn
out to be important differences...  In all of the contests, there is
a set time limit (usually very short), and a big cash prize...  And,
there's a LOT of hype, announcing and promoting the contest...  And,
at the end, even if they don't come right out and explicitly say,
"We're so secure, that no one on the entire Internet could crack us!",
you still definitely get the impression that's what they are not so
subtly implying...

        But, a semi-permanent server, where it basically remains in play
until cracked (or, better still, comes back up patched after a
successful crack, for another go), has a completely different feel...
Especially, if there's no big media hype screaming about it all
over the place...  (Just a few very low-key announcements in a few
key places, and everyone that cares to know about such things surely
WILL...)  And, as for the prize, you'd definitely be better off just
giving out something fairly nominal (a cash value of, at most, a
couple hundred bucks, I think)...  Because, once you offer highly
desirable prizes (like, say, a big wad of cash ;-)), then you're going
to attract a whole different set of people coming after your machine;
and, most of them are probably NOT the type you really want to have
testing your security...  However, not giving ANYTHING can be seen
as bad too, if you're perceived as a business (rather than just an
independent hobbyist, or something)...  (Eg: "The cheap bastards!
They just want to get a bunch of free security testing, and won't
even offer up anything in return!")  It's a tricky balance for a
business to pull off, I think: on the one hand, offering SOMETHING
relatively cool, so as not to be seen as cheap free-loaders; but,
on the other, not making it something so extravagant as to attract
hordes of greedy script-kiddies, with nothing on their mind other
than winning the big prize (and, who, when none of their ready-made
exploits work to get them in, will likely just try to DoS your
machine with a flood of pointless traffic, in pissed-off retaliation)...
You're probably best off erring on the "cheap" side, and just taking
any hurled insults about your free-loading in stride; the type of
people you want to attract aren't doing it for the prize, anyway...
But, I think it's still nice to reward them with SOMETHING...  And,
in many cases, a little minor fame will probably do...  (Eg: List
their names in your products, as official security testers, or
something...  Or, keep a prominently displayed page, listing their
names, and perhaps let them say a few paragraphs of whatever they
want to...  Or, something along those lines...)  Or, how about a
t-shirt that says, "I cracked Immunix.org, and all I got was this
lousy t-shirt!"? ;-)  If you personalize each one, and keep a
running list of successful penetrations on each successive one,
that could actually be kind of cool... ;-)

--
||========================================================================||
||    Rob Seace    ||               URL              || ras () magrathea com ||
||  AKA: Agrajag   || http://www.magrathea.com/~ras/ || rob () wordstock com ||
||========================================================================||
"The best way to get a drink out of a Vogon is to stick your finger down his
 throat, and the best way to irritate him is to feed his grandmother to the
 Ravenous Bugblatter Beast of Traal." - THGTTG

