Vulnerability Development mailing list archives
Re: Cons and Security Validation
From: "Rowe, Michael CONT" <Michael.Rowe () CNET NAVY MIL>
Date: Wed, 7 Feb 2001 11:07:56 -0600
<snip>
Because, once you offer highly desirable prizes (like, say, a big wad of cash ;-)), then you're going to attract a whole different set of people coming after your machine; and, most of them are probably NOT the type you really want to have testing your security...
</snip>

I may have missed something, but in the security world, you can now pick and choose who you want attacking your machines? Someone forgot to tell me... LoL. I thought the idea was to attract ALL kinds of people and see how the product holds up under "real world" testing.

~M

-----Original Message-----
From: Robert A. Seace [mailto:ras () SLARTIBARTFAST MAGRATHEA COM]
Sent: Wednesday, February 07, 2001 6:40 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Cons and Security Validation

In the profound words of Crispin Cowan:
> We'd love to hear suggestions from the community, especially this community.
> BB's suggestion of hack.immunix.com is a good one, but I'm not sure how much
> it differs from the usual hack-me contest. How do other people feel about that?
I think the differences are mostly in attitude; but, those turn out to be important differences... In all of the contests, there is a set time limit (usually very short), and a big cash prize... And, there's a LOT of hype, announcing and promoting the contest... And, at the end, even if they don't come right out and explicitly say, "We're so secure, that no one on the entire Internet could crack us!", you still definitely get the impression that's what they are not so subtly implying...

But, a semi-permanent server, where it basically remains in play until cracked (or, better still, comes back up patched after a successful crack, for another go), has a completely different feel... Especially, if there's no big media hype screaming about it all over the place... (Just a few very low-key announcements in a few key places, and everyone that cares to know about such things surely WILL...)

And, as for the prize, you'd definitely be better off just giving out something fairly nominal (a cash value of, at most, a couple hundred bucks, I think)... Because, once you offer highly desirable prizes (like, say, a big wad of cash ;-)), then you're going to attract a whole different set of people coming after your machine; and, most of them are probably NOT the type you really want to have testing your security... However, not giving ANYTHING can be seen as bad too, if you're perceived as a business (rather than just an independent hobbyist, or something)... (Eg: "The cheap bastards! They just want to get a bunch of free security testing, and won't even offer up anything in return!")

It's a tricky balance for a business to pull off, I think: on the one hand, offering SOMETHING relatively cool, so as not to be seen as cheap free-loaders; but, on the other, not making it something so extravagant as to attract hordes of greedy script-kiddies, with nothing on their mind other than winning the big prize (and, who, when none of their ready-made exploits work to get them in, will likely just try to DoS your machine with a flood of pointless traffic, in pissed-off retaliation)... You're probably best off erring on the "cheap" side, and just taking any hurled insults about your free-loading in stride; the type of people you want to attract aren't doing it for the prize, anyway...

But, I think it's still nice to reward them with SOMETHING... And, in many cases, a little minor fame will probably do... (Eg: List their names in your products, as official security testers, or something... Or, keep a prominently displayed page, listing their names, and perhaps let them say a few paragraphs of whatever they want to... Or, something along those lines...) Or, how about a t-shirt that says, "I cracked Immunix.org, and all I got was this lousy t-shirt!"? ;-) If you personalize each one, and keep a running list of successful penetrations on each successive one, that could actually be kind of cool... ;-)

--
Rob Seace (AKA: Agrajag)
URL: http://www.magrathea.com/~ras/
ras () magrathea com / rob () wordstock com

"The best way to get a drink out of a Vogon is to stick your finger down his throat, and the best way to irritate him is to feed his grandmother to the Ravenous Bugblatter Beast of Traal." - THGTTG