Vulnerability Development mailing list archives
Re: Cons and Security Validation
From: Blue Boar <BlueBoar () THIEVCO COM>
Date: Wed, 7 Feb 2001 23:13:02 -0800
Crispin Cowan wrote:
> Thanks very much for your praise and feedback. It's kind of intriguing; we became interested in CTF contests precisely because I have major problems with the validity of Internet hack-me challenges like the Argus OpenHack, although Argus was graceful enough to say the right things in their public statements on the significance of OpenHack.
Doesn't matter much what Argus themselves say: "Hackers fail to crack software challenge" http://news.ninemsn.com.au/sci_tech/story_7299.asp?&_ref=574913554 (Side note: I find it pretty intriguing that the Argus software engineers get the prize money for not getting hacked. Talk about singing for your supper.)
> We'd love to hear suggestions from the community, especially this community. BB's suggestion of hack.immunix.com is a good one, but I'm not sure how much it differs from the usual hack-me contest. How do other people feel about that?
My list of the "right way":

- Perpetually available box, so I can hack at my leisure.
- Nominal prize (at least nominal in cash value; obviously my attention must be captured. I would have to be interested in the product, or expect some media, or respect of my peers or something. "Me" in this case is the stereotypical John Q. Hacker.)
- Some sort of community glue to enable discussion (web board, mailing list, or something. Again, money tends to make me want to work in private. With no prize, the dates of my posts ensure that I get credit for my ideas.)
- Some sort of way in might be necessary. Strangely enough, the Antionline/Happy Hacker contests are done right in many ways. I just can't get on the damn boxes... there are too many people around. If I had to register, that might reduce the noise a bit.
- A copy must be available for me to play the home game. If I want to dedicate the hardware, I'll put up my own copy at home to solve the hordes problem, and maybe invite my buddies. For OpenHack, I don't think I could get a copy of those boxes as-configured.
- Source is always nice, though not essential. Again, my interest may be more piqued if I have more ways to attack the problem.

This type of setup also has other nice side effects. For Immunix, if I have some new Redhat sploit, I now have an Immunix box to try it on. A key point to remember is that you're trying to herd cats, and keep the interests of people who are easily distracted. A way to freshen interest periodically may be needed.
> This is a VERY hard problem. From our discussions a month back, a secure thingie is a thingie that does what it is supposed to, and nothing else. Proving the "nothing else" part is astonishingly difficult. The academic community basically failed completely on that one, and punted to the BS in the Orange Book, which is really just a recitation on some motherhood and apple pie guidelines for good security design and good software engineering implementation. You can get an A1 secure rating and still be vulnerable.
Yup. We all give up trying to prove something is secure. (If you haven't by now, you should.) CTF/hacking contests/pen tests, whatever you call it... just another way to try to gauge relative security of a particular system.

BB