Vulnerability Development mailing list archives

Re: Cons and Security Validation


From: Blue Boar <BlueBoar () THIEVCO COM>
Date: Wed, 7 Feb 2001 23:13:02 -0800

Crispin Cowan wrote:


Thanks very much for your praise and feedback.  It's kind of intriguing; we
became interested in CTF contests precisely because I have major problems
with the validity of Internet hack-me challenges like the Argus OpenHack,
although Argus was graceful enough to say the right things in their public
statements on the significance of OpenHack.

Doesn't matter much what Argus themselves say:
"Hackers fail to crack software challenge"
http://news.ninemsn.com.au/sci_tech/story_7299.asp?&_ref=574913554

(Side note: I find it pretty intriguing that the Argus software engineers
get the prize money for not getting hacked.  Talk about singing for
your supper.)

We'd love to hear suggestions from the community, especially this community.
BB's suggestion of hack.immunix.com is a good one, but I'm not sure how much
it differs from the usual hack-me contest.  How do other people feel about
that?

My list of the "right way"
-Perpetually available box, so I can hack at my leisure
-Nominal prize (at least nominal in cash value, obviously
my attention must be captured.  I would have to be
interested in the product, or expect some media, or
respect of my peers or something.  "Me" in this case
is the stereotypical John Q. Hacker.)
-Some sort of community glue to enable discussion
(web board, mailing list, or something.  Again, money
tends to make me want to work in private.  With no prize,
the dates of my posts ensure that I get credit for my ideas.)
-Some sort of way in might be necessary.  Strangely enough,
the Antionline/Happy Hacker contests are done right in many
ways.  I just can't get on the damn boxes... there's too many
people around.  If I had to register, that might reduce
the noise a bit.
-A copy must be available for me to play the home game.  If
I want to dedicate the hardware, I'll put up my own copy
at home to solve the hordes problem, and maybe invite my
buddies.  For OpenHack, I don't think I could get a copy of those
boxes as-configured.
-Source is always nice, though not essential.  Again, my interest
may be more piqued if I have more ways to attack the problem.

This type of setup also has other nice side effects.  For Immunix,
if I have some new Redhat sploit, I now have an Immunix box to try
it on.

A key point to remember is that you're trying to herd cats, and
keep the interests of people who are easily distracted.  A way
to freshen interest periodically may be needed.


This is a VERY hard problem.  From our discussions a month back, a secure
thingie is a thingie that does what it is supposed to, and nothing else.
Proving the "nothing else" part is astonishingly difficult.  The academic
community basically failed completely on that one, and punted to the BS in
the Orange Book, which is really just a recitation on some motherhood and
apple pie guidelines for good security design and good software engineering
implementation.  You can get an A1 secure rating and still be vulnerable.

Yup.  We all give up trying to prove something is secure.  (If you haven't
by now, you should.)  CTF/hacking contests/pen tests, whatever you call it..
just another way to try to gauge relative security of a particular system.

                                        BB

