WebApp Sec mailing list archives

Re: eWeek OpenHack challenge

From: "Kevin Spett" <kspett () spidynamics com>
Date: Wed, 23 Oct 2002 15:55:31 -0400

What are you talking about?  Check out
ftp://ftp.eweek.com/pub/eweek/pdf/printpub/19/41p38.pdf.  There are *ten*
Unix hosts on the OpenHack network, including Linux webservers, database
servers and OpenBSD nameservers, mailserver and firewalls.
Secondly, the focus of this is the web application layer.  We're not talking
about kernel hacking here.  The underlying operating system is largely (yes,
there are minor exceptions) irrelevent.  Just look at the kind of things
they expect people to try-- SQL injection, cross-site scripting, etc.  A
poorly designed web application is breakable regardless of what's running
underneath it.
Also, if the competition is "baseless" and "irrelevent", it's simply because
of the unbelievably ridiculous amount of care that went into the security
preparations.  There are probably only a handful of web applications in the
world that got the security treatment that this thing did.  The only way in
is probably through 0-day holes, and no one's wasting precious 0-day style
on OpenHack, where they'd find out what the issue was and patch it?



Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "Bryce Porter" <bryce () thewebcircuit com>
To: "David Wong" <david.wong () foundstone com>
Cc: <webappsec () securityfocus com>
Sent: Tuesday, October 22, 2002 6:02 PM
Subject: Re: eWeek OpenHack challenge

this is a joke. they are so narrow in presenting this and they fail to
realize that the majority of web used in commercial applications run on

some

kind of Unix variant like Linux, HP-UX, AIX or some BSD. making a contest
that applies to the minority of commercial applications is pretty shallow
and baseless in my opinion.

----- Original Message -----
From: "David Wong" <david.wong () foundstone com>
To: <webappsec () securityfocus com>
Sent: Monday, October 21, 2002 12:27 AM
Subject: eWeek OpenHack challenge

eWeek is starting the 4th iteration openhack (http://www.openhack.com)
contest this week (http://www.eweek.com/category2/1,3960,600431,00.asp)

This year, it's focused on application security.

Comments?

Current thread:

eWeek OpenHack challenge David Wong (Oct 20)
- Re: eWeek OpenHack challenge Mark Curphey (Oct 22)
- Re: eWeek OpenHack challenge Bryce Porter (Oct 23)
  - Re: eWeek OpenHack challenge Kevin Spett (Oct 23)
  - Re: eWeek OpenHack challenge Vasiliy Boulytchev (Oct 23)
- <Possible follow-ups>
- RE: eWeek OpenHack challenge David Wong (Oct 23)
  - RE: eWeek OpenHack challenge Dave Aitel (Oct 23)
- Re: eWeek OpenHack challenge Marty Block (Oct 23)
  - RE: eWeek OpenHack challenge Bill Martin (Oct 24)
  - Re: eWeek OpenHack challenge Kevin Spett (Oct 24)