RE: eWeek OpenHack challenge

["Bill Martin" <martin.b () attbi com>]

I'd be interested in seeing if eWeek makes it configuration and results
available, regardless of the outcome. Everyone is preaching how important it
is to secure systems, lets see if it is important enough to make that
information available to the organizations that do not have hundreds of
man-hours to invest in on small package.
-bill-

-----Original Message-----
From: Marty Block [mailto:marty () kesem net]
Sent: Wednesday, October 23, 2002 7:58 PM
To: Bryce Porter; David Wong; Kevin Spett
Cc: webappsec () securityfocus com
Subject: Re: eWeek OpenHack challenge


Hi all,
This is a very interesting set of threads. The point of the exercise is
not so much to show how well E.week can harden a unit or set of
units, but that it can be done. What's important but not usually
promoted well in print is the amount of time and effort that goes
into the prep of these systems prior to release. If they (e-week) do
a proper job of enumerating manhours and level of effort, we will
be able to extrapolate the costs of doing so for our employers and
clients. We'll be able to say 'Here's the number of manhours and
type of talent necessary to secure a system against several
thousand hack attempts. How much is compromise of your
system worth in comparrison to this benchmark cost?"

The real value here for us as professionals, tinkerers, enablers
and innovators is that an independent party will have enumerated
the time and effort required to do the right job. (Assuming the
successful hack is fairly arcane in nature...)

My .02.
Thanks,
Marty Block
Kesem Technology


---------- Original Message ----------------------------------
From: "Kevin Spett" <kspett () spidynamics com>
Date:  Wed, 23 Oct 2002 15:55:31 -0400

> What are you talking about?  Check out
> ftp://ftp.eweek.com/pub/eweek/pdf/printpub/19/41p38.pdf.  There
are *ten*
> Unix hosts on the OpenHack network, including Linux
webservers, database
> servers and OpenBSD nameservers, mailserver and firewalls.
> Secondly, the focus of this is the web application layer.  We're not
talking
> about kernel hacking here.  The underlying operating system is
largely (yes,
> there are minor exceptions) irrelevent.  Just look at the kind of
things
> they expect people to try-- SQL injection, cross-site scripting, etc.
A
> poorly designed web application is breakable regardless of
what's running
> underneath it.
> Also, if the competition is "baseless" and "irrelevent", it's simply
because
> of the unbelievably ridiculous amount of care that went into the
security
> preparations.  There are probably only a handful of web
applications in the
> world that got the security treatment that this thing did.  The only
way in
> is probably through 0-day holes, and no one's wasting precious
0-day style
> on OpenHack, where they'd find out what the issue was and
patch it?
> Kevin Spett
> SPI Labs
> http://www.spidynamics.com/
>
> ----- Original Message -----
> From: "Bryce Porter" <bryce () thewebcircuit com>
> To: "David Wong" <david.wong () foundstone com>
> Cc: <webappsec () securityfocus com>
> Sent: Tuesday, October 22, 2002 6:02 PM
> Subject: Re: eWeek OpenHack challenge
>
>
> > this is a joke. they are so narrow in presenting this and they fail
to
> > realize that the majority of web used in commercial applications
run on
> some
> > kind of Unix variant like Linux, HP-UX, AIX or some BSD. making
a contest
> > that applies to the minority of commercial applications is pretty
shallow
> > and baseless in my opinion.
> >
> > ----- Original Message -----
> > From: "David Wong" <david.wong () foundstone com>
> > To: <webappsec () securityfocus com>
> > Sent: Monday, October 21, 2002 12:27 AM
> > Subject: eWeek OpenHack challenge
> >
> >
> > > eWeek is starting the 4th iteration openhack
(http://www.openhack.com)
> > > contest this week
(http://www.eweek.com/category2/1,3960,600431,00.asp)
> > > This year, it's focused on application security.
> > >
> > > Comments?