WebApp Sec mailing list archives
RE: eWeek OpenHack challenge
From: "Bill Martin" <martin.b () attbi com>
Date: Thu, 24 Oct 2002 01:36:03 -0600
I'd be interested in seeing if eWeek makes its configuration and results available, regardless of the outcome. Everyone is preaching how important it is to secure systems; let's see if it is important enough to make that information available to the organizations that do not have hundreds of man-hours to invest in one small package.

-bill-

-----Original Message-----
From: Marty Block [mailto:marty () kesem net]
Sent: Wednesday, October 23, 2002 7:58 PM
To: Bryce Porter; David Wong; Kevin Spett
Cc: webappsec () securityfocus com
Subject: Re: eWeek OpenHack challenge

Hi all,

This is a very interesting set of threads. The point of the exercise is not so much to show how well eWeek can harden a unit or set of units, but that it can be done. What's important but not usually promoted well in print is the amount of time and effort that goes into the prep of these systems prior to release. If they (eWeek) do a proper job of enumerating man-hours and level of effort, we will be able to extrapolate the costs of doing so for our employers and clients. We'll be able to say "Here's the number of man-hours and type of talent necessary to secure a system against several thousand hack attempts. How much is compromise of your system worth in comparison to this benchmark cost?"

The real value here for us as professionals, tinkerers, enablers and innovators is that an independent party will have enumerated the time and effort required to do the right job. (Assuming the successful hack is fairly arcane in nature...)

My .02.

Thanks,
Marty Block
Kesem Technology

---------- Original Message ----------------------------------
From: "Kevin Spett" <kspett () spidynamics com>
Date: Wed, 23 Oct 2002 15:55:31 -0400
What are you talking about? Check out ftp://ftp.eweek.com/pub/eweek/pdf/printpub/19/41p38.pdf. There are *ten* Unix hosts on the OpenHack network, including Linux webservers, database servers and OpenBSD nameservers, mailserver and firewalls.

Secondly, the focus of this is the web application layer. We're not talking about kernel hacking here. The underlying operating system is largely (yes, there are minor exceptions) irrelevant. Just look at the kind of things they expect people to try-- SQL injection, cross-site scripting, etc. A poorly designed web application is breakable regardless of what's running underneath it.

Also, if the competition is "baseless" and "irrelevant", it's simply because of the unbelievably ridiculous amount of care that went into the security preparations. There are probably only a handful of web applications in the world that got the security treatment that this thing did. The only way in is probably through 0-day holes, and no one's wasting precious 0-day style on OpenHack, where they'd find out what the issue was and patch it?
Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "Bryce Porter" <bryce () thewebcircuit com>
To: "David Wong" <david.wong () foundstone com>
Cc: <webappsec () securityfocus com>
Sent: Tuesday, October 22, 2002 6:02 PM
Subject: Re: eWeek OpenHack challenge

this is a joke. they are so narrow in presenting this and they fail to realize that the majority of web used in commercial applications run on some kind of Unix variant like Linux, HP-UX, AIX or some BSD. making a contest that applies to the minority of commercial applications is pretty shallow and baseless in my opinion.

----- Original Message -----
From: "David Wong" <david.wong () foundstone com>
To: <webappsec () securityfocus com>
Sent: Monday, October 21, 2002 12:27 AM
Subject: eWeek OpenHack challenge

eWeek is starting the 4th iteration OpenHack (http://www.openhack.com) contest this week (http://www.eweek.com/category2/1,3960,600431,00.asp). This year, it's focused on application security. Comments?
Current thread:
- eWeek OpenHack challenge David Wong (Oct 20)
- Re: eWeek OpenHack challenge Mark Curphey (Oct 22)
- Re: eWeek OpenHack challenge Bryce Porter (Oct 23)
- Re: eWeek OpenHack challenge Kevin Spett (Oct 23)
- Re: eWeek OpenHack challenge Vasiliy Boulytchev (Oct 23)
- <Possible follow-ups>
- RE: eWeek OpenHack challenge David Wong (Oct 23)
- RE: eWeek OpenHack challenge Dave Aitel (Oct 23)
- Re: eWeek OpenHack challenge Marty Block (Oct 23)
- RE: eWeek OpenHack challenge Bill Martin (Oct 24)
- Re: eWeek OpenHack challenge Kevin Spett (Oct 24)