[ISN] Asian Conference Hosts Hacking Contest

From: cult hero <jericho_at_dimensional.com>
Date: Thu 13 May 1999 - 05:22:59 CDT
Forwarded From: William Knowles <erehwon@kizmiaz.dis.org>

[Another lame security stunt, not worth anyone's time. I would love to
 see one of these security firms that sponsor these contests to post a
 $100,000+ prize in a numbered account with 6-12 months to break the
 security of the product in a real world environment, and not in the
 span of a week on a trade show floor.    - William Knowles]


http://www.techweb.com/printableArticle?doc_id=TWB19990512S0029

(TechWeb) [5.12.99] A conference in Singapore is working to show the
dangers of hacking, ironically, by holding a hacking contest with
thousands of dollars in prizes. The international Hackers Zone
competition, which started Wednesday, is offering $10,000 to the first
person to successfully break into servers connected to the Web and running
security products.  One server is running security products from Voltaire
Advanced Data Security, while the second server is running software from
Conclave Integrated Security. 
 
Hosted by Infosecurity Asia '99, the computer-security conference that
will be held in Singapore next month, the contest is open to anyone in the
world.  In
order to prove the success, hackers have to move a file onto the server,
or modify the Web page hosted there, and then send an e-mail describing
their action to an address set up at Yahoo. The conference has promised to
keep the names of all contestants confidential. 

The sponsors of the contest sought to point out that they did not endorse
hacking, the general term for breaking into computer networks.  Some
computer enthusiasts prefer the term "cracker," using the term hacker
instead to refer to any hard-core programmer. 

"We consider hacking a criminal offense prosecutable in many countries and
we do not condone such actions," said George Kane, regional director of
Conclave, in a statement. 

Dan Farmer, a well-known computer-security expert, said such contests are
not what they're cracked up to be. 

"Organizations do this from time to time -- it's not unusual," Farmer
said. "I view them as misguided and modestly dangerous publicity stunts." 

There are a number of problems with such contests, he said. For one thing,
the computer set-ups rarely mimic the way a network would be forced to
work in the real world. Thus, he said, some companies use such contests to
tout the invincibility of their systems and say how they foiled the
world's best crackers, even though the world's best hackers probably would
not get involved in something like this. 

Companies also get free testing of their systems. For instance, they can
get "attack signatures," digital fingerprints that show how people attack
a certain system. These can be used later to help companies realize when
they are being attacked in the future. Such signatures are hard to get in
the real world. Furthermore, such security testing can be quite expensive. 

"10K is chump change in the corporate world," Farmer said. 

Farmer is the author of Security Administrator's Tool for Analyzing
Networks, a Unix tool that systems administrators use to test for security
breaches in networks. The program, known as SATAN, caused a stir when it
came out in 1995, prompting Farmer to publish multiple documents through
his website explaining the rationale behind the software. The difference,
Farmer said, is that contests encourage a certain type of behavior. 

"They're sending a message that breaking into systems is OK, that they'll
reward the best and brightest," Farmer said. 



-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]
Received on Fri May 14 08:51:13 1999