"Vos, Arjan" wrote:
>
> Hi Joshua,
>
> Don't do it! The contest won't mean a thing! It will show no new or real
> structural vulnerabilities in your www service. Script kiddies might knock
> at your door with their IMAP exploits, but the guys who really know security
> won't spend their (valuable) time on a contest.
Arjan,

Thank you for the excellent reading and commentary. I would like to
further this discussion, at the risk of beating this to death.

I have read the articles you sent, and the firewall list archives,
and the opinions of you and others now, and it seems that most
of the commentary tends to focus on "proving security" as a premise
that is inherently flawed. I would agree.

I am new to sysadmin & security, and with a www site soon to
launch, I have found the mild scans that hit my subnet don't
really have much meat to them. What I'm looking for in
creating a contest to hack the site is in part a crash course
in dealing with hackers trying to break into my system, so that
when the real site is live I will be more seasoned. I would rather
not have my first experience of a successful intrusion when
things matter.

I am not looking to "prove" the security of the site to myself
or others. I understand that if someone were good enough
and spent enough time, he or she _would_ break in. I don't
think that ours is a site that will ever be interesting enough
to warrant that kind of attention, so it will not matter
that we don't get the best of the best trying to break in, from
a little contest with a pittance for a reward.

There is also the argument that a contest will never be as
thorough as a good audit. While I agree, we don't really
have the budget to get any more auditing than what I can
do personally. This self-provable security is inherently
flawed... it's like playing chess against yourself, never being
more than one move ahead in the game, and ending in a draw.

If I can get just a couple of OK hackers as the result of
running a contest, even "script kids" if they have enough scripts,
I might close a couple of holes and have that much better
security as a result. These are holes that I myself
wouldn't find, since if I knew about them they wouldn't exist.

I thank you and others for taking the time to discuss this.
I am not decided about running this contest, and am taking
all your feedback seriously.

--Joshua
>
> Bruce Schneier wrote about the "fallacy of cracking contests" in his
> December Cryptogram, which also applies to your contest ideas...
>
> Gr. Arjan
>
> hmmm.... what the heck.... here it is... :
>
> ------------ From Bruce Schneier's December Cryptogram ----------------
>
> The Fallacy of Cracking Contests
>
> You see them all the time: "Company X offers $1,000,000 to anyone who can
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]