Forwarded From: William Knowles <erehwonat_private>

[Another lame security stunt, Not worth anyone's time. I would love to see one of these security firms that sponsor these contests to post a $100,000+ prize in a numbered account with 6-12 months to break the security of the product in a real world environment, and not in the span of a week on a trade show floor. - William Knowles]

http://www.techweb.com/printableArticle?doc_id=TWB19990512S0029

(TechWeb) [5.12.99] A conference in Singapore is working to show the dangers of hacking, ironically, by holding a hacking contest with thousands of dollars in prizes.

The international Hackers Zone competition, which started Wednesday, is offering $10,000 to the first person to successfully break into servers connected to the Web and running security products. One server is running security products from Voltaire Advanced Data Security, while the second server is running software from Conclave Integrated Security.

Hosted by Infosecurity Asia '99, the computer-security conference that will be held in Singapore next month, the contest is open to anyone in the world.

In order to prove the success, hackers have to move a file onto the server, or modify the Web page hosted there, and then send an e-mail describing their action to an address set up at Yahoo. The conference has promised to keep the names of all contestants confidential.

The sponsors of the contest sought to point out that they did not endorse hacking, the general term for breaking into computer networks. Some computer enthusiasts prefer the term "cracker," using the term hacker instead to refer to any hard-core programmer.

"We consider hacking a criminal offense prosecutable in many countries and we do not condone such actions," said George Kane, regional director of Conclave, in a statement.

Dan Farmer, a well-known computer-security expert, said such contests are not what they're cracked up to be.

"Organizations do this from time to time -- it's not unusual," Farmer said. "I view them as misguided and modestly dangerous publicity stunts."

There are a number of problems with such contests, he said. For one thing, the computer set-ups rarely mimic the way a network would be forced to work in the real world. Thus, he said, some companies use such contests to tout the invincibility of their systems and say how they foiled the world's best crackers, even though the world's best hackers probably would not get involved in something like this.

Companies also get free testing of their systems. For instance, they can get "attack signatures," digital fingerprints that show how people attack a certain system. These can be used later to help companies realize when they are being attacked in the future. Such signatures are hard to get in the real world.

Furthermore, such security testing can be quite expensive. "10K is chump change in the corporate world," Farmer said.

Farmer is the author of Security Administrator's Tool for Analyzing Networks, a Unix tool that systems administrators use to test for security breaches in networks. The program, known as SATAN, caused a stir when it came out in 1995, prompting Farmer to publish multiple documents through his website explaining the rationale behind the software.

The difference, Farmer said, is that contests encourage a certain type of behavior.

"They're sending a message that breaking into systems is OK, that they'll reward the best and brightest," Farmer said.

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]