Forwarded from: security curmudgeon <jerichoat_private>

> http://www.eweek.com/article2/0,3959,633769,00.asp
>
> By Timothy Dyck
> October 14, 2002
> timothy_dyckat_private
>
> With OpenHack 4, eWeek Labs and a group of technology providers are
> again entering the security ring to test enterprise systems'
> fortitude under real-world conditions.

Real world conditions? Yeah..

> Each of the past three OpenHack tests was a challenge to hackers to
> take down an e-business Web site built, secured and monitored using
> common enterprise applications - and a unique opportunity to test
> these applications in the process (see story [1]). With the OpenHack
> 4 test site, we're focusing on an area that's becoming increasingly
> problem-prone: application security.

[snip..]

And let's not forget their previous success in running this
scam^H^H^H^Hcontest.

http://www.attrition.org/security/rant/z/jericho.003.html

> Indeed, previously unknown security holes in Web application code
> provided unauthorized entry past firewalls and led to the successful
> attacks against the OpenHack 1 and OpenHack 2 sites. Web application
> programming techniques, therefore, come under close scrutiny in
> OpenHack 4. (OpenHack 3, protected by a trusted operating system,
> was not successfully hacked.)

The third was when Argus put their PitBull software up for part of the
challenge. It is quite odd that eweek forgets to mention the following:

http://www.wired.com/news/technology/0,1282,42747,00.html

by Michelle Delio
10:10 a.m. Mar. 30, 2001 PST

A hacker is claiming that he has won Argus' ballyhooed OpenHack III
competition by cracking its much-vaunted PitBull security system.
Argus concedes the crack, but isn't awarding the promised big cash
prize.

And why aren't they awarding the successful hacker?

A hacker calling himself Bladez won't receive the 3,000 ($4,250) prize
offered by Argus because he says he misunderstood what time the
competition ended and was under the impression that he had a few hours
left to work.

So they will quibble over a couple hours of a time frame, despite this
being the farthest thing from a real world scenario you could possibly
get. I hate to be the one that breaks this to the cluebags over at
Argus and Eweek.. but when Friday afternoon rolls around, hackers
don't punch out and go home.

Was this a one time fluke of Argus? Not at all!

http://www.parallaxresearch.com/news/2001/0430/hackers_sink_teeth_into.html

Argus Systems Group Inc., which won the recent eWEEK OpenHack III
challenge, was dealt a blow this week when a group of Polish crackers
hacked into its PitBull software. The company sponsored a hacking
challenge at the Infosecurity Europe 2001 conference in London,
offering a $50,000 prize to anyone who could hack its PitBull trusted
operating system package.

> We feel confident, based on the coding and hardening that's been
> done, that none of these attacks is possible, and we hope this test
> will improve our current OpenHack record of one win and two losses.

http://www.eweek.com/article2/0,3959,600435,00.asp

This lists the defeat of the first and second, but fails to mention
Bladez' attack and success, despite being a couple hours late. They
fail to mention that Argus failed the challenge for the third contest.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.