Information Security News mailing list archives
Hacker shootouts? Not!
From: mea culpa <jericho () DIMENSIONAL COM>
Date: Mon, 13 Dec 1999 06:27:26 -0700
Forwarded From: darek.milewski () us pwcglobal com

NETWORK WORLD FUSION FOCUS: JIM REAVIS on SECURITY
Today's Focus: Hacker shootouts? Not!
12/10/99
By Jim Reavis

I personally like the idea of companies sponsoring hacker challenges, where a box is set up on the 'Net for ingenious hackers to test their skills and win a prize. These challenges can be educational - for the hacker, the sponsor and sometimes for the product vendors as well. I would like to see more hacker challenges, bug bounties and crypto algorithm cracking contests.

However, it is completely irresponsible and unbelievable to see hacker shootouts that pit one operating system against another. Such was the case in September when PC Week Labs sponsored HackPCWeek.com, where a Windows NT server was pitted against a Linux server in a test to find which operating system was more secure. Unfortunately, these types of shootouts serve only to obfuscate the real issues of operating system security, confuse those trying to learn about the technical differences between the operating systems and further polarize the proponents of Linux and NT.

Four days after the challenge was initiated, the Linux system was compromised by an add-on CGI script with improper security checks - not by the core operating system. In providing an explanation of the hack, PC Week Labs revealed that they did not install any of the 21 security patches for Red Hat 6; however, they did install Service Pack 5 for NT. Their reasoning? It was too difficult to install the individual patches, but Service Pack 5 comes in one easy file. Their perverse reasoning could be described as defining deviancy down - systems administrators must be lazy and sloppy, so we will be sloppy as well. PC Week Labs does not seem to be aware that service packs on NT are not necessarily a systems administrator's paradigm. The service packs are very famous for fixing some things but breaking others; consequently, many systems administrators are more comfortable staying behind a service pack level and utilizing post-SP hotfixes to take a more targeted approach to solving problems. It is clear from PC Week Labs' explanation of their setup rationale that service packs are an ideal service management solution - that would be news even to many NT advocates. PC Week Labs is guilty of making unwise generalizations about how either of the operating systems is or should be securely implemented.

So what did PC Week Labs prove? As many veterans of the computer security industry will say, you cannot prove security, only insecurity. Providing total systems assurance is a complicated process that cannot be emulated in a contest. When it comes to using any computer system for the purpose of securing sensitive data, the contribution the technology makes to that equation pales in comparison to the contribution the people must make. People make the difference in information security, and a solitary shootout will do more to establish the competency of the test developers than of the products themselves. Unfortunately, HackPCWeek.com proved very little.

What are good hacker challenges to conduct? Vendors that challenge hackers to find flaws in their own products, or very specific algorithms, are doing a positive thing. Microsoft, for one, should be applauded for the Windows 2000 beta test site the firm ran on its own. This is a terrific way to get the product out of their developers' and beta testers' hands and into those with the talents to hack NT's vulnerabilities. We only wish that this effort was more extensive and that Microsoft would have offered nice rewards to successful participants. Vulnerabilities found on a beta product in a hacker challenge are vulnerabilities that won't show up in the released product.

Code-breaking challenges like RSA's Data Encryption Standard challenge are enormously useful, as they give us concrete data on the amount of processing power required to crack a widely used crypto algorithm. To be sure, vendors use marketing spin to claim that their own hacker challenge has proven the superiority of their own products, but we all know that vendors are supposed to be biased, and we can filter out the noise. However, contests from a presumably unbiased authority need to be much more carefully constructed, and need to have objective goals. Computer magazines have done competitive product reviews for a long time, and the accepted protocol is to bend over backwards to be fair. Subjectively patching one operating system, but not the other, is troubling and damaging to PC Week Labs' credibility.

There are many IT decision makers who want to get to the facts about which operating system they should be using now, and in the future. Facts are sometimes hard to come by, and unfortunately, a hacker shootout does not provide any facts. A hacker shootout serves only to further polarize the respective NT and Linux camps. Ultimately, HackPCWeek.com appears to be a base attempt to capitalize on the Linux-NT debate, without providing something useful for IT decision makers.

I personally want to see more hacker challenges. Nothing would please me more than to see talented hackers making a living off of these contests, while we all learn from the results. What did we really learn from the HackPCWeek.com exercise? If you are looking to hire a Linux administrator and you receive a resume listing PC Week Labs as prior experience - you might want to pass.
FOR RELATED LINKS -- Click here for Network World's home page: http://www.nwfusion.com

* Getting the drop on network intruders, Network World, 10/04/99
  http://www.nwfusion.com/reviews/1004trends.html
* Hacker alert, Network World, 09/27/99
  http://www.nwfusion.com/buzz99/buzzintel.html
* Defending against cyberattack, Network World, 08/23/99
  http://www.nwfusion.com/news/1999/0823cyberattack.html
* Start-up's 'decoy' server helps track down hackers, Network World, 08/09/99
  http://www.nwfusion.com/archive/1999/72100_08-09-1999.html

Archive of Network World Fusion Focus on Security newsletters:
http://www.nwfusion.com/newsletters/sec/

Other security-related articles from Network World:

* Viruses to crash New Year's bash: Remedies include shutting down e-mail systems, Network World, 12/6/99
  http://www.nwfusion.com/news/1999/1206y2k.html
* Network World interview: Cisco's John Chambers, Network World, 12/6/99
  http://www.nwfusion.com/news/1999/1206chambers.html

About the author
----------------
Jim Reavis, the founder of SecurityPortal.com (http://securityportal.com/), is an analyst with over 10 years' experience consulting with Fortune 500 organizations on networking and security-related technology projects.
Copyright Network World, Inc., 1999

ISN is sponsored by Security-Focus.COM