Information Security News mailing list archives

Re: Made-in-China Firewall Challenges Global Hackers


From: security curmudgeon <jericho () ATTRITION ORG>
Date: Thu, 24 Aug 2000 04:09:30 -0600

http://english.peopledaily.com.cn/200008/23/eng20000823_48861.html

Wednesday, August 23, 2000, updated at 22:09(GMT+8)

Noted Chinese consumer electronics production company, Hisense, has
challenged hackers all over the world to hack a server equipped with its
newly developed firewall products before September 1 to win 500,000
yuan.

The company has set up a large screen in front of a major department
store in Beijing, showing the homepage of the protected server and the
number and sources of hackers.

Hackers would be awarded with the money if they could hack the
homepage of the server or gained access to a designated document on
the server, company sources said.

We've all talked about these contests in the past, and how they are
usually nothing more than glorified marketing moves.

It is interesting that they only give two ways to win the contest. Deface
their web page or steal a document from a specific account. So what if I
break into the machine, but do not have write access to the web page or
read access to that document? Does that mean I haven't breached their
firewall and penetrated their machine? No. Putting these kinds of caveats
on a contest is the real shame. Since the document wouldn't be made public
and the page wouldn't be defaced, it is likely no one would know of the
intrusion attempt.

Next, their product is a firewall. Why is it running on the same machine
that is to be targeted? If the firewall is passing port 80 traffic and I
exploit something in the web server, is their firewall really to blame?
Unless it is stateful inspection and/or incorporates IDS features, I'd say
no. Doesn't seem that their test is a good one for the firewall.

[500,000 Yuan to U.S. Dollars = $60,387.21 on Wednesday's exchange.]

At least the reward is halfway worth it.

ISN is hosted by SecurityFocus.com