Vulnerability Development mailing list archives
Re: Cons and Security Validation
From: "Robert A. Seace" <ras () SLARTIBARTFAST MAGRATHEA COM>
Date: Wed, 7 Feb 2001 12:34:34 -0500
In the profound words of Rowe, Michael CONT:
<snip>
Because, once you offer highly desirable prizes (like, say, a big wad of cash ;-)), then you're going to attract a whole different set of people coming after your machine; and, most of them are probably NOT the type you really want to have testing your security...
</snip>

I may have missed something, but in the security world, you can now pick and choose who you want attacking your machines? Someone forgot to tell me... LoL. I thought the idea was to attract ALL kinds of people and see how the product holds up under "real world" testing.

Sure, that's certainly true... But, my point was that those focused only on the big cash prize aren't likely to really give you any useful testing of the product that you can't accomplish yourself with existing widely-distributed exploits... Sure, that's a generalization, of course... There's got to be a FEW people who really know what they're doing, and who will come up with some useful, interesting, and unique attacks to really test the system; but, yet, who just wouldn't consider it worth their time to bother with, if there were no money on the line... And, maybe I'm wrong, but I'd say such people would NOT be the norm...

I think that, in general, the people who are going to give you any serious testing are going to be those who not only aren't doing it for the money, but quite probably would be totally turned off by a big prize contest, and avoid such a thing... And, in general, those who would be attracted to such a big prize contest would NOT be likely to give you very useful testing, but would rather just use up your bandwidth (either with a ton of them all trying to break in at once, or just a few of them being lame, and trying to DoS the machine)... *shrug* Just my opinion, though...

--
||========================================================================||
|| Rob Seace || URL || ras () magrathea com ||
|| AKA: Agrajag || http://www.magrathea.com/~ras/ || rob () wordstock com ||
||========================================================================||
"It is most gratifying that your enthusiasm for our planet continues unabated, and so we would like to assure you that the guided missiles currently converging with your ship are part of a special service we extend to all of our most enthusiastic clients, and the fully armed nuclear warheads are of course merely a courtesy detail." - THGTTG