pjvenda at arrakis
May 16, 2005, 2:51 AM
Post #8 of 9
On Monday 16 May 2005 03:47, William Yang wrote:
> Pedro Venda wrote:
> > On Sunday 15 May 2005 23:29, Nathan Pinkerton wrote:
> >>On 5/15/05, Rui Pedro Figueira Covelo <rpfc [at] mega> wrote:
> >>>Looks like an interesting way to gather information about how someone
> >>>would try to crack a server. "Honey" anyone? ;)
> >>well, of course, those challenges always serve multiple purposes... a)
> >>test the security on the server, and b) learn about techniques used
> >>against the security so that you can see how well your security stands
> >>up to those techniques, and to see if there are techniques that you
> >>haven't thought of, and perhaps should work towards defending against.
> > I've found somewhere on the 'net an interesting comment about security
> > challenges. I think it applies well to this situation.
> > http://www.privacy.nb.ca/cryptography/archives/cryptography/html/1998-12/
> I like to remember that "Quoting ... out of context ... is an art."
obviously, I disagree.
> Or, put another way, maybe you need to re-read Bruce's essay. Bruce
> was talking about crypto challenges, and about how there's no mathematical
> value to a crypto challenge--it doesn't prove cryptographic strength.
yes, I've read it.
> There's a related, but very different, issue involved in a "crack into
> this box" challenge. The point to remember is that, in such challenges,
> it's not really a test of that box's security. It's a test of how good
> the attacker is. It's a well-known axiom of information security that
> any system which can be used legitimately can also be used
> illegitimately. This is only a question of time and resources. The
> details of what resources, and how much time, are left as an exercise
> for the reader.
No, I think it is very related. Most of the points apply exactly to both
situations. The security contest referred to in this thread is exactly "my
security system is totally safe. go ahead and crack it, I'm sure you can't -
if you do... congratulations, I'll write your name somewhere".
This doesn't seem to be "I'll reward the best cracker" but more like "I'm the
best! no one can crack my bulletproof system".
If the above is the real purpose of the contest... I also doubt it.
> As a security tool, penetration testing can be valuable when you have
> good rules of engagement. There are no clear rules of engagement here,
> making it very difficult to assess whether the security environment
> meets your goals at an appropriate price and effort point to be
I read that in Bruce's essay.
> People who focus on being "impervious to attack"
> misunderstand that security--in the real world--is undertaken for
> economic reasons, rather than technical ones. It's a common
> misunderstanding to see in technical security people, though... I think
> it may be a feature of inexperience, perhaps not having roles carrying
> responsibility for more than technical elegance.
OK, but taking security for granted can be much more expensive. Elegant
technical security solutions are generally good methods and contribute to
system stability, lower maintenance costs (this may be going too far) and
improved general network/subsystem security. Generally such systems have
steep learning curves (SELinux comes to mind) but pay off well.
> This "crack me" challenge may be held out as a validation technique, but
> that's not what it's doing. After seeing how the page worked, its
> highest value seems to be to gather intelligence about potential
> attackers and to learn more about attack techniques. It looks like a
> nice way to pick up some exploit code for free.
Pedro João Lopes Venda
email: pjvenda < at > arrakis.dhis.org