
The Hacker Challenge
Hacker Scene

                                                     
                                                     
                                       By: Qubik (qubik@bikkel.com)
                                                     
    You have probably read about them and some of you may have even participated in one or two. Hacker
   challenges: where you're asked to bypass the latest security measure implemented into technology which
    is already, prior to testing, dubbed the latest in computer protection. But for what in return?
    Most challenges offer a reward of some sort, a reward which is more often than not a five- or
                 six-figure number with a dollar sign placed neatly at the beginning.
                                                     
   So just what is the deal with these challenges? What purpose do they really serve and are they just
                                             marketing ploys?
                                                     
   I'd like you to imagine for a moment that you're an administrator of a small corporate network. It's
    not the most exciting of jobs, and you don't have time to keep up with the latest goings-on in the
     security scene. Your network has been attacked a few times before, and you start to think about
                             upgrading your security. So where do you start?
                                                     
      Where else would you start, but the internet? It's the world's largest resource, and every good
   company dealing with network security is bound to be on the internet somewhere. So you use a search
         engine or two and you come across a web site for a new state-of-the-art firewall, whose
        manufacturers claim it resisted every hacker that attempted to hack it at a recent hacker
       convention. You're amazed; surely their high price tag is nothing for complete security!?
                                                     
   Only what if it is all a clever ploy? Haven't you got to ask yourself just how many people actually
   tried to hack into that particular piece of software? Haven't you got to look into the reputation of
    the manufacturer? Of course you do! To be sure, you've got to ask for the cold hard facts, not the
                                            marketing babble!
                                                     
   There are serious flaws in many hacker challenges, not the least being that most 'real' hackers only
   hear about them after they've finished. This makes you wonder just who took part, and how they found
                                              out about it.
                                                     
    It's not uncommon for hackers and security analysts to earn wages in excess of six figures, and to
    earn such wages, you've got to be either very lucky or very busy. So what's your guarantee that a
     hacker who actually knows what he is doing actually took the time out to earn a comparatively
         small ten thousand? You have no guarantee at all; why on earth should he or she bother?
                                                     
    Next ask yourself whether real hackers would want to find all those bugs in that new technological
   innovation. Surely they're only going to end up making their job of hacking harder by pointing them
                                                   out?
                                                     
     However, a low-level source code analysis of a piece of software, or a close look at hardware, by
   a reputable third-party security analysis company will delay product ship times and cost a lot more
      than setting up a hacker challenge. Not to mention that it has nowhere near the same marketing
    punch. Display your product at an upcoming convention, let people bang on it for a weekend, and
           then claim "Product X survives Hacker Challenge." It makes a great press release.
                                                     
   It all seems rather corrupt, with companies hiding the truth and rubbing their hands at the millions
   they make. A ten thousand dollar reward seems rather pathetic when you're earning ten times that kind
      of money. Surely these companies know this. Are they in fact attempting to social engineer the
                                hackers or, maybe worse, their customers?
                                                     
   But it's not all like that; there are plenty of genuine challenges out there. Some have been set up
    to test software and, now more and more, hardware; others test entire networks. For example,
   recently the Quebec government is enlisting the aid of hackers to test its networks and to research
                                  new ways of protecting those networks.
                                                     
    So what can we say about hacker challenges? Do they really prove how secure a product is? I don't
     think so; the fact that most aren't officially announced to the hacker public, and that they are
   often deliberately misinterpreted, doesn't give a good impression. But then, who should a company go
              to? It's not the easiest of tasks in the world, to announce such a challenge.
                                                     
   Hack at your own discretion. Don't be afraid to take part in a hacker challenge, but don't take the
    word of the manufacturer when they say it's secure just because a few passers-by at a convention
    typed a few keys on a keyboard. There will always be flaws in hardware and software; it's up to us,
   the true hackers, to find and fix them, whether we do it for the company's marketing campaign or
                                       for personal gratification.
                                                     
