The Hacker Challenge
By: Qubik (qubik@bikkel.com)

You have probably read about them, and some of you may have even participated in one or two. Hacker challenges: where you're asked to bypass the latest security measure implemented in technology which is already, prior to testing, dubbed the latest in computer protection. But for what in return? Most challenges offer a reward of some sort, a reward which is more often than not a five or six figure number with a dollar sign placed neatly at the beginning. So just what is the deal with these challenges? What purpose do they really serve, and are they just marketing ploys?

I'd like you to imagine for a moment that you're an administrator of a small corporate network. It's not the most exciting of jobs, and you don't have time to keep up with the latest goings-on in the security scene. Your network has been attacked a few times before, and you start to think about upgrading your security. So where do you start? Where else would you start but the internet? It's the world's largest resource, and every good company dealing with network security is bound to be on the internet somewhere. So you use a search engine or two and you come across a web site for a new state-of-the-art firewall, whose manufacturers claim it resisted every hacker that attempted to hack it at a recent hacker convention. You're amazed; surely their high price tag is nothing for complete security!?

Only what if it is all a clever ploy? Haven't you got to ask yourself just how many people actually tried to hack into that particular piece of software? Haven't you got to look into the reputation of the manufacturer? Of course you do! To be sure, you've got to ask for the cold hard facts, not the marketing babble!

There are serious flaws in many hacker challenges, not the least being that most 'real' hackers only hear about them after they've finished. This makes you wonder just who took part, and how they found out about it. It's not uncommon for hackers and security analysts to earn wages in excess of six figures, and to earn such wages, you've got to be either very lucky or very busy. So what's your guarantee that a hacker who actually knows what he is doing actually took the time out to earn a comparatively small ten thousand? You have no guarantee at all. Why on earth should he or she bother?

Next, ask yourself whether real hackers would want to find all those bugs in that new technological innovation. Surely they're only going to end up making their job, of hacking, harder by pointing them out?

However, a low-level source code analysis of a piece of software, or a close look at hardware, by a reputable third-party security analysis company will delay product ship times and cost a lot more than setting up a hacker challenge. Not to mention that it has nowhere near the same marketing punch. Display your product at an upcoming convention, let people bang on it for a weekend, and then claim "Product X survives Hacker Challenge." Makes a great press release.

It all seems rather corrupt, with companies hiding the truth and rubbing their hands at the millions they make. A ten thousand dollar reward seems rather pathetic when you're earning ten times that kind of money. Surely these companies know this. Are they in fact attempting to social engineer the hackers or, maybe worse, their customers?

But it's not all like that; there are plenty of genuine challenges out there. Some have been set up to test software and, more and more now, hardware; others test entire networks. For example, the Quebec government has recently been enlisting the aid of hackers to test its networks and to research new ways of protecting those networks.

So what can we say about hacker challenges? Do they really prove how secure a product is? I don't think so. The fact that most aren't officially announced to the hacker public, and that they are often deliberately misinterpreted, doesn't give a good impression. But then, who should a company go to? It's not the easiest of tasks in the world to announce such a challenge.

Hack at your own discretion. Don't be afraid to take part in a hacker challenge, but don't take the word of the manufacturer when they say it's secure just because a few passers-by at a convention typed a few keys on a keyboard. There will always be flaws in hardware and software; it's up to us, the true hackers, to find and fix them, whether we do it for the company's marketing campaign or for personal gratification.