Gartner: Hack contests bad for business

caveman-jim · May 2, 2007, 10:21 AM

A pair of Gartner analysts denounced a recent hack challenge that uncovered a still-unpatched QuickTime bug, calling it "a risky endeavor" and urging sponsors to reconsider such public contests.

The research manager of TippingPoint, the company that paid $10,000 for the QuickTime vulnerability and its associated exploit, rebutted by saying that at no time was there any danger of the vulnerability escaping from responsible parties.

Dino Dai Zovi was the first to hack a MacBook Pro at CanSecWest, a Vancouver security conference held two weeks ago. For his trouble, Dai Zovi took home the $10,000 prize offered by TippingPoint's Zero Day Initiative, a bug bounty program that's been in operation nearly two years.

Security researchers have called the QuickTime bug, which can be exploited through any Java-enabled browser, "very serious." Apple Inc. has yet to patch, or announce when it will patch, the vulnerability.

Read more overreaction at ComputerWorld

Nocturne · May 2, 2007, 01:11 PM

Whatever happened to the exploit of safari (seemed a lot more important to me)? I'm sure the only reason why they didn't award that one is because it is specifically targetting just Apple systems.

These contests are crucial to maintaining development on fixing security exploits. Most often, the initial programmers made the mistake once, so they'll most likely make it again. Furthermore, independent hackers are usually the first the find the exploits, and it's certainly better to bribe them to give it up than have them use the exploits to make money in more fraudulent ways.

I think the most important thing is that this has shattered the ridiculous notion that apple's software is always secure. Almost reminds me of when Cisco (think it was them) claimed their new system couldn't be hacked, and it was a matter of hours before they were proved wrong.

SirBaron · May 3, 2007, 01:22 AM

^ QFT

Not only that if these exploits become more known to alot of people. It forces the company to fix the issue, otherwise it will of gone unnoticed except by a few of the hackers using it, with free reign.

caveman-jim's System Specs
Motherboard	ASUS® P5Q-E
CPU	Intel® Xeon X3360 2.88Ghz
Graphics	AMD® ATI FirePro V3400 128Mb
Memory	4x1Gb Buffalo® Firestix DDR2-800 5-5-5-15
Cooling Solution	Cooler Master® Gemini II + CM 120mm Fans (2)
Display	Westinghouse® 22" LCD LCM22w2 + Viewsonic VX910
Soundcard & Speakers	Dell® USB Powered Speakers
Hard-Drives	Intel® X25-E 32Gb SSD
Optical Drives	None
Power Supply	Zalman® ZMP-600
Case	Antec® P182b
Input Devices	OCZ® Alchemy Elixir keyboard & OCZ® Equalizer mouse
Operating System	Microsoft Windows® 7 x64
Extra Info	trying to downsize

May 3, 2007, 01:22 AM	#3
SirBaron VH Join Date: Apr 2003 Location: England Posts: 17,110	^ QFT Not only that if these exploits become more known to alot of people. It forces the company to fix the issue, otherwise it will of gone unnoticed except by a few of the hackers using it, with free reign. __________________ http://x32i.org/ Manufacturer Blacklist: Netgear, Linksys (no 64bit drivers) Digital Distribution Blacklist: Impulse... Just because :bleh: Fantards the scourge of the universe:

SirBaron's System Specs
Motherboard	Gigabyte EX58-UD5 Intel
CPU	Intel Core i7 920 D0 Stepping 4GHz
Graphics	Asus GTX-280
Memory	Corsair XMS3 6GB (3x2GB)1600MHz
Cooling Solution	Corsair H50
Display	22" Samsung SyncMaster 2233 120hz + 3D vision
Soundcard & Speakers	Creative X-Fi Platnium 64MB ram
Hard-Drives	2x300GB WD VelociRaptor drives in Raid0 + 500gb WD 16MB 7200 drive
Optical Drives	DVD-RW + DVD-ROM
Power Supply	CoolerMaster Real Power Pro 1000W
Case	Coolermaster Stacker 830 Black
Input Devices	Logitech G9 Laser Mouse
Operating System	Windows 7 64Bit

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

May 2, 2007, 01:11 PM	#2
Nocturne Radeon HD 4830 Join Date: Jun 2005 Posts: 175	Whatever happened to the exploit of safari (seemed a lot more important to me)? I'm sure the only reason why they didn't award that one is because it is specifically targetting just Apple systems. These contests are crucial to maintaining development on fixing security exploits. Most often, the initial programmers made the mistake once, so they'll most likely make it again. Furthermore, independent hackers are usually the first the find the exploits, and it's certainly better to bribe them to give it up than have them use the exploits to make money in more fraudulent ways. I think the most important thing is that this has shattered the ridiculous notion that apple's software is always secure. Almost reminds me of when Cisco (think it was them) claimed their new system couldn't be hacked, and it was a matter of hours before they were proved wrong.

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)