Today a consortium of hardware and software vendors announced
that they will be funding a non-profit organization that will
design and offer monthly security challenges similar to the
one that recently discovered a major problem in OS X. Anthony Lawrence, the newly appointed
Director of Operations for this organization, explained that
the motives of the funding companies aren't entirely altruistic:

Actually, they all realize that there are mutual benefits. So much
software exists across multiple platforms that an exploit on one
platform probably exists on another. Even if it doesn't, the
concept of the exploit may point out danger points in other operating
systems.


We hope that there may be other benefits. Because we are offering
large cash prizes for demonstrated exploits, our hope us that at
least some black hat hackers might be persuaded to augment their
income by winning these contests rather than using their knowledge
for illegal purposes. Even if that doesn't happen, many underground,
"zero day" exploits will surely be brought to light by these
challenges.

The challenges will be held monthly and will have prizes running
from $5,000 to $50,000.00. All manner of hardware and operating systems
will be included, from iPhones and Blackberries right up through
supercomputers. Precise rules and the prizes offered will be published
a month ahead and each contest will run until the prize is won, so
Mr. Lawrence expects that there may be multiple contests running concurrently
at one point. The contests will be similar to other contests where
the prize for a "hands off" hack is higher than those that involve
user involvement.

There's another slant to these contests: the "Duh Awards" for
security
lapses that should not have happened. These are tongue-in-cheek
awards to companies and individuals who make egregious security slips or repeat
the same mistake again. Lawrence explained that these are supposed
to be in a spirit of fun ("We all make dumb mistakes sometimes", he noted)
but also hopefully will provide extra incentive to be careful in code.

The first contest is expected to be announced in July of this year.
Lawrence explained that because of the number of companies involved and
their generous commitment to improving security, the available
prize pool exceeds $100,000 per month.. "That should be enough to
attract plenty of interest", he opined.

Yes, it is April first. But wouldn't this actually be a wonderful
idea?

| << Home | 5:30 PM | Technorati | Ping