[cap-talk] Language-based safety - contest
Jed Donnelley
jed at nersc.gov
Mon Nov 15 21:50:33 EST 2004
At 06:09 PM 11/15/2004, Kevin Reid wrote:
>On Nov 15, 2004, at 11:59, Karp, Alan H wrote:
>>MarkM wrote:
>>>The contest? I'll give you the answer I'm sure you expect: break E. It
>>>is indeed all open source. The links I previously sent out should be a
>>>good guide for getting you started.
>>>As for a prize, ...
>>...I'll put up some money. ...
>
>Bruce Schneier on "The Fallacy of Cracking Contests":
>
>http://www.schneier.com/crypto-gram-9812.html#contests
>
>I realize that what is being proposed isn't exactly the same situation,
>but it resembles what is described in the article, from a distance. You
>may wish to take this into account.

I believe that most of the issues raised in the above document (fairness of
attacks, relative costs of analysis vs. reward of the contest, expecting
the non-winning of the contest to guarantee something about the security of
the system, etc.) don't apply. If we can come up with a reasonable
definition (important of course) then I think we will be talking about
something along the lines of:

"...fair and good... contests are successful not because the prize money is
an incentive ..., but because researchers are already interested in ...
cracking. The contests simply provide a spotlight for what was already an
interesting endeavor."

I believe the most important aspect of the contest is defining what is
meant by a breach in a meaningful way. I also think such a contest can add
an element of fun - if appropriately set up.

Still, if there are no meaningful criteria for winning, then of course a
contest doesn't make sense. "break E" makes perfect high-level sense to
me, but that would seem to admit all the security bugs (implementation
flaws vs. model flaws) as contest winners. That's where I'm stuck on the
contest and indeed on the analysis that I do hope will prove an
"interesting endeavor".

--Jed http://www.webstart.com/jed/