[cap-talk] Language-based safety - contest

Jed Donnelley jed at nersc.gov
Mon Nov 15 21:50:33 EST 2004

At 06:09 PM 11/15/2004, Kevin Reid wrote:
>On Nov 15, 2004, at 11:59, Karp, Alan H wrote:
>>MarkM wrote:
>>>The contest? I'll give you the answer I'm sure you expect: break E. It 
>>>is indeed all open source. The links I previously sent out should be a 
>>>good guide for getting you started.
>>>As for a prize, ...
>>...I'll put up some money. ...
>Bruce Schneier on "The Fallacy of Cracking Contests":
>I realize that what is being proposed isn't exactly the same situation, 
>but it resembles what is described in the article, from a distance. You 
>may wish to take this into account.

I believe that most of the issues raised in the above document (fairness of 
attacks, relative costs of analysis vs. reward of the contest, expecting 
the non-winning of the contest to guarantee something about the security of 
the system, etc.) don't apply.  If we can come up with a reasonable 
definition (important of course) then I think we will be talking about 
something along the lines of:

"...fair and good... contests are successful not because the prize money is 
an incentive ..., but because researchers are already interested in ... 
cracking. The contests simply provide a spotlight for what was already an 
interesting endeavor."

I believe the most important aspect of the contest is defining what is 
meant by a breach in a meaningful way.  I also think such a contest can add 
an element of fun - if appropriately set up.

Still, if there are no meaningful criteria for winning, then of course a 
contest doesn't make sense.  "break E" makes perfect high-level sense to 
me, but that would seem to admit all the security bugs (implementation 
flaws vs. model flaws) as contest winners.  That's where I'm stuck on the 
contest and indeed on the analysis that I do hope will prove an 
"interesting endeavor".

--Jed http://www.webstart.com/jed/ 