
The Fallacy of Cracking Contests (1998) - _pius
https://www.schneier.com/crypto-gram-9812.html#contests
======
tptacek
I assume this is about Telegram?

~~~
sillysaurus2
Indeed. Here's a critique of the Telegram challenge and how it relates to this
article:
[https://news.ycombinator.com/item?id=6931922](https://news.ycombinator.com/item?id=6931922)

If it's mistaken or isn't comprehensive enough, then I'd be relieved if you'd
correct it.

~~~
sdevlin
Your analysis is correct. Their terms and conditions rule out just about every
form of attack.

------
diminoten
This may be unrelated, but one of the things I've always thought is that
contests, bug bounties, and things like it kind of give a free pass to hacking
attempts, don't they?

Is this a well-understood part of these kinds of programs? Even the ones that
say "color inside these lines" can be used to say, "Oh, sorry, I didn't know I
was outside of the boundaries" if a person ever gets caught trying to get into
a bad place.

So you've got all kinds of logs of me trying to break into your system, but as
long as I fail I can just pretend like I was going after the bounty you've
placed, right?

~~~
mattlutze
Except that, if you're going after the bounty, you'll have read the rules,
which define the particular attempts you're making as out of bounds, i.e.,
still malicious.

I'm trying, but failing, to find a recent article about a guy who found a
password in a dropbox for another company that had a "hack us" contest, and
subsequently was indirectly accused of potentially illegal conduct (they
settled on sending him a shirt instead of money).

~~~
diminoten
That's my point though, he certainly didn't go to jail, did he?

These are still new enough that a person could mask any legitimate hacking
attempts in the guise of "I didn't know I couldn't do that". So you get to be
as malicious as you'd like, and no one's going to come after you, lest an
Internet mob forms or something.

------
squigs25
On the flipside, it sounds like every company looking to prove their security
_should_ offer a cracking contest for the very reasons described in this
article, because:
1) Investors will love it
2) No one in their right mind will attempt to crack it
3) In the rare event that someone does crack it, a nominal prize of 5k - 10k is
probably still worth the good PR and the confidence it would give investors.

~~~
BlackDeath3
2) No one in their right mind will attempt to crack it

What are you saying? Does offering cash decrease the chances of cracking?

~~~
squigs25
What I'm trying to say is that these cracking contests offer great PR, and you
don't actually need to worry about the security of your site. So it's great
for companies who are trying to instill investor/consumer confidence in their
security, even if they are not confident in their security. (I'm not condoning
a company using this technique as a ploy to prove their non-existent security
is secure, but if they are strategic, they could absolutely hold a cracking
contest to do just that.)

------
Houshalter
If it's so difficult and expensive to break the system and no one is willing
to do it for the prize money, doesn't that show it is relatively secure?

~~~
aktiur
It just shows it is too difficult and expensive to break the system _given the
prize value and the constraints put on what are acceptable attacks_.

Any system can be proven secured by such a contest if you limit acceptable
attacks to the parts where you know the system is the strongest... but a real
attacker will always aim at the weakest part.

