It’s not just that $24k is “chump change” – the problem is that when you see “24 hours to beat our firewall”, anyone who has any experience will read between the lines where it says:

a) When you find something, we’re going to do everything in the world to deny it was an issue with our product. So, you should video tape your 24 hour attack under the supervision of a notary public because once the window is closed, everything is going to be heresay.

b) If you use an 0day, it’s going to die because when you read “24 hours to hack in” you realize that everything is going to be sniffed, kernel logged and anything else you can think of. There is also a good chance the vendor will then take credit for “discovering” your bug and killing it, passing no credit on to you.

Another point would be that when you see one of these challenges, you can rest assured that you’re dealing with SNAKE OIL SALESMEN. Someone who is just “discovering” computer security and thinks they have this great solution already. But when you see a challenge like this you KNOW they don’t see the bigger picture and whatever their product is has to suffer from that same ignorance.

Investors and Universities need to stop trying to turn student works into commercial product. Or, if they do, they HAVE to understand that computer security is an industry that suffers MOST from initial impressions and knee jerk reactions. Things are almost NEVER what they seem at first glance in this game and any great idea that may come out of a University needs a “Sherpa” – not just to give a luke warm “thumbs up” to the high level idea, but to dive into the nitty gritty details of HOW things are done.

Universities teach students programming that solves problems without concern for security. Security complicates the solution and it’s the solution that is the lesson objective – so we leave it out. For example, a “secure” code snippet might have 2-3 lines of code for every 1 line of “insecure” code – perhaps more than that even. So of COURSE these students think they can implement their own ideas – without any clue of how dangerous it is for them to take their classroom coding mentality into an actual production environment.

Heh, so if I were a betting man, I’d say, “I see your $24k and… all in”.

Romanian Raids
http://www.wired.com/threatlevel/2009/11/romania/

RBS WorldPay Heist
http://www.informationweek.com/news/software/showArticle.jhtml?articleID=221601284

FREE COFEE
http://www.crunchgear.com/2009/11/06/siren-gif-microsoft-cofee-law-enforcement-tool-leaks-all-over-the-internet/

News
SPAM and Botnets Revive without McColo
http://voices.washingtonpost.com/securityfix/2009/11/a_year_later_a_look_back_at_mc.html?wprss=securityfix
http://www.avertlabs.com/research/blog/index.php/2009/11/11/the-mccolo-effect-one-year-later/
http://www.eweek.com/c/a/Security/Botnets-Tighten-Defenses-Year-After-McColo-Shutdown-61350

ACM Attacks CALEA
http://www.pcworld.com/article/181985/how_to_ddos_a_federal_wiretap.html

Courtnee: Outsource Much?
http://news.hostexploit.com/index.php?option=com_content&view=article&id=222
http://www.telegraphindia.com/
http://www.etalkindia.com/computer_technology_news_it_forum/satyam_banned_fo

Another Stupid Hacker Challenge
http://www.darkreading.com/security/management/showArticle.jhtml?articleID=221600869&cid=ref-true

iPhone ALPINE Worms
http://www.darkreading.com/blog/archives/2009/11/worlds_first_ip.html
http://www.theregister.co.uk/2009/11/11/iphone_hacking_tool/

Quickies
http://www.scmagazineus.com/Festi-botnet-appears/article/157294/
http://isc.sans.org/diary.html?storyid=7543&rss
http://risky.biz/unu-gone
http://www.poly.edu/csaw
http://voices.washingtonpost.com/securityfix/2009/11/nastygram_myspace_phish_plants.html
http://www.theregister.co.uk/2009/11/09/bot_herders_coopt_google_appengine/
http://clubhack.com/2009/

Programming Note
http://rcm.amazon.com/e/cm?lt1=_blank&bc1=EEEEEE&IS2=1&bg1=EEEEEE&fc1=000000&lc1=FF0000&t=hacnewnet-20&o=1&p=8&l=as1&m=amazon&f=ifr&asins=B002SFDJMQ

Stack of Shame
http://www.zerodayinitiative.com/advisories/upcoming/