Maybe you've heard about the VIA Strongbox challenge? Basically, VIA is offering a paltry sum to anybody who can break their product. So we've all heard that these contests are bogus, but what about this one? Let's investigate to see if it is also rigged... So you know I'm not making this stuff up, I'm pulling the details from VIA's own account of the proceedings:
In this particular challenge, VIA gave (initially) a time-limit of 1 hour for the "hacking" to take place. Since no details of the product and the architecture thereof were given to the challengers, breaking the product has to start with reverse engineering. As anybody who knows about reverse engineering knows, even setting up a debugger to start the analysis would take longer than an hour. As a result, VIA "graciously" extended the contest to last two days. I ask you: in the real world, will an attacker who has something to gain from attacking the product actually stop after two days and give up? Somehow, I doubt it.
Not to mention that the quality and quantity of the researchers were intentionally kept small. This was done in two ways: first, by having the contest only open to attendees of the Hack In the Box conference, the challengers were at a maximum a few thousand. Also, the minimal prize money (5k dollars) ensured that from the participants, only those with a desire to waste time would actually participate. So, at the end of the day, we have - what - 20 or so people trying to break it for two days? Guess what - that's not gonna happen.
So the conference is rigged... who cares, right? After all, who listens to this stuff anyway? Apparently, the press does. A Google search for "VIA strongbox challenge" (no quotes) yields 13,900 hits. Press outlets like "ComputerWorld" are covering this thing like it's legitimate news. In fact, ComputerWorld has no less than three stories on this particular event.
VIA made one hell of a coup - with absolutely no risk to themselves, they have gained a ton of media attention. Let's just hope that security folks out there have the sense to shun VIA until/unless they stop the showmanship and start actually backing up their claims.
Posted by Ed at October 3, 2005 10:16 AM