Challenge: Crack Fontys Security Lab’s Security
I received an email today. It made me smile.
A while ago Fontys started a new programme specialised in security (Dutch), a pathetic attempt if you ask me. They’ve been heavily criticised by several professionals. You can’t teach people security by teaching teachers about security. Some basic concepts can be taught, but you’ll need real-world experience to give your security researcher title any meaning. Rumors about the end of the programme have been around since its launch.
Somehow Fontys has found the funds to give the dying educational programme another jolt. A security lab is Fontys’s answer to the failing project. I wonder what’s to be found in a security lab. Is it about network security? Then I wouldn’t expect anything more than some OpenBSD boxes. Is it about software security? All you need for that is a compiler suite and some debugging tools, no lab. Or is it about low level hardware and software security? If that’s the case you’ll need quite a shit load of (extremely expensive) measurement and development tools, since there’s a shit load of low level security mechanisms out there. And the researchers will need knowledge beyond anything taught at Fontys. In short, the security lab needs to contain everything used to develop the target products in order to be effective.
Another point of critique is the fact that you’ll need to be highly skilled in software development in order to search for security flaws. These youngsters can’t code jack shit and start following security courses. How the hell are they going to look for buffer overflows and illegal (de)referencing if they don’t even know what pointers are? I bet they get taught what security companies are saying instead of really getting down and dirty with a debugger.
But anyway, the challenge. The grand opening of this new lab is scheduled for Friday the 13th of June. How appropriate. It would be so cool to prove Fontys is full of crap by, say, spicing up the event. It can’t be that hard since Fontys has been Microsoft’s lap dog for years now. Don’t get all excited and destroy half their network, just leave a little statement. Show some sportsmanship. If you are successful at this the outcome will be positive in any way. If Fontys decides to play the bully and punish whoever did it, they prove they don’t understand security basics (security by fear). If they accept their defeat you’ll prove they’re full of crap.
p.s. They keep insulting us (wnb) hackers.