We've wrapped up our Openhack III competition, and no one busted in, so what did we learn? These competitions, where we issue an open challenge to the hackers of the world to find a way to break into a Web site, draw a huge amount of interest, averaging 5 million hits and 340,000 hack attacks per day. This time, we took the tack of refereeing and auditing a trusted operating system architecture that was pitted against the hackers over two weeks. The competition offered a $50,000 grand prize if four defined elements of the system could be breached. No one got the money, and, in fact, no one cracked any of the four elements, despite thousands of attempts.
Does that mean everyone should abandon perimeter defenses in favor of trusted systems? No. Does it mean that this is the final word on security? No. And does it mean that no one will ever find a way to slip into this type of operating system? I don't think so.
A big lesson of the Web is that it is difficult to predict exactly how a system or architecture will perform until you put it out there. The Openhack competitions are designed to provide not only a place where hackers can test their skills but, more important, a place where technologies can be Web-tested and corporate system developers can learn by watching how hacks are attempted against our system. This is a lot more fun than learning about security by having your system hacked.
We have again been reminded of the importance of security. Microsoft, which is pursuing enterprise sales, has had to bear the embarrassment of system shutdowns due to security breaches. During Openhack III, we, too, had denial-of-service attacks that, while not elegant, can shut a place down.
In the future, perhaps more of the features of a trusted operating system (which has its roots in national security and banking agencies) will find their way into more widely used systems. Meanwhile, go to our Openhack site to see what lessons you can learn.