"Respectable security researchers don't encourage the creation of malware by running contests for it!" .... You can't fault the Speculative Phish though, Doc.

Although in the world of Ethical Crackers and Hackers Evolving Living Organic Networks, the bait would need to irresistible and forever gratifying....... two elements which are singularly missing.

I thought the basic idea was that one remains "unknown" as a crack hack so even the prize of bragging rights is a ego/super-ego trip wasted.

But with a Zero Day XSS Facility so easily XXXXPloitable, and with such Catastrophic Performance Potential to Critical InfraStructure Systems, one can fully understand the Panic. There is only one Practical Perfect Solution ....... Pay such a Potent Potential Attacker to Change the System which so easily Invites Attack..... for once released XSSXXXX Codes have AI Programmed and Program Led Hive Mind of their Own.

Let's be clear, if a I were a respectable hacker able to write a self replicant XSS exploit in less than 292 chars why should I send my best work to the slaughter house when I could get some bank details instead.

Why???

Not sure if developers care about your idea of respectable security research anymore, or to be honest if they ever did.

I must admit things like this do encourage me to get the latest books on website security though, so the industry does seem to be funding itself.

The amusing thing is the search for the signature premise, https is going to knobble that a bit, forcing the check to happen at the client, and even then obfuscation is getting well known in the web field, so not quite sure of the value. And I am fairly sure the browser makers are aware of the basic signatures already, as they keep plugging the holes.

I have seen some good ideas, to increase web security, but really we need an overhaul of the entire premise that the internet as it stands is ideal for secure transactions. I would suggest that the banks and payment gateway services all invest in diverse technologies, requiring the users to download software that is bullet proof to enable transactions. It is the lack of investment in IT that is causing this problem, along with dull diatribes about reinventing wheels and standards. If there is a panacea, then diversity is its mother.

From my research, it takes about a month for someone who is familiar with IT to create a setup where they can fuzz away for vulnerabilities in browsers, then perhaps a couple of hours a day to get an exploit. If the IT industry was proactive these people would be employed in jobs that helped the IT community, instead they are just creating market demand for their skillset in the future, at considerable risk to themselves, but hey at least they are living.

Security thru diversity is a useful mantra for the IT sector. As long as IT delivers productivity at an increase of one penny more on profit over a manual system, it is a viable solution for business. Diversity requires more people to operate, maintain and develop systems, and it increases security. Sure it is more expensive, but it does make the IT sector rich. In some ways these virus writers are doing us all a favour, but hey it remains illegal in most countries. Though this goes some way to explain why IT on the whole tends to give a degree of freedom to the writers, and the number of IT vigilantes is not great, in fact there is probably more of a dislike about animated gifs than there is viruses :)

why?

Because you are honest perhaps?

Yes I know, just like common sense and altruism. Honesty is very rare these days.

"Yes I know, just like common sense and altruism. Honesty is very rare these days."

And all three found together in the one package, adnim, makes for a priceless purchase.

They're gonna get a sh*tload of code, for free. It's not just the winning entry they're gonna be able to dissect and figure out, but *every* entry they receive.

especially amongst hackers ;o)