StrongWebmail has conceded that a group of ethical hackers beat its systems to claim a $10,000 prize, while reiterating its commitment to callback verification technology and plotting a further "hacker challenge". The US start-up was so confident of its claims to provide a secure webmail and calendar service that it challenged …
For some reason...
...I thought this was about Strongbad Emails...
But they're willing
And that makes a difference - they are trying,
OK they're a bit naive to claim absolute security, but challenges like this can't do anything but help their security...
I think the challengers are making the best of a bad job rather than 'skirting' the issue... spin FTW!
But kudos for fessing up and remaining determined to get it right. The 10K is probably a lot less than they'd have spent on getting some 'consultants' to go through their systems, so they're likely on a winner - and if/when they do end up with a completely secure system, the firm will become ... shall we say... quite valuable?
Agree with the author
Security is not down to just getting in via the expected route... but any way possible. It appears that StrongWebmail thought they were invincible, but were not, and probably never will be, especially with an attitude that the hackers didn't really get in. Rubbish.
Would be interesting to know what was in the schedule...
Method doesn't matter
"But its argument that hackers bypassed rather than defeated its call verification technology in hacking into its chief exec account skirts the fact its systems were defeated."
Exactly. Your building or house may have a 12" thick steel door with multiple physical locks and a magnetic lock, as well as a fingerprint reader and an iris scanner, but that won't help at all if someone can simply break a window and gain access that way.
Multiple Points of Failure
The whole point with multiple factors of authentication is to mitigate the issue of points of failure; by having something you know (username/password) and something you have (presumably, cell/land phone), you have reasonable security. This is similar to username/password and a USB key or dongle.
However, by committing to a phone, or worse, a cell phone, you then are hoping that someone else's security (the phone company) is up to snuff. This is simply passing the buck. SMS can be compromised, as it must go through the server(s) of the cell provider first, and they are usually stored there by company policy (or government mandate) for a certain amount of time. This provides a prime, simple target. (Paris/Miley/etc)
In any case, this company is pushing the responsibility of authentication and security onto your cell provider or common carrier... and if they still can't get my billing right after 15 years, how can I expect them to maintain security in this day and age?
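The comment above contrasts a phone-delivered second factor with a USB key or dongle. As an added example (not from the article, the commenter, or StrongWebmail, whose callback design is not described here), this Python sketch shows what a device-held "something you have" looks like when the server verifies it directly: an RFC 4226 HOTP / RFC 6238 TOTP code derived from a secret shared only between the server and the user's device, so no carrier, SMS store or callback sits on the path. It goes beyond the page in naming that specific scheme. The user record, salt and password are constructed; the OTP secret is the RFC 4226 test-vector value, so the codes can be checked against the RFC.

```python
import hashlib
import hmac
import struct
import time

# Hypothetical user record, constructed for this example.
# "something you know": a salted password hash.
# "something you have": a secret held only on the user's device
# (hardware token or authenticator app); the server never sends it anywhere.
SALT = b"example-salt"
USERS = {
    "ceo": {
        "pw_hash": hashlib.sha256(SALT + b"correct horse battery staple").hexdigest(),
        "otp_secret": b"12345678901234567890",  # RFC 4226 test-vector secret
    }
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226).

    The code is a truncation of HMAC-SHA1(secret, counter); because both sides
    compute it locally, there is no delivery channel to intercept or store.
    """
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now=None, step: int = 30) -> str:
    """Time-based variant (RFC 6238): the counter is the current 30-second window."""
    t = int(time.time() if now is None else now)
    return hotp(secret, t // step)


def login(username: str, password: str, code: str, now=None) -> bool:
    """Both factors must verify independently; a failure in either rejects the login.

    Comparisons are constant-time so timing does not reveal which factor failed,
    and the password check is not short-circuited before the OTP check.
    """
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(
        hashlib.sha256(SALT + password.encode()).hexdigest(), user["pw_hash"]
    )
    # Accept the current window and one on either side to tolerate clock drift.
    t = int(time.time() if now is None else now)
    otp_ok = False
    for drift in (-1, 0, 1):
        if hmac.compare_digest(hotp(user["otp_secret"], t // 30 + drift), code):
            otp_ok = True
    return pw_ok and otp_ok


if __name__ == "__main__":
    # At t=59 the window counter is 1, which RFC 6238 lists as code 287082.
    print(totp(USERS["ceo"]["otp_secret"], now=59))
    print(login("ceo", "correct horse battery staple", "287082", now=59))
```

The design point matches the commenter's: the second factor's trust boundary is the user's device and the server, not a third party's message store. A secret that is provisioned once and then only ever used to compute codes locally removes the carrier from the set of parties that can fail.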
I love this idea ....
Seriously... we all know products have undiscovered security flaws. I have far more confidence in a product whose security was hacked a dozen times... and each time improved.
What they should do is put $1000 dollars in the pot each week ... so the pot grows the longer the system remains unhacked.
All the low hanging fruit will get picked off right away ... then as it becomes increasingly difficult to find a new flaw ... the stakes also increase ....
The more a system is tested... the more secure it grows.