In the last few years, Internet security challenges have been a growing phenomenon. The basic idea is that a solution provider sets up an Internet service or site that it feels is secure, then offers a substantial reward – cash prizes, computer equipment, or other inducements – to the first person who follows the contest’s rules and breaches the security of the site or service.
Often, Internet security challenges amount to little more than publicity stunts – since the knowledge of how to break into a particular system can be more valuable than the cash or prizes offered – but they can also go a long way toward legitimizing a new or fledgling system. Although recent Macintosh security challenges have had little technical merit or were over-burdened by complex setups, the first Macintosh Web Security Challenge in late 1995 (see TidBITS-317) and the original Crack-A-Mac contest (see TidBITS-378) firmly established the Mac as a reliable, secure, and simple-to-administer Internet server platform right out of the box.
Therefore, in the spirit that the Macintosh is still the most reliable and secure Internet platform, TidBITS is kicking off not one, but two year-long, security challenges. Since TidBITS’s livelihood is completely dependent on the Internet, we think it’s only fair that we put our money where our mouths are, and state unequivocally that we use Macs for everything we do, and we not only trust our sensitive information to them today, but have been doing so for TidBITS’s entire publishing history.
TidBITS Server Security Challenge — We’ve set up a special challenge server – server.challenge.tidbits.com – running a standard installation of Mac OS 8.1 and connected to the Internet via a dedicated frame relay connection. The server is a Power Macintosh 4100 and is not password-protected or running any special security software. By special arrangement with Apple Computer, the root level of the server contains the following information:
Five Acrobat PDF files which, when printed and presented to the Apple Company Store in Cupertino, California, entitle the bearer to one complete, new Power Macintosh system of their choosing, with monitor(s) and other peripheral devices, up to a total retail value of $20,000. All coupons may be redeemed by the same individual or group.
A text document with the home phone numbers of Apple’s current Board of Directors and executive team.
The total value of this challenge is $100,000, although the personal contact information for Apple’s executive team is potentially invaluable and could be a collectors’ item one day. Each of these files contains a unique passphrase which any winner must present to us as confirmation they successfully broke into the computer. These files are simply sitting in a folder on the challenge server’s hard disk; they are not compressed or encrypted in any way.
Complete contest rules and eligibility requirements are available upon request; in brief, this contest will run until all prizes have been claimed or until 01-Apr-99 (one full year), whichever comes first; contestants who engage in denial of service attacks against any Internet device other than the challenge server will be immediately disqualified, and contestants who try to access the server physically will be disqualified and reported immediately to law enforcement agencies. (The server is monitored continuously by a Connectix QuickCam running DigitalRadar.)
TidBITS Setext Challenge — Here’s where TidBITS really puts itself on the line. We’re not only willing to say our challenge server is immune to any Internet-based security breach, we’re willing to bet that documents we’ve created with our Macs are also immune to security problems.
As long-time readers know, since TidBITS-100 the email version of TidBITS has been distributed using setext, a "structurally enhanced" text-only format that can be easily parsed into digests by programs such as Easy View. We produce TidBITS issues using the Nisus Writer word processing program.
What you don’t know is that setext also stands for "security enhanced" text. Encoded within the format of every TidBITS setext issue since TidBITS-100 are the credit card and checking account numbers of each member of the TidBITS staff who participated in that issue. Earlier issues of TidBITS only include account information for Adam and Tonya, but later issues include information for Mark Anbinder, Matt Neuburg, Jeff Carlson, and (of course) myself. Although none of us are fabulously wealthy, we do have enough resources that, collectively, it’s probably worth someone’s time to attempt to extract this sensitive information from TidBITS issues. Please note that this contest does not involve the Internet in any way: you don’t have to break into a server, you don’t have to know technical details about Macintosh software, TCP/IP packets, or Internet routing. All you need is a couple of TidBITS back issues in setext format, and all our back issues are available online.
Because we created these issues on Macs, we’re confident our account information is secure. So confident, in fact, we’ll even publish a hint. To find the first three digits of my personal credit card number hidden in TidBITS-256, do the following:
Multiply the issue number by the number of characters in the text of the issue:
29,889 * 256 = 7,651,584
Divide the number of seconds that have elapsed between the issue’s publication date and 01-Jan-1904 by the number above, dropping any remainder:
2,870,035,200 / 7,651,584 = 375
Add the number of MailBITS or articles I wrote in that issue, and subtract the total number of articles and MailBITS in the entire issue:
375 + 4 – 13 = 366
Those are the first three digits of my personal credit card number; do with them what you will. As above, complete contest rules and eligibility requirements are available upon request, and this contest runs until all TidBITS staff members are insolvent or 01-Apr-99 (one full year), whichever comes first. Please note that credit card information for guest writers and other non-staff members is not encoded into TidBITS issues. Happy hunting!