View Full Version : Seriously, how do you hire someone to try to hack a secure code?


MonolithicDawgX
05-22-2003, 06:39 PM
I know that sounds weird, but this is a legit request... My company is creating a process for physically securing a door lock that uses software built to communicate via Bluetooth. We know that there will be people trying to attack this system as this is for "doors" in the public domain. We have been working with an outside company to build the security and software, but are thinking of trying to find someone to "crack" the system before deployment.

So how do you find someone who is good at that without risking public knowledge? Oh sure, my company has loads of lawyers and retained legal firms, but the reality is that if the "keys" were posted on the internet, by the time we prosecuted we could be out of millions of dollars. And since I mentioned that this is a door, we are talking, basically, about finding a "locksmith" who operates somewhat on the right side of the law... he/she needs to be someone who is trying to beat the system...

What would you do?

Jason Dunn
05-22-2003, 06:42 PM
Find a legitimate programmer that does Bluetooth communication protocols for a living, and hire him to attack your system. A "white hat cowboy" can know just as much as a "black hat" one. :-)

Jeff Rutledge
05-22-2003, 06:45 PM
You could look into getting an IRM (Information Risk Management) consultant to provide this service. I'm not sure if they do this specifically, but I do know that there are services like this out there (i.e. hiring a consultant to hack a system). You could start with the consulting arms of the big firms. They've changed their names so I will try to remember them. Andersen Consulting is called Accenture now. KPMG Consulting is Bearing Point now and I don't know what PriceWaterhouseCoopers consulting is called (I think they got bought by IBM Consulting though).

I don't know if they're able to do this or not, but it's worth a call.

ghostppc
05-22-2003, 07:37 PM
Find a legitimate programmer that does Bluetooth communication protocols for a living, and hire him to attack your system. A "white hat cowboy" can know just as much as a "black hat" one. :-)


Often times, the ones who make their living "legitimately" are the ones that wear more than one hat! :jester: :x-mas: :bday:

But seriously, there are good ones out there, if they are bonded and have a fear of jail time :)

Mike Temporale
05-22-2003, 08:34 PM
Personally, I would use @ Stake. These guys are some of the best out there IMHO. I have used their Windows Password tester on many occasions. (My clients were not impressed with some of the simple passwords used by employees.)

They can be found at: http://www.atstake.com and you might want to check out this page: http://www.atstake.com/services/excellence/attack_simulation.html It talks about attack simulations.

However, if you have that much at stake, I wouldn't get just one security person/firm. AND I wouldn't tell the people you hired that there are others hired to do the same thing.

Kati Compton
05-22-2003, 09:05 PM
Often times, the ones who make their living "legitimately" are the ones that wear more than one hat! :jester: :x-mas: :bday:


I think that's true, but a lot of it is people that USED to do the bad things, but got tired of it, got older, whatever, and now use their powers for good instead of evil. ;)

Janak Parekh
05-22-2003, 10:21 PM
I think that's true, but a lot of it is people that USED to do the bad things, but got tired of it, got older, whatever, and now use their powers for good instead of evil. ;)
That, and good can be pretty darn profitable in these situations. :) Not as much as finance cracking, perhaps, but there's no threat of jailtime...

--janak

Mike Temporale
05-23-2003, 08:48 PM
Often times, the ones who make their living "legitimately" are the ones that wear more than one hat! :jester: :x-mas: :bday:


I think that's true, but a lot of it is people that USED to do the bad things, but got tired of it, got older, whatever, and now use their powers for good instead of evil. ;)

That's where @stake came from, a bunch of hackers that merged with a security firm. http://www.computerworld.com/news/2000/story/0,11280,40542,00.html (in case you're interested)