Security

Get Paid To Crack? 226

John Klein writes "Corporate Technologies USA, Inc. is offering hackers $250US and up as part of the Hacker Wargame Research Project. Participants are given sufficient time to hack three primary goals on real Windows 2000 servers on an internet connected wargame network. The servers are updated with fairly current Windows patches, so this is not necessarily an easy task. The difficulty is part of the point. The Project is studying how hackers think, called cognitive research, in an effort to better understand how future IDSs might identify the target of an attack during its early stages. The Project guarantees complete anonymity for those that want to participate without pay, or complete privacy protection to those that choose to get paid."
This discussion has been archived. No new comments can be posted.

  • by 192939495969798999 ( 58312 ) <[info] [at] [devinmoore.com]> on Tuesday October 07, 2003 @08:19AM (#7151917) Homepage Journal
    If they really want some competition, shouldn't they offer at least some TopCoder-scale money - for instance, how about $10k, but have tiered competitions, so that only the top 5 hackers are trying to get in? That would avoid the DoS issues.
  • by derbs ( 563933 ) on Tuesday October 07, 2003 @08:20AM (#7151928)

    1. Wait for critical security patch from Microsoft (shouldn't take long)

    2. Read up on exploit

    3. ???

    4. Get paid

  • by LittleBongoMonkey ( 651724 ) on Tuesday October 07, 2003 @08:25AM (#7151957)
    I remember reading a story not so long ago about a company (can't remember their name) that asked a hacker to break into their secure ATM transaction network to prove its infallibility. Upon doing so they promptly prosecuted him and had him imprisoned. So I'd be wary of any "open hacking" competition. You don't see Ford running hotwiring competitions.
  • by Karl Cocknozzle ( 514413 ) <kcocknozzle.hotmail@com> on Tuesday October 07, 2003 @08:37AM (#7152021) Homepage
    The Project guarantees complete anonymity for those that want to participate without pay, or complete privacy protection to those that choose to get paid.

    Complete anonymity? An interesting idea. Let's talk about the practical ways you could "guarantee" somebody else's anonymity on the internet while still having the contest? I tried to make a list, but all I came up with pretty much amounted to "Dump all the logs." Which obviously makes it really difficult to study the attack patterns.

    Obviously, the best way to remain anonymous is not to break into other people's networks, invited or otherwise. I mean, are they really going to destroy their data if the FBI calls? That would definitely be illegal (and unwise in our current "terrorism-freak-out") and publicly pre-meditated, at that.

    If I had the kind of skillset these people are obviously recruiting for, I would be extremely leery of participating in this "competition." But I don't, and would have no interest.

    "Lenny! Tell Mr. Burns I went home to work on the contest!"
  • by Sycraft-fu ( 314770 ) on Tuesday October 07, 2003 @08:45AM (#7152066)
    Hacking is much like trespassing in that you are only guilty if you don't have permission from the rightful owner. For example, if you pick my lock and break in my house, you are guilty of breaking and entering and trespassing, and will go to jail if caught. However, if I lock myself out of my house, you are a locksmith and you pick the lock to let me in, then I invite you in for a beer, you've committed no crime since you did everything at my behest.

    Same goes for computer access. You are perfectly legal in hacking a system PROVIDED you have permission. If it belongs to you or if the rightful owner has given you permission, go nuts. It is only a crime when you do it without permission.

    Well, they are explicitly giving you permission to hack their boxes if you want to play their game. Thus, no problem. Given the publicised nature of this, even if they decided to try and perjure themselves later and claim you did it without permission, it would be easy to prove otherwise (then they'd go to jail for falsely accusing you of a crime).
  • Well let's see (Score:2, Insightful)

    by MagicBox ( 576175 ) on Tuesday October 07, 2003 @08:45AM (#7152067)
    The servers are updated with fairly current Windows patches, so this is not necessarily an easy task.

    --Is this meant to reflect most Windows systems out there, without the most recent updated patches?

    The difficulty is part of the point. The Project is studying how hackers think, called cognitive research, in an effort to better understand how future IDSs might identify the target of an attack during its early stages.

    --BS. Why didn't they choose a Unix system? Or a Linux system? I think they are just trying to prove a point other than "researching" how hackers "think". It's pretty obvious. Why don't people just come clean about their intentions?

    The Project guarantees complete anonymity for those that want to participate without pay, or complete privacy protection to those that choose to get paid.

    --Well, NOW should I really believe that? I am pretty sure if FBI or CIA are "interested in your hacking skills" your privacy is toast. Think b4 you act. Is it worth it for a dirty $250? I don't think so. Overall, I think a lot of people will be getting paid (or arrested for hacking)
  • by SolemnDragon ( 593956 ) <solemndragon AT gmail DOT com> on Tuesday October 07, 2003 @08:47AM (#7152080) Homepage Journal
    So... let me get this straight. They're paying a bunch of people a pittance to hack a machine that isn't set up like the ones that hackers would usually break into.

    And they think that this will reveal how hackers think.

    So, what we end up with is a bunch of people getting paid a little bit of money to mess with statistics. How many are going to use obvious techniques, just to skew the results in a 'nobody thought of this so it must be safe from exploit' way?? How many are going to have a grand time hacking into their real system just for fun?

    And for that matter, how many dumb wanna-bes are going to end up sharing their IP address with a company that might just duly record them, along with the name that they're writing the check out to, and hand it over to other investigators, saying, "Hey- these are the hackers who applied"?

    I'm guessing that anyone who's willing to take the money but isn't up to a level where they can really accomplish anything is going to eventually get caught playing with someone else's network- I don't pay enough attention to hackers in the news, so I'm not up to speed on whether this constitutes admission of previous (potentially criminal) activity or not... but if the company has a list of people who registered to 'contribute' to the effort, they could then give the list to anyone, right?

    Somehow, the only way that this could look funnier to me is if they had to enter the system, install kazaalite, upload copyrighted music files to it, and make them available for download. At which point the RIAA would step in and prosecute, creating a net loss of approximately $14,750.00USD for the hacker.

    Scenario two is the same, but they have to upload Gigli, and set it to play in a continuous loop until the machine explodes in a desperate move of self-preservation. (And the MPAA would be prosecuting.)

    That is... if the hacker were dumb enough to give their real name and use their own (and static) IP address....

  • Windows HoneyPot? (Score:2, Insightful)

    by SilverThorn ( 133151 ) on Tuesday October 07, 2003 @08:57AM (#7152130) Homepage
    Isn't what they are asking similar to that of the HoneyPot project? If they are using software you have to install to 'watch' your scripting/program use (which you later upload), then monitoring the server as well... then what's the point?

    -- M
  • Re:Wargame Servers (Score:2, Insightful)

    by jofny ( 540291 ) on Tuesday October 07, 2003 @08:57AM (#7152137) Homepage
    It seems the point is to watch the cognitive process that people go through when attacking the systems. It doesn't matter if they're up against a brick wall, NASA, or a deck of cards. The core problem solving skills don't change - just the physical methods that get chosen and executed. This is what it seems like they're looking to learn - not attacks but thought processes.
  • Hey Mods (Score:4, Insightful)

    by freeweed ( 309734 ) on Tuesday October 07, 2003 @08:59AM (#7152152)
    Um, perhaps we shouldn't be modding people up who throw up links that remove software from other people's machines maliciously.

    I know, I know "only losers use IE", but last time I checked, there's no crime for using IE, and something like half of Slashdot uses it.

    Perhaps we can have people post something like "hey, this is a cool link, it will delete media player from your system if you click here (don't say I didn't warn you)". Instead, we get something modded up that is far worse than that insipid goatse.cx picture.

    Real way to make us look like a bunch of idiots.

    And no, I'm not sitting here fuming at my own stupidity; Opera has no problem with that link at all :)
  • by CAIMLAS ( 41445 ) on Tuesday October 07, 2003 @09:04AM (#7152187)
    With Windows, you don't own anything, MS still retains legal rights. Thus, MS owns the computers, or at least the software, and can press charges for violation of the DMCA, because they didn't give permission.
  • by 3Suns ( 250606 ) on Tuesday October 07, 2003 @09:07AM (#7152199) Homepage
    They have a firewall in which they will allow only one IP address at a time to make the attempt. Thus, you sign up for a set time period and they watch you as you hack away...

    Interesting. Seeing as many security tripwire programs shut out an IP as soon as they get suspicious, I can't see how this would replicate a realistic programming environment. One of a cracker's most important tools is being able to attack from unexpected (spoofed or rerouted) IPs. To come from every direction, as it were.

    This reminds me of a similar study on Unix use I was in, that studied how people navigate a directory tree in a Unix shell and find relevant files and information quickly. The catch? No pipes or multi-command lines. But pipes are how a knowledgeable Unix user does things - the system is built up around it. So basically, the artificial limitations of the study cripple the performance of the participants.
  • eck (Score:2, Insightful)

    by Sheepdot ( 211478 ) on Tuesday October 07, 2003 @09:45AM (#7152553) Journal
    Hacking is 20% coding, 20% luck, and 60% social engineering. If you throw up a compromisable machine and say, "Hack this" you're losing over half of the social engineering bit, and can expect to see the general rootkit.

    What's going to happen, is with only $250 bucks as an offer, you're going to see a lot of pre-made scripts (and underground boards will have a lot of newcomers requesting new code) and rootkits that lack a lot of the more complicated tools hackers use.

    In fact, one hack should always lead to another hack (it is part of the fun) and I don't think they are going to get much information or get any serious people interested in what would appear to be a "risky" 250 bucks.

    It's always the goodie-goodie white hats that use apps they've seen the other hats use or create that end up winning these "contests" anyway.
  • by Anonymous Coward on Tuesday October 07, 2003 @11:54AM (#7153571)
    Being a research study, anything learned is A Good Thing.
