Get Paid To Crack?
John Klein writes "Corporate Technologies USA, Inc. is offering hackers $250US and up as part of the Hacker Wargame Research Project. Participants are given sufficient time to hack three primary goals on real Windows 2000 servers on an internet connected wargame network. The servers are updated with fairly current Windows patches, so this is not necessarily an easy task. The difficulty is part of the point. The Project is studying how hackers think, called cognitive research, in an effort to better understand how future IDSs might identify the target of an attack during its early stages. The Project guarantees complete anonymity for those that want to participate without pay, or complete privacy protection to those that choose to get paid."
isn't $250 kinda cheap? (Score:5, Insightful)
Shouldn't be too hard (Score:2, Insightful)
1. Wait for critical security patch from Microsoft (shouldn't take long)
2. Read up on exploit
3. ???
4. Get paid
Sure, Just don't be TOO good (Score:2, Insightful)
How do you guarantee anonymity? (Score:3, Insightful)
Complete anonymity? An interesting idea. Let's talk about the practical ways you could "guarantee" somebody else's anonymity on the internet while still having the contest? I tried to make a list, but all I came up with pretty much amounted to "Dump all the logs." Which obviously makes it really difficult to study the attack patterns.
Obviously, the best way to remain anonymous is not to break into other people's networks, invited or otherwise. I mean, are they really going to destroy their data if the FBI calls? That would definitely be illegal (and unwise in our current "terrorism-freak-out") and publicly pre-meditated, at that.
If I had the kind of skillset these people are obviously recruiting for, I would be extremely leery of participating in this "competition." But I don't, and would have no interest.
"Lenny! Tell Mr. Burns I went home to work on the contest!"
Because it's not illegal if you have permission (Score:5, Insightful)
Same goes for computer access. You are perfectly legal in hacking a system PROVIDED you have permission. If it belongs to you or if the rightful owner has given you permission, go nuts. It is only a crime when you do it without permission.
Well, they are explicitly giving you permission to hack their boxes if you want to play their game. Thus, no problem. Given the publicised nature of this, even if they decided to try and perjure themselves later and claim you did it without permission, it would be easy to prove otherwise (then they'd go to jail for falsely accusing you of a crime).
Well let's see (Score:2, Insightful)
Future Build Weaknesses (Score:5, Insightful)
And they think that this will reveal how hackers think.
So, what we end up with is a bunch of people getting paid a little bit of money to mess with statistics. How many are going to use obvious techniques, just to skew the results in a 'nobody thought of this so it must be safe from exploit' way?? How many are going to have a grand time hacking into their real system just for fun?
And for that matter, how many dumb wanna-bes are going to end up sharing their IP address with a company that might just duly record them, along with the name that they're writing the check out to, and hand it over to other investigators, saying, "Hey- these are the hackers who applied"?
I'm guessing that anyone who's willing to take the money but isn't up to a level where they can really accomplish anything is going to eventually get caught playing with someone else's network- I don't pay enough attention to hackers in the news, so I'm not up to speed on whether this constitutes admission of previous (potentially criminal) activity or not... but if the company has a list of people who registered to 'contribute' to the effort, they could then give the list to anyone, right?
Somehow, the only way that this could look funnier to me is if they had to enter the system, install kazaalite, upload copyrighted music files to it, and make them available for download. At which point the RIAA would step in and prosecute, creating a net loss of approximately $14,750.00USD for the hacker.
Scenario two is the same, but they have to upload Gigli, and set it to play in a continuous loop until the machine explodes in a desperate move of self-preservation. (And the MPAA would be prosecuting.)
That is... if the hacker were dumb enough to give their real name and use their own (and static) IP address....
Windows HoneyPot? (Score:2, Insightful)
-- M
Re:Wargame Servers (Score:2, Insightful)
Hey Mods (Score:4, Insightful)
I know, I know "only losers use IE", but last time I checked, there's no crime for using IE, and something like half of Slashdot uses it.
Perhaps we can have people post something like "hey, this is a cool link, it will delete media player from your system if you click here (don't say I didn't warn you)". Instead, we get something modded up that is far worse than that insipid goatse.cx picture.
Real way to make us look like a bunch of idiots.
And no, I'm not sitting here fuming at my own stupidity; Opera has no problem with that link at all.
Re:Don't trust this guy.... (Score:3, Insightful)
This won't work realistically. (Score:5, Insightful)
Interesting. Seeing as many security tripwire programs shut out an IP as soon as they get suspicious, I can't see how this would replicate a realistic programming environment. One of a cracker's most important tools is being able to attack from unexpected (spoofed or rerouted) IPs. To come from every direction, as it were.
This reminds me of a similar study on Unix use I was in, that studied how people navigate a directory tree in a Unix shell and find relevant files and information quickly. The catch? No pipes or multi-command lines. But pipes are how a knowledgeable Unix user does things - the system is built up around it. So basically, the artificial limitations of the study cripple the performance of the participants.
eck (Score:2, Insightful)
What's going to happen, is with only $250 bucks as an offer, you're going to see a lot of pre-made scripts (and underground boards will have a lot of newcomers requesting new code) and rootkits that lack a lot of the more complicated tools hackers use.
In fact, one hack should always lead to another hack (it is part of the fun) and I don't think they are going to get much information or get any serious people interested in what would appear to be a "risky" 250 bucks.
It's always the goodie-goodie white hats that use apps they've seen the other hats use or create that end up winning these "contests" anyway.
Re:Like Most Other Hacking Competitions (Score:1, Insightful)