Forgot your password?
typodupeerror
Security Software Linux

Linux Server Break-in Challenge 327

Posted by CmdrTaco
from the g3t-r3ady-to-p3wn3z0rzasdkja dept.
Sujit writes "Are you an Internet security expert at heart or by profession? Ever thought of trying your skill at a professionally set up server? If you are ready, enter. The Linux Server Break-in challenge. You will have a server available on the Internet 96 hours without interruption starting from 9 March 2005 2 AM IST. However, the server's life on the Net is in your hands."
This discussion has been archived. No new comments can be posted.

Linux Server Break-in Challenge

Comments Filter:
  • by Maradine (194191) * on Tuesday March 08, 2005 @10:59AM (#11876970) Homepage
    Post the IP address here. That'll compromise it.
  • Even if it's with the system owner's permission, wouldn't this be considered illegal and prosecutable?
    • Possibly, but then again, SCO isn't running the contest.
    • I think it falls under the same rules that http://www.hackerslab.org/eorg/ uses

      whatever those may be...offshore?
    • by LordEd (840443) on Tuesday March 08, 2005 @11:15AM (#11877162)
      Hacking isn't illegal. Hacking without permission is illegal. The distinction is unauthorized access. The owner of the box is giving free license to everyone to attack it.

      Its just like corporations hiring security experts to attack their systems in order to find flaws (and strengthen their defenses)
    • Of course not. You can do whatever you want with your computer once you bought it. And you can do almost whatever you want with FOSS software. Of course, you can't do some things with proprietary software, like reverse engineering. But still, just exploiting a vulnerability on *your* machine with proprietary software is not illegal. And if you give permission to someone else, they can do this too. Your question is like asking whether it's illegal to hire a locksmith to break the lock on the door of *your ow
    • by rfc1394 (155777) <Paul@paul-robinson.us> on Tuesday March 08, 2005 @11:40AM (#11877458) Homepage Journal
      Even if it's with the system owner's permission, wouldn't this be considered illegal and prosecutable?

      No. While I am not a lawyer, the statute on computer trespass are clear that access without permission and beyond one's authorization are illegal. If the access is within one's authorization or owner grants permission for access, it is not illegal.

      Permission can be implied. Anyone who puts up a website gives implied permission to access it (since the whole idea of posting a website is to get people to access it, presumably either to give them information - or get information from them - or to sell them something (or buy something from them).) If that were not the case, every person who accessed a website could be charged with the crime of computer trespass since they were not explicitly given permission to access that computer!

      If you go to a car dealer, ask to take a test drive, some will simply photocopy your license and hand you the keys, and it's reasonable you can borrow it for 5 minutes or so to drive around the block. (Some will send a salesperson along for the ride; depends on the dealer and the probability of theft.) But if you walked in, took the keys and did the same thing, they could prosecute you for grand theft auto.

      Where the owner has publicly given permission and in fact, has encouraged people to access the system as root, this would constitute explicit permission and thus no crime could occur for hacking their box.

      Paul Robinson

  • by c0l0 (826165) on Tuesday March 08, 2005 @11:02AM (#11877013) Homepage
    Now I'll just have to find that Sub7-thingie for Linux somewhere on the net...
  • Incentive? (Score:3, Interesting)

    by virex (562720) on Tuesday March 08, 2005 @11:02AM (#11877014) Homepage
    is there any reason to do this? you would think that the linux geeks out there wouldn't want it to be compremised. especially since there is no reward or prize of any sort. most people that are capable of doing this wouldn't want to.
    • Re:Incentive? (Score:4, Insightful)

      by AArnott (751989) on Tuesday March 08, 2005 @11:04AM (#11877039) Homepage
      most people that are capable of doing this wouldn't want to. Agreed. Microsoft has pulled this stunt with their Windows servers repeatedly. Of course bringing either of these down would result in the hack being logged and eventually corrected. Hackers don't want to give up their secrets.
    • Re:Incentive? (Score:3, Informative)

      by SQLz (564901)
      Actually, they would. For a couple reasons.

      1. Contests like this make Linux more secure.
      2. If your looking to find a job in the security industry, this a is a nice bullet on the resume.

      You don't see MS having break in challenges do you? If they did and 17 unknown holes were found and fixed that would have gone unpatched otherwise, would Windows be more secure or less secure?
      • Uncertainty (Score:2, Interesting)

        by PhYrE2k2 (806396)
        If your looking to find a job in the security industry, this a is a nice bullet on the resume.

        Employers want to know your skills and how you have such in-depth knowledge of such systems. HOWEVER putting this on your resume is just a red flag for most employers. "If (s)he has the ability to hack into this big-bad server then imagine what (s)he can do to the security-though-obscurity network we've set up". Think about it.

        Now you're going to say software companies want secure software and someone to lo
    • you would think that the linux geeks out there wouldn't want it to be compremised

      Actually, this is a very good test at the security of the system, and one that I believe we should welcome. The more of these contests we have, the more security bugs that will be found and then promptly patched. This has the potential for leading to a system with nearly un-crackable remote security (assuming all of the results are publically released). So I say hack the crap out of it!
  • by Anonymous Coward
    That server wont have a firewall or much secuirty... so how about 69.44.61.248 - the linuxense.com webserver :)
  • It might be this company is selling some sort of very hardened Linux. If they are, this is exactly the right way to go about it. They are publicly inviiting people to attack it, meaning that if there are any holes, someone is likely to find them. And anyone who hacks on the box can do so with impunity. And if they really can build a bulletproof box then they deserve the rewards they can get by selling one which, on an open and public basis, has taken the worst anyone could throw at it and survived.
    • by sirket (60694) on Tuesday March 08, 2005 @11:12AM (#11877132)
      has taken the worst anyone could throw at it and survived.

      Let me get this straight- 96 hours allows people to try "the worst anyone could throw at it?" In your wildest dreams perhaps. Furthermore how does this prove anything? Do you honestly think a real attacker would waste a 0-day exploit on such a lame contest? Why not wait until several banks have deployed this system and then make some money with such an attack :)

      The hack contests are silly. Any admin with half a brain can set up a secure system and the only way to root it would be 0-day that no self respecting hacker would waste on this system.

      If you are serious about security you pay for a full audit of the source code, professional penetration testing over a 2 week period, and you test for root exploits using a local account- on the assumption that somewhere down the line the system will be misconfigured and an attacker will gain non-root privileges.

      -sirket
      • Not disagreeing with you, but the longer you sit on a 0-day, the higher the chance someone else uses it, or something close enough to it, to negate your advantage.

        Just a small note.
      • and you test for root exploits using a local account
        Which is exactly what will happen if no-one has found a remote hole in 48 hours.

        RTFA.
        • First off- I did read the article- all 2 dozen sentences of it.

          Second, all I was doing was listing how you go about correctly assessing the security of a system. I was not trying to imply that they were doing _everything_ wrong- just most things.

          That said- have you ever written an exploit? Do you honestly believe 48 hours is sufficient time for someone who also has to work and sleep to test anything? If they truly believe in their system then it should be open for 2 weeks not 2 days.

          -sirket
      • The problem with the full audit and professional penetration testing is that it won't help marketing sell much. The fact that there is no real prize indicates how little faith they have that this contest will prove anything. I suppose the chance that some pointy-haired boss might come across news of this contest makes it worthwhile hold it. Marketing doesn't work by overestimating the clients intelligence.
      • by ryanvm (247662) on Tuesday March 08, 2005 @11:57AM (#11877658)
        The hack contests are silly. Any admin with half a brain can set up a secure system and the only way to root it would be 0-day that no self respecting hacker would waste on this system.


        The assumption you're making is that all "self-respecting hackers" are only interested in farming zombies or stealing data. Have you considered the possibility that there may be skilled people out there who would like to demonstrate their skills, but do so without breaking any laws?

        If you are serious about security you pay for a full audit of the source code, professional penetration testing over a 2 week period, and you test for root exploits using a local account

        Nice know-it-all answer. Unfortunately, that's more of a gameplan if you're serious about pissing money away. The reality is that the vast majority of Internet security companies consist of SATAN tied to a web frontend. And a "full audit of the source code"? Do you have any idea how expensive (and fruitless) that would be?

        I'm sorry, but what you've suggested is not a viable solution to most organizations that actually have to generate a profit. Furthermore, the simple fact that it all comes down to humans staring bleary eyed at thousands of lines of source code means that many bugs and exploits *will be missed*.

        The best security practice is to assume that your company's security systems will be compromised and to have plans in place to mitigate the damage.
        • "..And a "full audit of the source code"? Do you have any idea how expensive (and fruitless) that would be?...Furthermore, the simple fact that it all comes down to humans staring bleary eyed at thousands of lines of source code means that many bugs and exploits *will be missed*."

          It's not that expensive with some of the newer AUTOMATED technologies out there. The DOD and NASA are actually DOING this right now. I have a friend involved with funding advanced research in this area and products are coming. The
        • The assumption you're making is that all "self-respecting hackers" are only interested in farming zombies or stealing data. Have you considered the possibility that there may be skilled people out there who would like to demonstrate their skills, but do so without breaking any laws?

          I make no such assumption. I never tried to imply that they "are only interested in farming zombies or stealing data." That comment I made regarding banks was to express the waste of time I consider hacking constests to be rath
      • "way to root it would be 0-day that no self respecting hacker would waste on this system"

        Why not? Most self-respecting hackers are not hacking to steal.

    • yes, very handy for those real-life applications where the server will be on the internet for more than 96 hours.
      • by Council (514577) <rmunroe@@@gmail...com> on Tuesday March 08, 2005 @11:18AM (#11877198) Homepage
        The Fallacy of Cracking Contests [schneier.com] (Bruce Schneier)

        Contests are a terrible way to demonstrate security. A product/system/protocol/algorithm that has survived a contest unbroken is not obviously more trustworthy than one that has not been the subject of a contest. The best products/systems/protocols/algorithms available today have not been the subjects of any contests, and probably never will be. Contests generally don't produce useful data. There are three basic
        reasons why this is so.
        [see link for explanations]
        • by Halo- (175936)
          I totally agree that "cracking contests" are a bad way to demonstrate "security", but I don't think that is the purpose of this event. (It's a little hard to say because TFA is a bit sparse...)

          The experts and auditors who actually can evaluate a system for "security" have to come from somewhere. Usually these people start off as tinkers, hobbists, and other amateurs. The big problem is how does an amateur gain experience without breaking the law? When I was in college I had to go to great lengths to g

        • One thing worth pointing out is that in real-life situations, the box isn't usually set aside as "the box to be hacked" ... its an active machine doing normal things with real people logging into it one way or another regularly.
        • Your quote, while partially right, is out of context. Schneier is talking about cryptographic cracking contests, especially of the form "here's a ciphertext file, tell me the plaintext." In this case, the attackers have much more access to the machine. Furthermore, there are more skilled hackers with free time than skilled cryptographers with free time.

          However, a much bigger problem is that they only give 96 hours. The Hardened Gentoo server is much more rigorous, as it has no prize associated but has
  • by Xaroth (67516) on Tuesday March 08, 2005 @11:03AM (#11877032) Homepage
    ...this seems like it'd be a great way to try to take down your friend's (or enemy's) computer.

    "Oh, we're putting up a box for the hacking at such and such time. We swear it's ours. No, really! Trust us. "

    Few would be the wiser until it was too late.
  • FTA (Score:5, Funny)

    by mr_z_beeblebrox (591077) on Tuesday March 08, 2005 @11:04AM (#11877038) Journal
    I thought it was a nice touch that they give directions on how to stop network services for someone who gets root. Most people who root linux boxes have trouble with those advanced administrative functions
  • Rules (Score:5, Insightful)

    by 3770 (560838) on Tuesday March 08, 2005 @11:05AM (#11877050) Homepage
    The rules say:

    You need to leave your mark at ``/''. It could be your email address, GPG public key or something else with which we can verify your identity.


    The root partition could be on a read only media such as a CD-ROM, right? In which case nobody could ever win.
    • Re:Rules (Score:5, Insightful)

      by espo812 (261758) on Tuesday March 08, 2005 @11:13AM (#11877143)
      Physical attacks are just as valid as network attacks. Now where did I put my Dell technician uniform...
    • Yeah, or just use GRSec or SELinux to disallow any process to write to /. I imagine that it won't get broken into. If it does, I expect it to be Brad Spengler, or some maintainer of SELinux, who happen to know a few bugs in the code that they maintain.
    • The root partition could be on a read only media such as a CD-ROM, right? In which case nobody could ever win.
      ... unless you make a installation into a RW media and reboot into it.
    • Even if / is read only, if you have root, you should still be able to find some way to leave your mark.

      For example, if you have root, you could probably use usermode linux to run an additional version of linux within itself with / on a ramdisk. Even if the system has no hard drive and loads everything from flash firmware or a cd, you need to have some ram. If you are root, you can write to that ram and label it with your identification information and subsequently make it a root partition in some way.
    • To win, make yourself an account. Stop network services. E-mail them that you did it. All they have to do is log on localy using the admin level account you created. Any questions? This dies after a reboot.
    • Re:Rules (Score:4, Funny)

      by hawk (1151) <hawk@eyry.org> on Tuesday March 08, 2005 @11:50AM (#11877578) Journal

      Nah. Zorro could leave his mark on a cdrom . . .

      hawk
  • vanilla (Score:5, Interesting)

    by jest3r (458429) on Tuesday March 08, 2005 @11:05AM (#11877056)
    I would like to see a challenge like this with vanilla installs of the top 10 Linux distros.

    As Linux gets closer to mainstream more and more people are installing without tweaks or recompiles. How well does Linux stand up without the expertise of a professional?

    • Good idea, For a different test It would also be interesting to add a few windows boxes into the mix as well. WinXP, Win2k, Win 2003, maybe some bsds.

    • Love this idea. Anyone with powers to pull this off listening?
      Could be even a reality TV show (on TechTv as it used to be) ;-)
  • What's the point? (Score:2, Interesting)

    by sirket (60694)
    The server is not being set up as a production system so what is the point to a successful compromise. Furthermore- anyone with any sysadmin experience should be able to set up a server that can not be compromised except by 0-day - and honestly- who would waste 0-day on a lame contest?

    -sirket
  • Time zone? (Score:3, Interesting)

    by KD7JZ (161218) on Tuesday March 08, 2005 @11:07AM (#11877067)
    What time zone is IST?
  • Uh, ok. (Score:5, Interesting)

    by bigtallmofo (695287) on Tuesday March 08, 2005 @11:07AM (#11877074)
    Break into a Linux server that has no services running presumably with some heretofore-unannounced buffer overflow in Linux's implementation of the ICMP protocol, all the while having every single packet sent to the system sniffed so that the sponsors of the challenge can know exactly how you did it.

    Such a feat and sharing of knowledge should be worth about $1,000,000. I'm sure they'll get a lot of contenders with their offer of $0.
  • by mrm677 (456727) on Tuesday March 08, 2005 @11:11AM (#11877110)
    I wonder if somebody could break into Windows 2003 in the same amount of time?

    There are likely hidden exploits in both OSes, but these things take time to find. Stumbling upon something by luck is quite common.

  • by saskboy (600063) on Tuesday March 08, 2005 @11:11AM (#11877111) Homepage Journal
    Obviously the best way to crack this server is going to be to socially engineer the linux administrator at this company, and get the real root password.
    It's probably something like: thislinuxis2coolforU2crax0r

    Hmm, that sounds like something I should use as a root password. Forget I mentioned this.
  • Honeypots? (Score:3, Interesting)

    by utlemming (654269) on Tuesday March 08, 2005 @11:12AM (#11877118) Homepage
    Are honeypots legal? I mean if I put up a honey pot and the root system isn't compromised, do I win?
  • at least give a t-shirt as a prize.

    Altruistic intellectual pursuits are one thing, a penguin t-shirt is completely another.

    On the other hand, could this be:-
    1. A secret government program to ferret out crackers?
    2. Google's latest recruitment drive?
    3. Network Associates looking for a new CEO?
    • "Altruistic intellectual pursuits are one thing, a penguin t-shirt is completely another."

      I'd prefer Napoleon Dynamite's helicopter shirt. To each his own, I guess.
  • Outsourced (Score:3, Funny)

    by Evil W1zard (832703) on Tuesday March 08, 2005 @11:12AM (#11877123) Journal
    Hey our Hacking Contests have been outsourced to India. Seriously though I am kind of wary about this because I don't know what legal implications there may be doing this since I am uneducated in Indian Cyber criminal law? Also the web site looks fairly hinkey (yes its a word and I'll use it!) It would be funny if they posted the IP address at the start of the contest and it turned out to be the IP of some major site or agency....
  • by northcat (827059) on Tuesday March 08, 2005 @11:12AM (#11877125) Journal
    So, this is just another hacking challenge. Like the hundreds of others out there (many/most of which are on Linux). What qualifies this to make it to slashdot?
    • Of course this is a challenge and of course there many others out there. Whoever modded me as troll needs look around the internet more. Just google for "hacking challenge". There are a shit load of these on the net.
    • What would make a great challenge is to create a system and make a shell account public via telnet or ssh, to simulate an employee's account being obtained via social engineering, then having it tested. The system should have a typical set of programs runing that would be found on a production system. This would make for a great test of the system. You must remember taht at an orginization of any reasonable size there will be at least one or two accounts that can be accessed via social engineering the appro
    • by Jonboy X (319895) <`ude.ipw.mula' `ta' `renxeo.nahtanoj'> on Tuesday March 08, 2005 @12:38PM (#11878036) Journal
      So, this is just another hacking challenge. Like the hundreds of others out there (many/most of which are on Linux). What qualifies this to make it to slashdot?

      The main difference is that this one was announced on a slow news day.
  • by Inkieminstrel (812132) on Tuesday March 08, 2005 @11:17AM (#11877182) Homepage
    Dear Admin,

    I am currently working on a project sponsored by you in which I need to break into your computer. In order to do this, I will need the root password. Also, my SSH signature is attached to this message. Please add me to the list of valid signatures.

    Thank you,
    Inkieminstrel
    Social Engineer
    • by hawk (1151) <hawk@eyry.org> on Tuesday March 08, 2005 @11:57AM (#11877653) Journal

      From service@linuxsense.com Fri Feb 25 22:51:32 2005
      From: "linuxsense"
      To: root@linuxsense.com
      Subject: linuxsense Account Security Measures

      Dear linuxsense root,
      Your account has been randomly flagged in our system as a part of our routine security measures. This
      is a must to ensure that only you have access and use of your linuxsense
      account and to ensure a safe linuxsense experience. We require all flagged
      accounts to verify their information on file with us. To verify your
      Information at this time, please visit our secure server webform by
      clicking the hyperlink below [...]

  • by Begemot (38841) on Tuesday March 08, 2005 @11:20AM (#11877214) Homepage
    From my experience, hacking attempts often end up with crashed OS. Double power supply and stable Internet won't help. Somebody is going to ping/reboot the system for 48 hours?
  • by Creepy Crawler (680178) on Tuesday March 08, 2005 @11:20AM (#11877223)
    Its running Zen and using NSA security modules with USB rootplug.

    Then they hand out root ;P and laugh.
  • Limber Up (Score:3, Funny)

    by Stanistani (808333) on Tuesday March 08, 2005 @11:22AM (#11877243) Homepage Journal
    *Buys crate of Cheetos*
    *Installs soda machine*
    *dims lights*
    *cracks knuckles*

    I'm ready...

  • by svin (803162) on Tuesday March 08, 2005 @11:22AM (#11877248)
    First time they did something similar, they appearently got hacked in 45 seconds [slashdot.org]

    But as the old slashdot article also states the 2nd generation was able to stay afloat.

    Seems like a great way to learn how to secure a system though - let the best hackers/crackers out there have a go, and learn what went wrong.
  • by tod_miller (792541) on Tuesday March 08, 2005 @11:22AM (#11877254) Journal
    ...if the admin uses Outlook (on a diff machine):

    Subject: "I hax0r3d your box!11"

    Dear adm1n, I hjax0red your l1nu> box, look at the attached screensh00t as pr00f!!!

    h4x0r3d.vbs.exe.scr.pif.dll.bat

    Look at the pic and I will hack^H^H^H^H show you!!

    Yours

    skr1pt k1|)|)1e

    PS: I am tha l33ts7 I even misp4ll l36t words.
  • by tsmithnj (738472) on Tuesday March 08, 2005 @11:28AM (#11877318)
    All the posts thus far are technical in nature. The easiest way into that machine is through the front door. Find the server, grab it, and run. If these guys are stupid enough to allow you to break into their property-- take them up on the challenge. AFter all, they did lay down the challenge.....
  • Apparently, linuxense is saying, "Hey we don't have enough resources to test our OS's security. Let's stroke the egos of the hacker community and maybe we can trick them into working for us, for free. Free labor, woohoo!"

    They know damn well that the expertise they're looking for is very valuable, and yet they're not even offering a token prize. Pathetic.

    I hope they don't even get a single packet. "Hey everyone! Try to break into our server! It'll be FUN!!!" "...."


    • Apparently, linuxense is saying, "Hey we don't have enough resources to test our OS's security. Let's stroke the egos of the hacker community and maybe we can trick them into working for us, for free. Free labor, woohoo!"

      I disagree. How is this different than releasing a beta test to the Internet?

      As far as not having enough resources...having someone OTHER than the people who developed the system test it only makes sense.

  • A few years back, the LinuxPPC guys ran a challenge this like. Even though DOS attacks were clearly against the rules as the only thing that counted was getting root, lamers doing them nearly ended the challenge.

    I have to wonder if their hosting provider won't wind up throwing them out.
  • Aftermath (Score:2, Funny)

    by halleluja (715870)
    ... and then I would hack along into .gov sites from their site.. try and proof I did it.
  • by Anonymous Coward on Tuesday March 08, 2005 @11:46AM (#11877524)
    Options for extra credit:

    1) Erase the kernel and everything else, replace with printf('Do you want to play a game?\n');

    2) Break into the sniffer on the bridge, and erase the packet logs. Return a copy later.

    3) Install BSD on it.

    4) Install and register Win XP on it, which would really confuse the next hacker.
  • Here's a flashback to 1999. (Wooo, all those years ago!)

    LinuxPPC: "Crack our box." [lwn.net]

    We (LinuxPPC Inc.) announced that in response to the LinuxPPC Security Challenge, a competition to break in to a computer running LinuxPPC 1999. The target computer is running the standard installation of LinuxPPC 1999. The target box has the Apache web server and telnet services turned on. Sendmail and FTP are not activated yet.

    The contest was announce in response to Microsoft's Window 2000 security challenge, which h
  • Why bother (Score:2, Insightful)

    by FyberOptic (813904)
    These kinds of things never work. I've seen many of them pop up over the years, from Windows boxes to Macs to Linux, and they all fail. The reasons of course, are:

    a.) So many people will be trying, that the bandwidth available to do anything with the machine at all will be practically zero.

    b.) Some "hax0r" will decide to just packet the machine to death, thereby making it impossible to even do anything to.

    c.) The software will be up to date, limiting any vulnerabilities that can be taken advantage of,
  • Sl45hd0773d! (Score:3, Interesting)

    by Bud (1705) on Tuesday March 08, 2005 @12:09PM (#11877757)

    However, the server's life on the Net is in your hands.

    Ye-e-esss... just post the news on Slashdot, that ought to take care of the server's life on the net. Good idea!

    On the other hand, it could be that the 37 different rootkits are so busy 0wnz0ring each other, that the web service just MIGHT get enough peace to run for the required 96 hours. ;-)

    --Bud

  • They probably have SELinux installed on the system. You may be able to exploit one of the services but that won't be enough.

    You'd have to find an unpublished local root exploit in the Linux kernel. Good luck with that one.
  • by pclminion (145572) on Tuesday March 08, 2005 @12:19PM (#11877839)
    And neither do any contests of this sort. Break it down by the types of people who might enter the contest:

    1. White hats. Why would they do it? If they're any good, it'll just be a waste of time, and you can always set up your own server to practice with. There's not even any prize!

    2. Black hats (I mean real ones, not script kiddies). They wouldn't bother either. Why expose the contents of your secret toolbox for no good reason? Any hack attempts (and successes) will be fully logged, revealing your secret exploits. That's no good, is it?

    3. Script kiddies. Maybe they'll try, but they won't get in, unless the server is embarrassingly badly configured. If they do manage to crack it, what does that prove? That it's possible to set up a Linux box with terrible security if you happen to be incompetent?

    I'm having a hard time figuring out exactly WHAT this contest is for. The only thing I can imagine (which a few other people have mentioned in this discussion) is that it's meant to enhance the image of Linux as a secure platform. So what -- so you've shown that if you do a good job configuring your box, you can keep out script kiddies. To put it bluntly, no shit.

  • Harsher tests (Score:3, Interesting)

    by bluefoxlucid (723572) on Tuesday March 08, 2005 @12:49PM (#11878140) Journal

    I'd love to get the resources to do this with some old software. Particularly, I'd like to set up a system with software all about 3 months behind on patches, SSP protected, PaX protected, PIE binaries, with the only up-to-date component being the kernel.

    I'd also need to allow for user simulation by giving a Web interface to control a Web browser; and by setting x-chat and gaim connected to everything.

    Basic outline:

    • x86 architecture
      • Most vulnerable architecture by nature of the horrible design of the CPU itself
      • Most common architecture, most attacks are focused here anyway; using PPC or sparc64 or such would be security by obscurity in essence, and we want a real test
    • 3 month old software, no security patches
    • Links to all published exploits for the software
      • Second honeypot has exploits we know we can't protect against fixed, MAYBE
    • GrSecurity kernel
      • Add chrooted shell
      • Let users shell in and try to break out of chroot
    • Kernel is up to date
    • Everything built with ProPolice
    • Remote Web access to control a root Web browser
    • X-chat connected to an IRC server
    • GAIM connected to IRC, AIM, MSN, and Yahoo
    • Remote Web access to make XMMS, Xine, mplayer, Rhythmbox, and totem play any file at any URL

    That would be my setup. And yes I'd use 2.6.11 GrSecurity with the fixed PaX.

    Man, now I want to find people to sponser me some lines to run 3 or 4 honeypots. . . .

Work without a vision is slavery, Vision without work is a pipe dream, But vision with work is the hope of the world.

Working...