Linux Server Break-in Challenge 327
Sujit writes "Are you an Internet security expert at heart or by profession? Ever thought of trying your skill at a professionally set up server? If you are ready, enter.
The Linux Server Break-in challenge. You will have a server available on the Internet for 96 hours without interruption starting from 9 March 2005 2 AM IST. However, the server's life on the Net is in your hands."
Isn't this illegal? (Score:2, Insightful)
Selling some sort of hardened Linux, perhaps? (Score:5, Insightful)
break-in challenges (Score:0, Insightful)
Re:Incentive? (Score:4, Insightful)
Rules (Score:5, Insightful)
The root partition could be on a read only media such as a CD-ROM, right? In which case nobody could ever win.
Just a hacking challenge (Score:5, Insightful)
Re:Selling some sort of hardened Linux, perhaps? (Score:4, Insightful)
Let me get this straight: 96 hours allows people to try "the worst anyone could throw at it?" In your wildest dreams perhaps. Furthermore, how does this prove anything? Do you honestly think a real attacker would waste a 0-day exploit on such a lame contest? Why not wait until several banks have deployed this system and then make some money with such an attack?
The hack contests are silly. Any admin with half a brain can set up a secure system and the only way to root it would be 0-day that no self respecting hacker would waste on this system.
If you are serious about security you pay for a full audit of the source code, professional penetration testing over a 2 week period, and you test for root exploits using a local account, on the assumption that somewhere down the line the system will be misconfigured and an attacker will gain non-root privileges.
-sirket
Re:Rules (Score:5, Insightful)
Reminds me of Red Hat EL (Score:3, Insightful)
But as the old Slashdot article also states, the 2nd generation was able to stay afloat.
Seems like a great way to learn how to secure a system though - let the best hackers/crackers out there have a go, and learn what went wrong.
give away valuable skills (Score:2, Insightful)
They know damn well that the expertise they're looking for is very valuable, and yet they're not even offering a token prize. Pathetic.
I hope they don't even get a single packet. "Hey everyone! Try to break into our server! It'll be FUN!!!" "...."
Re:Just a hacking challenge (Score:2, Insightful)
You got it! (Score:3, Insightful)
I have to agree that this is a lame ploy at getting publicity. Hopefully others can see through it too.
Re:give away valuable skills (Score:2, Insightful)
Apparently, linuxense is saying, "Hey we don't have enough resources to test our OS's security. Let's stroke the egos of the hacker community and maybe we can trick them into working for us, for free. Free labor, woohoo!"
I disagree. How is this different than releasing a beta test to the Internet?
As far as not having enough resources...having someone OTHER than the people who developed the system test it only makes sense.
Re:Selling some sort of hardened Linux, perhaps? (Score:5, Insightful)
The assumption you're making is that all "self-respecting hackers" are only interested in farming zombies or stealing data. Have you considered the possibility that there may be skilled people out there who would like to demonstrate their skills, but do so without breaking any laws?
If you are serious about security you pay for a full audit of the source code, professional penetration testing over a 2 week period, and you test for root exploits using a local account
Nice know-it-all answer. Unfortunately, that's more of a gameplan if you're serious about pissing money away. The reality is that the vast majority of Internet security companies consist of SATAN tied to a web frontend. And a "full audit of the source code"? Do you have any idea how expensive (and fruitless) that would be?
I'm sorry, but what you've suggested is not a viable solution to most organizations that actually have to generate a profit. Furthermore, the simple fact that it all comes down to humans staring bleary-eyed at thousands of lines of source code means that many bugs and exploits *will be missed*.
The best security practice is to assume that your company's security systems will be compromised and to have plans in place to mitigate the damage.
Why bother (Score:2, Insightful)
a.) So many people will be trying, that the bandwidth available to do anything with the machine at all will be practically zero.
b.) Some "hax0r" will decide to just packet the machine to death, thereby making it impossible to even do anything to.
c.) The software will be up to date, limiting any vulnerabilities that can be taken advantage of, compared to your average server out there.
d.) The time limit to do it is never long enough, especially because of the above problems.
I've seen contests where they even turn on a firewall. Obviously whoever was in charge of those had no idea how anything works. Once that firewall goes up, there's not much of anything that can be done to the system solely from a remote position. It was even a default Windows install on the particular one I'm thinking of, and despite the vulnerabilities in a bare Windows XP install, nobody was ever able to do anything to it.
I know the Linux machine in this contest is said to have no firewall, but like I said, the software will be mostly up to date. Most servers that are broken into are done so because they're running older versions of things with known vulnerabilities. Many of these machines are also on the web, running vulnerable versions of PHP and forums and whatnot, which allow one to take advantage of flaws from there, not necessarily via direct TCP connections.
So while it's entirely possible to break into this particular Linux machine, I just don't think many "real hackers" will bother, for the reasons I mentioned above. It's fun to have challenges and all, but they're just not realistically implemented.
Re:Incentive? (Score:3, Insightful)
This contest makes no sense. (Score:5, Insightful)
1. White hats. Why would they do it? If they're any good, it'll just be a waste of time, and you can always set up your own server to practice with. There's not even any prize!
2. Black hats (I mean real ones, not script kiddies). They wouldn't bother either. Why expose the contents of your secret toolbox for no good reason? Any hack attempts (and successes) will be fully logged, revealing your secret exploits. That's no good, is it?
3. Script kiddies. Maybe they'll try, but they won't get in, unless the server is embarrassingly badly configured. If they do manage to crack it, what does that prove? That it's possible to set up a Linux box with terrible security if you happen to be incompetent?
I'm having a hard time figuring out exactly WHAT this contest is for. The only thing I can imagine (which a few other people have mentioned in this discussion) is that it's meant to enhance the image of Linux as a secure platform. So what -- so you've shown that if you do a good job configuring your box, you can keep out script kiddies. To put it bluntly, no shit.
Re:Incentive? (Score:4, Insightful)
that are used in DDoS attacks? Generating a list of IPs and alerting ISPs might go a long way toward reducing the number of zombie machines out there. Just a (possibly naive) thought.
Re:Selling some sort of hardened Linux, perhaps? (Score:1, Insightful)
- Have they solved the halting problem then?
Re:Isn't this illegal? (Score:1, Insightful)
----
Except there is no signed legal agreement in this case. The hired whitehat hacker is indemnified in writing against any legal action by the corporation who hires him.
Not the case with an open challenge. While it would be hard to prosecute if someone made a public announcement to "come hack my server", whether you would go to jail would depend on the cost of your legal team, local law, and the depth of your pockets, pretty much like any court case. The golden rule applies.
No thank you, not without a written, signed, and verified-by-a-bona-fide-attorney contract/agreement.
This costs me money. Again, no thank you. The incentive simply isn't there.
Add to that that nowhere on this page does it say "We give you permission to compromise our server and stop the network service". They describe the criteria for a successful break-in, but nowhere do they actually grant any permission to do anything.
You would be on shaky legal ground if they decided to come after you, whether for sport or to sue you for money.
L8,
AC
Re:Selling some sort of hardened Linux, perhaps? (Score:3, Insightful)
Most large programs are stronger than a simple first-order predicate logic, though often with sufficient constraints that you can, indeed, prove them correct (or at least it hasn't been shown that you can't), but there are a large number of programs for which this isn't true. Perhaps more recent work has extended somewhat the domain of provable programs, but there's bound to be a very large number that aren't covered.
Note that proving correctness is "even harder" than the halting problem. You've not only got to show that it always comes to an answer, you've also got to show that the answer that it comes to is the correct answer.
Every specification language that I've looked at for specifying that the answer was correct was too complicated to know that it was, itself, correct. The best answers I've seen so far have been unit testing and Eiffel's "Design by Contract". Both of these tend to be sloppily done, but both could, in principle, provide a large measure of security (note that I'm not claiming proof!) that the correct results are being produced.
OTOH, I'm certainly not in contact with anyone working on an automated code tester... but I doubt that such a person would claim that their work was a "proof of correctness" of arbitrary code. Possibly of some restricted subset, analogous to the Ada subset SPARK, which restricts Ada to using a subset of features which results in programs that can be proven correct. Such would be much harder in C, but I can't see any reason why it would be impossible in principle. (I may have slightly misunderstood Ada SPARK, as I've never used it... but that's my understanding. It's usually referred to as a "High Integrity Subset", but I think that's from a book title.)
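To make the "Design by Contract plus unit testing" point above concrete, here is an added example that is not from the thread or any of its posters: a small Python contract decorator wrapped around a parser for a hypothetical length-prefixed wire format (2-byte big-endian length, then payload; the format, the function names and the sample messages are all constructed for this illustration). The precondition rejects inputs too short to hold a header, and the postcondition checks that the payload returned is exactly as long as the header declared. A second, deliberately buggy parser that trusts the length field without checking it against the buffer is caught at run time by that postcondition, which is the kind of evidence (not proof) the poster describes.

```python
"""Design-by-Contract checks in Python: run-time evidence, not a proof.

Added example for illustration; the wire format and names are hypothetical.
"""
import functools
import struct


class ContractError(AssertionError):
    """Raised when a precondition or postcondition is violated at run time."""


def contract(pre=None, post=None):
    """Attach a precondition (checked on the arguments) and a postcondition
    (checked on the result plus the arguments) to a function."""
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            if pre is not None and not pre(*args, **kwargs):
                raise ContractError(f"{fn.__name__}: precondition violated")
            result = fn(*args, **kwargs)
            if post is not None and not post(result, *args, **kwargs):
                raise ContractError(f"{fn.__name__}: postcondition violated")
            return result
        return wrapper
    return deco


# Hypothetical wire format: a 2-byte big-endian payload length, then the payload.
HEADER = struct.Struct(">H")


def _header_fits(buf: bytes) -> bool:
    """Precondition: the buffer is at least as long as the header."""
    return len(buf) >= HEADER.size


def _payload_matches_header(payload: bytes, buf: bytes) -> bool:
    """Postcondition: the payload is exactly as long as the header declared."""
    declared = HEADER.unpack_from(buf)[0]
    return len(payload) == declared


@contract(pre=_header_fits, post=_payload_matches_header)
def parse_message(buf: bytes) -> bytes:
    """Correct parser: verifies the declared length against the real buffer."""
    n = HEADER.unpack_from(buf)[0]
    if len(buf) - HEADER.size < n:
        # Explicit rejection of a truncated message (an ordinary error, not a contract breach).
        raise ValueError("truncated message")
    return buf[HEADER.size:HEADER.size + n]


@contract(pre=_header_fits, post=_payload_matches_header)
def parse_message_buggy(buf: bytes) -> bytes:
    """Buggy parser (constructed for the example): trusts the length field.
    In Python the slice silently truncates; in C the same mistake is an over-read.
    Either way the postcondition notices the mismatch."""
    n = HEADER.unpack_from(buf)[0]
    return buf[HEADER.size:HEADER.size + n]


def violates(fn, *args) -> bool:
    """True if calling fn(*args) trips a contract, False if it returns normally
    or fails with an ordinary (non-contract) exception such as ValueError."""
    try:
        fn(*args)
    except ContractError:
        return True
    except Exception:
        return False
    return False


if __name__ == "__main__":
    # Constructed sample messages.
    good = HEADER.pack(3) + b"abc" + b"trailing"   # declares 3, carries more than 3
    short = HEADER.pack(5) + b"ab"                  # declares 5, carries only 2
    print(parse_message(good))                      # b'abc'
    print(violates(parse_message, short))           # False: ValueError, not a contract breach
    print(violates(parse_message_buggy, short))     # True: postcondition catches the truncation
    print(violates(parse_message, b"\x00"))         # True: precondition, header does not fit
```

The checks cost a function call per invocation and only cover inputs that are actually exercised, which is exactly why they are evidence rather than proof; pairing them with unit tests that feed boundary cases (empty buffer, header only, declared length larger than the buffer) is what turns the contracts into something a reviewer can rely on.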