Linux Server Break-in Challenge 327
Sujit writes "Are you an Internet security expert at heart or by profession? Ever thought of trying your skill at a professionally set up server? If you are ready, enter.
The Linux Server Break-in challenge. You will have a server available on the Internet for 96 hours without interruption starting from 9 March 2005 2 AM IST. However, the server's life on the Net is in your hands."
Incentive? (Score:3, Interesting)
While I'm sure they're legit... (Score:5, Interesting)
"Oh, we're putting up a box for the hacking at such and such time. We swear it's ours. No, really! Trust us. "
Few would be the wiser until it was too late.
vanilla (Score:5, Interesting)
As Linux gets closer to mainstream more and more people are installing without tweaks or recompiles. How well does Linux stand up without the expertise of a professional?
What's the point? (Score:2, Interesting)
-sirket
Time zone? (Score:3, Interesting)
Uh, ok. (Score:5, Interesting)
Such a feat and sharing of knowledge should be worth about $1,000,000. I'm sure they'll get a lot of contenders with their offer of $0.
Windows 2003 breakin challenge (Score:4, Interesting)
There are likely hidden exploits in both OSes, but these things take time to find. Stumbling upon something by luck is quite common.
Honeypots? (Score:3, Interesting)
what about script kiddies (Score:1, Interesting)
What about system crashes? (Score:3, Interesting)
Lemee guess the "Catch" (Score:3, Interesting)
Then they hand out root
Re:Windows Server Break-in Counter-Challenge (Score:3, Interesting)
Uncertainty (Score:2, Interesting)
Employers want to know your skills and how you have such in-depth knowledge of such systems. HOWEVER putting this on your resume is just a red flag for most employers. "If (s)he has the ability to hack into this big-bad server then imagine what (s)he can do to the security-through-obscurity network we've set up". Think about it.
Now you're going to say software companies want secure software and someone to look at it, but at the same time, they don't want backdoors. They want to trust you.
I'd be a bit hesitant before putting it on paper unless it has a big company (IBM Security Challenge or something) beside it.
-M
Re:Swiss? (Score:3, Interesting)
If you don't understand, don't mod.
Re:very handy. *cough* (Score:3, Interesting)
The experts and auditors who actually can evaluate a system for "security" have to come from somewhere. Usually these people start off as tinkerers, hobbyists, and other amateurs. The big problem is how does an amateur gain experience without breaking the law? When I was in college I had to go to great lengths to get approved access to a SunOS box I could poke at with the owner's permission. I wanted to explore things, but didn't want to break any laws or ethical principles.
I think this is just for fun. Breaking into your own system that you know how you secured is boring. The chance to have a third party set up a system and openly invite you to try and break it is rare, and for some people probably very welcome. This sort of event helps ethical people hone their skills and nurtures the next generation of experts and auditors.
And finally, I don't want to disagree with Bruce Schneier (because he could crush me with his mind) but these contests do produce useful data if someone tries something which wasn't previously known. I believe the context of the quote you provided makes that clear.
Sl45hd0773d! (Score:3, Interesting)
However, the server's life on the Net is in your hands.
Ye-e-esss... just post the news on Slashdot, that ought to take care of the server's life on the net. Good idea!
On the other hand, it could be that the 37 different rootkits are so busy 0wnz0ring each other, that the web service just MIGHT get enough peace to run for the required 96 hours. ;-)
--Bud
Re:very handy. *cough* (Score:3, Interesting)
Harsher tests (Score:3, Interesting)
I'd love to get the resources to do this with some old software. Particularly, I'd like to set up a system with software all about 3 months behind on patches, SSP protected, PaX protected, PIE binaries, with the only up-to-date component being the kernel.
I'd also need to allow for user simulation by giving a Web interface to control a Web browser; and by setting x-chat and gaim connected to everything.
Basic outline:
That would be my setup. And yes I'd use 2.6.11 GrSecurity with the fixed PaX.
Man, now I want to find people to sponsor me some lines to run 3 or 4 honeypots. . . .
Re:Selling some sort of hardened Linux, perhaps? (Score:3, Interesting)
It's not that expensive with some of the newer AUTOMATED technologies out there. The DOD and NASA are actually DOING this right now. I have a friend involved with funding advanced research in this area and products are coming. The products will likely cost in the 100-200K range and they are pretty fast. They will reveal things like buffer overflows, memory leaks, pointer problems, malformed expression problems, etc. In the not too distant future they will be able to formally prove the correctness of a system. That's a pretty small cost to pay to KNOW your system is hack-proof. It's pretty darned expensive to have to comply with California regulations about personal data being hacked that requires notification to be sent to EVERYONE who MAY have had info stolen. Not to mention the bad press your company gets when the hacking is made public. I suspect it also lowers your business insurance premiums, and it might also be a competitive edge.
Don't accuse someone on
Re:Selling some sort of hardened Linux, perhaps? (Score:3, Interesting)
I make no such assumption. I never tried to imply that they "are only interested in farming zombies or stealing data." That comment I made regarding banks was to express the waste of time I consider hacking contests to be rather than an approval of for-profit hacking (except when done legally as part of a penetration test). I consider anyone who farms zombies to be nothing more than a troll. The idea of wasting 0-day on this contest, however, is still silly. Save it for the defcon hacking contests or to impress your friends or for your job. Write a paper and become famous. But waste it here? Hell no.
Nice know-it-all answer. Unfortunately, that's more of a gameplan if you're serious about pissing money away.
Nice well reasoned response.
The reality is that the vast majority of Internet security companies consist of SATAN tied to a web frontend.
It's a fucking shame you never dealt with any of the good companies back in the day. Companies like IFSec and Breakwater before they became big and got bought out used to do everything by hand. Some companies still do. I can not help it if you do not want to find those companies for yourself.
And a "full audit of the source code"? Do you have any idea how expensive (and fruitless) that would be?
It depends on the application and how critical it is. Moreover I would never call it fruitless. Look at all the holes the OpenBSD team found by a code audit. It is a viable option for some applications and it certainly proves a hell of a lot more about the security of a system than one of these sham hack contests.
I'm sorry, but what you've suggested is not a viable solution to most organizations that actually have to generate a profit.
It is a viable option and I've worked for and with plenty of companies to perform code audits on critical code. Plenty of serious bugs have been found that no 4 day hack contest ever would have found.
Furthermore, the simple fact that it all comes down to humans staring bleary-eyed at thousands of lines of source code means that many bugs and exploits *will be missed*.
Then develop some tools to help you. Look for commonly exploited library calls like sprintf(). Do something more useful than a "hack" contest.
The best security practice is to assume that your company's security systems will be compromised and to have plans in place to mitigate the damage.
No- the best security practice is to be so confident in your own security prowess that you do not even bother securing your systems because you know no one could break in. This works best when you have your head in the sand at the same time.
Seriously though: the best security practice is to have several layers of security coupled with stringent monitoring and strong procedures in place to ensure timely application of updates and patches. Then again that's pretty expensive too and from your post it does not sound like you care to spend any money on security.
Compared to having 1,000 customers pay a bunch of people to monitor your systems 24 hours a day, 7 days a week, 365 days a year for years, the cost of a little up front security analysis is hardly unjustifiable.
-sirket
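The kind of helper tool the comment above suggests, as an added example that is not from any poster or project on this page: a small scanner that flags unbounded C library calls such as sprintf() and strcpy() in source, while ignoring mentions inside comments and string literals. The sample C snippet, the function names and the list of risky calls are all constructed for the example.

```python
import re
# Constructed C snippet used as the scanner's input; it is not from any real project.
SAMPLE_C = r"""#include <stdio.h>
/* gets(buf) inside a multi-line block comment
   must not be flagged */
int greet(const char *name) {
    char buf[32];
    strcpy(buf, name);              /* flagged: no bound on name */
    sprintf(buf, "Hello %s", name); // flagged: unbounded write
    printf("strcpy() only inside a string literal\n"); // not flagged
    snprintf(buf, sizeof buf, "%s", name); // bounded variant, not flagged
    return 0;
}
"""

# Calls with no length bound on the destination buffer, and the usual bounded replacement.
RISKY_CALLS = {
    "sprintf": "use snprintf with an explicit size",
    "strcpy": "use strlcpy or a copy that checks the source length first",
    "strcat": "use strlcat or a bounded concatenation",
    "gets": "use fgets with a buffer size",
}
CALL_RE = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\s*\(")

def strip_comments_and_strings(line, in_block):  # returns (code_only, still_in_block_comment)
    code, i = [], 0
    while i < len(line):
        if in_block:                      # inside /* ... */ carried over from an earlier line
            end = line.find("*/", i)
            in_block, i = (False, end + 2) if end != -1 else (True, len(line))
        elif line.startswith("/*", i):
            in_block, i = True, i + 2
        elif line.startswith("//", i):    # rest of the line is a comment
            break
        elif line[i] == '"':              # skip a string literal, honouring backslash escapes
            i += 1
            while i < len(line) and line[i] != '"':
                i += 2 if line[i] == "\\" else 1
            i += 1
        else:
            code.append(line[i])
            i += 1
    return "".join(code), in_block

def scan_c_source(source):  # returns [(line_no, call_name)] for risky calls found in real code
    findings, in_block = [], False
    for line_no, line in enumerate(source.splitlines(), start=1):
        code, in_block = strip_comments_and_strings(line, in_block)
        findings.extend((line_no, m.group(1)) for m in CALL_RE.finditer(code))
    return findings
```

Running `scan_c_source(SAMPLE_C)` reports only lines 6 and 7; each hit can be printed with `RISKY_CALLS[call]` as the suggested fix for the auditor to check by hand.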
Re:Alternately, . . . (Score:3, Interesting)
Re:This contest makes no sense. (Score:3, Interesting)
That roughly describes me. I'd give it a try if I had any free time.