Security

Get Paid To Crack?

John Klein writes "Corporate Technologies USA, Inc. is offering hackers $250US and up as part of the Hacker Wargame Research Project. Participants are given sufficient time to hack three primary goals on real Windows 2000 servers on an internet connected wargame network. The servers are updated with fairly current Windows patches, so this is not necessarily an easy task. The difficulty is part of the point. The Project is studying how hackers think, called cognitive research, in an effort to better understand how future IDSs might identify the target of an attack during its early stages. The Project guarantees complete anonymity for those that want to participate without pay, or complete privacy protection to those that choose to get paid."
  • by n3rd ( 111397 ) on Tuesday October 07, 2003 @07:13AM (#7151894)
    Will this one just get DOSed into oblivion too?
  • Nah... (Score:1, Funny)

    by Ceadda ( 625501 )
    But someone will probably hack the server running the article and put their name at the top... Would that be an instant win?
  • But you're going to have to pay for each hit after!!!
  • Secret Methods ?? (Score:2, Interesting)

    by MadX ( 99132 )
    Does this not undermine a cracker's "Trade Secrets" then ?? I am no cracker, but I have always been under the impression that if a cracker is going to get into a site, he is going to use his own methods (unless of course he is a script kiddie) .. which means that he is not going to give away his secrets .. no matter how much (little) he will be paid ..
    • Re:Secret Methods ?? (Score:2, Informative)

      by Anonymous Coward
      That's why they'll get nothing more than a whole bunch of enthusiastic script kiddies.

      No real hacker worth his salt would enter a "hacking competition" for 250$. I know a few who wouldn't enter for 10000$. For them, their livelihood depends on how their skills are able to penetrate into a corporation (yes, they hack for a living).

      And about this new windows box: All I'll say is there's a nasty exploit that can get me a SYSTEM priv shell remotely. And it's worked on every box that I've tried it upon.
      • And about this new windows box: All I'll say is there's a nasty exploit that can get me a SYSTEM priv shell remotely. And it's worked on every box that I've tried it upon.

        Hello? Full disclosure anybody?

        Are all of the Windows admins here supposed to just freak out? What program does it exploit?

  • by 192939495969798999 ( 58312 ) <info AT devinmoore DOT com> on Tuesday October 07, 2003 @07:19AM (#7151917) Homepage Journal
    If they really want some competition, shouldn't they offer at least some TopCoder-scale money - for instance, how about $10k, but have tiered competitions, so that only the top 5 hackers are trying to get in? That would avoid the DoS issues.
    • With the security record of Windows, a $250 cracking reward isn't cheap when you have to pay it out several thousands of times

    • To me, the "competition" seems to say, "We've been given $2,500,000 by Microsoft to find security vulnerabilities in Windows. Give us $25,000 worth of information about how to improve Windows and we will give you $250."

      Okay, here is my contribution: Unpatched IE security holes [pivx.com] -- 11 September 2003: There are currently 31 unpatched vulnerabilities. Okay, where's my money?

      The usual reason someone becomes a destructive hacker is that he or she feels abused by adults. Isn't this more abuse?
    • If they really want some competition, shouldn't they offer at least some TopCoder-scale money - for instance, how about $10k, but have tiered competitions, so that only the top 5 hackers are trying to get in? That would avoid the DoS issues.

      Because a Top 5 competition doesn't seem to be what they're looking for. They aren't studying Windows security, they're studying hacker methodology, and depending on what exactly they're looking for quantity may be more relevant to them than quality.
    • "Corporate Technologies USA, Inc. is offering hackers $250US and up [...]

      Keywords : '$250US and up'

  • Wargame Servers (Score:5, Interesting)

    by sabNetwork ( 416076 ) on Tuesday October 07, 2003 @07:19AM (#7151918)
    Wargames are interesting, maybe even fun, but they shouldn't be used for cognitive research. You simply can't replicate the environment of a real corporate network.

    Where is the poor tech support agent that I call to inform of the "new authentication procedures"? Where are the client boxes sending out cleartext FTP passwords over a compromised proxy server?

    Seriously, this isn't a great way to study "cracker patterns". Most crackers aren't creative enough to gain access to a box that lacks the common weaknesses of a corporate server. It's easy to setup a server that no one is supposed to use, but the challenges (and weaknesses) come from the balance between security and usability.
    • Re:Wargame Servers (Score:2, Insightful)

      by jofny ( 540291 )
      It seems the point is to watch the cognitive process that people go through when attacking the systems. It doesn't matter if they're up against a brick wall, NASA, or a deck of cards. The core problem solving skills don't change - just the physical methods that get chosen and executed. This is what it seems like they're looking to learn - not attacks but thought processes.
      • Re:Wargame Servers (Score:2, Interesting)

        by ninthwave ( 150430 )
        My problem with this is the time limits. When you do things like this you stake out the target. If they were truly interested in the cognitive side that information involved in staking out the target is more valuable in the actual exploit. But a true stake out of the target would not fall within their time limits.
    • I don't know about that. You certainly have a point, but they did say they are working to develop more secure IDSs. Obviously, the best IDS won't tell you if your tech-support guys are morons who give out passwords, or if your CEO likes to download porn-dialers. But IDSs can, ideally, detect odd behavior on the network on hosts. So while their findings are definitely very limited, the application is just as limited, I think, and probably unaffected by the warped testing conditions.
  • "Shall We Play A Game?"
  • Are you sure you wouldn't prefer a nice game of chess?
  • by derbs ( 563933 )

    1. Wait for critical security patch from Microsoft (shouldn't take long)

    2. Read up on exploit

    3. ???

    4. Get paid

  • What about the DMCA? (Score:2, Interesting)

    by shadowxtc ( 561058 )
    Isn't this a blatant violation of the DMCA?
  • IDS (Score:3, Interesting)

    by EinarH ( 583836 ) on Tuesday October 07, 2003 @07:23AM (#7151948) Journal
    The Project guarantees complete anonymity for those that want to participate without pay,
    How are they planning to monitor the servers with IDS without collecting IP's and MAC-addresses?

    I wonder how far they are willing to go to protect a hacker that finds a rare vulnerability.

    • Re:IDS (Score:2, Interesting)

      by Frit Mock ( 708952 )

      Collect my IP and MAC address, you still won't find my identity!

      I'm using an old fashioned acoustic modem in a public telephone box, with a call-by-call provider.
      Or, maybe I'm sitting in a car with a laptop and connect through an unsafely set up WLAN from "Joe Doe dentist".

      You are obviously not a hacker, since you don't understand that IP and MAC-addresses are no trail to a hacker's identity!
      It is just too simple to disconnect your identity from the IP and MAC-addresses.

      Unless you want to earn some money wi
  • Don't let the "pstohtml"ish webpage con you. And don't let them convince you that they are not law enforcement. I'm sure they are in with Ashcroft.
    Note the term Hacker in all the writeups, the incorrect use term the establishment uses to paint Linux hackers black? Note the referral program? Trust nobody!!
    On a serious note, suppose somebody actually cracks their server, and they hold the information secret, will they be an accessory to crime? Surely enough, just because nobody complained about a murder
    • by godzillion ( 693800 ) on Tuesday October 07, 2003 @07:29AM (#7151981)
      From the FAQ:

      Q4: How do I know you aren't working for the man?
      A: We're not, we promise.
    • So with convictions for cracking being higher than manslaughter, what is to stop a third party from dragging everyone to court?

      You answered your own question: that third party will never win the lawsuit, although his heirs might...

    • by Sycraft-fu ( 314770 ) on Tuesday October 07, 2003 @07:45AM (#7152066)
      Hacking is much like trespassing in that you are only guilty if you don't have permission from the rightful owner. For example, if you pick my lock and break in my house, you are guilty of breaking and entering and trespassing, and will go to jail if caught. However, if I lock myself out of my house, you are a locksmith and you pick the lock to let me in, then I invite you in for a beer, you've committed no crime since you did everything at my behest.

      Same goes for computer access. You are perfectly legal in hacking a system PROVIDED you have permission. If it belongs to you or if the rightful owner has given you permission, go nuts. It is only a crime when you do it without permission.

      Well, they are explicitly giving you permission to hack their boxes if you want to play their game. Thus, no problem. Given the publicised nature of this, even if they decided to try and perjure themselves later and claim you did it without permission, it would be easy to prove otherwise (then they'd go to jail for falsely accusing you of a crime).
      • Sure, you gave me permission to hack your system, but Microsoft did not.
        • Microsoft has nothing to do with it. I own my system, it is up to me to choose who may and may not access it. Microsoft has no say in the matter. Likewise, they can't go after you for hacking my system, supposing they could even find out that you did (nothing compels me to tell them).

          What they COULD do is if you published something about the vulnerability you used, they could go after you for that. It would probably get thrown out of court (would likely be a civil case), but they could try all the same.

          Ho
      • Ok, but the poster meant: do they have permission from Microsoft for breaking into W2K ? *That* would be against the DMCA (not sure).
      • Same goes for computer access. You are perfectly legal in hacking a system PROVIDED you have permission. If it belongs to you or if the rightful owner has given you permission, go nuts. It is only a crime when you do it without permission.

        Tell that to Randal Schwartz [stonehenge.com]. Because he did not obtain permission for each individual action, he was convicted of Computer Crime [lightlink.com]. You can email his perl bot [mailto] for more info.

        Beware people with benevolent intentions, as they usually become malevolent when they realize 1)

      • Reminds me of the story of a guy who saves someone's life by giving CPR. Since he's an unpaid bystander, he can't be sued for accidentally breaking the guy's rib in the process even though he had no formal CPR training.

        So, the man with a broken rib takes his savior out to lunch and then sues him (successfully, I might add) for tens of thousands of dollars, since anyone receiving COMPENSATION (even a burger and fries) for medical services is liable for incidental injuries if it can be proved they have insuf
    • "On a serious note, suppose somebody actually cracks their server, and they hold the information secret, will they be an accessory to crime? Surely enough, just because nobody complained about a murder it does not become a non-crime."

      I don't think you understand computer crime. The person who owns the computers is providing authorization for other people to gain access to them. Just because the computer isn't letting them in without being tricked does not in any way change the fact that they still have

      • With Windows, you don't own anything, MS still retains legal rights. Thus, MS owns the computers, or at least the software, and can press charges for violation of the DMCA, because they didn't give permission.
    • Note the term Hacker in all the writeups, the incorrect use term the establishment uses to paint Linux hackers black ?

      Oh, give it up. The usage war is over, and you lost before it even started. ESR can whine all he wants, but a person who breaks into computers is a "hacker". That isn't the only meaning the word has, but it's the most common one. "Cracker" already has meaning and connotation when applied to a person, and it has nothing to do with computers! Are you trying to suggest that only poor southern
  • Wanted (Score:2, Funny)

    by godzillion ( 693800 )
    Wanted: Cracks on isolated Windows server. Full disclosure required. Compensation $250 or negotiable. Social Engineers need not apply.
  • Mitnick Trick? (Score:3, Interesting)

    by dolo666 ( 195584 ) on Tuesday October 07, 2003 @07:24AM (#7151952) Journal
    This is a huge step compared to how society dealt with Kevin Mitnick. It used to be that they didn't care to know about vulnerabilities in systems, or that they would rather keep the vulnerabilities secret. Now John A. "Cobras" Klein of Corporate Technologies USA, Inc [corptech.net] has some money to burn on people who crack, not to test systems, but to study devious minds. It's impressive, but what will this research be really used for?

    I, for one, would be seriously surprised if anyone at Microsoft uses this to build a better system. I could see if this research was used for security outfits to track B&Es, but even that's a little loosey-goosey, IMHO.

    This effort could be for the good, but crackers out there be warned that this could be a one stop ticket to FBI surveillance and eventual lockup. Come now, doesn't this remind you of the RIAA's amnesty offer?

    • I, for one, would be seriously surprised if anyone at Microsoft uses this to build a better system. I could see if this research was used for security outfits to track B&Es, but even that's a little loosey-goosey, IMHO.

      I'd be really surprised too, because in the FAQ [hackerwargame.org] they say that they'd rather M$ fix the problems before releasing software so they wouldn't have to do this sort of thing.

      Come now, doesn't this remind you of the RIAA's amnesty offer?

      Nope. This seems legit to me. If you're good en
  • I remember reading a story not so long ago about a company (can't remember their name) that asked a hacker to break into their secure ATM transaction network to prove its infallibility. Upon doing so they promptly prosecuted him and had him imprisoned. So I'd be wary of any "open hacking" competition. You don't see Ford running hotwiring competitions.
  • by Frac ( 27516 )
    When I first read the title, I thought it was "Get Paid For Crack?"

    Where where?

    Sigh.
    • Perhaps you've missed the big business that has grown up surrounding slashdot's sale of $3 crack, but I assure you it is quite profitable and mutually beneficial. If you'd like to start selling $3 crack, please reply to this message with your credit card number and address.

    • > When I first read the title, I thought it was "Get Paid For Crack?"
      > Where where?

      On a streetcorner near you, now!!

    • Reminds me of what Robin Williams said about anthrax:

      "White powder in the mail... really "
    • I thought the same (Score:2, Interesting)

      by phorm ( 591458 )
      And immediately assumed it was the daily/weekly Verisign or SCO article. My mistake... though I suppose cracking might apply to an RIAA article instead.
  • by TheWart ( 700842 ) on Tuesday October 07, 2003 @07:28AM (#7151973)
    Nothing like a good joke to start out my day:
    "The servers are updated with fairly current Windows patches, so this is not necessarily an easy task."

    hahahahahah

  • I think I'll work at Wendy's for the week... more profit!
  • by macx666 ( 194150 ) *
    Complete privacy, they say?

    Will that still be the case when someone hacks in to their system housing the database of participant names?
  • by Johnny Mnemonic ( 176043 ) <mdinsmore@@@gmail...com> on Tuesday October 07, 2003 @07:36AM (#7152016) Homepage Journal

    From their FAQ: [hackerwargame.org]

    You should be able to complete the goals easily without the need to break any laws...[in] about 5 hours

    Sounds like this is more of a "target-rich environment" where they expect the dedicated hacker to succeed, and they want to study means/methods, rather than a "our box is unbreakable" type challenge. I think they'll be writing a lot of $250 checks--which explains also why the sum is low.
  • It's a no-brainer competition. Step 1. Find IP address of server 2. Post link on /. 3. Server crashes 18.113 seconds later from overload 4. Collect underpants 5. 6. PROFIT!!!
  • by Anonymous Coward

    Corporate Technologies USA, Inc. is offering hackers $250US and up as part

    In the real world, a "consultant" would be charging $250 AN HOUR, at a bare minimum.

    Wake up and smell the coffee, dudes. They're using you as slave labor.

    • $300. And I'm reading slashdot from the client site through a chain of SSH forwards. Isn't consulting ironic?
    • Uhh mate, they're Windows servers. I make that $250 to be something like $750 an hour, considering how long it's likely to take... :-)

      - Chris
      (Yeah yeah I know, it's a joke..)

    • >>Corporate Technologies USA, Inc. is offering hackers $250US and up
      >>as part
      >
      >In the real world, a "consultant" would be charging $250 AN HOUR, at
      >a bare minimum.
      >
      >Wake up and smell the coffee, dudes. They're using you as slave
      >labor.

      You've got to be dreaming. I'm a professional pen-tester and my chargeout rate is about a grand a day (sterling), er, about $1500 a day. I take home about 1750 (sterling) a month, er, approx. $140/day.

  • by Karl Cocknozzle ( 514413 ) <kcocknozzleNO@SPAMhotmail.com> on Tuesday October 07, 2003 @07:37AM (#7152021) Homepage
    The Project guarantees complete anonymity for those that want to participate without pay, or complete privacy protection to those that choose to get paid.

    Complete anonymity? An interesting idea. Let's talk about the practical ways you could "guarantee" somebody else's anonymity on the internet while still having the contest? I tried to make a list, but all I came up with pretty much amounted to "Dump all the logs." Which obviously makes it really difficult to study the attack patterns.

    Obviously, the best way to remain anonymous is not to break into other people's networks, invited or otherwise. I mean, are they really going to destroy their data if the FBI calls? That would definitely be illegal (and unwise in our current "terrorism-freak-out") and publicly pre-meditated, at that.

    If I had the kind of skillset these people are obviously recruiting for, I would be extremely leery of participating in this "competition." But I don't, and would have no interest.

    "Lenny! Tell Mr. Burns I went home to work on the contest!"
  • $250 per person? A name like "Corporate Technologies USA, Inc.". Sounds like either;

    1. Some fancypants Mr. Govt. Bureaucrat's latest great idea
    2. Some fancypants Mrs. Marketing Major with a great idea on a new marketing scheme (get ready for some 'impressive' stats to be quoted shortly)

    Even if I'm wrong about the government or marketing, I am certain that there are fancy pants involved.

  • by account_deleted ( 4530225 ) on Tuesday October 07, 2003 @07:39AM (#7152028)
    Comment removed based on user account deletion
    • Man, you don't realize what you're asking. My memories of Windows include going up to a "Password Protected" Windows box and pressing Escape... I didn't mean to get past their security, it just happened. Imagine some pseudo-cracker doing something simple -- I dunno, forwarding a virus email on purpose -- and then accidentally gaining access.
  • three primary goals on real Windows 2000 servers

    ./dcom 4 xxx.xxx.xxx.xxx

    The servers are updated with fairly current Windows patches

    Oh.. darn. I guess I just have to do it the easier way and send the administrators an email masquerading as a windows update.
  • the Hacker Wargame Research Project. Participants are given sufficient time to hack three primary goals on real Windows 2000 servers

    At least you know you have a chance to win with this platform. That might also explain why the prize is only 250 bucks, it might have be a lot more if participants were to hack a netbsd box for example.

    Oh well, in any case, wargame research projects that don't involve a WOPR are just not worth the name I say ...
  • Well let's see (Score:2, Insightful)

    by MagicBox ( 576175 )
    The servers are updated with fairly current Windows patches, so this is not necessarily an easy task. --Is this meant to reflect most Windows systems out there, without the most recent updated patches? The difficulty is part of the point. The Project is studying how hackers think, called cognitive research, in an effort to better understand how future IDSs might identify the target of an attack during its early stages. --BS. Why didn't they choose a Unix system? Or a Linux System? I think they are just tr
  • by SolemnDragon ( 593956 ) <solemndragon AT gmail DOT com> on Tuesday October 07, 2003 @07:47AM (#7152080) Homepage Journal
    So... let me get this straight. They're paying a bunch of people a pittance to hack a machine that isn't set up like the ones that hackers would usually break into.

    And they think that this will reveal how hackers think.

    So, what we end up with is a bunch of people getting paid a little bit of money to mess with statistics. How many are going to use obvious techniques, just to skew the results in a 'nobody thought of this so it must be safe from exploit' way?? How many are going to have a grand time hacking into their real system just for fun?

    And for that matter, how many dumb wanna-bes are going to end up sharing their IP address with a company that might just duly record them, along with the name that they're writing the check out to, and hand it over to other investigators, saying, "Hey- these are the hackers who applied"?

    I'm guessing that anyone who's willing to take the money but isn't up to a level where they can really accomplish anything is going to eventually get caught playing with someone else's network- i don't pay enough attention to hackers in the news, so i'm not up to speed on whether this constitutes admission of previous (potentially criminal) activity or not... but if the company has a list of people who registered to 'contribute,' to the effort, they could then give the list to anyone, right?

    Somehow, the only way that this could look funnier to me is if they had to enter the system, install kazaalite, upload copyrighted music files to it, and make them available for download. At which point the RIAA would step in and prosecute, creating a net loss of approximately $14,750.00USD for the hacker.

    Scenario two is the same, but they have to upload Gigli, and set it to play in a continuous loop until the machine explodes in a desperate move of self-preservation. (And the MPAA would be prosecuting.)

    That is... if the hacker were dumb enough to give their real name and use their own (and static) IP address....

  • I'm going to take $250 to be put on a list of windoze crackers? No thanks. I don't care how fun it would be to look into how to do this kind of thing or how bad I need the money. Projects like this have the stink of an INS washing machine give away in a Mexican neighborhood.
  • just setting up a box to be hacked isn't really a good way to test hackers. 90% of "hacking" is sniffing passwords off a network and social engineering.

    both of those aren't an option here on a box that isn't used by anyone, just sitting there.
  • What about studying these crackers so that they/we can determine how a cracker thinks, for the purpose of designing a better system in the first place? Say, design the system so that it's counter-intuitive to cracking attempts, at least at a security level (as opposed to a UI level).
  • Too late to join (Score:3, Informative)

    by infolib ( 618234 ) on Tuesday October 07, 2003 @07:56AM (#7152118)
    According to the FAQ [hackerwargame.org]

    Q23: I'm too busy to do this right now, but I'd like to do it later. How long is this study going on?

    A: We anticipate the study to be wrapping up at the end of 2003, but we will probably be done recruiting by mid-year at the latest, so don't wait too long. Sorry, no reservations accepted.


    I'll go digging at archive.org now to find out how long they've been up.
  • and I was sure I saw the word "smoke" in there somewhere.
  • Windows HoneyPot? (Score:2, Insightful)

    by SilverThorn ( 133151 )
    Isn't what they are asking the similar to that of the HoneyPot project? If they are using software you have to install to 'watch' your scripting/program use (which you later upload), then monitoring the server as well... then what's the point?

    -- M
  • Our research... (Score:2, Interesting)

    by DuranDuran ( 252246 )
    We're doing research like this at the Ecommerce Research Group [anu.edu.au] at the Australian National University [anu.edu.au]. We're focusing on software piracy, trying to work out why people do it if they don't then sell their cracked software (and could be using their coding skills in the workforce).

    Our biggest problem has been getting crackers to participate. Most are so skeptical and wary that they are reluctant to take the survey (which we designed specifically so respondents don't have to admit to doing anything illegal).

    Ou
  • by floydman ( 179924 ) <floydman@gmail.com> on Tuesday October 07, 2003 @07:57AM (#7152139)
    Here is a more detailed version:

    1. We will contact you by e-mail within 72 hours to let you know that we have received your application. This is not an automated mailing, it is a real response from a human being.
    2. We will review your application within one week of application and decide if we will invite you to participate. You will again be personally notified, this time by e-mail or telephone, of our decision.
    3. If you are not chosen to participate, we will tell you why, and we will destroy all records of your application and our communications with you. The only information we will keep is a paper list of who applied and was rejected, and why.
    4. If you are chosen to participate, you will be sent more info on the wargame research project.
    5. You will need to prepare yourself by following the instructions, and schedule a time with us to complete your hack. We will send you all of our direct contact information so you can talk to us directly to answer any questions that you might have.
    6. If you intend to use any Windows box(es) during your hack, you will need to download the free demo version of the CamTasia screen recorder program (15.4MB) from our FTP server [ anonymous login to ftp.hackerwargame.org ] or from the author's commercial website if you prefer. Install the program ahead of time, and play with it a bit to ensure that you know how to use it. It's very simple, and the defaults will work, but you can optimize your output and file size by turning off hardware acceleration and setting your desktop resolution to 800x600 at 16bpp color. We don't recommend recording at 24-bit or 32-bit color since this will result in very large files in the Gig range rather than a few MB.
    7. If you intend to use any *nix box(es) during your hack, you will need to start off by running the command "script -a /log.txt" which will pipe everything from STDOUT and STDERR to a plain text file (adjust the logfile path to wherever you want). Hit CTRL+D when you are all done to close the logging. Check man script to learn more.
    8. If you intend to use an Apple/Mac during your hacks, you're kind of on your own regarding how you're going to produce logs for us, but Snaps Pro X works well under OS-X, and a plain text file with a LOT of typing might work.
    9. Prior to the hack, you will need to get your computer(s) ready for the hack. This includes downloading any tools you intend to use, checking your internet connectivity, and letting us know what IP address(es) you will be coming from. If you receive dynamic address(es) you can notify us of your address just before the actual hack time. To make it easier, you can also get a free account with a free dynamic IP tracking service like NO-IP.com (or any other that you prefer) which will give you a domain name that tracks your dynamic IP address, which we can use to set you up in our IP filter.
    10. At your arranged date and time, you will need to synchronize all of your computer's times to our network so that we can match up logs. We will give you a webpage where you can do this easily, or you can use any standard NTP utility since our network is synchronized at Stratum 2 to the US Atomic Clock. You will then begin your hack by sending us an e-mail to a specific address telling us that you are starting. You will be notified of the wargame's IP address prior to your scheduled hack time.
    11. During the hack, you will log which goal you are attempting to accomplish. This can be done quite simply by typing, for example:
    10:21:42.15>echo SQL goal
    SQL goal
    10:21:42.15>
    in a DOS box or on the *nix console. Note that your command prompt needs to show the time so we can synchronize our logs. On *nix this is done by setting PS1=$t> and on Windows boxes by typing prompt $T$G
    It will also be helpful if you kept a notepad or plain text file open in which you can write notes, paste information that you have gathered, etc. The more loggi
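Steps 7, 10 and 11 quoted above describe the logging convention: a time-stamped prompt, clocks synchronized to the wargame network, and an `echo <name> goal` marker. As an added example (not part of the thread and not the project's own tooling), this Python script splits such a transcript into per-goal time windows and labels server-side events with the goal the participant had declared at that moment. The sample transcript, the server events, the host names and the 5-second slack are constructed assumptions, and the session is assumed not to cross midnight.

```python
import re
from datetime import timedelta

# "HH:MM:SS.cc>" is the prompt shape shown in step 11 of the quoted instructions.
PROMPT_RE = re.compile(r"^\s*(\d{1,2}:\d{2}:\d{2}\.\d{2})>(.*)$")
GOAL_RE = re.compile(r"^echo\s+(.+?)\s+goal$", re.IGNORECASE)

# Constructed sample transcript (not a real session); host and address are placeholders.
SAMPLE_LOG = """\
10:20:05.10>ping wargame.example
Reply from 192.0.2.10: bytes=32 time=41ms TTL=118
10:21:42.15>echo SQL goal
SQL goal
10:21:42.15>
10:22:10.40>nslookup wargame.example
Server:  ns.example
10:30:00.00>echo web goal
web goal
10:31:15.90>tracert wargame.example
"""

# Constructed server-side events, stamped by a clock assumed to be in sync (step 10).
SAMPLE_EVENTS = [
    ("10:20:05.30", "ICMP echo request"),
    ("10:22:10.55", "DNS query"),
    ("10:31:16.02", "traceroute probe"),      # arrives just after the last prompt
    ("11:45:00.00", "unrelated connection"),  # long after the session ended
]


def clock(text):
    """Convert 'HH:MM:SS.cc' into a timedelta since midnight."""
    h, m, rest = text.strip().split(":")
    s, cs = rest.split(".")
    return timedelta(hours=int(h), minutes=int(m), seconds=int(s),
                     milliseconds=int(cs) * 10)


def parse_session(text):
    """Yield (timestamp, kind, value); kind is 'goal' for a marker, else 'cmd'."""
    for line in text.splitlines():
        m = PROMPT_RE.match(line)
        if not m:
            continue                      # program output, not typed at a prompt
        ts, typed = clock(m.group(1)), m.group(2).strip()
        if not typed:
            continue                      # bare prompt with nothing typed
        marker = GOAL_RE.match(typed)
        if marker:
            yield ts, "goal", marker.group(1)
        else:
            yield ts, "cmd", typed


def segment_by_goal(text):
    """Split a transcript into consecutive time windows, one per declared goal."""
    segments = []
    for ts, kind, value in parse_session(text):
        if kind == "goal" or not segments:
            if segments:
                segments[-1]["end"] = ts  # previous window closes where this one opens
            goal = value if kind == "goal" else "undeclared"
            segments.append({"goal": goal, "start": ts, "end": ts, "commands": []})
        if kind == "cmd":
            segments[-1]["commands"].append(value)
            segments[-1]["end"] = ts
    return segments


def goal_at(segments, ts, slack=timedelta(seconds=5)):
    """Goal declared at time ts, or None if ts falls outside the session.

    The final window is stretched by `slack` because the server sees traffic
    slightly after the participant's prompt timestamp.
    """
    for i, seg in enumerate(segments):
        end = seg["end"] + slack if i == len(segments) - 1 else seg["end"]
        if seg["start"] <= ts < end:
            return seg["goal"]
    return None


def label_events(segments, events):
    """Attach the declared goal to each (time, description) server event."""
    return [(t, goal_at(segments, clock(t)), what) for t, what in events]


if __name__ == "__main__":
    for row in label_events(segment_by_goal(SAMPLE_LOG), SAMPLE_EVENTS):
        print(row)
```

Commands typed before the first marker land in an "undeclared" window, so reconnaissance done before a goal is announced is kept rather than dropped.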
  • Seriously... it's been touched on but it's a very important point. Users are the weakest link in any system. To ignore this element and the way crackers commonly exploit it, is to skew your research from the get go.
  • Read their 'how do you know we aren't working for the man' page? It basically says 'trust, we promise we aren't!' Also it's a very condescending piece of work. I don't trust it. Perhaps they're analyzing the hackers that do hack in so that when someone hacks into one of their systems a year or two down the road, they'll have a set of known hackers with what amounts to a behavioral study on each one. I can see it now: 'we just got hacked, run the characteristics of the attack through the database! hmm, it match
  • by Shoten ( 260439 ) on Tuesday October 07, 2003 @08:21AM (#7152352)
    This company seems to be a bit on the er...amateurish side. Checking out their website [corptech.net], I see that they apparently sell Axxis webcams as though it was some kind of high-end technology, and would love to sell me what looks like "Intranet in a can." Waaaaa hoo. Besides, while I don't go for the typical "it's not in Silicon Valley so it can't be for real" attitude, they are in Fargo, North Dakota. I don't think you have to be in the Valley to be serious, but jeez...it's as if it were meant to be parody!
  • Buy now! (Score:3, Interesting)

    by Maradine ( 194191 ) * on Tuesday October 07, 2003 @08:36AM (#7152487) Homepage
    Why, there's no telling who would fall for such a seductive sales pitch!

    "Hackers, we'll give you $249.95 to display all of your best-kept secrets to our packet dumper so we can build it into our IDS product and nail your pasty white asses when you try it with our clients later! Buy now!"

    Oh, crap. Was my sarcasm filter on?
  • eck (Score:2, Insightful)

    by Sheepdot ( 211478 )
    Hacking is 20% coding, 20% luck, and 60% social engineering. If you throw up a compromisable machine and say, "Hack this" you're losing over half of the social engineering bit, and can expect to see the general rootkit.

    What's going to happen, is with only $250 bucks as an offer, you're going to see a lot of pre-made scripts (and underground boards will have a lot of newcomers requesting new code) and rootkits that lack a lot of the more complicated tools hackers use.

    In fact, one hack should always lead to
  • It's a trap!

    -Admiral Ackbar
    A possible $250 vs. jail. Brilliant.
  • Hacking a website is the equivalent of breaking copy protection, except over the net. Instead of this, it might be better to get a bunch of wares crackers or reverse engineers in a room, and watch/listen to them work.

    The only difference between net-based cracking and reverse engineering is the details...the thought process is the same.
  • Just think how many people you could pretend to be, with 250 bucks per identity you could clean these guys out.
  • If they put research on cracker psychology to good use, we'd probably wind up with dedicated corporate servers with a bottomless vault of porn, nethack maps, and Star Trek divx's that will keep a 15 year-old so distracted he'll never think of trying to break into the rest of the network.
  • pr0n...pr0n...pr0n...pr0n...ROOT...pr0n...pr0n... ROOT...pr0n...pizza...Pepsi...bathroom...pr0n... pr0n...warez...pr0n...pr0n...pr0n...pr0n...ROOT... pr0n...homework...pr0n...

    Probably won't be the most surprising findings in history.

  • Welcome to IRC (Score:3, Interesting)

    by MoreDruid ( 584251 ) <moredruid AT gmail DOT com> on Tuesday October 07, 2003 @07:50PM (#7158776) Journal
    I just think some ppl will open up an IRC channel where you can post your goals & your exploits/methods. easy way to make money... and it doesn't really help the study since everyone is using the same methods and such... of course you can only sign up once with your real address... but hey... inform your non-geek friends they will be getting 10% of the check if you can use their address & IP to bounce off. I'm a bit sceptic about how they'll react to such "abuse" of their system...
  • Hmm... how if you had, say 60 seconds to do it in, ... and a gun was to your head, .... and you were getting an expert hummer at the time, ...

    Now THAT could be challenging.
