Linux Server Break-in Challenge 327
Sujit writes "Are you an Internet security expert at heart or by profession? Ever thought of trying your skill at a professionally set up server? If you are ready, enter.
The Linux Server Break-in challenge. You will have a server available on the Internet 96 hours without interruption starting from 9 March 2005 2 AM IST. However, the server's life on the Net is in your hands."
Alternately, . . . (Score:5, Funny)
Re:Alternately, . . . (Score:2)
Re:Alternately, . . . (Score:5, Funny)
Re:Alternately, . . . (Score:3, Interesting)
Re:Alternately, . . . (Score:5, Funny)
w00t!!! I got in! They used the same root password as I use on my box...What do I win???
Re:Alternately, . . . (Score:5, Funny)
Re:Alternately, . . . (Score:2, Funny)
Re:Alternately, . . . (Score:4, Funny)
a.k.a. SCO.com (after all, they claim to own all linux, so have at 'em, boys and girls)
Re:Alternately, . . . (Score:2)
That's not what I heard... (Score:5, Funny)
Isn't this illegal? (Score:2, Insightful)
Re:Isn't this illegal? (Score:2, Funny)
Re:Isn't this illegal? (Score:2)
whatever those may be...offshore?
Re:Isn't this illegal? (Score:5, Informative)
Its just like corporations hiring security experts to attack their systems in order to find flaws (and strengthen their defenses)
Re:Isn't this illegal? (Score:2)
Re:Isn't this illegal? (Score:5, Informative)
No. While I am not a lawyer, the statute on computer trespass are clear that access without permission and beyond one's authorization are illegal. If the access is within one's authorization or owner grants permission for access, it is not illegal.
Permission can be implied. Anyone who puts up a website gives implied permission to access it (since the whole idea of posting a website is to get people to access it, presumably either to give them information - or get information from them - or to sell them something (or buy something from them).) If that were not the case, every person who accessed a website could be charged with the crime of computer trespass since they were not explicitly given permission to access that computer!
If you go to a car dealer, ask to take a test drive, some will simply photocopy your license and hand you the keys, and it's reasonable you can borrow it for 5 minutes or so to drive around the block. (Some will send a salesperson along for the ride; depends on the dealer and the probability of theft.) But if you walked in, took the keys and did the same thing, they could prosecute you for grand theft auto.
Where the owner has publicly given permission and in fact, has encouraged people to access the system as root, this would constitute explicit permission and thus no crime could occur for hacking their box.
Paul Robinson
Challenge accepted! (Score:4, Funny)
Incentive? (Score:3, Interesting)
Re:Incentive? (Score:4, Insightful)
Re:Incentive? (Score:3, Informative)
1. Contests like this make Linux more secure.
2. If your looking to find a job in the security industry, this a is a nice bullet on the resume.
You don't see MS having break in challenges do you? If they did and 17 unknown holes were found and fixed that would have gone unpatched otherwise, would Windows be more secure or less secure?
Uncertainty (Score:2, Interesting)
Employers want to know your skills and how you have such in-depth knowledge of such systems. HOWEVER putting this on your resume is just a red flag for most employers. "If (s)he has the ability to hack into this big-bad server then imagine what (s)he can do to the security-though-obscurity network we've set up". Think about it.
Now you're going to say software companies want secure software and someone to lo
Re:Incentive? (Score:2)
Re:Incentive? (Score:3, Informative)
It seems that the hackers never managed to gain control of the W2K machines, but were able to launch a DOS on it.
Re:Incentive? (Score:3, Insightful)
Re:Incentive? (Score:4, Insightful)
that are used in DDoS attacks? Generating a list of IPs and alerting ISPs
might go a long way of reducing the amount of zombie machines out there.
Just a (possibly naive) thought.
Re:Incentive? (Score:2)
Actually, this is a very good test at the security of the system, and one that I believe we should welcome. The more of these contests we have, the more security bugs that will be found and then promptly patched. This has the potential for leading to a system with nearly un-crackable remote security (assuming all of the results are publically released). So I say hack the crap out of it!
More Interesting (Score:2, Funny)
Selling some sort of hardened Linux, perhaps? (Score:5, Insightful)
Re:Selling some sort of hardened Linux, perhaps? (Score:4, Insightful)
Let me get this straight- 96 hours allows people to try "the worst anyone could throw at it?" In your wildest dreams perhaps. Furthermore how does this prove anything? Do you honestly think a real attacker would waste a 0-day exploit on such a lame contest? Why not wait until several banks have deployed this system and then make some money with such an attack
The hack contests are silly. Any admin with half a brain can set up a secure system and the only way to root it would be 0-day that no self respecting hacker would waste on this system.
If you are serious about security you pay for a full audit of the source code, professional penetration testing over a 2 week period, and you test for root exploits using a local account- on the assumption that somewhere down the line the system will be misconfigured and an attacker will gain non-root privileges.
-sirket
Re:Selling some sort of hardened Linux, perhaps? (Score:2)
Just a small note.
Re:Selling some sort of hardened Linux, perhaps? (Score:3, Informative)
RTFA.
Re:Selling some sort of hardened Linux, perhaps? (Score:2)
Second, all I was doing was listing how you go about correctly assessing the security of a system. I was not trying to imply that they were doing _everything_ wrong- just most things.
That said- have you ever written an exploit? Do you honestly believe 48 hours is sufficient time for someone who also has to work and sleep to test anything? If they truly believe in their system then it should be open for 2 weeks not 2 days.
-sirket
Good point, almost too good another ./ ad (Score:2)
Re:Selling some sort of hardened Linux, perhaps? (Score:5, Insightful)
The assumption you're making is that all "self-respecting hackers" are only interested in farming zombies or stealing data. Have you considered the possibility that there may be skilled people out there who would like to demonstrate their skills, but do so without breaking any laws?
If you are serious about security you pay for a full audit of the source code, professional penetration testing over a 2 week period, and you test for root exploits using a local account
Nice know-it-all answer. Unfortunately, that's more of a gameplan if you're serious about pissing money away. The reality is that the vast majority of Internet security companies consist of SATAN tied to a web frontend. And a "full audit of the source code"? Do you have any idea how expensive (and fruitless) that would be?
I'm sorry, but what you've suggested is not a viable solution to most organizations that actually have to generate a profit. Furthermore, the simple fact that it all comes down to humans staring bleary eyed at thousands of lines of source code means that many bugs and exploits *will be missed*.
The best security practice is to assume that your company's security systems will be compromised and to have plans in place to mitigate the damage.
Re:Selling some sort of hardened Linux, perhaps? (Score:3, Interesting)
It's not that expensive with some of the newer AUTOMATED technologies out there. The DOD and NASA are actually DOING this right now. I have a friend involved with funding advanced research in this area and products are coming. The
Re:Selling some sort of hardened Linux, perhaps? (Score:3, Insightful)
Most large programs are stronger than a simple first order predicate logic, though often with sufficient constraints that you can, indeed, prove them correct (or at least it hasn't been shown that you can't), but there are a large number of programs for which this isn't true. Perhaps more recent work has extended somewhat the domain of provable programs, but ther
Re:Selling some sort of hardened Linux, perhaps? (Score:3, Interesting)
I make no such assumption. I never tried to imply that they "are only interested in farming zombies or stealing data." That comment I made regarding banks was to express the waste of time I consider hacking constests to be rath
Re:Selling some sort of hardened Linux, perhaps? (Score:2)
Why not? Most self-respecting hackers are not hacking to steal.
very handy. *cough* (Score:2, Funny)
Re:very handy. *cough* (Score:5, Informative)
Contests are a terrible way to demonstrate security. A product/system/protocol/algorithm that has survived a contest unbroken is not obviously more trustworthy than one that has not been the subject of a contest. The best products/systems/protocols/algorithms available today have not been the subjects of any contests, and probably never will be. Contests generally don't produce useful data. There are three basic
reasons why this is so. [see link for explanations]
Re:very handy. *cough* (Score:3, Interesting)
The experts and auditors who actually can evaluate a system for "security" have to come from somewhere. Usually these people start off as tinkers, hobbists, and other amateurs. The big problem is how does an amateur gain experience without breaking the law? When I was in college I had to go to great lengths to g
Re:very handy. *cough* (Score:3, Interesting)
Re:very handy. *cough* (Score:3, Informative)
However, a much bigger problem is that they only give 96 hours. The Hardened Gentoo server is much more rigorous, as it has no prize associated but has
While I'm sure they're legit... (Score:5, Interesting)
"Oh, we're putting up a box for the hacking at such and such time. We swear it's ours. No, really! Trust us. "
Few would be the wiser until it was too late.
Re:While I'm sure they're legit... (Score:2)
FTA (Score:5, Funny)
Rules (Score:5, Insightful)
The root partition could be on a read only media such as a CD-ROM, right? In which case nobody could ever win.
Re:Rules (Score:5, Insightful)
Same basic principle (Score:2)
Step 2: Contact Lashkar-e-Toiba [slashdot.org]
Step 3: pwn3d!
Re:Rules (Score:2)
Re:Rules (Score:2)
Re:Rules (Score:2)
For example, if you have root, you could probably use usermode linux to run an additional version of linux within itself with / on a ramdisk. Even if the system has no hard drive and loads everything from flash firmware or a cd, you need to have some ram. If you are root, you can write to that ram and label it with your identification information and subsequently make it a root partition in some way.
Re:Rules (Score:2)
Re:Rules (Score:4, Funny)
Nah. Zorro could leave his mark on a cdrom . .
hawk
vanilla (Score:5, Interesting)
As Linux gets closer to mainstream more and more people are installing without tweaks or recompiles. How well does Linux stand up without the expertise of a professional?
Re:vanilla (Score:2)
Re:vanilla (Score:2)
Could be even a reality TV show (on TechTv as it used to be)
What's the point? (Score:2, Interesting)
-sirket
Re:What's the point? (Score:2)
-sirket
Time zone? (Score:3, Interesting)
If you don't know, you can't play (Score:2)
Re:Time zone? (Score:2)
Great, that means its practically april fools day overthere.....
Jeroen
Re:Swiss? (Score:3, Interesting)
If you don't understand, don't mod.
Uh, ok. (Score:5, Interesting)
Such a feat and sharing of knowledge should be worth about $1,000,000. I'm sure they'll get a lot of contenders with their offer of $0.
Re:Uh, ok. (Score:4, Informative)
From TFA: This server won't be protected by firewall. There won't be any fake demons or honeypots as well. It will be running all the services normally found in a regular Linux distribution and more.
Re:Uh, ok. (Score:5, Informative)
Now there's probably a Marketing Department that put them up to it, and some PHB's may be impressed, but it sure announces to the security community, "Hey, we have no idea how to think about security - buy our stuff!"
Windows 2003 breakin challenge (Score:4, Interesting)
There are likely hidden exploits in both OSes, but these things take time to find. Stumbling upon something by luck is quite common.
Social engineering (Score:4, Funny)
It's probably something like: thislinuxis2coolforU2crax0r
Hmm, that sounds like something I should use as a root password. Forget I mentioned this.
Honeypots? (Score:3, Interesting)
For crying out loud (Score:2)
Altruistic intellectual pursuits are one thing, a penguin t-shirt is completely another.
On the other hand, could this be:-
1. A secret government program to ferret out crackers?
2. Google's latest recruitment drive?
3. Network Associates looking for a new CEO?
Re:For crying out loud (Score:3, Funny)
I'd prefer Napoleon Dynamite's helicopter shirt. To each his own, I guess.
Outsourced (Score:3, Funny)
Just a hacking challenge (Score:5, Insightful)
Re:Just a hacking challenge (Score:2)
Re:Just a hacking challenge (Score:2, Insightful)
Re:Just a hacking challenge (Score:4, Informative)
The main difference is that this one was announced on a slow news day.
Social Engineering (Score:5, Funny)
I am currently working on a project sponsored by you in which I need to break into your computer. In order to do this, I will need the root password. Also, my SSH signature is attached to this message. Please add me to the list of valid signatures.
Thank you,
Inkieminstrel
Social Engineer
Re:Social Engineering (Score:5, Funny)
From service@linuxsense.com Fri Feb 25 22:51:32 2005
From: "linuxsense"
To: root@linuxsense.com
Subject: linuxsense Account Security Measures
Dear linuxsense root,
Your account has been randomly flagged in our system as a part of our routine security measures. This
is a must to ensure that only you have access and use of your linuxsense
account and to ensure a safe linuxsense experience. We require all flagged
accounts to verify their information on file with us. To verify your
Information at this time, please visit our secure server webform by
clicking the hyperlink below [...]
What about system crashes? (Score:3, Interesting)
Lemee guess the "Catch" (Score:3, Interesting)
Then they hand out root
Limber Up (Score:3, Funny)
*Installs soda machine*
*dims lights*
*cracks knuckles*
I'm ready...
Reminds me of Red Hat EL (Score:3, Insightful)
But as the old slashdot article also states the 2nd generation was able to stay afloat.
Seems like a great way to learn how to secure a system though - let the best hackers/crackers out there have a go, and learn what went wrong.
Oh the irony.. (Score:3, Funny)
Subject: "I hax0r3d your box!11"
Dear adm1n, I hjax0red your l1nu> box, look at the attached screensh00t as pr00f!!!
h4x0r3d.vbs.exe.scr.pif.dll.bat
Look at the pic and I will hack^H^H^H^H show you!!
Yours
skr1pt k1|)|)1e
PS: I am tha l33ts7 I even misp4ll l36t words.
Take the easy way out (Score:5, Funny)
give away valuable skills (Score:2, Insightful)
They know damn well that the expertise they're looking for is very valuable, and yet they're not even offering a token prize. Pathetic.
I hope they don't even get a single packet. "Hey everyone! Try to break into our server! It'll be FUN!!!" "...."
Re:give away valuable skills (Score:2, Insightful)
Apparently, linuxense is saying, "Hey we don't have enough resources to test our OS's security. Let's stroke the egos of the hacker community and maybe we can trick them into working for us, for free. Free labor, woohoo!"
I disagree. How is this different than releasing a beta test to the Internet?
As far as not having enough resources...having someone OTHER than the people who developed the system test it only makes sense.
DOS Lamers (Score:2)
I have to wonder if their hosting provider won't wind up throwing them out.
Aftermath (Score:2, Funny)
Extra Credit (Score:3, Funny)
1) Erase the kernel and everything else, replace with printf('Do you want to play a game?\n');
2) Break into the sniffer on the bridge, and erase the packet logs. Return a copy later.
3) Install BSD on it.
4) Install and register Win XP on it, which would really confuse the next hacker.
Remember the LinuxPPC Security Challenge? (Score:2)
LinuxPPC: "Crack our box." [lwn.net]
We (LinuxPPC Inc.) announced that in response to the LinuxPPC Security Challenge, a competition to break in to a computer running LinuxPPC 1999. The target computer is running the standard installation of LinuxPPC 1999. The target box has the Apache web server and telnet services turned on. Sendmail and FTP are not activated yet.
The contest was announce in response to Microsoft's Window 2000 security challenge, which h
Why bother (Score:2, Insightful)
a.) So many people will be trying, that the bandwidth available to do anything with the machine at all will be practically zero.
b.) Some "hax0r" will decide to just packet the machine to death, thereby making it impossible to even do anything to.
c.) The software will be up to date, limiting any vulnerabilities that can be taken advantage of,
Sl45hd0773d! (Score:3, Interesting)
However, the server's life on the Net is in your hands.
Ye-e-esss... just post the news on Slashdot, that ought to take care of the server's life on the net. Good idea!
On the other hand, it could be that the 37 different rootkits are so busy 0wnz0ring each other, that the web service just MIGHT get enough peace to run for the required 96 hours. ;-)
--Bud
SELinux or something (Score:2)
You'd have to find an unpublished local root exploit in the Linux kernel. Good luck with that one.
This contest makes no sense. (Score:5, Insightful)
1. White hats. Why would they do it? If they're any good, it'll just be a waste of time, and you can always set up your own server to practice with. There's not even any prize!
2. Black hats (I mean real ones, not script kiddies). They wouldn't bother either. Why expose the contents of your secret toolbox for no good reason? Any hack attempts (and successes) will be fully logged, revealing your secret exploits. That's no good, is it?
3. Script kiddies. Maybe they'll try, but they won't get in, unless the server is embarrassingly badly configured. If they do manage to crack it, what does that prove? That it's possible to set up a Linux box with terrible security if you happen to be incompetent?
I'm having a hard time figuring out exactly WHAT this contest is for. The only thing I can imagine (which a few other people have mentioned in this discussion) is that it's meant to enhance the image of Linux as a secure platform. So what -- so you've shown that if you do a good job configuring your box, you can keep out script kiddies. To put it bluntly, no shit.
Re:This contest makes no sense. (Score:3, Interesting)
That roughly describes me. I'd give it a try if I had any free time.
Harsher tests (Score:3, Interesting)
I'd love to get the resources to do this with some old software. Particularly, I'd like to set up a system with software all about 3 months behind on patches, SSP protected, PaX protected, PIE binaries, with the only up-to-date component being the kernel.
I'd also need to allow for user simulation by giving a Web interface to control a Web browser; and by setting x-chat and gaim connected to everything.
Basic outline:
That would be my setup. And yes I'd use 2.6.11 GrSecurity with the fixed PaX.
Man, now I want to find people to sponser me some lines to run 3 or 4 honeypots. . . .
Re: (Score:2)
Re:Windows Server Break-in Counter-Challenge (Score:3, Interesting)
Re:/. Effect (Score:4, Funny)
You got it! (Score:3, Insightful)
I have to agree that this is a lame ploy at getting publicity. Hopefully others can see through it too.