Slashdot Mirror

The contest works as follows:

- every team creates a "Cyber Reasoning System", which is software that takes a vulnerable application binary as input and outputs an exploit and a patched version of the binary
- when the contest starts, DARPA releases a crap-ton of applications (for the qualifying event, there were 131, some of which complex applications that comprised multiple binaries).
- each team's CRS analyzes these binaries (without human intervention), and submits the resulting exploits and patches to DARPA

For the final event, there will be multiple "rounds", in which our CRSes will attempt to hack the *patched* binaries provided to us by our competitors. Additionally, their exploits will be actively launched against our binaries, so we can do some traffic analysis on top of our program analysis.

For the contest, Shellphish put on our researcher hats (we are a bunch of graduate students) and condensed a lot of our recent research into an automated Cyber Reasoning System. Given that this was a student effort, there was the expected level of chaos (for example, at one point, one of my teammates accidentally ran "rm -rf /cgc"), and the expected level of fun (fun being defined as staying in the lab all night, working on automated hacking systems!).

In the more general sense of what "Shellphish does", we are a CTF (Capture The Flag) team. By CTF, in this context, I mean a computer security Capture the Flag contest, in which teams have to exploit services (network applications) to steal "flags" (random, secret data) from others teams and redeem it for points. Some popular CTFs are the iCTF (run by us at UCSB for students to participate in, http://ictf.cs.ucsb.edu/), CSAW CTF (run by NYU Poly, https://ctf.isis.poly.edu/), and, of course, Defcon CTF (the world championship, http://legitbs.net/). Shellphish is, I think, the oldest CTF team that's still playing (at least, definitely the oldest still qualifying for and playing Defcon CTF). I don't know how good a distinction that is, but it's something ;-)

(for some reason the first time I loaded this page there were no comments, so some of this is duplicate)

Excellent! Very glad to hear it. There are a /ton/ of helpful resources out there for you. Here's a brain-dump of some of the most popular:

* CTFTime : http://ctftime.org/ : Website that tracks team scores, upcoming events, and writeups for previous events.
* CapTF : http://captf.com/ : My CTF dump-site that includes a calendar, links to "practice" sites (aka Wargames), and many years worth of CTF events archived
* Field Guide : http://trailofbits.github.io/c... : Specifically covering the skills / approaches, the field guide is a good read for anyone getting into this world.
* Guide for Running a CTF : https://github.com/pwning/docs... : Written by PPP (CMU's ever-dominant CTF team) along with feedback from the broader CTF community, this guide is more relevant when making a CTF, but can aid in understanding how the good CTFs are designed.
* PicoCTF : https://picoctf.com/ : PicoCTF is designed for high school students, but had an awesome difficulty curve, getting up to some relatively advanced challenges by the end of it. It's also extremely well designed, runs for a longer period of time and is a
* CSAW : https://ctf.isis.poly.edu/ : One of the best events targeted specifically at College students, unfortunately the qualifier round just finished, and the participants already selected for the final round, but you can always check out the archives of previous challenges to get a feel for the difficulty. Note that the qualifier event is typically intended to be much easier than the in-person finals to better encourage new students to get into the sport.
* IRC : irc.freenode.net#pwning : There's a lively and active community in #pwning on freenode that would be happy to help you with questions/advice related to CTFs.
* YouTube : There's a couple of different presentations/talks on CTFs over the years. If your'e interested in learning more about attack-defense CTFs and in-particular DEF CON CTF, I gave an old talk that's mostly still relevant (https://www.youtube.com/watch?v=okPWY0FeUoU), though I'd recommend you not focus on A/D at first, but just get into the regular challenge based or jeopardy boards as they're sometimes called.

The best way to prepare for CTF is by... playing CTFs. There's no real magic formula, just go out there and start working on challenges. Old CTFs are great as learning exercises since you can usually cheat and read a writeup, but avoid the temptation as much as possible. If stuck, go off and try another problem first, and only if you're /really/ stuck should you check out a writeup.

Have you looked at some MS programs that help with transition?

Some of the major issues you will encounter are:
communication with the Business (they will have language barier)
selling technology to business
Budgets
Politics
Managing teams

There are great programs that will help. For example in NY you can attend:
http://ce.columbia.edu/Technology-Management
http://www.stevens.edu/sit/development/schools/Howe-School-of-Technology-Management.cfm
http://www.poly.edu/amot

The title is traditionally applied in two different (and probably more) senses. The first, Engineer, is given to a range of professions requiring a high degree of mathematical, scientific, and a well-rounded academic education, that is (supposed to be) typical of at least a four-year college degree. The second sense, engineer, is to refer to members of a range of vocational trades that branched out of heavy equipment operations, (especially steam-powered equipment) in the nineteenth century. Both of these traditional uses of the term have well-established precedent.

Here's another: my alma mater offered (not sure if they still do, don't think so) an Engineer's Degree. It was a professional-level degree, intended to be parallel to a law or medical degree - three years full-time beyond a B.S., just short of a Ph.D. Getting it didn't mean you were licensed, but you certainly had more education than the rank-and-file B.S. going out into the workplace.

Actually, this group has done more work in digital forensics including image manipulation detection, camera-model identification and unique SLR camera identification. Anyone who is interested to learn more about their wrk can visit http://isis.poly.edu/projects/forensics and find all the articles published under this subject!

For those who want to read the source material (yes, I am new here, why do you ask?), this appears to be the research in qusetion:

http://isis.poly.edu/~forensics/pubs/investigation08.pdf

Lucky you. Neither my crappy uni nor my hick high school has alumni lists. Well, I am sure the uni does, as they manage to send me letters begging for money once a month, but none of that info is available to me.

I've managed to find my old friends on facebook and linkedin; hopefully none of those sites become as shady as classmates have become, though facebook is starting to get there.

I led a team that competed in one of the qualifiers and found the competition extremely wanting. It's more of an arcane system administration challenge rather than anything about security. Some responses to the competition are collected at my lab's blog here: http://isisblogs.poly.edu/2008/02/29/pre-neccdc/ (see the comments)

power generally increases at a rate of frequency^3

No, power is linear in clock frequency, and quadratic in voltage. References are easy to find on the Web; here's one.

Plenty of examples you can experience for yourself. One of my favorite examples of evolution through the application of natural selection that you can actually *taste* is beer. When I brew beer, I put a bunch of yeast in a liquid rich in sugars. The little yeasty beasties consume the sugar and one of the byproducts of this process is alcohol. However, all of these yeast organisms are not created equally with respect to the amount of alcohol they can handle in their environment. As the alcohol content of the pre-beer rises, less stalwart individuals die off and the ones that are left (i.e. the ones that can handle their liquor) are fruitful and multiply. Their descendants inherit the tolerance of the alcohol-rich environment, and as the generations go by the tolerance of the population gets higher and higher since the less tolerant lines die out and leave only the most robust. Natural selection and beer. Elegant and delicious.

An example of "artificial" selection that also illustrates the principle are the Heike samurai crabs, and no one tells this story more passionately than Dr. Carl Sagan:

http://www.youtube.com/watch?v=RiNKt6gcEM8
http://cis.poly.edu/~mleung/CS4744/f03/ch06/SamuraiCrabs.htm

Cheers!

Here's a good few:

http://isis.poly.edu/~forensics/pubs/icme2007.pdf

http://www.ws.binghamton.edu/fridrich/Research/Luk FriSPIE06_v9.pdf

http://www.ws.binghamton.edu/fridrich/Research/dou ble.pdf

http://ieeexplore.ieee.org/iel5/10206/32570/101109 TIFS2006873602.pdf?arnumber=101109TIFS2006873602

The actual signatures can be retrieved from signal processing methods. I wouldn't have believed that each
camera has its own unique signature (although I have noticed that one or two pixels will be fixed to a particular colour), and that this can be recovered even after JPEG compression.

The advisory indeed speaks only of using DC++ to launch DDoS http://www.prolexic.com/news/20070514-alert.php However, the New Scientist article refers to two academic studies that discuss how eMule and BitTorrent can be misused for the same purpose:

a) N. Naoumov, and K.W. Ross, Exploiting P2P Systems for DDoS Attacks, International Workshop on Peer-to-Peer Information Management, May 2006 http://cis.poly.edu/~ross/papers/p2pddos.pdf
They show that one can subvert Overnet traffic (applicable to eMule that uses the same DHT as Overnet)

b) Karim El Defrawy, Minas Gjoka, Athina Markopoulou, "BotTorrent: Misusing BitTorrent to Launch DDoS Attacks", USENIX SRUTI, June 2007.
They show that one can subvert BitTorrent traffic by submitting to torrent aggregators fake torrent files that advertize the IP of the victim instead of a legitimate tracker's.

Programmers are going to need to make a big shift. Most programmers don't like to think about making use of multiple processors, but the future of hardware looks like there will be very large performance gains available to well written, multi-threaded applications over single threaded applications.

I would agree with you that writing applications with extreme care for parallel stuff isn't fun - if you're not used to worrying about parallel stuff. But once programmers have internalized simple patterns like fork-join or begin to use parallel frameworks like map-reduce multi threaded applications will be a great deal easier to create.

My school (http://poly.edu/ has had the mandatory laptop deal for sometime now. They used to "give" every student a Thinkpad with wifi since our entire campus is wireless. Now students can purchase any laptop they wish. I must say that sometimes its the worst idea to have an all wireless campus because many people use it to chat during class, or play games, and that's very annoying when I'm paying $40,000 a year for that class and its being interrupted by someone playing WoW. Other than that, it's been very helpful.

One of the folks in my research lab has built a system attacking this exact problem.

NABS uses machine learning to detect the type of traffic by properties of the payload, at the end of the day it dosen't matter what kind of protocol your running, once an admin sees it they can just tag it.

Nabs is a network abuse detector. It allows a network to define and enforce a use-policy based on bandwidth and content type. It uses statistical properties of packet payloads to robustly and efficiently identify content types of network flows and monitor the flows for any deviations from the use-policy. Nabs does not depend on well-known port bindings or application specific headers to determine content types. Nabs has been tested on OC3 lines and work is ongoing to scale the system to even higher speeds. http://isis.poly.edu/projects/nabs/

Instinct tells us that computer security and computer usability are inversely proportional to each other. In other words, the tougher and stricter the security is, the less usability there is, and vice versa. However, there have been plenty of cases where both computer security and computer usability went hand in hand with each other and actually improved together. In the last few years security has been the biggest buzzword in computer systems and as such has become part of our computer systems. Before that, computer systems were all about getting it done faster and easier, but now they must also do it securely. Can the two continue growing together? We believe they can, as evident by the most recent Indian Assembly Election.

http://rozinov.sfs.poly.edu/papers/security_vs_usa bility.pdf
http://it.slashdot.org/article.pl?sid=04/11/15/142 0246

CS905 in Poly, right? I dunno, I took his class as well, I think he does a great job teaching Java and OOP.

Because poly grads can not get jobs after graduating with a degree in CS/EE/CompE/etc. due to offshoring and H1-B and L-1, Poly is facing a massive drop in enrollment, resulting in Polytech facing budgetary problems. Polytech has tried to merge with NYU but that fell through. I mean you should see that so many recent grads are being forced to take jobs fields such as construction, police officer and priest since they can not find jobs in their respective majors. Who the hell is going to go into debt for $80,000+ when they graduate they will barely be making $30,000 in fields they DID NOT need a engineering degree to begin with!!!

Of course, the Poly trustees have decided to answer to their corporate masters and vastly increase F-1 visa enrollment because companies want cheap h1-b workers. Too bad the 2nd oldest engineering school in the country is going to be shutting its doors.

-- A disgusted Polytechnic Alumni

PS> About half of the students in the NSA scholarship program at Poly are VERY recently naturalized citizens because Professor Memon obviously only wants his fellow countrymen in the program. The NSA should not be allowing people who they can not do thorough background security checks into sensitive positions. That does not make any sense. In applying for a TS/SCI position, they really go back and check who you are, your friends, your teachers, your parents, etc. Did the US govt. go to India and check these people out!?!?!

Because poly grads can not get jobs after graduating with a degree in CS/EE/CompE/etc. due to offshoring and H1-B and L-1, Poly is facing a massive drop in enrollment, resulting in Polytech facing budgetary problems. Polytech has tried to merge with NYU but that fell through. I mean you should see that so many recent grads are being forced to take jobs fields such as construction, police officer and priest since they can not find jobs in their respective majors. Who the hell is going to go into debt for $80,000+ when they graduate they will barely be making $30,000 in fields they DID NOT need a engineering degree to begin with!!!

Of course, the Poly trustees have decided to answer to their corporate masters and vastly increase F-1 visa enrollment because companies want cheap h1-b workers. Too bad the 2nd oldest engineering school in the country is going to be shutting its doors.

-- A disgusted Polytechnic Alumni

PS> About half of the students in the NSA scholarship program at Poly are VERY recently naturalized citizens because Professor Memon obviously only wants his fellow countrymen in the program. The NSA should not be allowing people who they can not do thorough background security checks into sensitive positions. That does not make any sense. In applying for a TS/SCI position, they really go back and check who you are, your friends, your teachers, your parents, etc. Did the US govt. go to India and check these people out!?!?!

Because poly grads can not get jobs after graduating with a degree in CS/EE/CompE/etc. due to offshoring and H1-B and L-1, Poly is facing a massive drop in enrollment, resulting in Polytech facing budgetary problems. Polytech has tried to merge with NYU but that fell through. I mean you should see that so many recent grads are being forced to take jobs fields such as construction, police officer and priest since they can not find jobs in their respective majors. Who the hell is going to go into debt for $80,000+ when they graduate they will barely be making $30,000 in fields they DID NOT need a engineering degree to begin with!!!

Of course, the Poly trustees have decided to answer to their corporate masters and vastly increase F-1 visa enrollment because companies want cheap h1-b workers. Too bad the 2nd oldest engineering school in the country is going to be shutting its doors.

-- A disgusted Polytechnic Alumni

PS> About half of the students in the NSA scholarship program at Poly are VERY recently naturalized citizens because Professor Memon obviously only wants his fellow countrymen in the program. The NSA should not be allowing people who they can not do thorough background security checks into sensitive positions. That does not make any sense. In applying for a TS/SCI position, they really go back and check who you are, your friends, your teachers, your parents, etc. Did the US govt. go to India and check these people out!?!?!

Because poly grads can not get jobs after graduating with a degree in CS/EE/CompE/etc. due to offshoring and H1-B and L-1, Poly is facing a massive drop in enrollment, resulting in Polytech facing budgetary problems. Polytech has tried to merge with NYU but that fell through. I mean you should see that so many recent grads are being forced to take jobs fields such as construction, police officer and priest since they can not find jobs in their respective majors. Who the hell is going to go into debt for $80,000+ when they graduate they will barely be making $30,000 in fields they DID NOT need a engineering degree to begin with!!!

Of course, the Poly trustees have decided to answer to their corporate masters and vastly increase F-1 visa enrollment because companies want cheap h1-b workers. Too bad the 2nd oldest engineering school in the country is going to be shutting its doors.

-- A disgusted Polytechnic Alumni

PS> About half of the students in the NSA scholarship program at Poly are VERY recently naturalized citizens because Professor Memon obviously only wants his fellow countrymen in the program. The NSA should not be allowing people who they can not do thorough background security checks into sensitive positions. That does not make any sense. In applying for a TS/SCI position, they really go back and check who you are, your friends, your teachers, your parents, etc. Did the US govt. go to India and check these people out!?!?!

If you do make it to NY, feel free to stop by Polytechnic University (6 metrotech in Brooklyn). The Chudnovsky brothers are here (on the 3rd floor) and are currently building a supercomputer for IBM. http://www.poly.edu/polypress/chudnovsky.cfm

At my alma mater, tuition is now a hair under $25K per year. When I started there in 1987, it was $9500. Room & board can be as high as $9000/year (it was $2K/year for room only back when I was in school).

LOL, sweet memories - the student newspaper at my alma mater was called "The Bohican".

At least part of the problem there, IMO, is that too few schools offer programs in Software Engineering. Not just programming (although programming is cerntainly a big part of it), and not the math-intensive curriculum that usually goes with a CS degree, but how to be a software engineer - understanding a customer's problem, determining requirements, specifications, how to design a software system (rather than the relatively small monolithic programs one often writes in CS courses), how to write code that is readable, robust, and maintanable, how to test, how to work on a team, how to manage the lifecycle of a piece of software, etc.

My own CS program (at Polytechnic University, subject of a recent /. thread) taught none of these things (and I'd imagine quite a few CS-not-SE programs out there are the same in this regard); I learned them (and am still learning them, twelve years later) the hard way, on my own and on the job.

If you want a good education, go to a place with a bit of history, 100 years or more, because you can trust that it knows how to maintain its quality.

Poly is in fact over 100 years old. AIUI, it's not a bad place to go for graduate study. They recently built a big new facility in Brooklyn together with a bunch of New York companies. They make most of their money from research; a lot of Star Wars work was done there. It's just the undergraduate study that leaves something to be desired.

I went to college with a Scott Pehnke, around 1990. Hey Scott, if you're reading this, give a shout!

I thought about joining the FBI after graduating from college, but the absurdly low pay turned me off. They require two years of work experience before considering a candidate, and then they hire you at a "training wage" of $45K. After you graduate from the FBI academy, your salary ranges from $53-$58K.

I would love to be a Special Agent, but I'm not impressed with salaries that are $10-$20K below market rate. Granted, there are the warm fuzzies that you get from being one of the "good guys", but that doesn't put food on the table.

Now we know why our agents leak so many secrets to the Russians :)

I agree. I don't remember professors in college teaching spelling and grammar...

Then you must be a Polytechnic University grad.

I would imagine google uses a highly compressed inverted index stored probably in a flat file format. If you would like to read some academic literature on the subject you can find a great list of resources compiled by Prof. Torsten Suel.

The system has room for each of 6 billion people to have almost 2 million numbers. Not a problem.

Not all 16-digit numbers are valid -- actually, far from it. The LUHN-10 algorithm makes sure a CC number supplied by the client is valid before submitting it for authorization. All credit (and debit/ATM) card numbers must fit that algorithm.

Therefore, there aren't nearly as many numbers available as you might think.

--

Just because NT has an admin account doesn't neccesarily make it more secure. I seem to recall a certain 'screen saver' exploit that allowed any user to get admin access on any NT machine that they had physical access to. Yes, I know that any machine that a user has physical access to is not secure, but have you tried to use a NT machine remotely?

Another problem with NT boxes is that Windows applications like to write to the damndest locations. God forbid you want to restrict access to /winnt dirctory - many applications simply won't save your preferences, or simply not run correctly!

Securing the NT computer lab at my school was a nightmare. According to the head Sysadmin, we switched from a NT app server to a Red Hat Linux box because "we stopped the unstoppable Windows NT".

"I may disagree with what you have to say, but I will defend to the death your right to say it"