Slashdot Mirror


Capture The Capture The Flag

bgp4 writes: "During DefCon 8, the Shmoo Group sniffed all the Capture the Flag network traffic. For those that don't know, Capture the Flag is a weekend-long hacking contest held at DefCon each year. The network dumps have now been posted and are available here. Hopefully by making this data available to the public, software developers will become more aware of how vulnerable their software really is and fix the root of the problem. Better intrusion detection isn't the answer ... Secure software is. We're looking for mirrors, so if you'd like to host the data, please let me know."

  1. Better intrusion detection not the answer? by interiot · · Score: 2
    Better intrusion detection isn't the answer ... Secure software is.

    The human body disagrees somewhat. The immune system detects intruders and stops them before they can cause damage. This allows security to be designed once and well, rather than requiring the additional overhead for each component. This becomes more important as programs get more complex and have more components. (more complex = less secure, but we can't mandate that all programs be simple, so we have to find another way).

    Granted, there are other layers of security such as cell walls and nose hair, but the body still uses intrusion detection as a large part of its defense.

    1. Re:Better intrusion detection not the answer? by bgp4 · · Score: 2

      I like the immune system analogy. However the human body's immune system is the result of millions of years of evolution. The current state of secure software development is still in the primordial goo where the organic molecules are blindly flailing trying to build a cell or 2. It's hard to protect something that doesn't have any defenses in the first place.

      One of my fav quotes... It's from Steve Bellovin from ATT:

      "firewalls are a network response to a software engineering problem"

      I'd add intrusion detection to that statement.

      --
      I'm down with that, as it were
    2. Re:Better intrusion detection not the answer? by interiot · · Score: 2

      I'm not saying that intruder detection is a silver bullet. Just that the human body survived moderately well before the 1800s, largely due to its ability to recognize the difference between an outsider and itself, and to attack the outsiders. Intrusion detection is what evolution chose to do in the absence of doctors, so I don't think it's something that should be shunned.

    3. Re:Better intrusion detection not the answer? by Chuck+Chunder · · Score: 4

      Talking of evolution, the human body and the 'success' of the human race is misleading.

      In your original post you state that the immune system 'stops them before they can cause damage'. That's somewhat untrue. The human body (and in fact race) survives by having enough redundancy that it can sustain vast amounts of damage but continue to function and replace the parts that fail.

      Evolution works not by choosing intrusion detection as a good method of protecting the individual, but by having enough redundancy and variety such that the failure of individuals doesn't matter a great deal to the race as a whole.

      I don't see that as a good (cost effective) solution for a computer network. Individual parts are likely to contain unique information and cannot simply be recreated after destruction.

      That doesn't mean that intrusion detection doesn't have its place, but using the human body/race as an example to promote its effectiveness is rather dubious. The human body/race simply 'works' on an entirely different scale with a relatively unlimited amount of resources.

      --
      Boffoonery - downloadable Comedy Benefit for Bletchley Park
  2. Re:The Rules: by dolo666 · · Score: 2

    All you can do is manage the risks. There is no security.

    This is music to my ears! I agree with your adept comment that altruism sucks, yet one can never sing the security song loud enough to management, with their semi-focus on the real issues in a product -- they salivate on profit and unachieved success while the deadlines they push are forcibly unreasonable.

    Good management listens, and better managers do best to respect the lowly designers, who all tend to respect the job at hand. (Orwell, "Napoleon was a sturdy pig.")

    The problem with society is that society has problems.

    Management almost always is the root of all evil when it comes to product safety. While you can package security in your product, to whom you sell security depends on what you have to sell. We can sit here like a gaggle of winos, contemplating if a product is going to be secure, or we can push back deadlines and make things work correctly before D-Day.

    Buddha said it best; "The gatherings of your neighbor are not meant for your jealousy!"

    Management stiffs are often jealous. They often forget the reality of what's going on in the day-to-day because they are stuck looking at how good the new office rep has it.

    Tell that to Mohammed. /d

  3. Another Thing I Would Like To See by n3rd · · Score: 4

    I would also enjoy seeing the shell histories of the people who participated in this event.

    When I see intrusion detection and honeypot articles, the most interesting thing IMO is seeing the shell history of the intruder. Shell history is one of the best ways to actually see an intruder's train of thought step by step, uncensored. Getting in, obtaining root, cleaning the logs, setting up rootkits and trojans, etc.

    The other thing I take much joy in reading is IRC logs of hackers (posted in some honeypot articles). I feel the IRC logs are the best insight as to which hackers are the real thing, and which ones are just script kiddies begging new spl0its off of the veterans and innovators.

    1. Re:Another Thing I Would Like To See by Anonymous Coward · · Score: 5

      Here ya go:

      ------------------------------

      $ ./wuftpd2600.c
      bash: ./wuftpd2600.c: Permission denied
      $ compile wuftpd2600.c
      bash: compile: command not found
      $ make wuftpd2600.c
      make: Nothing to be done for `wuftpd2600.c'.
      $ BitchX h4x0rd3wd irc.h4x0r.net
      .
      ..
      ...
      ..
      .
      > /join #h4x0r
      > whose got ne 'sploitz? i will trade you my entire 36gig pr0n collection!
      <l33tist> g0 4waY l4m3R. j00 R n0T a h4x0R l1Ke uS 'l33t p0eople!!!
      <supahacker> gotta go, my dad wants to use his computer.
      <p1mpx0r> d3wDz! 3y3 juST 0wN3D www.sheep-pr0n.com! we g0t 3n0ugh sh33p pr0n t0 mak3 0ur d1ckZ bl33d f0r w33kS!!!!11!1!!!1!!1!!
      *** You have been kicked off channel #h4x0r by l33tist (j00 R n0T l33T enUf f0r #h4x0r!)

      ------------------------------

      did this give you any insight?

  4. Which leaves a gaping security hole for... by yerricde · · Score: 2
    ...the AIDS virus.

    The immune system detects intruders and stops them before they can cause damage. This allows security to be designed once and well, rather than requiring the additional overhead for each component.

    Some of the most successful viruses (e.g. AIDS) attack the intrusion detection system directly.


    <O
    ( \
    XGNOME vs. KDE: the game!
    --
    Will I retire or break 10K?
    1. Re:Which leaves a gaping security hole for... by interiot · · Score: 2

      That's because the immune system plays such an important role. But it's not invincible.

  5. Re:This is good by Admiral+Burrito · · Score: 2

    People get really mad when they buy a defective VCR or a car that after two days won't work. When those things happen they usually return the product and when personal security is involved (in the case of cars) they can even sue the company that made the car.

    The problem is, insecure products work just fine as far as the user can tell. In fact, insecure products often work "better" (easier to setup and use) than secure ones.

    Also, security is something that can only be proven in the negative (with very few exceptions). So a company can boast about how seriously they take security even when they don't have a clue how to write secure code. After all, they don't know that they are not secure, right? When holes are found they fix them while continuing to boast about how seriously they take security. For most people, software companies' claims of security are all they have to go on.

    The programmers responsible may not even know that they are doing anything wrong. I've spoken with some application developers who think security consists of "passwords and stuff" even after I've shown them how to exploit bugs in their own code. And these are people who've written security-sensitive apps for some large corporations.

  6. This is good by Hard_Core_Nerdity · · Score: 3

    Maybe this will teach software companies to put less pressure on overworked programmers trying desperately to meet unrealistic deadlines. They don't realize that people don't work well when they don't have time to do their jobs properly. Many of these companies will never learn their lesson, if you doubt me, look at the number of known security holes in a certain operating system fittingly named after a hole in a wall.

    1. Re:This is good by evilquaker · · Score: 2
      Maybe this will teach software companies to put less pressure on overworked programmers trying desperately to meet unrealistic deadlines... Many of these companies will never learn their lesson...

      The only way they'll learn their lesson is if they start losing sales because of security flaws. Right now, security doesn't sell (to the general public and PHBs), but "features" do, and that's why we're in the state we're in...

      --
      To within half a percent, pi seconds is a nanocentury. -- Tom Duff
  7. The Rules: by chazR · · Score: 4

    Rule 1: It's not secure unless it's encrypted.
    Rule 2: It's not secure unless it's encrypted.
    .
    .
    Rule 47: It's not secure unless it's encrypted.
    .
    etc

    Rule 0: Encryption (on its own) does not give you security. Sorry.

    And, now, the important rules:

    It's not secure "Because they told me it was secure". The people at the other end of the link know less about security than you do. And that's scary.

    It's not secure because "Nobody cares what I do online." Wrong. Somebody might care. If it's online gaming, I will happily snoop your packets for an advantage.

    I hate to spout the truism again, but here I go anyway: "Security is not a product. It's a process"

    All you can do is manage the risks. There is no security.

  8. Re:Very creative by bgp4 · · Score: 3

    We've been planning this for a while now.. I think since April or so. It wasn't based on the MacHack thing at all... the group just came up with the idea.

    As far as the "decency" thing... The capture the flag network at DefCon is a LOT different than the public network at MacHack. There was only one purpose of the data on those wires; attempted compromises of remote systems. This data has real value to the security community, not random artistic value like the MacHack data ;)

    --
    I'm down with that, as it were
  9. no pun intended? by canthidefromme · · Score: 4

    "Hopefully by making this data available to the public, software developers will become more aware of how vulnerable their software really is and fix the root of the problem."

    Get it?? the ROOT of the problem? hehe...

    -j

    --
    -sigs of the world unite
  10. Re:analysis tools? by FireWhenRady · · Score: 2

    The open source ethereal network analyser Ethereal at zing.org has a large number of protocols defined.

    Another good analysis package is the SNORT intrusion detection system at snort.org

  11. Re:OT: Re:It sucks to have to view at +2 to avoid by Restil · · Score: 2

    Don't they have anything better to do?


    Obviously not.

    Tis a shame that one downside of the internet is that the average lamer is protected from what would get him beaten to a pulp in real life by the same actions.

    What's truly sad is, when I was the age that most of these idiots probably are, I don't recall knowing anyone that would need to resort to such action to entertain their pathetic lives. Those of us who didn't fit in generally found other more rewarding activities to participate in. Trolling certainly wasn't among them.

    -Restil

    --
    Play with my webcams and lights here
  12. The author is wrong. by Syberghost · · Score: 2

    Better intrusion detection isn't the answer ... Secure software is.

    You're completely wrong.

    "Secure" isn't an object, it's a process. There is no such thing as "secure" in the sense you seem to imply.

    In meatspace, we can't make a house that can't be broken into; it would no longer be a house.

    The same is true of computer security. Secure software only keeps out the lamers, which is an admirable goal in itself, but is only part of the picture.

    Intrusion Detection is about accountability, which combines with the law and the courts to result in deterrence; kind of like the way most people won't break into your house because they might be seen by your neighbors, they might leave fingerprints or other evidence, and you might have alarms or cameras, with all of that meaning that they might go to jail and/or get their ass kicked.

    We know how to build good software, although we often don't do it. Intrusion Detection is where all the hot research is going to be for the next few years.

    -