Moronic Hacking Contest Ends In Free-For-All

atomgiant writes "ZDNet is running an interesting article about the KDWorks hacking contest that has gone bad, or good, depending on your perspective. Entertaining read in any event." I think that Bruce Schneier has said it best on the value of contests such as this one. That the registration server was compromised I think is a telling comment on the value of whole site security.

Hmm

[FooBarWidget]

Why do I have a feeling that they're using this "contest" to lure hackers, only to get them into jail...

Re:Hmm

[clunis]

that would explain why it otherwise appears to be a honeypot. ;)

Re:Hmm

[unicron]

They have this law, called entrapment, that says people can't be baited into committing crimes. You should look into it, might interest you.

Re:Hmm

Excuse my ignorance, but does this law apply in all countries? I know it does in the US, but that doesn't automatically mean it does to the other hackers' countries.

Re:Hmm

Why do I have a feeling that they're using this "contest" to lure hackers, only to get them into jail...

Could be paranoid schizophrenia...

Re:Hmm

[Silver+Rose]

If they have the consent of the owner of the computer being hacked, then they have comitted no crime. This would be only a little bit of circumstantial evidence against any given hacker. I, for instance, may someday take up hacking because it sounds like a fun challenge. However, I would have no intention of hacking a computer without the owner's express written permission. Ergo, I would never have comitted any crimes, and the contest would not have lured me into doing anything.

Re:Hmm

[fishebulb]

entrapment only applies to LAW ENFORCEMENT.

there is no crime commited here because the people were allowed to.

Entrapment only applies when a law enforcement official gets you to commit a crime that you wouldnt without them badgering you.

So since its not a crime to hack into something you have permission to, and they are not police/FBI/etc there is no entrapment

Re:Hmm

[unicron]

Well, considering they keep changing the rules and backpeddling, I'd say the amount of confusion being generated by this contest gives the hackers a nice layer of protection.

Re:Hmm

I wouldn't say that it's to get them into jail... But I'm sure using a "contest" like this wouldn't go beyond what "Homeland Security" would do to find potential "threats", so they can begin to keep tabs on them.

just a thought...while it's still free to have one...

a terrorist
(...at least according to the USA PATRIOT ACT)

Re:Hmm

[unicron]

I'm afraid you really don't know what you're talking about. What do you mean allowed too? When the police do it, criminals also believe they're "allowed to" only to get taken away directly after doing it.

You're also just reinforcing my point by saying that only the police can attempt this. Police get nailed to the wall for doing this, so what do you think would happen to a private company?

I could've hacked any damn server in their company during that 48 hour block and claimed I was under the impression the server I hacked was the true target, and the rest were honeypots. It's completely plausible. Hell, it could be completely true. You take a wrong turn in their infrastructure and start hacking the payroll server my mistake..hell, an honest one.

In short, this company doesn't have the slightest hint of a leg to stand on if they decided to pursue criminal charges against those hackers involved in the contest.

Re:Hmm

"You're also just reinforcing my point by saying that only the police can attempt this. Police get nailed to the wall for doing this, so what do you think would happen to a private company?"

It's ironic that a post this misinformed comes from someone with your sig. READ THE LAST POST, DIPSHIT

Then go kill yourself, please.

Re:Hmm

[unicron]

Actually entrapment simply means "to draw into damaging admission". I can entrap people into doing things, so can you, so can anyone. 5 year olds tell their little brothers to steal cookies just because he wants to watch the kid get punished.

Regardless of what Sean Connery tells you, dipshit, it's a not a thing only the police can do.

And my sig means that arrogant people are usually ignorant. My post was neither.

Re:Hmm

[mabinogi]

Entrapment only happens when police trick someone into doing something illegal. The act of encouraging them to do it, doesn't make an illegal thing legal, which is the whole point.

One part of the previous poster's point was that the act of 'hacking' into a machine you have been given permission to try and crack is not illegal in the first place, so therefore entrapment cannot apply, whether or not it's done by an officer of the law or a private entity.

Re:Hmm

[neuroticia]

I don't think it was "entrapment", and I don't think the original poster was saying that it was. I think that the point of the post could have been better put into a paragraph or three as opposed to a sentence.

The contest could keep records of those who participate, and all the attempts made, and then hand them over to a law enforcement agency to give the agency a "fingerprint" of the hackers involved. Since the contest was legal, the hackers would not have attempted to cover their tracks, and most likely would have used a trackable/real internet account. The law enforcement agency, once posessing the "fingerprint" of the attack could then compare it to similar (illegal) attacks and see if any of them had the same fingerprint.

The actual act of hacking a server that a company has opened up for hacking is not illegal and they could not be arrested for trying to hack that particular server, but they could then be brought under investigation for any crimes that were committed with similar methodology.

-Sara

Re:Hmm

You confuse the legal term with the general idea. It's only a legal defense if the government does the entrapping.

Re:Hmm

Obviously you have either never had any interaction w/ law enforcement in this country or you are an ignoramus. The LETTER of the law and the actual ENFORCEMENT of said laws are completely different animals. Having wasted 3 years of my life in prison on erroneous charges and tens of thousands of dollars in legal fees to get said charges dropped, I can ASSURE you that innocent until proven guilty is a JOKE.

POINT: If you are certain that entrapment is illegal & not practiced in this country, how do you explain undercover police, VICE, narcs, cops in shops, etc etc etc???????

I'm terribly sorry to be the one to shatter the plastic bubble that you've apparently grown up in, but let me assure you, my naive little friend, THERE IS NO SANTA CLAUS!!!!

Re:Hmm

One interesting tactic used by police though, is that they set up criminals (or hackers in this case) to do crimes, dont prosecute for those crimes. But nab them the next time they do something. Kinda like getting an ip address whenever someone tries to log in....

Now granted a good hacker will jump all over the place with an ip address, but the good ones you probably wont get anyways, its the sloppy ones they tend to nail to the wall, and make it seem like they were really hot stuff (Anyone remember the script kiddies who did the DDOS attacks a while back? yah that takes tremendous skill *rolls eyes*)

DEFCON, HOPE, etc

[totallygeek]

Do many companies feel that these are more beneficial to send employees to (IT nerds, information security people, etc) than some of the security training courses/seminars we all get junk mail from? I am working really hard for my company to send me to Red Hat's firewall school, DEFCON, and then SANS. What is the general concensus?

Re:DEFCON, HOPE, etc

[TweeKinDaBahx]

None, because hackers don't tend to teach each other anything. If a company were to send thier IT team to DEFCON with the hope they would learn something, it would also make sense that the company in question must have a CIO who smokes crack.

Security seminars are geared so that everyone learns, cons are geared so that people who already know can have fun.

Re:DEFCON, HOPE, etc

[totallygeek]

Security seminars are geared so that everyone learns, cons are geared so that people who already know can have fun.

I am finding myself unable to get anything out of going to seminars. So, maybe I am closing that gap between needing to learn basics and picking up information at a conference. It is tough when I am told that I must attend training, and it is boring information about ports and services and maybe something about some Windows software I will never use that can do "what is called a port scan."

Maybe I will go to DEFON or the like and see what I can input and bring back...

Re:DEFCON, HOPE, etc

[TweeKinDaBahx]

Everyone has a different way in which they learn, some people can't just be told or shown but must do something hands on.

Maybe there's something to be said for DEFCON as a way to learn security.

I look at it this way: Training should include some of the boring stuff, because it does tend to be important. Yet you must also cover how things work in the real world, and the best way to do this is by demonstration (not just by being shown, but also by seeing and doing it yourself).

Maybe a combination of classwork/honeypot games would make a good training course.

(BTW, That idea is open Source, just like my beer).

Re:DEFCON, HOPE, etc

[Digital+Prophet]

None, because hackers don't tend to teach each other anything. Huh? Part of the nature of a hacker is to ask questions. The hacker community as a whole does nothing but teach each other stuff. Perhaps you like to ignore the hacker publications like 2600 Magazine. I think you are thinking of some other people.

Re:DEFCON, HOPE, etc

[bafu]

Security seminars are geared so that everyone learns, cons are geared so that people who already know can have fun.

Based on my experience at the cons, I'd have to say that is a fair assessment. On the plus side, some were very cheap. You pay for your hotel room, but your actual conference fee was kicking in a share for the booze... :-P

Anyway, they weren't a complete waste of time, but the primary benefit was meeting folks, not learning lore.

I am finding myself unable to get anything out of going to seminars.

They don't do much for me, either. The thing is, if all you are looking for is info on how to better secure your systems, there is loads and loads of it available on the net. The plus is that you can proceed at your own rate and dive however deep you want. If your boss is really twisting your arm about taking courses, I'd see if you can get something detailed on advanced firewall configuration or performance tuning something like that. Those are areas where it's common to only take the self-training as far as the immediate job requires... a course might cover things that would be nice to know in the future, as well. If the boss'll spring for books, that can be good, too.

Re:DEFCON, HOPE, etc

[totallygeek]

I'd see if you can get something detailed on advanced firewall configuration or performance tuning

It hasn't worked out where I can attend the Red Hat firewall course this month (I am an RHCE now), but aside from that type of intense course -- where are the other options? I am beyond what I can learn from a CompuMaster or security boot camp type workshop.

Re:DEFCON, HOPE, etc

[TweeKinDaBahx]

Part of the nature of a hacker is to ask questions.

Sure, we all have to learn somehow. Have you ever seen the "Nick Burns, Computer Guy" sketch on SNL? That's what talking to most hackers is like. Hackers may teach each other, but normally it by passing you off to a link or some other reference. Since not all of us can learn in this fashion, one might as well be asking thier hairdresser to teach them about buffer overflows in BIND.

The hacker community as a whole does nothing but teach each other stuff.

Maybe they should teach each other a little something about tact, empathy, and of course, personal hygiene.

Perhaps you like to ignore the hacker publications like 2600 Magazine.

This is like saying "Newsweek tells me the news". Sure, it has some substance, but how useful is half of the garbage they print in that magazine anymore? It's really gone downhill from what it used to be. Not to mention that it's nearly impossible to find anymore (ESPECIALLY if you don't live in a big city).

And to elaborate upon "hackers don't tend to teach each other anything", at a con like DEFCON, your trying to win. Why would you teach a no0b how to do it when you could be using your time to get it done yourself?

Oh right, RTFM is not a valid training technique for an absolute no0b once programs get more complex than outlook. So don't even go there.

Re:DEFCON, HOPE, etc

DEFCON was cool 4 years ago. It's 2 years past having a point now. It's 95% lamers and wannabes at this point.

Re:DEFCON, HOPE, etc

[Pinball+Wizard]

Have you ever seen the "Nick Burns, Computer Guy" sketch on SNL? That's what talking to most hackers is like.

you really shouldn't be involved in computer security if that's the case.

There is a name for people who can follow simple, easy-to-understand laundry lists of how to approach computer security. They're called script kiddies. You really think this stuff can be simplified to the point that you can understand, given your apparent lack of experience?

Becoming a real hacker as opposed to a script kiddie takes years and there are no shortcuts. Learn the inside and outs of the operating systems you use. Learn a programming language inside and out. Then learn successively lower-level programming languages until you get to C and assembly and learn those. Meanwhile, pay attention to the theoretical aspects of all this stuff - meaning learn about algorithms and the underlying mathematics.

No one is trying to hide the secrets from you, just trying to discourage you from thinking there is a simple explanation to everything - and thinking that someone can tell you all about computer security in plain english(i.e. none of those anti-social phrases like 'buffer overflows') You want to be a hacker? Hit the books, and be prepared for years of hard study.

Then you might understand some of those seemingly obscure references that for the moment are beyond your grasp.

Re:DEFCON, HOPE, etc

[electroniceric]

I disagree.
There's no excuse for not knowing how to communicate with people of variety of levels. You may be a whiz in front of a
[root@boxen root]$
but if you can't express these ideas to people who don't already know most of what you're talking about, you're taking a lot of chances on somebody recognizing your genius.

I do agree to really master the subject, you do have take the time to learn it through and through. A buffer overflow is a compact phrase representing of a particular concept. But you may well be called on to explain in lay terms what that idea means and why Project X should pay you to make sure there aren't any.

All of which is to say, make sure you take an English class or two before leaving college.

Re:DEFCON, HOPE, etc

[oni]

but if you can't express these ideas to people who don't already know most of what you're talking about, you're taking a lot of chances on somebody recognizing your genius.

I suspect these people who failed to express their ideas to you had very little respect for you and held you in such low regard as to be completely unconcerned with whether or not you recognized their genius.

I also suspect you'd have a similar experience if you asked a brain surgeon "how do you make it go?"

That said, this is not intended as a flame. I simply wanted to point out my own experience. I think some people can be quite articulate - and also very choosy about whom they articulate to. Once I stopped asking stupid questions, I found I was no longer seen as stupid and I ended up learning a lot more.

Or to put it another way: "it is better to keep your mouth shut and have everyone think you're a fool, than to open it and remove all doubt" -- Mark Twain

Re:DEFCON, HOPE, etc

[CAIMLAS]

If I'm not mistaken, isn't that quote actually belonging to Abe Lincoln?

Re:DEFCON, HOPE, etc

[a+nanny+mouse]

How do you not ask questions -and- learn more?

Re:DEFCON, HOPE, etc

[oni]

How do you not ask questions -and- learn more?

If you constantly ask question like:
"teach me how to hack?"
"how do I break into windows?"
"do you have any zero-day exploits?"

They'll think you're stupid. You'll learn nothing. You see, anything is better than nothing.

If you just watch what they are already doing, you *will* learn something. Obviously, if you miss something you can ask "What was that?" They'll answer those questions. Just don't be an annoying little leach.

Re:DEFCON, HOPE, etc

[Gryftir]

What I think would be most helpful for some is direct hands on training over a course of time.
First off, hands on means directed training, I found most seminars were focused on the theory, I think theories are after market add-ons to practice. Only after going through enough processes, either on your own in a self directed fashion, or with the personal attention of a teacher, can you really grok a theory.
Case in point, a long time ago I took a class on computer networking. This wasn't Cisco Routing 101 or anything that useful, but one of those classes where we learn facts about protocols, history, and that fucking layer system. Only after I got to play with routers did all that theory make sense. And in no way did that theory actually help me with the routers.
Second, IMHO the only way to learn discipline is through actually going through the processes. It's the difference between reading a book on HTML and actually building a webpage, only by producing something do you learn. That's the real reason you make webpages in those internet classes, not some sort of test of your ability, but the use of what you learn settles that knowledge in you.
If you want to teach people proper security auditing, or whatever term you use for network security procedures, you have to stop giving them lectures on attacks, and start giving them systems being attacked, or perhaps better, start them attacking systems. Gryftir Santa Carla by Night

Re:DEFCON, HOPE, etc

[Shadow51]

I've been to Defcon and the truth is there is alot to learn...

Re:DEFCON, HOPE, etc

How do you not ask questions -and- learn more?

Anyone can go buy copies of "C in 21 days". "TCP/IP Illustrated", and a good or two about unix/linux and windows. Then invest some REAL TIME learning the ins-and-outs of the system and make some contibutions to some real programs. Books can only make you "book smart", but hacking on real code is an opportunity within almost anyone's reach these days, with all the free software projects out there.

But that's a lot of "work" that takes years. If it seems like "work" instead of something so interesting you can't put it down, save yourself some grief and give up NOW (go watch TV instead)

If you just want to HACK SHIT NOW, you can employ much more easily obtained skills, like web surfing and IRC to find scripts, utilities, password guessers and word lists, rootkits, etc... sometimes even with brain-dead instructions you can follow to mindlessly wage destruction (or at least annoyance to some sysadmins and their employers).

But don't be suprised if "real hackers" also find you annoying!

Re:DEFCON, HOPE, etc

[Nipok+Nek]

Try Proverbs 17:28

http://www.bartleby.com/108/20/17.html#28

Re:DEFCON, HOPE, etc

[NoMoreNicksLeft]

Yes, I coined that phrase back in 1861, I believe. Ok, so I'm not the original Abe Lincoln, but a clone created by the Beta Reticulans as part of their master plan to subdue the people of Earth through treachery, illusion, and unwatchable formulaic sitcoms. Still, give credit where credit it due.

Re:DEFCON, HOPE, etc

[a+nanny+mouse]

Yes, that is true. I agree.

Yeah!

[cube00]

Contest: To all Hackers, lets see who gets busted first!

Jeebus...

[TweeKinDaBahx]

It's a silly idea all together, hacking, but I guess it must be better than girls/sunlight.

Any hackers who get busted deserve what they get for being dumb enough to show.

I recall a sherrif's dept. sending out letters to people with outstanding warrants exclaiming that they had one a prize and had to go to a certain address to claim it. Needless to say, the cops had a field day arresting all sorts of people, who were actually dumb enough to buy the ploy.

Just rememebr, if you're doing illegal things, there's always a chance you'll get caught. The best thing to do is just not get caught :)

Re:Jeebus...

[binaryDigit]

Didn't a cable/satellite company do this once? Where they somehow sent a re-program signal to their cards. Those who had illegal service ended up seeing a message to the effect of, "if you see this message and are having problems with the cable signal, please call xxx-xxxx". I recall that it was amazingly effective in "trapping" quite a few cable/sat pirates.

Re:Jeebus...

[Wildcat+J]

If you recall, this occurred on the Simpsons. The Springfield police department sent out notices to criminals claiming they had won a boat. They picked up Homer for an unpaid parking ticket, which he promptly paid, then he demanded his boat. Everything in life can be related back to a Simpsons episode!

-J

Re:Jeebus...

[tg_schlacht]

I recall a sherrif's dept. sending out letters to people with outstanding warrants exclaiming that they had one a prize and had to go to a certain address to claim it. Needless to say, the cops had a field day arresting all sorts of people, who were actually dumb enough to buy the ploy.

This has been done a lot. "You have won a [car, truck, boat, trip to Vegas]." It seems criminal elements of society always like getting something for nothing. Go figure.

Re:Jeebus...

I wonder if the original poster had this in mind; what with the Jeebus reference....

-- I beleive in Jeebus! --

Re:Jeebus...

[ashitaka]

It seems criminal elements of society always like getting something for nothing

Hmmm. Unfortunately you could say the same thing about just about everyone on the planet.

Barring a few monks.

Re:Jeebus...

[AJWM]

TCI did something similar during a pay-per-view boxing match. Flashed up a message offering a free T-shirt (or some such) to those calling a certain 800 number.

A simple cross check of the callers vs those who'd actually paid to watch the fight turned up a number of PPV freeloaders.

Re:Jeebus...

[unicron]

Lisa: Where's our boat?

Homer(ANGRY): I didn't want it.

Lisa: Why not?

Homer(ANGRY): The mast had termites.

Lisa: Why would a motor boat have a mast?

Homer(Angry): Because the dingy was...SHUT-UP!

Re:Jeebus...

[ayden]

I specifically remember this event. Continental Cable, the precursor of MediaOne and my cable provider at the time did this very thing in Northwest Connecticut in the early 1990's. There was a Pay Per View boxing match scheduled for a particular night. Since it was a Pay Per View event, the cable company had an exact list of everyone who had officially ordered (and paid for) the event. The cable company sent a special "commercial" for a free T-shirt to everyone tuned to the Pay Per View channel but also sent a signal to the cable boxes of everyone who paid for the program telling their cable boxes not to show the commercial. The result was that dozens of people called the "toll free" number and turned themselves in.

I have two feelings on the subject:

1. After spending over $1000 (over a number of years) on their product, Continental Cable didn't consider me good customer, but a suspect. How I longed for competition in cable industry.

2. I took this as a warning and learned my lesson well. Beware of anyone offering you something for free.

Re:Jeebus...

[Malicious]

There is also a secondary Simpsons reference, where Skinner, told Bart, Jimbo, Kearny, etc... that they had all won free bikes. He then proceeded to lock them in a storage closet, for the rest of Super Intendant Chalmers stay... However, if i remember correctly, in the end, Skinner was forced to buy all the kids bikes anyway.

Re:Jeebus...

[zootread]

It's a silly idea all together, hacking, but I guess it must be better than girls/sunlight.

Back in high school I hacked some schoolwork for some chicks, they loved me for it. Chicks dig hackers, its a huge turn-on for them. They also like guys who can fix their computers. Girls always say "come over fix my computer." And they usually repay me with sex. Damn life is good.

Re:Jeebus...

I have to wonder how the police can get away with doing this without committing fraud and being prosecuted themselves or having a civil lawsuit filed against them.

Re:Jeebus...

[Bob+Kronkel]

they're not committing fraud. its just that felons aren't elligible to win this prize. too bad.

Re:Jeebus...

[anotherone]

It sounds like they specifically set it up so that people who paid for the program were NOT treated as "suspects." I don't understand what you're trying to say.

Re:Jeebus...

[Inthewire]

One a prize, two a prize, three a prize, enterprise.

Re:Jeebus...

[andhar]

Okay, but the real Springfield, IL police department beat the Simpson's Springfield police department to the punch anyway.

I remember back in the early 80's when the SPD busted some criminals at the Prarie Capital Convention Center after sending them letters that said they had won something.

I don't remember any kids named Bart at my school, though.

Re:Jeebus...

He's saying he was stealing pay-per-view, and got caught. Now he's mad about it. How sad for him.

Re:Jeebus...

[zootread]

Chicks usually dig personality, social skills, confidence, money, power etc. - all of which are in rather short supply in the hacker community; if hackers had any real power they wouldn't be so desperate to show how "powerful" they are.

You're right, its not the hacker in me that attracts the hotties. In fact I don't tell them about that stuff anyways. But my point is that not all hackers are dweebs living in their parents house who can't get laid. Some of us who used to go around exploring systems, are now professionals making $65k/year. So I spent all my free time back in high school in front of a computer screen. Now I make big bucks working in front of a computer screen, and then get laid in my free time. I say again, damn life is good. This is no dream.

But you're right, being a hacker won't really get you chicks. But its not going to prevent you from getting chicks either.

I'll start my own

[Saturn49]

Maybe I'll start my own hacking contest. I give the winner a billion dollars. I'll setup 2 computers, one connected to the 'net, completely open and unpatched. It'll physically sit on top of the "secure" box, which won't be connected, or even turned on. When the "winner" tries to claim his prize, I'll simply state that he hacked the "decoy", and the real server was untouched. Sounds about as fair as this one.

Re:I'll start my own

[F1re]

That's fine until someone breaks into where you store the computers, boots up the unconnected one and ownes it...

Re:I'll start my own

[x136]

Not when they find out that the "secure" box is actually an empty ATX case. :)

Re:I'll start my own

[Sloppy]

For a billion dollars, I'll buy you a motherboard and install it.

Re:I'll start my own

[Mizery+De+Aria]

I believe your sister has already compromised the system.

Re:I'll start my own

Since possession is 90% of ownership all said hacker has to do is walk off with that empty case.

-Greg

Re:I'll start my own

Oh man, that's the funniest thing I've read in ages!

Only when the Open Source community ... argh, I'm getting tired.

Re:I'll start my own

[evacuate_the_bull]

"Secure" box, an empty ATX case? Please. I've got your security right here.

Re:I'll start my own

[therealmoose]

But after he puts it in his truck and drives off, he will most certainly "0wn" it.

Re:I'll start my own

[phalse+phace]

"I'll setup 2 computers, one connected to the 'net, completely open and unpatched"

So I guess that means you'll be installing Windows on it then?

Re:I'll start my own

[Tycho]

Or for that matter a machine all put together and configured with a PPC motherboard and an IDE card for an x86 PC with a hard drive connected to it with Red Hat for an Alpha installed on it.

Re:I'll start my own

[Saturn49]

No, I think a standard install of RedHat 6.2 will do just fine.

waiting for...

[PhilJackson]

I'm just waiting for the "actually I think you mean crackers, hackers are..." comment!

duh. more script kiddies to the rescue

[Telastyn]

The system set up by KDWorks had almost all of its services deactivated, according to kill9 and m0rla. "The contest server was only simulation, not a real-world environment," they wrote. "And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody."

Heh, in my experience, it's quite to the contrary. Anyone with half a brain turns off nearly all, if not all services to stop script kiddies like you =]

Re:duh. more script kiddies to the rescue

You're completely missing the point.

The don't mean running fingerd and ftpd, they mean webserver features.

How many static only webservers are there out there. Even running an indexing server or simple redirection can lead to exploitable situations.

I could write a simple static webserver which i could say with almost complete certainty is not exploitable, but it is of almost no use to anyone, and it is unfair to say that it is a real world situation.

Re:duh. more script kiddies to the rescue

[Telastyn]

I agree, though I perhaps disagree that server features are what the two in the article were talking about.

Not to mention that any webserver in a situation that requires high security (or to withstand a contest) would probably be modified to turn off indexing (though yes, probably not redirection).

And it's also arguable to say that the "real world" is filled with competant web admins that have some grasp of security...

Re:duh. more script kiddies to the rescue

[TweeKinDaBahx]

Unfortunatly there are gobs of renegade sysadmins out there who still try and secure thier boxes rather than simply turning off services. The problem with not combining these two ideas is that either way there are still holes in your security. No setup is rock solid unless it combines security in the form of no extraneous services, freshly patched services, and hardware security (routers, VPNs, firewalls).

Yet as people have joked, a disconnected machine is still the most secure, and a parallel cable can save yer arse.

Re:duh. more script kiddies to the rescue

[SuiteSisterMary]

Aye, and a locked door, and people who know not to give out passwords, and so on and so forth. A disconnected machine is still meat for the beast if I can get at it for five minutes. Security is an approach, a discipline, not an exercise, not a task.

Re:duh. more script kiddies to the rescue

[Tet]

Anyone with half a brain turns off nearly all, if not all services to stop script kiddies like you =]

Yep, I was open jawed when I read that. All of the web servers for which I'm responsible present an http server to the world on ports 80 and 443, and nothing else. As it happens, they're also running tomcat and sshd, but that's firewalled off (by two firewalls from different vendors), so you won't have access to those unless you're coming in from an approved address. Anyone who believes that a web server would commonly have more services running has obviously been living in the windows world too long...

Re:duh. more script kiddies to the rescue

But you conveniently forget to mention, that in the 'real world', not everyone has half-a-brain.

Re:duh. more script kiddies to the rescue

[warpSpeed]

All of the web servers for which I'm responsible present an http server to the world on ports 80 and 443, and nothing else

To take that one step further, at the firewall I block all the outgoing connections as well. The web server, in most cases, should not be initiating connections to the outside.

Re:duh. more script kiddies to the rescue

[Entropy_ah]

Yes, unfortunately most seem to have a quarter.

Re:duh. more script kiddies to the rescue

[Some+Dumbass...]

Heh, in my experience, it's quite to the contrary. Anyone with half a brain turns off nearly all, if not all services to stop script kiddies like you =]

Yes, but does this resemble the "real-world situation"? In a world full of sysadmins-with-half-a-brain, there would probably only be a few dozen crackers. :)

I mean, let's be honest. Most crackers are just looking for easy targets. They'd never be able to get into a reasonably hardened system. Fortunately, there are lots of easy targets out there. To most of these guys, that's what cracking is -- capturing easy targets. Get a half-dozen of them under your control, and you can make a decent DDoS attack, or you can really, really obscure your location while you hunt for more. There's a reason why more people hunt deer than lions -- you get more trophies at less risk to yourself!

Re:duh. more script kiddies to the rescue

[zaphod110676]

It sounds to me a little like they are whining because the system was too hard to hack. They went for an easier target. That sounds more like script kiddie behavior that of a hacker.

It's amazing how...

[Lobsang]

These so called "hackers" can be so brilliant in technical areas yet naivé to the point of branding themselves with the label of "hacker" in a public contest...

I wish them luck. :)

Re:It's amazing how...

[Permission+Denied]

"naivé" is not a word, in neither English nor in French. In French, the adjective is "naïf" (masculine, un garçon naïf) or "naïve" (feminine, une étudiante naïve) and the noun form is "naïveté" (masculine noun, vous avez démontré un naïveté étonnant). In English, the accepted form is "naïve," but no one will complain if you leave off the diacriticals and just write "naive."

Re:It's amazing how...

[Jon+Howard]

These so called "hackers" can be so brilliant in technical areas yet naivé to the point of branding themselves with the label of "hacker" in a public contest...

I'm only 21 and I can recall the days when "Hacker" didn't connote malicious intent, or for that matter, trespassing.

Please continue supporting derogatory stereotyping, I know plenty of rednecks, hicks, etc. who appreciate having more slurs to shoot at the folks they don't understand.

(Irony? Think about it.)

Re:It's amazing how...

[Lobsang]

Two things:

As a 21 year old guy, you should have noticed the quoted around the word "hacker", denoting irony.

You're way too touchy for a 21 year old person. Truly sad.

Re:It's amazing how...

[Lobsang]

oops...

cat $previous_message | sed -e 's/quoted/quotes/g'

Not "real world"?

[alouts]

Granted, securing the overall infrastructure is as important as securing a single box when trying to defend against intrusion, but the rationale for doing it seems pretty weak.

"And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody."

Please. What they're basically complaining about is that the web server they were supposed to be attacking was too secure, and not easy enough to get into. If it serves up web pages, it's a web server, whether or not the admin has opened all the ports you're used to exploiting.

'Course, the fact that there was a honeypot elsewhere on the network seems a bit shifty...

Re:Not "real world"?

[alouts]

Ack, I should proof my comments.

I meant to say that the rationale for these scrip kiddies ignoring the target box and attacking the registration machine seems pretty thin. Not that the rationale for securing your infrastructure overall is...

Re:Not "real world"?

I've got to agree with you on this. There is no need for a web server to be running anything other than Apache.

At my company each machine that is connected to the internet has exactly one service running on that NIC and a second NIC on a 192.168 network between those servers. Port scan the company webserver and port 80 is the only thing you'll find; port scan the mail server and port 25 is all you'll find. It doesn't make much sense to do it any other way.

Sounds to me like these "hackers" don't deserve the name.

Re:Not "real world"?

[mangu]

Assuming your hardware is powerful enough, is there any reason for not running all of those services in one machine? Suppose they scan the machine, they'll find ports 20, 21, 25, 53, 80, 110, etc. Is there any reason why these would be any safer if they were each in a separate machine?

Re:Not "real world"?

[noahm]

I've got to agree with you on this. There is no need for a web server to be running anything other than Apache.

I suspect that meanings are being mixed. I don't think they are complaining that the server wasn't running bind, fingerd, NFS, etc etc. I suspect it was more that the web server software itself was unreasonably minimal. You won't likely see a real-world web site run on thttpd or something. I imagine the web server didn't support things like CGI and stuff, so the only way to get in would be to exploit a known buffer overflow or to exploit something on the OS level. There was no searching for insecure form handlers or things like that.

But I could be wrong. There are lots of idiots out there, after all.

noah

Re:Not "real world"?

[chill]

The config used was a Smoothwall Linux install with Apache on a non-standard (high) port. No mail (how does the server report problems), no FTP/SSH (how do you update files on the server), no nothing.

That isn't real world.

As far as the "honeypot" goes, that is utter bullshit.

Re:Not "real world"?

[xinu]

No mail (how does the server report problems)

Uh easy, mails goes out, but no mail comes in... So if it bounces, it's gonna bounce for awhile or bounce to the default MX in DNS.

Re:Not "real world"?

[rlangis]

'Course, the fact that there was a honeypot elsewhere on the network seems a bit shifty...

If I were in charge of a high-profile system on the net, you can be DAMNED sure I'd stick a honeypot RIGHT NEXT to the secure server. I'm *much* rather have script-kiddies and wannabe hackers going after something I could give a damn about rather than my data.

That's NOT shifty my friend, that's common sense.

Re:Not "real world"?

I see. If you get a dick up your ass, and, at the same time, blow somebody and jerk off two other guys, then you are more gay than if you just get it in your ass. Yeah, right.

Re:Not "real world"?

[mabinogi]

>Is there any reason why these would be any safer if they were each in a separate machine?

Yes, a compromise of one service wouldn't automatically lead to a compromise of all...

It doesn't really lessen the chance of having something compromised, just limits damage if it does happen.

Re:Not "real world"?

[espo812]

Seems pretty useless to me. Why waste time setting up yet another system when you could be spending that time securing or scanning your system more? A honeypot is marginally useful for security.

Re:Not "real world"?

[JimmytheGeek]

"You won't likely see a real-world web site run on thttpd"

I use it - works nicely. It *IS* for a static web site, I admit.

Re:Not "real world"?

[nomadic]

Well then why do all the self-appointed security experts on slashdot always insist that anything can be hacked. Of course they didn't make it easy, geeze, they were offering 100k. And people are complaining that it's too hard?

Maybe the people that tried just aren't very good hackers?

Re:Not "real world"?

You don't need a mail server running on the machine to send mail, dumbass.

Re:Not "real world"?

[caluml]

Let's break this down.

The config used was a Smoothwall Linux install with Apache on a non-standard (high) port.

Maybe that's to stop simple probs and shite like Code Red/Nimda cluttering up the logs? If it's not meant for public consumption, what's the problem?

No mail (how does the server report problems),

I don't understand this. As you say, How does the server report problems. Install Sendmail/Postfix/Whatever, and only allow outgoing connections.

no FTP/SSH (how do you update files on the server),

No world-accessible FTP/SSH you mean. Just cos you can't see it, doesn't mean that the people that admin it haven't opened it to their ranges, or a trusted host.

no nothing.

Good. Exactly right. Open only the ports you need open, and make sure the daemons/services running at the end of those ports are secure. What was that Mark Twain quote again...?

Re:Not "real world"?

[ryepup]

Well, if they crack one box then that provides access to all the other machines via the second NIC in the 192.168 range, which could potentially be more harmful, if that range is assumed secure by all other servers.

Re:Not "real world"?

[shyster]

"And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody." Please. What they're basically complaining about is that the web server they were supposed to be attacking was too secure, and not easy enough to get into. If it serves up web pages, it's a web server, whether or not the admin has opened all the ports you're used to exploiting.

Evidently, that Smoothwall Linux server was indeed NOT a real world example...just take a look at KDWork's other webservers. If KDWorks can't secure ALL their servers, they have no business offering up a hack bounty...or security products.

I believe the hackers' point was that, yes, an otherwise unfunctional box can be secured to the point of being extremely difficult (or impossible) to crack. But, as soon as that box starts doing something functional (like, for instance, processing registration requests connected to a database server), then they can hack it.

Re:Not "real world"?

[shyster]

And I imagine youor thttp server is not doing anything particularly useful, either, is it? And it also doesn't receive very many visits, does it? And contains no interesting info, I'd bet. Exactly the hackers' point.

Re:Not "real world"?

[dossen]

You are assuming that the server should connect to other servers. That may be true for a limited number of services (webserver to db-server or such), but in general there is no reason to trust a host to do anything other than what it is supposed to do. So just don't assume that the servers will remain under your control, put them on a DMZ and allow only the connections from them that are truely needed.

Re:Not "real world"?

[pacman+on+prozac]

It depends what you mean by useful. It's perfectly possible to build a good functional website with some actual content using static pages. They're a helluva lot more useful than the millions of php nuke sites that have popped up everywhere imo.

And contains no interesting info, I'd bet. Exactly the hackers' point.

Whether a site has any interesting content has precisely sodall to do with whether that content is dynamically generated or not. It sounds more like the hackers were complaining that they could n't ./overflow it. For $100k did they really expect to be able to download something off packetstorm and walk straight off with the money?

Re:Not "real world"?

[pacman+on+prozac]

I'd stick a honeypot RIGHT NEXT to the secure server.

I'd recommend you at least put a switch between them. If a honeypot that is literally right next to any production server gets cracked you risk having man-in-the-middle attacks run aswell as sniffing things like the ftp/email passes for the local segment.

Common sense would be running a honeypot anywhere but right next to the secure server :)

Re:Not "real world"?

[Sabalon]

Huh? Okay...so they took a hardened os and put Apache on it. They put it on something other than port 80. If you are setting up a server that serves pages (possibly internal info) this is a good way to hide it from script kiddies.

No mail? You don't need to have sendmail running as a daemon listening on port 25 for mail to work. I have two HP's that don't accept mail, but send me mail on a regular basis.

As for no ftp/ssh - so? You can go to the console and update files. Perhaps they have another machine with ssh and a serial link? Perhaps ssh is firewalled off? perhaps they have something that watches for an attempt to connect to a certain port that will then launch sshd for 5 minutes?

Perhaps the static pages it was serving were generated every 5 minutes by a perl script?

Just because a server isn't running the default RedHat install or something doesn't mean that it isn't real world.

Re:Not "real world"?

[JimmytheGeek]

It's doing a very useful thing for us. The traffic volume is low, but could be extremely high and not freak the server. Bandwidth throttling will allow us to set a ceiling in the unlikely event traffic exceeds fastethernet.

Re:Not "real world"?

[shyster]

Whether a site has any interesting content has precisely sodall to do with whether that content is dynamically generated or not.

I didn't say the content wasn't interesting. The content, whether static or dynamic when the server processes it, is all static once the browser gets it. The content could very well be interesting. But, with only static HTML, there's no database access. That's where juicy info (that's supposed to be hidden) lies. A static HTML site is, more or less, open for the world to see as it is.

And, there's simply no point in cracking a static site. At best, one could hope for creating a shell account with it. But, then static sites aren't usually connected via high bandwidth lines, and usually don't have high end hardware, so what's the point? Of course, you could always destroy the site, or replace it with an 0wn3d page, but static sites aren't usually high profile, and are pretty quick and easy to rebuild.

My point is that not only are static sites harder to hack, but they're also not a very tempting target anyways. And, I can't think of a single high profile site that's purely static HTML. Therefore (unless my memory is simply miserable today, and there's quite a few high profile plain HTML sites), they really aren't a real world example of a site likely to be hacked.

Re:Not "real world"?

[spir0]

You won't likely see a real-world web site run on thttpd

what do you consider real world? here's a quote from right off thttpd's front page:

"Some major sites that are running or have run thttpd:

* demon.net, Demon Internet, a large UK ISP
* global.net.uk, Global Internet, another large UK ISP
* bluelight.com, Kmart's web site
* img.gamespot.com, GameSpot's image server
* download.napster.com, Napster's download server
* stephenking.com, Stephen King's official site
* mtv.com, It's not TV, it's eMpTV.
* news.excite.com, one of Excite's internal servers
* valueclick.com, a banner ad broker
* The Sovereign Principality of Sealand "

Is it hacking when invited?

[AIM-9X]

It seems a little ambiguous - if you are invited to hack, is that a crime?

Granted, there are some thresholds never to be crossed. "Sure, you can shoot me, you won't get in trouble" etc.

Nonetheless, I'd be sure to get written permission from the hackee.

Re:Is it hacking when invited?

[xeromist]

Yes, it's still hacking. Hacking refers to actions, not to the legality of those actions. Hacking does not mean you are doing something illegal. In fact, some companies will actually pay a consultant to hack their system so that vulnerabilities can be discovered and fixed.

Example: Fighting is perfectly legal, but only when it is consensual(ie. boxing). Yet it is still called fighting whether legal or not.

Re:Is it hacking when invited?

[kubrick]

It can't be trespassing if you're invited. However, damage may be a slightly different kettle of fish legally.

*** This is my Sig. This is my Glock, this is my Walther, and this is my Beretta. Any questions?

Yes. Why are you showing me your guns?

Korea and the Internet

[mumblestheclown]

At the risk of sounding like an insensitive racist jerk, what, exactly, has korea contributed positively to the net? 85% of the spam i get continues to be Korean and they have effectively made a shambles out of the korean war project. We're not talking about a Nigeria and it's 419 scams. We're talking about a country that has the resources and ability to be doing a lot more than it currently is.

From time to time, the internet death penalty for countries has been considered and is actually implemented locally by particularly zealous sysadmins. But we've seen that this tends to, at best, piss off a few users unless it's implemented really widely, which it is unlikely to ever be. So, what is the answer to korea?

note: I have visited korea three times and have found it to be a great place. it's their extremely half-assed internet policies that I object to

Re:Korea and the Internet

[Hektor_Troy]

At the risk of sounding like an insensitive racist jerk, what, exactly, has the US contributed positively to the net? 85% of the spam _I_ get continues to be from the US and they have effectively made a shambles out of the internet (witness DMCA, SSSCA (or whatever it's called today etc). We're not talking about a Nigeria and it's 419 scams, we're talking about a country that has the resources and ability to be doing a lot more than it currently is.

Or is it something completly different, when it's the US that's the troublemaker?

Re:Korea and the Internet

[Tazzy531]

Actually Korea has done a great deal in getting you online. The majority of the RAM used on computers now a days originate from Korea. Samsung is a Korean company. In addition, Korea is getting up there in terms of semiconductor manufacturing..

Re:Korea and the Internet

[JordoCrouse]

At the risk of sounding like an insensitive racist jerk, what, exactly, has the US contributed positively to the net?

Uhhh... other than inventing the damn thing?

Re:Korea and the Internet

[Satan's+Librarian]

Our ex-vice president created the whole thing over 10 years ago!

Or something like that....

I am curious where this person would go to for tech news w/o the US though....

Re:Korea and the Internet

[carlos_benj]

At the risk of sounding like an insensitive racist jerk, what, exactly, has the US contributed positively to the net?

You may be an insensitive jerk, but tarring the whole of the US could hardly be racist. The US is comprised of many peoples from many ethnic origins.

You also seem to be having difficulty differentiating between spam/scam. While spelled similarly (note the second letter to tell them apart) they mean different things. A scam can also be a spam, but a spam does not always have to be a scam not does a scam necessarily have to be a spam. In point of fact, many scams are extremely well targeted (although many of these take place in meatspace) while spams as a rule are not. But I digress...

Re:Korea and the Internet

[Selmo]

At the risk of sounding like an insensitive racist jerk, what, exactly, has korea contributed positively to the net?

FWIW, they went apeshit over StarCraft, which provided revenues for other projects like Diablo II and WarCraft III.

Re:Korea and the Internet

[Atzanteol]

I'm sorry. I know this is off topic, and I'm replying to a troll, but this is a personal pet peeve of mine:

we're talking about a country that has the resources and ability to be doing a lot more than it currently is.

What are you expecting? You speak as though the U.S. citizens are some how on a higher plane of existance than the rest of the world! We're people, same as you and everyone else in this world. Sure, we have resources, money, power, etc. So do many other countries. You could say "Why doesn't <insert country here> do so much more!"

As for contributions, I think we've put in quite a bit. Ever look at a graph of the internet backbone? There's a large chunk in the U.S.

Re:Korea and the Internet

[JimmytheGeek]

Ya know - he NEVER made that claim. You can't defend yourself against one of these memes, and so Gore didn't even try. He did claim to have supported its development/expansion, which is true.

Re:Korea and the Internet

Ya know - he NEVER made that claim. You can't defend yourself against one of these memes, and so Gore didn't even try. He did claim to have supported its development/expansion, which is true.

"I took the initative in creating the internet" -Al Gore

Seems like he did to me. Of course, people like you do seem to rewrite history..

Re:Korea and the Internet

[MoldyZero]

At the risk of sounding like an insensitive racist jerk, what, exactly, has the US contributed positively to the net?

Where exactly does it say that? Unless my eyes are tricking me, the words "the US" do not exist in that first part... Though, It does say "korea".

Re:Korea and the Internet

[shyster]

"I took the initative in creating the internet" -Al Gore Seems like he did to me. Of course, people like you do seem to rewrite history..

Not to be too political here, but let's at least look at things reasonably. The context of that quote was Gore talking about legislation that he spearheaded to fund the creation of the Internet. Neither that quote, or any other, can be interpreted by any but the most die hard conservative as Gore claiming to have invented the Internet. It is, however, a fact that Gore did take initiative in legislation to create the Internet.

When you take things out of context, you can prove almost any point. As the old saying goes, the devil can quote scripture to suit his means (or something like that...)

Re:Korea and the Internet

[shyster]

As for contributions, I think we've put in quite a bit. Ever look at a graph of the internet backbone? There's a large chunk in the U.S.

That's because we need the bandwidth to send out all of our spam. And let the script kiddiez r00t boxes. And steal movies and music from P2P networks. Oh yeah...we use it to play games and read Slashdot too. =)

Re:Korea and the Internet

3 words: Made In Taiwan

Re:Korea and the Internet

Once upon a time, when my father was in the military, he went to korea and on a couple of occasions went to what he described as "a room with like 4 or 5 guys and 20 computers, and all they did was pirate software" from which he purchased about $500 worth of software for $20. Now, I'm not ragging on Korea or anything because 4 or 5 guys happened to sell pirated software or anything, but with nearly every place in Seoul being wired with broadband...why would people in Korea *buy* StarCraft? I know I wouldn't (insult me all you like).

Re:Korea and the Internet

[ceejayoz]

Well, they've done a great deal in getting us online cheaper. We'd still be online, it'd just be a bit more expensive to buy the computer.

Anyways, I'd say their contribution about balances out the hordes of e-mails I get through open relays in Korea... :p

Re:Korea and the Internet

[Hektor_Troy]

Actually it's not just a troll; it's an interesting, insightful, flambaiting troll (according to the moderation).

Actually it wasn't meant as a troll, but a twist on the parent posts argument, that Korea was the backwater swamp ... aparently that particular twist is rather close to home judging by the moderations and replies :-)

You could say "Why doesn't do so much more!"

Which is excactly what I did, but some people (none mentioned, none forgotten) aparently get their panties in a twist when their own country is the target of the pointy end of the stick.

As for the backbone, have a look at shysters reply :-)

Re:Korea and the Internet

[Satan's+Librarian]

You can go here and get a pretty full explanation of what he said. It was very poorly phrased, and IMHO, attempted to gain credit for more than his efforts were worth. This is deadly for politicians when they are caught at it, worth poking fun at, and occasionally still funny. Kinda like ALL YOUR NEWS ARE BLONG TO US.

But you are right that he and other US congressmen funded US companies, universities, etc. to speed further development of the internet - which, if you'll notice, was also implied in my from-the-hip post. For example, the place one of the original posters was posting that the US has never done anything for the internet just happens to reside in - well, three guesses.

Re:Korea and the Internet

[pjrc]

what, exactly, has the US contributed positively to the net?

The development of BSD unix (in California, of course) and it's widespread distribution to other universities and research centers that ultimately made IP and TCP the "standard". Microsoft's TCP/IP code was originally based on the free BSD Unix code, as was Sun's (both have re-written most or all of their TCP/IP code since, but they did both ship BSD-derived code for years).

Similarily, while the HTTP protocol, a text-only viewer and original server were developed at CERN, it was NCSA (University of Illinois) that developed the Mosaic web browser and NCSA web server. Both Netscape and Microsoft's IE were based on the Mosaic code (recent versions of IE, like 5.5 which I just tested, still credit the University of Illinois in their Help->About Internet Explorer menu). In all likelyhood, you're using IE to view this message, so if you are just click on that menu to see a credit for a quick reality check that code you're using to access the net originated in Illinois. Since you're reading this one slashdot, the server that sent it to you was Apache, which was also originally based on the web server from Illinois (named apache due to a large number of patched to NCSA's server, "A Patchy" server).

There's just two little examples. Of course, if the question was really what has Korea contributed to the internet's infrastructure... well, that's a good question?

Re:bad news for open source?

Linux is already bankrupt; this is an
incontrovertible fact. Is the disturbed
personalities of the leading players, gross
technical incompetence or something bigger than
all of these. One thing is clear: Linux is
very sick, Linux is dying.

Site statistics

[cavegrub]

Hmm...

Sounds like kill9 and m0rla got into the true spirit of the competition.

According to Netcraft , www.kdworks.co.kr was running IIS 5.0 since April.

(or look here if you don't believe me)

Re:bad news for open source?

Hackers have had a bad name for 15-20 years now. Trying to be 5up3r-l33t by calling open source programmers "hackers" is ridiculous. Come up with a new word and just learn to deal with it. There are tons of other words that have been corrupted. For example "e-mail". "I'm going to send him an e-mail". A what? It doesn't even make sense. Remove the "e-" from it and say it again... "I'm going to send him a mail". No, you send him mail or you send him e-mail or you send him an e-mail message. You DON'T send him "an e-mail". The web is also not the fucking Internet!

RSA Challenge anyone?

[bugg]

The best products/systems/protocols/algorithms available today have not been the subjects of any contests, and probably never will be.

I think that contests, when done properly, can't prove security but it certainly can certainly prove a point. I doubt we'll ever see a proof that factoring numbers must be complex, but the RSA challenge proves that, well, anyone who has the technology would rather keep it than the money. Hrm. Well, at least that means a script kiddie or casual hacker can't factor very large numbers, eh?

Re:RSA Challenge anyone?

[Boatman]

Contests are good at proving *insecurity*. Thus the RSA contests. But lack of proof of insecurity isn't proof of security.

Re:RSA Challenge anyone?

RSA-500 =
189719413374862665633053474331720252723718359195 34 28303184581123062450458870768760594321234762576642 74945547644195154275867433811981387466471553446001 28172402854835142675669719253496205220699188798491 81484706819044791457088226110939902411592763469776 33946326637808872646881505242830850704932797792349 29990615521801952267534305575027779393713330209195 00860225343124870843796867881478506011320772871728 19942445113232019492229554237898606631074891074722 42561739680319169243814676235712934292299974411361
=
374271217706205830913214247547412243984017009431 36 92569409724669036067145935665469179209556046350643 13650735649742880036461009375273062497609978034621 28542518686344030635843911820718776925659054905814 34421018260726150246940722888295355624667254579581
*
506903561907846134219439740502974882747391794703 94 18122726805813382156225921428772801214922594206458 07834997795076354606802490111106153804429088209985 42738154413103798892589988519726447464444686565204 60558816777620924293750629417010292417375848211381

Re:RSA Challenge anyone?

RSA-500 =
189719413374862665633053474331720252723718359195 34 28303184581123062450458870768760594321234762576642 74945547644195154275867433811981387466471553446001 28172402854835142675669719253496205220699188798491 81484706819044791457088226110939902411592763469776 33946326637808872646881505242830850704932797792349 29990615521801952267534305575027779393713330209195 00860225343124870843796867881478506011320772871728 19942445113232019492229554237898606631074891074722 42561739680319169243814676235712934292299974411361
=
374271217706205830913214247547412243984017009431 36 92569409724669036067145935665469179209556046350643 13650735649742880036461009375273062497609978034621 28542518686344030635843911820718776925659054905814 34421018260726150246940722888295355624667254579581
*
506903561907846134219439740502974882747391794703 94 18122726805813382156225921428772801214922594206458 07834997795076354606802490111106153804429088209985 42738154413103798892589988519726447464444686565204 60558816777620924293750629417010292417375848211381


...but
506903561907846134219439740502974882747391794703 94 18122726805813382156225921428772801214922594206458 07834997795076354606802490111106153804429088209985 42738154413103798892589988519726447464444686565204 60558816777620924293750629417010292417375848211381 isn't prime. Your factorization is incomplete.

Re:RSA Challenge anyone?

[bugg]

That's a pretty clever troll. The problem is, that's not RSA-500! :)

Re:RSA Challenge anyone?

[opti6600]

As a matter of fact, a good friend of mine, whos a freshman too, has come up with a truly genius method of RSA cracking. She's getting closer on a daily basis. This reminds me to ask her just how far she's gotten...

Re:RSA Challenge anyone?

[Telastyn]

Actually, the point is better put (as proper security should be) that anyone can factor very large numbers, but it will take them all a very long time without the key.

Re:RSA Challenge anyone?

[Corvus9]

Unfortunately, the margin was too small to contain the proof.

Re:RSA Challenge anyone?

[slashclone]

It was not a troll. he used Toppenheimer algoritm (see a recent issue of "Practical Internet Security Bulletin) to obtain the number.

Re:RSA Challenge anyone?

[caluml]

You might get lucky and hit the correct one first time....

OK, so it's almost completely unlikely - but that doesn't mean it can't/won't happen.

Re:RSA Challenge anyone?

[happyhippy]

LOL Shame on anyone who doesnt get this joke.

Re:RSA Challenge anyone?

Is that the last fermented equation?

ok, ok...bad pun.

JoeLinux, too lazy to sign in.

GO KILL-9/M0RLA

[apoKalypse]

Things apparently started to go wrong for KDWorks when two hackers, who go by the pseudonyms kill9 and m0rla, posted a message to the hackers.com Web site, saying they had broken into the server holding the registration details of the entrants with relative ease and sent an e-mail to all 1,240 of them.
I used to chat with kill-9/m0rla on irc before, I hope they had lots of fun pulling this one off. Congrats :P

Re:GO KILL-9/M0RLA

[Dread_ed]

Reminds me of an old Star Trek episode/reference. The Koybayashi Maru, "Can't stand to lose? Change the rules!"

"The only way to learn good judgement is by exercising bad judgement...REPEATEDLY!"---Mom

no, he does mean hackers!

[shemnon]

Well, the contest was for hackers and not crackers. Crackers got the registration machine, but since the "contest" machine had an open invitation to break in, there was nothing illegal about it.

Remember, the class requirements for the Cracker class has the ethical alignment of Chaotic as a requirement. Hackers can have any Ethical Alignments. The White Hat Cracker class has a Chaotic Good alignment requirement. Since they asked people to hack the box it would be very within the Lawful alignments, Lawful Evil in partiular since the money is a self motivational goal. A Lawful Good Hacker would submit a resume so that he can properly lock down the registration computer.

Did I mention the GNU Hacker Prestige class? Must have a Lawful alignment, otherwise the whole bit about licencing wouldn't have any meaning to them. BSD Hackers are closer to True Neutral, since they don't care what is done as long as they get credit.

Re:no, he does mean hackers!

[liquidmarkets]

I think this (the parent) should get a 5!

Re:no, he does mean hackers!

You've never been laid... have you?

Re:no, he does mean hackers!

Well, I consider good to mean enlightend self interest and evil to mean selfish self interest. But you are right, LE may not be the only lawful people competing. A Lawful Good Hacker may compete, take the money if he wins, and donate it to the EFF or such. Just because you win the money does not mean you have to keep it.

And I believe it is more properly stated [universal qulaifier] Evil : Money = Evil^(1/2). (Where [universal qualifier] is that cool upsidedown "A" I cannot find in unicode). For all evil, money is the root. Or stated as a contradiction there is no evil such that money = evil^(1/2) does not hold true.

Open source is a security contest

[Beryllium+Sphere(tm)]

which addresses some of Schneier's criticisms.

Instead of a limited time frame, it lasts as long as the product is used.

Instead of the unrealistic conditions of a contest, there's enough information that talented people can spend their time studying security rather than doing reverse engineering.

One of the reasons for mostly-trusting OpenBSD or PGP is that they're the outcome of what amounts to multi-year cracking contests. With enough of the right eyeballs, even security bugs can be shallow.

Re:Open source is a security contest

[Paradise+Pete]

With enough of the right eyeballs...

...we should sneak up from the left.

I am an "outstanding competitor"

I also received the emails asking how they should send me the $1250. Does anyone know where they posted the list of winners?

Stealing Links?

[nirvdrum]

Ok, take for granted that not everyone here goes to Freshmeat everyday (as is always the constant source of bickering when a new kernel is released), but I've seen an ever growing trend where someone just scans down to the SecurityFocus links on Freshmeat, and then posts them here as original stories. Please stop doing that. That is all.

Re:Stealing Links?

"Flash! Freshmeat has a link to Security Focus who are linking to ZDNet story about a failed hacking contest..."

Frankly it's easier to link to the ZDNet site itself. Links are not intellectual property.

Re:Stealing Links?

Please stop doing that. That is all.
Black & White rules! :)

Re:Stealing Links?

[kubrick]

Welcome to Slashdot. :)

(Yes, I know your UID means you've been here for a while, but it's the traditional sarcastic response when someone complains about a practice that, in one form or another, has been around since... oh... around the time when I signed up.)

What about other web server apps?

[yerricde]

There is no need for a web server to be running anything [on an open port] other than Apache.

What about Roxen? What about AOLserver? What about the hypothetical future complete rewrite of IIS? And what about Other?

You can't always get what you want, but....

[L.+VeGas]

This reminds me of my old boss that was taking karate lessons. He went up to a geek I worked with and asked him to "try to kick me as hard as you can". He hadn't even finished the sentence when Ken slammed him in the jewels so hard that my boss threw up. All he kept saying was "But I wasn't ready!"

Re:You can't always get what you want, but....

Actually, that's how Houdini died! He was bragging about how well trained his stomache muscles were -- told some guy to punch him as hard as he could. Trouble was, the guy hit him before he was ready...

Re:You can't always get what you want, but....

First hit on Google:

http://ask.yahoo.com/ask/20000710.html

Don't you feel like a retard now?

Re:You can't always get what you want, but....

[elvis+the+frog]

Some annoying marketroid tried this on me once - "I've been taking karate and I can block any punch, try me-ooof!"

I already knew the punchline, my fist was moving as soon as he asked for it....

You hear this so often, you might think it's an urban legend, but noooo, it really happens.

Re:You can't always get what you want, but....

[Shade,+The]

It's different in the dojo than in real life. Even when you're training at full speed, with the blows at geniune strength, you still expect them, and so it's quite difficult to avoid a blow you do not expect unless you're very good. Silat is good for that, so I'm told. In my opinion, I tend to find that most forms of Karate aren't very good for real life situations anyway.

Re:You can't always get what you want, but....

[Art+Tatum]

Yep. Back when I was doing the training, I often wondered how some of it could possibly apply to RL. I mean, say I'm standing around minding my own business when some guy decides to make trouble. How am I supposed to kick him in the head without stopping to do 15 minutes of stretching first? I'm certain that pulling my groin isn't going to be a good defensive tactic....

Re:You can't always get what you want, but....

I always carry a (brand name omitted)-cola bottle to break against something in self defence.
"But they're plastic" you say?
I run away before my opponent recovers from laughing.

Re:You can't always get what you want, but....

>How am I supposed to kick him in the head without stopping to do 15 minutes of stretching first? I'm certain that pulling my groin isn't going to be a good defensive tactic....

two words : muay-thai

Incredible...

[mongoks]

Bill Wong, of New York, who after hearing about the compromised registration server was then asked for bank account details, became suspicious. "At this point," said Wong, "I don't know whether to provide them with that information and, if in fact, whether I actually did win anything. I'm beginning to suspect that this could be a spam or a hoax (perhaps, even from the start)."

Gosh Bill, ya think?

Alright!

[reaper20]

"And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody."

Looks like my paranoia is beginning to pay off. Either that, or they were expecting the typical default IIS install.

Re:Alright!

[GravySkin]

Base IIS install complete with Nimda and Code Red.

I once set up IIS with no patches on purpose to see how long it took until Nimda was installed. All of 30 minutes - via DIALUP into my ISP.

RE: your sig

Yeah, I've got questions about your Sig. Did you go for the night-sights? and if so, how old are they? do they seem as bright as when they were new? Do you think it shoots as well as the Beretta? If you have those much nicer guns, why buy a Glock?

Who Mods This Crap UP?

[BlueFrog]

I know I'm going to get modded into oblivion for this, but I've finally had enough. Fuck it.

I had a whole rant chambered and ready to fly, but I'll just keep it short.

Does it trouble anyone else that the above comment rated a "5: Insightful"?

Oh...fuck it. Why do I bother?

New Contest

I've set up an interesting server with the name www.whitehouse.gov
The first hacker to break in gets a large prize....

Re:New Contest

[Selmo]

The first hacker to break in gets a large prize....

Like what? Taking Bubba's schlong up the cornhole in the federal pen? Some "large prize"

No FTP/SSH is real world

[AHumbleOpinion]

... no FTP/SSH (how do you update files on the server)... That isn't real world

No, that is real world, or would be if the "world" was properly administered. You are making a false assumption that ftp/ssh has to be universally open, this is wrong. These ports may, and should, only be opened to certain IP ranges. For example, the companies internal subnet, admin's home IP, etc.

Re:No FTP/SSH is real world

[SaDan]

Exactly.

The personal web server I run has SSH and Apache accessible from the outside, and that's it.

Re:No FTP/SSH is real world

[btellier]

And SSH has had multiple security vulnerabilities in the past. You're secure. Current snapshots are secure. Keep thinking that. If smart people are determined to break in, they will. It may take months, but chances are excellent that it'll happen. Everyone would be fascinated to know just how common off-by-one buffer overflows, signed/unsigned bugs and the like are in their popular programs. The point is that Apache with only .html running will never be run by any company/bank/government/ISP or any other non high school kid web server. Have you looked at the Apache .html processing code? It's *miniscule* in comparison to the amount of code used for a "typical" corporate web server.

They are trying to market their product to corporations. They're trying to prove that it will withstand hacker attacks. What's the goddamn point if they're not running all the services that a typical company would?

Re:No FTP/SSH is real world

[SaDan]

Eh, I was a "typical company" for about two years doing web hosting. I had all sorts of stuff running (Apache, SSH, Sendmail, POP, IMAP, FTP), and never had any problems with people breaking in. Oh, sure... I could see the scans and login attempts in my logs, but I've never had my machine cracked so far.

Keep on top of security reports, keep the software current and PROPERLY CONFIGURED, and read the logs frequently. That's been my standard procedure for years, and it has served me well.

The point is that Apache with only .html running will never be run by any company/bank/government/ISP or any other non high school kid web server.

That's absolutely hilarious... I guess there are quite a few high school kids with web servers out there to make those stats over at NetCraft show Apache with as many servers as there are.

Get a clue. A typical company that is concerned with security is going to lock down their networks and their servers/workstation. A typical company that doesn't think about security is the one you'll be able to break into easily.

I am a moron.

[BlueFrog]

Ignore the above. Spoke too soon. I blame El Niño.

Or flame to your hear's content.

Re:I am a moron.

You're a moron AND you can't spell.

Does "Kobayashi Maru" mean anything to you?

[saforrest]

Damn, when James T. Kirk did an analogous thing, he got commended for it. Props to the hackers for proving you can't define security problems away.

Moronic Hacking Contest

[carlos_benj]

I missed the part in the article where they said the contest was limited to moronic hackers....

Re:Slashwho

You, sir, are an imbecile. Get a fsking life, will you?

Sincerely, Mike "Trollmaster" Bouma

Your BS for the day...

[Chris+Burke]

This cracked me up. The article says that the honeypot server would start a tracing program as soon as it detected anyone trying to connect to it and that (emphasis mine):

"Then the tracking software analyses all the activities of the intruder (including hacking method, all the ISP used, IP address, even what the hackers punched on his keyboard) to trace down the original location of the intruder."

Okay, thanks ZDNet. Did they tell you that, or did you just make that insanity up on your own? You get kudos either for gullibility or imagination, depending. So basically, they're trying to suggest that this program not only traces the hacker (ooh, it logs IP addys!), but then automatically hacks the hacker's machine to install a keystroke logger.

Each day you learn something new. Then something comes along so stupid it damages the brain cells that managed to learn that new thing. But at least I laughed. :)

Re:Your BS for the day...

They probably meant logging all Telnet trafic. But then, it's ZDNet...

Re:Your BS for the day...

[gmanske]

I initially laughed too, but then I remembered something.

Keyloggers are not new, and are mentioned here. Besides simply logging cleartext traffic (telnet), encrypted traffic can be logged on the host side before it is sent back over the wire (ssh) using a replacement shell (forwarding traffic to syslogd), ttywatchers or the *trace tools.

I believe this is the technique used to log outgoing ssh traffic from a compromised machine, particularly but not limited to the case of common rootkits which drop replacement sshd[s].

The zdnet text is sensationalist, but that doesn't mean it isn't technically possible.

Gmanske.

Re:Your BS for the day...

[Chris+Burke]

Yes, I'm aware of all those things, but they all share a common property -- they happen on the receiver's end. They're only keystroke loggers in as much as the data sent to the honeypot represents the actual keys hit by the attacker. Which, even in the case of telnet, could be not at all. Thus saying that those things log keystrokes is something that only ZDNet would say.

Re:Your BS for the day...

[gmanske]

Yeah, I understood. It is zdnet after all... :)

Gmanske.

Re:Your BS for the day...

Logging keypresses probably refers to logging all shell and other textual sessions opened to the network being hacked, which is perfectly realistic.

It's just not pedantic reporting, since laypeople can't tell the difference.

Re:Your BS for the day...

[Mike1024]

Hey,

automatically hacks the hacker's machine to install a keystroke logger.

Many programs make really short logs. Perhaps they mean it logs every keystroke transmitted by the hacker's terminal program - backspaces and suchlike.

It could just have been 'creatively interpreted' by marketing folks who don't understand the technology.

Michael

Re:Your BS for the day...

So basically, they're trying to suggest that this program not only traces the hacker (ooh, it logs IP addys!), but then automatically hacks the hacker's machine to install a keystroke logger.

It was written ambiguously, but what it probably meant is it archives the shell history of remote clients connected to the machine.

Irony...

[jhaberman]

"As entrants were required to enter personal details together with some form of identification--such as a passport or social security number--in the event that they won the competition, some are worried that their privacy has been compromised."

Doesn't anyone else just find that line HILLAIROUS!? I mean, c'mon... if anyone should be familiar with the vuneralbilities of a web server, and personal information found on said web server, it should be a bunch of "hackers". This is so stupid, I can't even believe it. It has to be a hoax...

Jason

Re:Irony...

[WildBeast]

Those people sound more like the politicians talking: "We have the right and the duty to compromise your privacy, but don't you dare compromise ours" :)

Re:Irony...

[Bastian]

I doubt the greatest hackers in the world are doing this. Heck, I have a feeling it's mostly just amateur crackers who have never done anything seriously illegal.

Anybody who really has had much experience breaking into hardened networks would theoretically be way too paranoid to ever attatch something like a social security number to a hacking attempt, even an authorized one. I know I wouldn't. . .

hehe that reminds me of something

[WildBeast]

I had a job interview a few months ago. I went there for the interview on time, I entered the Office, nobody was in there, so I looked around to find a few servers and some of them where powered on and logged on. So I sat down and waited until a guy arrived 10 minutes later.

When I asked them why they used Solaris as there servers, they told me that it was more secure than Windows and Linux :)

Re:hehe that reminds me of something

Not an unreasonable statement, depending on what kind of configuration, software and patches your box is installed with, but you probably reminded them of security only being as good as the weakest link...

Interesting thing about the site...

[jerkychew]

...It's not ZDnet.com. Look at the web address - the domain is zdnet.com.com

zdnet.com - 128.11.45.117
zdnet.com.com - 64.124.237.140

I don't have time to investigate further, but could it be that the article itself is a hack? Or does zdnet own the com.com domain?

Re:Interesting thing about the site...

> Or does zdnet own the com.com domain?
>
Yes.

Re:Interesting thing about the site...

Look at the whois. com.com is owned by CNET.

Re:Interesting thing about the site...

[mtnharo]

Nope, seems that they own both domains. Clicking the "today's news" link on the zdnet.com home page links to zdnet.com.com I guess they use that one for their news stuff that changes more often, the rest of the url is based on the date. Kinda odd though.

Re:Interesting thing about the site...

[rlowe69]

Or does zdnet own the com.com domain?

Yes. I asked this question about six months ago, and a clever person pointed out that this would allow ZDNET to use a cookie with the com.com domain across its whole family of sites. Then they could track a person uniquely, customizing advertising, preferences or anything else. I don't know if they actually do this, but it would be a good way to do it.

rL

Re:Interesting thing about the site...

[MobyTurbo]

One often sees com.com type addresses for CNet sites. ZDNet and CNet made a merger a year or two ago, so it's no wonder that ZDNet is using it.

Re:Interesting thing about the site...

[Shaheen]

C|Net owns the com.com domain. They centralize around that. News.com is news.com.com, etc.

Re:Interesting thing about the site...

[rat7307]

It's not ZDnet.com. Look at the web address - the domain is zdnet.com.com
[RANT]

How come this is (right now)at 4???

EVERY time a zdnet story is linked someone points out the com.com thingy..

+4 for stating the obvious.... ..oops.. I just remembered it's slashdot.....

[END OF RANT]

Re:Interesting thing about the site...

It really doesn't matter. I think it was a year ago when CNET bought ZDNet right... and com.com is owned by CNET! :)

Re:Interesting thing about the site...

[badvictor]

ZDNet is actually owen by CNET, and if you check the WHOIS database, you will see plain as day that CNET does own the com.com domain. QED.

Re:Interesting thing about the site...

[bryan1945]

Well, with 500,000 registered users the odds are pretty good that with each zdnet story there is going to be someone who hasn't seen it before.

Re: your sig

I've got a Beretta mini-couger and a model 84 .380 auto (nikel plated). I also have several other handguns...a few smiths and a colt...and I must say, the beretta's are better than anything else I've ever used. They shoot straighter, are better balanced and just feel right. I'm not expert, but man I love berettas...

Cracking?

[Drakker]

Shouldnt it be called a cracking contest? If yes, then this is really a moronic contest... unless I'm really mistaken and the goal of the contest was to hack together a better web server? =)

that explains what you were doing there.

how else would you know that the past two years were 95% lamerz and wannabez?

(nuff said)

where kirk got the idea

[iloveprotoss]

"I don't believe in the no-win scenario."

Hacker!

[fisman]

Congratulations! You just managed to hack the server in question it seems :0)

Now is it not interesting that this got posted right past our demigod moderators.

Guess slashdot CAN be hacked afterall ...

This is fun and all of this..

[Sarin]

But tell me why do I always get to hear /after/ such a "swift ordeal" on slashdot. Isn't there somesort of website that announces these kinds of contests way-back --infront-- or whatever?

Yes, I know that there's nothing new about exploiting another machine that's been hooked up by a company that's in desperate need of some cheap advertising (though some press-agencies seem to disagree), but $till I would be happy to be informed in front, if you know what I mean;

It plagues my mind sometimes to hear these things afterwards, it's a bad trend. I'm not the only one: some people are even writing basic scripts that r00t any vulnareble machine in case there's a contest running on it, they leave subtle hints inside their scripts so the people who had their contest machine r00ted know who to send the pricemoney to, you all know who I'am talking about!

This really happens

[Sycraft-fu]

Some police departments do this. They send packets to peopel with warrants claiming they have won some sort of prize, like a Hawiian vacation or something. They then arrest them when they show up and their identity is confirmed. Apparently, it works fairly well.

Re:This really happens

do the departments have to keep their promises, or can they just downright f**k *p people?
now imagine a case, police using this to nail someone who had committed mail marketing fraud.......

Re:This really happens

[Hellkitten]

If the warrant means jail they only have to offer them a "vacation", not specifying where. Then they can't complain when they are sent off to prison.

Dear Sir,
We are happy to inform you that you are one of several lucky individuals that will recieve a free stay at one of our country resorts. You will receive free room and board at our expense, all you need to do is meet at the address below to collect your prize.

Pro-monopoly talk on Slashdot?

From original post: "There is no need for a web server to be running anything [on an open port] other than Apache"

Yeah, and there is no reason for a desktop microcomputer to be running anything other than Windows. No need to play media files on anything other than Real. Why not play only Sony music CD's while you are at it?

Remind you of anything?

[ProfKyne]

.

Is it the Kobayashi Maru or is it Ender's Game?

. .

.

. . . . . .

(Captain Kirk did the same thing when presented with an "unbeatable" tactical scenario, and Ender Wiggin "defeated" his game by breaking the rules and going straight for the Giant's Eye.)

Uncle Goatse

Wants YOU to join Jon Barrett's army.

kekekeke

^_^

kekekekekekek GOGOGOGOGOGO

Re:Slashdot sucks

2001-11-27 19:34:42 Has anyone on slashdot ever gotten a story publish (askslashdot,news) (rejected)

I'm sorry, but this is hilarious.

Bad Idea!!

(by two firewalls from different vendors)

You should never use two firewalls. They rub against each other creating heat through friction and eventually break...

Oh wait, sorry I was thinking of something else.

This goes with the Ancient Chinese teaching

[IHavePowers]

Master: Do you see the candle on the table, you must put it out using only your energy. Student: What energy master? Master: Do you not feel the energy within me? You must learn to use that for yourself. Student: I think I understand master. Student grabs the master and slings him ontop of the table and the candle falls to the floor. Master: Get out of my class!

Ruptured appendix

>that's how Houdini died!

Not according to this:
http://www.foxvalleyhistory.org/houdini/fac ts.html

Ouch! It must have been a painful death.

Re:Usama Bin Laden is dead!!

Hey I was expecting to read how Osama was actually a woman, etc, etc, which is a nice twist.

Yeah, but...

[athmanb]

A real webserver usually runs a couple of different dynamic page scripts (Perl, PHP, ASP, whatever). And they are usually the key point to break in.

Re:Yeah, but...

[btellier]

Exactly. Obviously when they say "services" they really mean ISAPI extentions or modules. The point is that the more lines of code a hacker can access the more likely they are to break into the computer. More services generally means more code, more extentions means more code. If a server runs Apache with only .html access enabled the odds of breaking in are slim to none (baring some heretofore unknown haq-fu). However most sites enable one of the dynamic languages you listed above, which then creates the ability for people to hack the Triforce of web code:

- Server-Side interperatation of pathnames

- Server-Side interperatation of dynamic parameters

- Backend-Side database metacharacter injection

It's easy to secure a simple web server. It's very, very difficult to secure one offering many "services".

a copy/paste from my yahoo mail =(

[Bill+Wong]

From: ""±èÅÂæ""

To: ""bcw@rave.ch""

Subject: KDWORKS Notice mail

Date: Mon, 27 May 2002 03:18:31 +0900

Hi!
We will wire your prize as soon as we get your bank account information.
we need;
1) bank account number
2) bank routing number
3) Name on the account
4) Name of COuntry where the bank resides.

If you have any question or concern, please let us know.
Have a great day!

Re:a copy/paste from my yahoo mail =(

[ProfMoriarty]

Odd ... this looks like the same email I got from some really friendly Nigerians a while back ...

But their government wasn't allowing them to physically take their money out of the country, so was wondering if they could wire it to me ...

Bogus nonsense form hackers...

[fanatic]

"And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody."


Nice try, but from outside the firewall, that's exactly how many servers will look. Segregating different unctions to different places is definiely part of a strategy.

That is the worst constructed article ever

[Xeo2]

THE WORST...
Honestly, for a professional website you'd think they'd hire better writers. No mention of the honeypot until the second to last paragraph, and even then it came out of the blue.

Re: your sig

[Inthewire]

Have you dealt with the Browning Hi-Power? The single-action first shot is annoying, but it is the most comfortable and most accurate pistol I've ever had the pleasure of carrying.

Why can't they just admit they aren't good enough?

How egotistical can they get? Oh, it wasn't realistic they say. BS. Don't be an ass, just admit you weren't good enough.

I can see it now.

[Guido69]

"I hacked KDWorks and all I got was this lousy T-Shirt!"

No Mac webserver has ever been hacked! Ever.

No Mac webserver has ever been hacked! Ever.

This is despite two large contests.

That is why the us army once gave up and for some of its sites used Mac OS 9x and Webstar.

There are numerous technical reasons why no mac webservers have ever been remotely hacked and exploited.

no UNIX is as secure as Mac OS 9 and earlier according to the hundreds of exploits in Unix and the
lack of a single exploit ever discoverred in OS9 web servers.

If you want security, get rid of root, get rid of command line, get rid of single fork executables,
get rid of filename extensions, get rid of unix utility software, get rid of ANSI C library based
code and its C string buffer exploits, and save return addres HIGHER up the stack, etc etc. Basically you end up with Mac OS 7 through 9.

If security is paramount, to exclusion of all else, then Mac OS 7 through 9 cant be beat.

SecurityFocus concurs.

But most linux loving slashdot readers will never understand the TECHNICAL reasons no mac web server running Webstar and Mac OS has ever been rooted, or ignore the facts.

Re:No Mac webserver has ever been hacked! Ever.

No Mac webserver has even been hacked because macintoshes don't yet support being hacked. However, the new iHac interface coming out next year should fix this problem, and further advance the Apple product line.

Why not Fugly?

Why not name the contest
The Good, Bad, and the Fugly.

Check out www.fugly.com!!! The place to be for all Morons.

thttpd - "Not real world"?

[Latrell+Sprewell]

Originally posted by noahm:
You won't likely see a real-world web site run on thttpd or something.

Voyeurweb (porn), one of the most heavily used sites (in visitors and bandwidth usage) on the 'Net, has been using thttpd v2.20x for a long time...

Netcraft search results for Voyeurweb

Flamed by an AC

[BlueFrog]

Jeez... guess I should really be ashamed, huh.

Mac fixed that no-hack problem.

[xQx]

Okay, get your facts straight:
No server running Macintosh OS 7 through 9 has been hacked! remotely. Ever.

This was quite simply, because macintosh in their infinate wisdom couldn't see a use for a command prompt. Everything could be done via a single mouse click. (or, you know, and option click to emulate a right mouse button)

Of course, come OS X, they fixed those problems by moving to a new platform, based on Darwin, which has one of those wonderful command prompts, and can thus be hacked. remotely.

So, before you go running around saying "No mac server has ever been hacked", just remember that No MS DOS 3 server with it's command processor removed has ever been hacked either.

what's not "Real World"???

[justanetgod]

ZDNet seems to think that a "stripped down machine running almost no services" is not "real world". Funny, I build my servers stripped down, no telnet no ftp, no r-anything, no NFS, etc - how is this not real world?

Maybe in the 80's?

Re:Why can't they just admit they aren't good enou

No shit! Every company server I've setup fits their description of "not realistic." What is the point of a webserver listening on any ports other than 80?

SOT:Re:Remind you of anything?

[Gambit253]

Usually the first thing that comes to my mind about unwinnable situations in Ender's Game is when he was faced with two teams with the odds extremely stacked in their favor and he sent a small team with the sole purpose of opening the door before anyone noticed them or the battle was even over.

Re:First Linux is Dying Post

[gotr00t]

Go look at RedHat, SuSE and Mandrake. Sun Microsystems is devoted to Open Source, but not as much as some other firms. Their Solaris OE is free, but not free free, as in open. This can be contributed to their downfall. Moreover, their adoption of Open Source only occured a few months back, and on a minimal scale, so it is not realiable to use Sun as an example. Moreover, it's open SOURCE software. So, either your analysists are very poor in their diction, or you are (hence your name, Stock Quote Troll), or you're attempting to produce a pun, but I don't find that funny or even tasteful.

"ALL YOU PEOPLE AGAINST OPEN SOURCE ARE AGAINST FREEDOM! YOU FREAKISH TERRORISTS!"

Good lord, a gaming nerd.

[AlienRelics]

Alignment? Chaotic Good? Why am I hearing more and more people described in gaming nerd terms?

Whatever happened to describing people in computer terms? Short on RAM, experiencing a buffer overflow, 8.4 Gigs installed but only 540 megs addressable by current OS, his hard drive is compressed with Stacker but he's got MSDOS 6.22 installed... y'know, stuff real people say.

;')

So they're complaining...

[Trogre]

...that the competition was too tough for them? Harden up.

They say that the machine was running a version of Smoothwall linux with Apache running on a non-standard port and a minimum of other services.

Now their complaint is that this does not reflect a real-world situation. What is a real-world situation? A Windows machine running IIS? A default Red Hat install with all firewalling turned off and all services turned on?

I know I wouldn't run Telnet, SMB, Rlogin, Xdmcp and other "please hack me" services on my public webserver. I also would be inclined to put my webserver on a port where hackers wouldn't normally look. It's just common sense.

I thought the purpose of a hacking contest was to say "Here's a machine we think is unbreakable, now go break it". These jokers seem to be saying "hey, you've made it unbreakable, what gives?" I somehow get the feeling that kill9 and m0rla have missed the point.

(btw, anything related to Smoothwall should be avoided at all costs)