Slashdot Mirror

← Back to Stories (view on slashdot.org)

Moronic Hacking Contest Ends In Free-For-All

Posted by chrisd on from the stupid-marketing-tricks-end-badly dept.

atomgiant writes "ZDNet is running an interesting article about the KDWorks hacking contest that has gone bad, or good, depending on your perspective. Entertaining read in any event." I think that Bruce Schneier has said it best on the value of contests such as this one. That the registration server was compromised I think is a telling comment on the value of whole site security.

7 of 297 comments (clear)

  1. Re:DEFCON, HOPE, etc by TweeKinDaBahx · · Score: 5, Insightful

    None, because hackers don't tend to teach each other anything. If a company were to send thier IT team to DEFCON with the hope they would learn something, it would also make sense that the company in question must have a CIO who smokes crack.

    Security seminars are geared so that everyone learns, cons are geared so that people who already know can have fun.

    --
    Linux is dead.
    LU
  2. duh. more script kiddies to the rescue by Telastyn · · Score: 5, Insightful
    The system set up by KDWorks had almost all of its services deactivated, according to kill9 and m0rla. "The contest server was only simulation, not a real-world environment," they wrote. "And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody."


    Heh, in my experience, it's quite to the contrary. Anyone with half a brain turns off nearly all, if not all services to stop script kiddies like you =]
    1. Re:duh. more script kiddies to the rescue by warpSpeed · · Score: 5, Insightful
      All of the web servers for which I'm responsible present an http server to the world on ports 80 and 443, and nothing else

      To take that one step further, at the firewall I block all the outgoing connections as well. The web server, in most cases, should not be initiating connections to the outside.

  3. Re:Not "real world"? by noahm · · Score: 5, Insightful
    I've got to agree with you on this. There is no need for a web server to be running anything other than Apache.

    I suspect that meanings are being mixed. I don't think they are complaining that the server wasn't running bind, fingerd, NFS, etc etc. I suspect it was more that the web server software itself was unreasonably minimal. You won't likely see a real-world web site run on thttpd or something. I imagine the web server didn't support things like CGI and stuff, so the only way to get in would be to exploit a known buffer overflow or to exploit something on the OS level. There was no searching for insecure form handlers or things like that.

    But I could be wrong. There are lots of idiots out there, after all.

    noah

  4. Your BS for the day... by Chris+Burke · · Score: 5, Insightful

    This cracked me up. The article says that the honeypot server would start a tracing program as soon as it detected anyone trying to connect to it and that (emphasis mine):

    "Then the tracking software analyses all the activities of the intruder (including hacking method, all the ISP used, IP address, even what the hackers punched on his keyboard) to trace down the original location of the intruder."

    Okay, thanks ZDNet. Did they tell you that, or did you just make that insanity up on your own? You get kudos either for gullibility or imagination, depending. So basically, they're trying to suggest that this program not only traces the hacker (ooh, it logs IP addys!), but then automatically hacks the hacker's machine to install a keystroke logger.

    Each day you learn something new. Then something comes along so stupid it damages the brain cells that managed to learn that new thing. But at least I laughed. :)

    --

    The enemies of Democracy are
  5. Re:DEFCON, HOPE, etc by Pinball+Wizard · · Score: 5, Insightful
    Have you ever seen the "Nick Burns, Computer Guy" sketch on SNL? That's what talking to most hackers is like.

    you really shouldn't be involved in computer security if that's the case.

    There is a name for people who can follow simple, easy-to-understand laundry lists of how to approach computer security. They're called script kiddies. You really think this stuff can be simplified to the point that you can understand, given your apparent lack of experience?

    Becoming a real hacker as opposed to a script kiddie takes years and there are no shortcuts. Learn the inside and outs of the operating systems you use. Learn a programming language inside and out. Then learn successively lower-level programming languages until you get to C and assembly and learn those. Meanwhile, pay attention to the theoretical aspects of all this stuff - meaning learn about algorithms and the underlying mathematics.

    No one is trying to hide the secrets from you, just trying to discourage you from thinking there is a simple explanation to everything - and thinking that someone can tell you all about computer security in plain english(i.e. none of those anti-social phrases like 'buffer overflows') You want to be a hacker? Hit the books, and be prepared for years of hard study.

    Then you might understand some of those seemingly obscure references that for the moment are beyond your grasp.

    --

    No, Thursday's out. How about never - is never good for you?

  6. Re:Interesting thing about the site... by rlowe69 · · Score: 5, Insightful

    Or does zdnet own the com.com domain?

    Yes. I asked this question about six months ago, and a clever person pointed out that this would allow ZDNET to use a cookie with the com.com domain across its whole family of sites. Then they could track a person uniquely, customizing advertising, preferences or anything else. I don't know if they actually do this, but it would be a good way to do it.

    rL

    --
    ----- rL