Slashdot Mirror

← Back to Stories (view on slashdot.org)

Moronic Hacking Contest Ends In Free-For-All

Posted by chrisd on from the stupid-marketing-tricks-end-badly dept.

atomgiant writes "ZDNet is running an interesting article about the KDWorks hacking contest that has gone bad, or good, depending on your perspective. Entertaining read in any event." I think that Bruce Schneier has said it best on the value of contests such as this one. That the registration server was compromised I think is a telling comment on the value of whole site security.

181 of 297 comments (clear)

  1. Hmm by FooBarWidget · · Score: 1, Insightful

    Why do I have a feeling that they're using this "contest" to lure hackers, only to get them into jail...

    1. Re:Hmm by clunis · · Score: 1

      that would explain why it otherwise appears to be a honeypot. ;)

    2. Re:Hmm by unicron · · Score: 3, Informative

      They have this law, called entrapment, that says people can't be baited into committing crimes. You should look into it, might interest you.

      --
      Finally, math books without any of that base 6 crap in them.
    3. Re:Hmm by Silver+Rose · · Score: 1

      If they have the consent of the owner of the computer being hacked, then they have comitted no crime. This would be only a little bit of circumstantial evidence against any given hacker. I, for instance, may someday take up hacking because it sounds like a fun challenge. However, I would have no intention of hacking a computer without the owner's express written permission. Ergo, I would never have comitted any crimes, and the contest would not have lured me into doing anything.

    4. Re:Hmm by fishebulb · · Score: 2

      entrapment only applies to LAW ENFORCEMENT.

      there is no crime commited here because the people were allowed to.

      Entrapment only applies when a law enforcement official gets you to commit a crime that you wouldnt without them badgering you.

      So since its not a crime to hack into something you have permission to, and they are not police/FBI/etc there is no entrapment

    5. Re:Hmm by unicron · · Score: 1

      Well, considering they keep changing the rules and backpeddling, I'd say the amount of confusion being generated by this contest gives the hackers a nice layer of protection.

      --
      Finally, math books without any of that base 6 crap in them.
    6. Re:Hmm by Anonymous Coward · · Score: 1, Interesting

      I wouldn't say that it's to get them into jail... But I'm sure using a "contest" like this wouldn't go beyond what "Homeland Security" would do to find potential "threats", so they can begin to keep tabs on them.

      just a thought...while it's still free to have one...

      a terrorist
      (...at least according to the USA PATRIOT ACT)

    7. Re:Hmm by unicron · · Score: 1

      I'm afraid you really don't know what you're talking about. What do you mean allowed too? When the police do it, criminals also believe they're "allowed to" only to get taken away directly after doing it.

      You're also just reinforcing my point by saying that only the police can attempt this. Police get nailed to the wall for doing this, so what do you think would happen to a private company?

      I could've hacked any damn server in their company during that 48 hour block and claimed I was under the impression the server I hacked was the true target, and the rest were honeypots. It's completely plausible. Hell, it could be completely true. You take a wrong turn in their infrastructure and start hacking the payroll server my mistake..hell, an honest one.

      In short, this company doesn't have the slightest hint of a leg to stand on if they decided to pursue criminal charges against those hackers involved in the contest.

      --
      Finally, math books without any of that base 6 crap in them.
    8. Re:Hmm by unicron · · Score: 1

      Actually entrapment simply means "to draw into damaging admission". I can entrap people into doing things, so can you, so can anyone. 5 year olds tell their little brothers to steal cookies just because he wants to watch the kid get punished.

      Regardless of what Sean Connery tells you, dipshit, it's a not a thing only the police can do.

      And my sig means that arrogant people are usually ignorant. My post was neither.

      --
      Finally, math books without any of that base 6 crap in them.
    9. Re:Hmm by mabinogi · · Score: 1

      Entrapment only happens when police trick someone into doing something illegal. The act of encouraging them to do it, doesn't make an illegal thing legal, which is the whole point.

      One part of the previous poster's point was that the act of 'hacking' into a machine you have been given permission to try and crack is not illegal in the first place, so therefore entrapment cannot apply, whether or not it's done by an officer of the law or a private entity.

      --
      Advanced users are users too!
    10. Re:Hmm by neuroticia · · Score: 1

      I don't think it was "entrapment", and I don't think the original poster was saying that it was. I think that the point of the post could have been better put into a paragraph or three as opposed to a sentence.

      The contest could keep records of those who participate, and all the attempts made, and then hand them over to a law enforcement agency to give the agency a "fingerprint" of the hackers involved. Since the contest was legal, the hackers would not have attempted to cover their tracks, and most likely would have used a trackable/real internet account. The law enforcement agency, once posessing the "fingerprint" of the attack could then compare it to similar (illegal) attacks and see if any of them had the same fingerprint.

      The actual act of hacking a server that a company has opened up for hacking is not illegal and they could not be arrested for trying to hack that particular server, but they could then be brought under investigation for any crimes that were committed with similar methodology.

      -Sara

  2. DEFCON, HOPE, etc by totallygeek · · Score: 3, Interesting
    Do many companies feel that these are more beneficial to send employees to (IT nerds, information security people, etc) than some of the security training courses/seminars we all get junk mail from? I am working really hard for my company to send me to Red Hat's firewall school, DEFCON, and then SANS. What is the general concensus?

    --
    Click here or here.
    1. Re:DEFCON, HOPE, etc by TweeKinDaBahx · · Score: 5, Insightful

      None, because hackers don't tend to teach each other anything. If a company were to send thier IT team to DEFCON with the hope they would learn something, it would also make sense that the company in question must have a CIO who smokes crack.

      Security seminars are geared so that everyone learns, cons are geared so that people who already know can have fun.

      --
      Linux is dead.
      LU
    2. Re:DEFCON, HOPE, etc by totallygeek · · Score: 3, Interesting

      Security seminars are geared so that everyone learns, cons are geared so that people who already know can have fun.


      I am finding myself unable to get anything out of going to seminars. So, maybe I am closing that gap between needing to learn basics and picking up information at a conference. It is tough when I am told that I must attend training, and it is boring information about ports and services and maybe something about some Windows software I will never use that can do "what is called a port scan."


      Maybe I will go to DEFON or the like and see what I can input and bring back...

      --
      Click here or here.
    3. Re:DEFCON, HOPE, etc by TweeKinDaBahx · · Score: 1

      Everyone has a different way in which they learn, some people can't just be told or shown but must do something hands on.

      Maybe there's something to be said for DEFCON as a way to learn security.

      I look at it this way: Training should include some of the boring stuff, because it does tend to be important. Yet you must also cover how things work in the real world, and the best way to do this is by demonstration (not just by being shown, but also by seeing and doing it yourself).

      Maybe a combination of classwork/honeypot games would make a good training course.

      (BTW, That idea is open Source, just like my beer).

      --
      Linux is dead.
      LU
    4. Re:DEFCON, HOPE, etc by Digital+Prophet · · Score: 2, Insightful

      None, because hackers don't tend to teach each other anything. Huh? Part of the nature of a hacker is to ask questions. The hacker community as a whole does nothing but teach each other stuff. Perhaps you like to ignore the hacker publications like 2600 Magazine. I think you are thinking of some other people.

    5. Re:DEFCON, HOPE, etc by bafu · · Score: 4, Insightful

      Security seminars are geared so that everyone learns, cons are geared so that people who already know can have fun.

      Based on my experience at the cons, I'd have to say that is a fair assessment. On the plus side, some were very cheap. You pay for your hotel room, but your actual conference fee was kicking in a share for the booze... :-P

      Anyway, they weren't a complete waste of time, but the primary benefit was meeting folks, not learning lore.

      I am finding myself unable to get anything out of going to seminars.

      They don't do much for me, either. The thing is, if all you are looking for is info on how to better secure your systems, there is loads and loads of it available on the net. The plus is that you can proceed at your own rate and dive however deep you want. If your boss is really twisting your arm about taking courses, I'd see if you can get something detailed on advanced firewall configuration or performance tuning something like that. Those are areas where it's common to only take the self-training as far as the immediate job requires... a course might cover things that would be nice to know in the future, as well. If the boss'll spring for books, that can be good, too.

    6. Re:DEFCON, HOPE, etc by totallygeek · · Score: 2
      I'd see if you can get something detailed on advanced firewall configuration or performance tuning


      It hasn't worked out where I can attend the Red Hat firewall course this month (I am an RHCE now), but aside from that type of intense course -- where are the other options? I am beyond what I can learn from a CompuMaster or security boot camp type workshop.

      --
      Click here or here.
    7. Re:DEFCON, HOPE, etc by TweeKinDaBahx · · Score: 1

      Part of the nature of a hacker is to ask questions.

      Sure, we all have to learn somehow. Have you ever seen the "Nick Burns, Computer Guy" sketch on SNL? That's what talking to most hackers is like. Hackers may teach each other, but normally it by passing you off to a link or some other reference. Since not all of us can learn in this fashion, one might as well be asking thier hairdresser to teach them about buffer overflows in BIND.

      The hacker community as a whole does nothing but teach each other stuff.

      Maybe they should teach each other a little something about tact, empathy, and of course, personal hygiene.

      Perhaps you like to ignore the hacker publications like 2600 Magazine.

      This is like saying "Newsweek tells me the news". Sure, it has some substance, but how useful is half of the garbage they print in that magazine anymore? It's really gone downhill from what it used to be. Not to mention that it's nearly impossible to find anymore (ESPECIALLY if you don't live in a big city).

      And to elaborate upon "hackers don't tend to teach each other anything", at a con like DEFCON, your trying to win. Why would you teach a no0b how to do it when you could be using your time to get it done yourself?

      Oh right, RTFM is not a valid training technique for an absolute no0b once programs get more complex than outlook. So don't even go there.

      --
      Linux is dead.
      LU
    8. Re:DEFCON, HOPE, etc by Pinball+Wizard · · Score: 5, Insightful
      Have you ever seen the "Nick Burns, Computer Guy" sketch on SNL? That's what talking to most hackers is like.

      you really shouldn't be involved in computer security if that's the case.

      There is a name for people who can follow simple, easy-to-understand laundry lists of how to approach computer security. They're called script kiddies. You really think this stuff can be simplified to the point that you can understand, given your apparent lack of experience?

      Becoming a real hacker as opposed to a script kiddie takes years and there are no shortcuts. Learn the inside and outs of the operating systems you use. Learn a programming language inside and out. Then learn successively lower-level programming languages until you get to C and assembly and learn those. Meanwhile, pay attention to the theoretical aspects of all this stuff - meaning learn about algorithms and the underlying mathematics.

      No one is trying to hide the secrets from you, just trying to discourage you from thinking there is a simple explanation to everything - and thinking that someone can tell you all about computer security in plain english(i.e. none of those anti-social phrases like 'buffer overflows') You want to be a hacker? Hit the books, and be prepared for years of hard study.

      Then you might understand some of those seemingly obscure references that for the moment are beyond your grasp.

      --

      No, Thursday's out. How about never - is never good for you?

    9. Re:DEFCON, HOPE, etc by electroniceric · · Score: 2

      I disagree.
      There's no excuse for not knowing how to communicate with people of variety of levels. You may be a whiz in front of a
      [root@boxen root]$
      but if you can't express these ideas to people who don't already know most of what you're talking about, you're taking a lot of chances on somebody recognizing your genius.

      I do agree to really master the subject, you do have take the time to learn it through and through. A buffer overflow is a compact phrase representing of a particular concept. But you may well be called on to explain in lay terms what that idea means and why Project X should pay you to make sure there aren't any.

      All of which is to say, make sure you take an English class or two before leaving college.

    10. Re:DEFCON, HOPE, etc by oni · · Score: 2

      but if you can't express these ideas to people who don't already know most of what you're talking about, you're taking a lot of chances on somebody recognizing your genius.

      I suspect these people who failed to express their ideas to you had very little respect for you and held you in such low regard as to be completely unconcerned with whether or not you recognized their genius.

      I also suspect you'd have a similar experience if you asked a brain surgeon "how do you make it go?"

      That said, this is not intended as a flame. I simply wanted to point out my own experience. I think some people can be quite articulate - and also very choosy about whom they articulate to. Once I stopped asking stupid questions, I found I was no longer seen as stupid and I ended up learning a lot more.

      Or to put it another way: "it is better to keep your mouth shut and have everyone think you're a fool, than to open it and remove all doubt" -- Mark Twain

    11. Re:DEFCON, HOPE, etc by CAIMLAS · · Score: 2

      If I'm not mistaken, isn't that quote actually belonging to Abe Lincoln?

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    12. Re:DEFCON, HOPE, etc by a+nanny+mouse · · Score: 1

      How do you not ask questions -and- learn more?

    13. Re:DEFCON, HOPE, etc by oni · · Score: 1

      How do you not ask questions -and- learn more?

      If you constantly ask question like:
      "teach me how to hack?"
      "how do I break into windows?"
      "do you have any zero-day exploits?"

      They'll think you're stupid. You'll learn nothing. You see, anything is better than nothing.

      If you just watch what they are already doing, you *will* learn something. Obviously, if you miss something you can ask "What was that?" They'll answer those questions. Just don't be an annoying little leach.

    14. Re:DEFCON, HOPE, etc by Gryftir · · Score: 1

      What I think would be most helpful for some is direct hands on training over a course of time.
      First off, hands on means directed training, I found most seminars were focused on the theory, I think theories are after market add-ons to practice. Only after going through enough processes, either on your own in a self directed fashion, or with the personal attention of a teacher, can you really grok a theory.
      Case in point, a long time ago I took a class on computer networking. This wasn't Cisco Routing 101 or anything that useful, but one of those classes where we learn facts about protocols, history, and that fucking layer system. Only after I got to play with routers did all that theory make sense. And in no way did that theory actually help me with the routers.
      Second, IMHO the only way to learn discipline is through actually going through the processes. It's the difference between reading a book on HTML and actually building a webpage, only by producing something do you learn. That's the real reason you make webpages in those internet classes, not some sort of test of your ability, but the use of what you learn settles that knowledge in you.
      If you want to teach people proper security auditing, or whatever term you use for network security procedures, you have to stop giving them lectures on attacks, and start giving them systems being attacked, or perhaps better, start them attacking systems. Gryftir Santa Carla by Night

      --
      http://www.santacruzbynight.com/index.shtml Santa Cruz By Night Vampire Larp
    15. Re:DEFCON, HOPE, etc by Shadow51 · · Score: 1

      I've been to Defcon and the truth is there is alot to learn...

    16. Re:DEFCON, HOPE, etc by Nipok+Nek · · Score: 1

      Try Proverbs 17:28

      http://www.bartleby.com/108/20/17.html#28

      --
      Why choose white shoes?
    17. Re:DEFCON, HOPE, etc by NoMoreNicksLeft · · Score: 2

      Yes, I coined that phrase back in 1861, I believe. Ok, so I'm not the original Abe Lincoln, but a clone created by the Beta Reticulans as part of their master plan to subdue the people of Earth through treachery, illusion, and unwatchable formulaic sitcoms. Still, give credit where credit it due.

    18. Re:DEFCON, HOPE, etc by a+nanny+mouse · · Score: 1

      Yes, that is true. I agree.

  3. Jeebus... by TweeKinDaBahx · · Score: 3, Funny

    It's a silly idea all together, hacking, but I guess it must be better than girls/sunlight.

    Any hackers who get busted deserve what they get for being dumb enough to show.

    I recall a sherrif's dept. sending out letters to people with outstanding warrants exclaiming that they had one a prize and had to go to a certain address to claim it. Needless to say, the cops had a field day arresting all sorts of people, who were actually dumb enough to buy the ploy.

    Just rememebr, if you're doing illegal things, there's always a chance you'll get caught. The best thing to do is just not get caught :)

    --
    Linux is dead.
    LU
    1. Re:Jeebus... by binaryDigit · · Score: 2

      Didn't a cable/satellite company do this once? Where they somehow sent a re-program signal to their cards. Those who had illegal service ended up seeing a message to the effect of, "if you see this message and are having problems with the cable signal, please call xxx-xxxx". I recall that it was amazingly effective in "trapping" quite a few cable/sat pirates.

    2. Re:Jeebus... by Wildcat+J · · Score: 5, Funny
      If you recall, this occurred on the Simpsons. The Springfield police department sent out notices to criminals claiming they had won a boat. They picked up Homer for an unpaid parking ticket, which he promptly paid, then he demanded his boat. Everything in life can be related back to a Simpsons episode!

      -J

    3. Re:Jeebus... by tg_schlacht · · Score: 1

      I recall a sherrif's dept. sending out letters to people with outstanding warrants exclaiming that they had one a prize and had to go to a certain address to claim it. Needless to say, the cops had a field day arresting all sorts of people, who were actually dumb enough to buy the ploy.

      This has been done a lot. "You have won a [car, truck, boat, trip to Vegas]." It seems criminal elements of society always like getting something for nothing. Go figure.

    4. Re:Jeebus... by ashitaka · · Score: 2

      It seems criminal elements of society always like getting something for nothing

      Hmmm. Unfortunately you could say the same thing about just about everyone on the planet.

      Barring a few monks.

      --
      If you don't want to repeat the past, stop living in it.
    5. Re:Jeebus... by AJWM · · Score: 2

      TCI did something similar during a pay-per-view boxing match. Flashed up a message offering a free T-shirt (or some such) to those calling a certain 800 number.

      A simple cross check of the callers vs those who'd actually paid to watch the fight turned up a number of PPV freeloaders.

      --
      -- Alastair
    6. Re:Jeebus... by unicron · · Score: 1

      Lisa: Where's our boat?

      Homer(ANGRY): I didn't want it.

      Lisa: Why not?

      Homer(ANGRY): The mast had termites.

      Lisa: Why would a motor boat have a mast?

      Homer(Angry): Because the dingy was...SHUT-UP!

      --
      Finally, math books without any of that base 6 crap in them.
    7. Re:Jeebus... by ayden · · Score: 4, Funny

      I specifically remember this event. Continental Cable, the precursor of MediaOne and my cable provider at the time did this very thing in Northwest Connecticut in the early 1990's. There was a Pay Per View boxing match scheduled for a particular night. Since it was a Pay Per View event, the cable company had an exact list of everyone who had officially ordered (and paid for) the event. The cable company sent a special "commercial" for a free T-shirt to everyone tuned to the Pay Per View channel but also sent a signal to the cable boxes of everyone who paid for the program telling their cable boxes not to show the commercial. The result was that dozens of people called the "toll free" number and turned themselves in.

      I have two feelings on the subject:

      1. After spending over $1000 (over a number of years) on their product, Continental Cable didn't consider me good customer, but a suspect. How I longed for competition in cable industry.

      2. I took this as a warning and learned my lesson well. Beware of anyone offering you something for free.

      --
      "I'm The Bounty Bear. I will find him anywhere. I'm searching."
    8. Re:Jeebus... by Malicious · · Score: 1

      There is also a secondary Simpsons reference, where Skinner, told Bart, Jimbo, Kearny, etc... that they had all won free bikes. He then proceeded to lock them in a storage closet, for the rest of Super Intendant Chalmers stay... However, if i remember correctly, in the end, Skinner was forced to buy all the kids bikes anyway.

      --
      01101001001000000110000101101101001000000110001001 10000101110100011011010110000101101110
    9. Re:Jeebus... by zootread · · Score: 2, Funny

      It's a silly idea all together, hacking, but I guess it must be better than girls/sunlight.

      Back in high school I hacked some schoolwork for some chicks, they loved me for it. Chicks dig hackers, its a huge turn-on for them. They also like guys who can fix their computers. Girls always say "come over fix my computer." And they usually repay me with sex. Damn life is good.

      --
      Zoot!
    10. Re:Jeebus... by anotherone · · Score: 1

      It sounds like they specifically set it up so that people who paid for the program were NOT treated as "suspects." I don't understand what you're trying to say.

      --
      Username taken, please choose another one.
    11. Re:Jeebus... by Inthewire · · Score: 1

      One a prize, two a prize, three a prize, enterprise.

      --


      Writers imply. Readers infer.
    12. Re:Jeebus... by andhar · · Score: 1

      Okay, but the real Springfield, IL police department beat the Simpson's Springfield police department to the punch anyway.

      I remember back in the early 80's when the SPD busted some criminals at the Prarie Capital Convention Center after sending them letters that said they had won something.

      I don't remember any kids named Bart at my school, though.

      --
      Vaya con huevos, my darling.
    13. Re:Jeebus... by zootread · · Score: 1

      Chicks usually dig personality, social skills, confidence, money, power etc. - all of which are in rather short supply in the hacker community; if hackers had any real power they wouldn't be so desperate to show how "powerful" they are.

      You're right, its not the hacker in me that attracts the hotties. In fact I don't tell them about that stuff anyways. But my point is that not all hackers are dweebs living in their parents house who can't get laid. Some of us who used to go around exploring systems, are now professionals making $65k/year. So I spent all my free time back in high school in front of a computer screen. Now I make big bucks working in front of a computer screen, and then get laid in my free time. I say again, damn life is good. This is no dream.

      But you're right, being a hacker won't really get you chicks. But its not going to prevent you from getting chicks either.

      --
      Zoot!
  4. I'll start my own by Saturn49 · · Score: 5, Funny

    Maybe I'll start my own hacking contest. I give the winner a billion dollars. I'll setup 2 computers, one connected to the 'net, completely open and unpatched. It'll physically sit on top of the "secure" box, which won't be connected, or even turned on. When the "winner" tries to claim his prize, I'll simply state that he hacked the "decoy", and the real server was untouched. Sounds about as fair as this one.

    1. Re:I'll start my own by F1re · · Score: 5, Funny

      That's fine until someone breaks into where you store the computers, boots up the unconnected one and ownes it...

      --
      ...there is no sig...
    2. Re:I'll start my own by x136 · · Score: 5, Funny

      Not when they find out that the "secure" box is actually an empty ATX case. :)

      --
      SIGFEH
    3. Re:I'll start my own by Sloppy · · Score: 5, Funny

      For a billion dollars, I'll buy you a motherboard and install it.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    4. Re:I'll start my own by evacuate_the_bull · · Score: 1

      "Secure" box, an empty ATX case? Please. I've got your security right here.

      --
      Satanists get good grades too...suspiciously good grades
    5. Re:I'll start my own by phalse+phace · · Score: 2
      "I'll setup 2 computers, one connected to the 'net, completely open and unpatched"

      So I guess that means you'll be installing Windows on it then?

    6. Re:I'll start my own by Tycho · · Score: 1

      Or for that matter a machine all put together and configured with a PPC motherboard and an IDE card for an x86 PC with a hard drive connected to it with Red Hat for an Alpha installed on it.

      --
      Impersonating Tycho from Penny Arcade since before there was a PA.
    7. Re:I'll start my own by Saturn49 · · Score: 1

      No, I think a standard install of RedHat 6.2 will do just fine.

  5. waiting for... by PhilJackson · · Score: 1, Funny

    I'm just waiting for the "actually I think you mean crackers, hackers are..." comment!

  6. duh. more script kiddies to the rescue by Telastyn · · Score: 5, Insightful
    The system set up by KDWorks had almost all of its services deactivated, according to kill9 and m0rla. "The contest server was only simulation, not a real-world environment," they wrote. "And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody."


    Heh, in my experience, it's quite to the contrary. Anyone with half a brain turns off nearly all, if not all services to stop script kiddies like you =]
    1. Re:duh. more script kiddies to the rescue by Telastyn · · Score: 1

      I agree, though I perhaps disagree that server features are what the two in the article were talking about.

      Not to mention that any webserver in a situation that requires high security (or to withstand a contest) would probably be modified to turn off indexing (though yes, probably not redirection).

      And it's also arguable to say that the "real world" is filled with competant web admins that have some grasp of security...

    2. Re:duh. more script kiddies to the rescue by TweeKinDaBahx · · Score: 1

      Unfortunatly there are gobs of renegade sysadmins out there who still try and secure thier boxes rather than simply turning off services. The problem with not combining these two ideas is that either way there are still holes in your security. No setup is rock solid unless it combines security in the form of no extraneous services, freshly patched services, and hardware security (routers, VPNs, firewalls).

      Yet as people have joked, a disconnected machine is still the most secure, and a parallel cable can save yer arse.

      --
      Linux is dead.
      LU
    3. Re:duh. more script kiddies to the rescue by SuiteSisterMary · · Score: 2

      Aye, and a locked door, and people who know not to give out passwords, and so on and so forth. A disconnected machine is still meat for the beast if I can get at it for five minutes. Security is an approach, a discipline, not an exercise, not a task.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
    4. Re:duh. more script kiddies to the rescue by Tet · · Score: 4, Insightful
      Anyone with half a brain turns off nearly all, if not all services to stop script kiddies like you =]

      Yep, I was open jawed when I read that. All of the web servers for which I'm responsible present an http server to the world on ports 80 and 443, and nothing else. As it happens, they're also running tomcat and sshd, but that's firewalled off (by two firewalls from different vendors), so you won't have access to those unless you're coming in from an approved address. Anyone who believes that a web server would commonly have more services running has obviously been living in the windows world too long...

      --
      "The invisible and the non-existent look very much alike." -- Delos B. McKown
    5. Re:duh. more script kiddies to the rescue by warpSpeed · · Score: 5, Insightful
      All of the web servers for which I'm responsible present an http server to the world on ports 80 and 443, and nothing else

      To take that one step further, at the firewall I block all the outgoing connections as well. The web server, in most cases, should not be initiating connections to the outside.

    6. Re:duh. more script kiddies to the rescue by Entropy_ah · · Score: 1

      Yes, unfortunately most seem to have a quarter.

      --
      my other penis is a vagina
    7. Re:duh. more script kiddies to the rescue by Some+Dumbass... · · Score: 1

      Heh, in my experience, it's quite to the contrary. Anyone with half a brain turns off nearly all, if not all services to stop script kiddies like you =]

      Yes, but does this resemble the "real-world situation"? In a world full of sysadmins-with-half-a-brain, there would probably only be a few dozen crackers. :)

      I mean, let's be honest. Most crackers are just looking for easy targets. They'd never be able to get into a reasonably hardened system. Fortunately, there are lots of easy targets out there. To most of these guys, that's what cracking is -- capturing easy targets. Get a half-dozen of them under your control, and you can make a decent DDoS attack, or you can really, really obscure your location while you hunt for more. There's a reason why more people hunt deer than lions -- you get more trophies at less risk to yourself!

    8. Re:duh. more script kiddies to the rescue by zaphod110676 · · Score: 1

      It sounds to me a little like they are whining because the system was too hard to hack. They went for an easier target. That sounds more like script kiddie behavior that of a hacker.

      --
      To Do: 1. Take over world 2. Pick up Milk and Bread on the way home
  7. It's amazing how... by Lobsang · · Score: 1

    These so called "hackers" can be so brilliant in technical areas yet naivé to the point of branding themselves with the label of "hacker" in a public contest...

    I wish them luck. :)

    1. Re:It's amazing how... by Permission+Denied · · Score: 1

      "naivé" is not a word, in neither English nor in French. In French, the adjective is "naïf" (masculine, un garçon naïf) or "naïve" (feminine, une étudiante naïve) and the noun form is "naïveté" (masculine noun, vous avez démontré un naïveté étonnant). In English, the accepted form is "naïve," but no one will complain if you leave off the diacriticals and just write "naive."

    2. Re:It's amazing how... by Jon+Howard · · Score: 1

      These so called "hackers" can be so brilliant in technical areas yet naivé to the point of branding themselves with the label of "hacker" in a public contest...

      I'm only 21 and I can recall the days when "Hacker" didn't connote malicious intent, or for that matter, trespassing.

      Please continue supporting derogatory stereotyping, I know plenty of rednecks, hicks, etc. who appreciate having more slurs to shoot at the folks they don't understand.

      (Irony? Think about it.)

    3. Re:It's amazing how... by Lobsang · · Score: 2

      Two things:

      As a 21 year old guy, you should have noticed the quoted around the word "hacker", denoting irony.

      You're way too touchy for a 21 year old person. Truly sad.

    4. Re:It's amazing how... by Lobsang · · Score: 2

      oops...

      cat $previous_message | sed -e 's/quoted/quotes/g'

  8. Not "real world"? by alouts · · Score: 4, Insightful
    Granted, securing the overall infrastructure is as important as securing a single box when trying to defend against intrusion, but the rationale for doing it seems pretty weak.

    "And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody."

    Please. What they're basically complaining about is that the web server they were supposed to be attacking was too secure, and not easy enough to get into. If it serves up web pages, it's a web server, whether or not the admin has opened all the ports you're used to exploiting.

    'Course, the fact that there was a honeypot elsewhere on the network seems a bit shifty...

    1. Re:Not "real world"? by alouts · · Score: 1
      Ack, I should proof my comments.

      I meant to say that the rationale for these scrip kiddies ignoring the target box and attacking the registration machine seems pretty thin. Not that the rationale for securing your infrastructure overall is...

    2. Re:Not "real world"? by mangu · · Score: 1

      Assuming your hardware is powerful enough, is there any reason for not running all of those services in one machine? Suppose they scan the machine, they'll find ports 20, 21, 25, 53, 80, 110, etc. Is there any reason why these would be any safer if they were each in a separate machine?

    3. Re:Not "real world"? by noahm · · Score: 5, Insightful
      I've got to agree with you on this. There is no need for a web server to be running anything other than Apache.

      I suspect that meanings are being mixed. I don't think they are complaining that the server wasn't running bind, fingerd, NFS, etc etc. I suspect it was more that the web server software itself was unreasonably minimal. You won't likely see a real-world web site run on thttpd or something. I imagine the web server didn't support things like CGI and stuff, so the only way to get in would be to exploit a known buffer overflow or to exploit something on the OS level. There was no searching for insecure form handlers or things like that.

      But I could be wrong. There are lots of idiots out there, after all.

      noah

    4. Re:Not "real world"? by chill · · Score: 2

      The config used was a Smoothwall Linux install with Apache on a non-standard (high) port. No mail (how does the server report problems), no FTP/SSH (how do you update files on the server), no nothing.

      That isn't real world.

      As far as the "honeypot" goes, that is utter bullshit.

      --
      Learning HOW to think is more important than learning WHAT to think.
    5. Re:Not "real world"? by xinu · · Score: 1
      No mail (how does the server report problems)
      Uh easy, mails goes out, but no mail comes in... So if it bounces, it's gonna bounce for awhile or bounce to the default MX in DNS.
    6. Re:Not "real world"? by rlangis · · Score: 1

      'Course, the fact that there was a honeypot elsewhere on the network seems a bit shifty...

      If I were in charge of a high-profile system on the net, you can be DAMNED sure I'd stick a honeypot RIGHT NEXT to the secure server. I'm *much* rather have script-kiddies and wannabe hackers going after something I could give a damn about rather than my data.

      That's NOT shifty my friend, that's common sense.

      --
      GIR: I'm going to sing the Doom song now. Doom doom doom doom doom doom de-doom doom doom doom doom doom doom...
    7. Re:Not "real world"? by mabinogi · · Score: 2, Informative

      >Is there any reason why these would be any safer if they were each in a separate machine?

      Yes, a compromise of one service wouldn't automatically lead to a compromise of all...

      It doesn't really lessen the chance of having something compromised, just limits damage if it does happen.

      --
      Advanced users are users too!
    8. Re:Not "real world"? by espo812 · · Score: 1

      Seems pretty useless to me. Why waste time setting up yet another system when you could be spending that time securing or scanning your system more? A honeypot is marginally useful for security.

      --

      espo
    9. Re:Not "real world"? by JimmytheGeek · · Score: 1

      "You won't likely see a real-world web site run on thttpd"

      I use it - works nicely. It *IS* for a static web site, I admit.

    10. Re:Not "real world"? by nomadic · · Score: 3, Insightful

      Well then why do all the self-appointed security experts on slashdot always insist that anything can be hacked. Of course they didn't make it easy, geeze, they were offering 100k. And people are complaining that it's too hard?

      Maybe the people that tried just aren't very good hackers?

    11. Re:Not "real world"? by caluml · · Score: 2, Insightful

      Let's break this down.

      The config used was a Smoothwall Linux install with Apache on a non-standard (high) port.

      Maybe that's to stop simple probs and shite like Code Red/Nimda cluttering up the logs? If it's not meant for public consumption, what's the problem?

      No mail (how does the server report problems),

      I don't understand this. As you say, How does the server report problems. Install Sendmail/Postfix/Whatever, and only allow outgoing connections.

      no FTP/SSH (how do you update files on the server),

      No world-accessible FTP/SSH you mean. Just cos you can't see it, doesn't mean that the people that admin it haven't opened it to their ranges, or a trusted host.

      no nothing.

      Good. Exactly right. Open only the ports you need open, and make sure the daemons/services running at the end of those ports are secure. What was that Mark Twain quote again...?

      --
      Get your own free personal location tracker
    12. Re:Not "real world"? by ryepup · · Score: 1

      Well, if they crack one box then that provides access to all the other machines via the second NIC in the 192.168 range, which could potentially be more harmful, if that range is assumed secure by all other servers.

    13. Re:Not "real world"? by shyster · · Score: 4, Insightful
      "And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody." Please. What they're basically complaining about is that the web server they were supposed to be attacking was too secure, and not easy enough to get into. If it serves up web pages, it's a web server, whether or not the admin has opened all the ports you're used to exploiting.

      Evidently, that Smoothwall Linux server was indeed NOT a real world example...just take a look at KDWork's other webservers. If KDWorks can't secure ALL their servers, they have no business offering up a hack bounty...or security products.

      I believe the hackers' point was that, yes, an otherwise unfunctional box can be secured to the point of being extremely difficult (or impossible) to crack. But, as soon as that box starts doing something functional (like, for instance, processing registration requests connected to a database server), then they can hack it.

    14. Re:Not "real world"? by shyster · · Score: 2

      And I imagine youor thttp server is not doing anything particularly useful, either, is it? And it also doesn't receive very many visits, does it? And contains no interesting info, I'd bet. Exactly the hackers' point.

    15. Re:Not "real world"? by dossen · · Score: 1

      You are assuming that the server should connect to other servers. That may be true for a limited number of services (webserver to db-server or such), but in general there is no reason to trust a host to do anything other than what it is supposed to do. So just don't assume that the servers will remain under your control, put them on a DMZ and allow only the connections from them that are truely needed.

    16. Re:Not "real world"? by pacman+on+prozac · · Score: 1

      It depends what you mean by useful. It's perfectly possible to build a good functional website with some actual content using static pages. They're a helluva lot more useful than the millions of php nuke sites that have popped up everywhere imo.

      And contains no interesting info, I'd bet. Exactly the hackers' point.

      Whether a site has any interesting content has precisely sodall to do with whether that content is dynamically generated or not. It sounds more like the hackers were complaining that they could n't ./overflow it. For $100k did they really expect to be able to download something off packetstorm and walk straight off with the money?

    17. Re:Not "real world"? by pacman+on+prozac · · Score: 2, Insightful

      I'd stick a honeypot RIGHT NEXT to the secure server.

      I'd recommend you at least put a switch between them. If a honeypot that is literally right next to any production server gets cracked you risk having man-in-the-middle attacks run aswell as sniffing things like the ftp/email passes for the local segment.

      Common sense would be running a honeypot anywhere but right next to the secure server :)

    18. Re:Not "real world"? by Sabalon · · Score: 2

      Huh? Okay...so they took a hardened os and put Apache on it. They put it on something other than port 80. If you are setting up a server that serves pages (possibly internal info) this is a good way to hide it from script kiddies.

      No mail? You don't need to have sendmail running as a daemon listening on port 25 for mail to work. I have two HP's that don't accept mail, but send me mail on a regular basis.

      As for no ftp/ssh - so? You can go to the console and update files. Perhaps they have another machine with ssh and a serial link? Perhaps ssh is firewalled off? perhaps they have something that watches for an attempt to connect to a certain port that will then launch sshd for 5 minutes?

      Perhaps the static pages it was serving were generated every 5 minutes by a perl script?

      Just because a server isn't running the default RedHat install or something doesn't mean that it isn't real world.

    19. Re:Not "real world"? by JimmytheGeek · · Score: 1

      It's doing a very useful thing for us. The traffic volume is low, but could be extremely high and not freak the server. Bandwidth throttling will allow us to set a ceiling in the unlikely event traffic exceeds fastethernet.

    20. Re:Not "real world"? by shyster · · Score: 2
      Whether a site has any interesting content has precisely sodall to do with whether that content is dynamically generated or not.

      I didn't say the content wasn't interesting. The content, whether static or dynamic when the server processes it, is all static once the browser gets it. The content could very well be interesting. But, with only static HTML, there's no database access. That's where juicy info (that's supposed to be hidden) lies. A static HTML site is, more or less, open for the world to see as it is.

      And, there's simply no point in cracking a static site. At best, one could hope for creating a shell account with it. But, then static sites aren't usually connected via high bandwidth lines, and usually don't have high end hardware, so what's the point? Of course, you could always destroy the site, or replace it with an 0wn3d page, but static sites aren't usually high profile, and are pretty quick and easy to rebuild.

      My point is that not only are static sites harder to hack, but they're also not a very tempting target anyways. And, I can't think of a single high profile site that's purely static HTML. Therefore (unless my memory is simply miserable today, and there's quite a few high profile plain HTML sites), they really aren't a real world example of a site likely to be hacked.

    21. Re:Not "real world"? by spir0 · · Score: 1

      You won't likely see a real-world web site run on thttpd

      what do you consider real world? here's a quote from right off thttpd's front page:

      "Some major sites that are running or have run thttpd:

      * demon.net, Demon Internet, a large UK ISP
      * global.net.uk, Global Internet, another large UK ISP
      * bluelight.com, Kmart's web site
      * img.gamespot.com, GameSpot's image server
      * download.napster.com, Napster's download server
      * stephenking.com, Stephen King's official site
      * mtv.com, It's not TV, it's eMpTV.
      * news.excite.com, one of Excite's internal servers
      * valueclick.com, a banner ad broker
      * The Sovereign Principality of Sealand "

      --
      The reason girls and Windows users don't understand UNIX is because all the documentation is in Man files.
  9. Is it hacking when invited? by AIM-9X · · Score: 2, Interesting

    It seems a little ambiguous - if you are invited to hack, is that a crime?

    Granted, there are some thresholds never to be crossed. "Sure, you can shoot me, you won't get in trouble" etc.

    Nonetheless, I'd be sure to get written permission from the hackee.

    --
    ***
    This is my Sig. This is my Glock, this is my Walther, and this is my Beretta.
    Any questions?
    1. Re:Is it hacking when invited? by xeromist · · Score: 1

      Yes, it's still hacking. Hacking refers to actions, not to the legality of those actions. Hacking does not mean you are doing something illegal. In fact, some companies will actually pay a consultant to hack their system so that vulnerabilities can be discovered and fixed.

      Example: Fighting is perfectly legal, but only when it is consensual(ie. boxing). Yet it is still called fighting whether legal or not.

      --
      This sig is exactly seventy characters long and a real waste of space!
    2. Re:Is it hacking when invited? by kubrick · · Score: 1

      It can't be trespassing if you're invited. However, damage may be a slightly different kettle of fish legally.

      *** This is my Sig. This is my Glock, this is my Walther, and this is my Beretta. Any questions?

      Yes. Why are you showing me your guns?

      --
      deus does not exist but if he does
  10. Site statistics by cavegrub · · Score: 1

    Hmm...

    Sounds like kill9 and m0rla got into the true spirit of the competition.

    According to Netcraft , www.kdworks.co.kr was running IIS 5.0 since April.

    (or look here if you don't believe me)

  11. RSA Challenge anyone? by bugg · · Score: 4, Insightful
    The best products/systems/protocols/algorithms available today have not been the subjects of any contests, and probably never will be.

    I think that contests, when done properly, can't prove security but it certainly can certainly prove a point. I doubt we'll ever see a proof that factoring numbers must be complex, but the RSA challenge proves that, well, anyone who has the technology would rather keep it than the money. Hrm. Well, at least that means a script kiddie or casual hacker can't factor very large numbers, eh?

    --
    -bugg
    1. Re:RSA Challenge anyone? by Boatman · · Score: 3, Informative

      Contests are good at proving *insecurity*. Thus the RSA contests. But lack of proof of insecurity isn't proof of security.

      --
      --Just the place for a snark!
    2. Re:RSA Challenge anyone? by bugg · · Score: 2

      That's a pretty clever troll. The problem is, that's not RSA-500! :)

      --
      -bugg
    3. Re:RSA Challenge anyone? by opti6600 · · Score: 1

      As a matter of fact, a good friend of mine, whos a freshman too, has come up with a truly genius method of RSA cracking. She's getting closer on a daily basis. This reminds me to ask her just how far she's gotten...

    4. Re:RSA Challenge anyone? by Telastyn · · Score: 2

      Actually, the point is better put (as proper security should be) that anyone can factor very large numbers, but it will take them all a very long time without the key.

    5. Re:RSA Challenge anyone? by Corvus9 · · Score: 2, Funny

      Unfortunately, the margin was too small to contain the proof.

    6. Re:RSA Challenge anyone? by slashclone · · Score: 1

      It was not a troll. he used Toppenheimer algoritm (see a recent issue of "Practical Internet Security Bulletin) to obtain the number.

      --


      US-UK-Israel: The real Axis of Evil
    7. Re:RSA Challenge anyone? by caluml · · Score: 1

      You might get lucky and hit the correct one first time....

      OK, so it's almost completely unlikely - but that doesn't mean it can't/won't happen.

      --
      Get your own free personal location tracker
    8. Re:RSA Challenge anyone? by happyhippy · · Score: 1

      LOL Shame on anyone who doesnt get this joke.

  12. GO KILL-9/M0RLA by apoKalypse · · Score: 1

    Things apparently started to go wrong for KDWorks when two hackers, who go by the pseudonyms kill9 and m0rla, posted a message to the hackers.com Web site, saying they had broken into the server holding the registration details of the entrants with relative ease and sent an e-mail to all 1,240 of them.
    I used to chat with kill-9/m0rla on irc before, I hope they had lots of fun pulling this one off. Congrats :P

    1. Re:GO KILL-9/M0RLA by Dread_ed · · Score: 1

      Reminds me of an old Star Trek episode/reference. The Koybayashi Maru, "Can't stand to lose? Change the rules!"

      "The only way to learn good judgement is by exercising bad judgement...REPEATEDLY!"---Mom

      --
      When the only tool you have is a claw hammer every problem starts to look like the back of someone's skull.
  13. Re:Korea and the Internet by Hektor_Troy · · Score: 1, Troll

    At the risk of sounding like an insensitive racist jerk, what, exactly, has the US contributed positively to the net? 85% of the spam _I_ get continues to be from the US and they have effectively made a shambles out of the internet (witness DMCA, SSSCA (or whatever it's called today etc). We're not talking about a Nigeria and it's 419 scams, we're talking about a country that has the resources and ability to be doing a lot more than it currently is.

    Or is it something completly different, when it's the US that's the troublemaker?

    --
    We do not live in the 21st century. We live in the 20 second century.
  14. Re:Korea and the Internet by Tazzy531 · · Score: 2

    Actually Korea has done a great deal in getting you online. The majority of the RAM used on computers now a days originate from Korea. Samsung is a Korean company. In addition, Korea is getting up there in terms of semiconductor manufacturing..

    --


    _______________________________
    "I'm not Conceited...I'm just a realist..."
  15. no, he does mean hackers! by shemnon · · Score: 5, Funny

    Well, the contest was for hackers and not crackers. Crackers got the registration machine, but since the "contest" machine had an open invitation to break in, there was nothing illegal about it.

    Remember, the class requirements for the Cracker class has the ethical alignment of Chaotic as a requirement. Hackers can have any Ethical Alignments. The White Hat Cracker class has a Chaotic Good alignment requirement. Since they asked people to hack the box it would be very within the Lawful alignments, Lawful Evil in partiular since the money is a self motivational goal. A Lawful Good Hacker would submit a resume so that he can properly lock down the registration computer.

    Did I mention the GNU Hacker Prestige class? Must have a Lawful alignment, otherwise the whole bit about licencing wouldn't have any meaning to them. BSD Hackers are closer to True Neutral, since they don't care what is done as long as they get credit.

    --
    --Shemnon
    1. Re:no, he does mean hackers! by liquidmarkets · · Score: 1

      I think this (the parent) should get a 5!

      --
      Sig: Free classified ads at
  16. Open source is a security contest by Beryllium+Sphere(tm) · · Score: 3, Insightful

    which addresses some of Schneier's criticisms.

    Instead of a limited time frame, it lasts as long as the product is used.

    Instead of the unrealistic conditions of a contest, there's enough information that talented people can spend their time studying security rather than doing reverse engineering.

    One of the reasons for mostly-trusting OpenBSD or PGP is that they're the outcome of what amounts to multi-year cracking contests. With enough of the right eyeballs, even security bugs can be shallow.

    1. Re:Open source is a security contest by Paradise+Pete · · Score: 2, Funny
      With enough of the right eyeballs...

      ...we should sneak up from the left.

  17. Stealing Links? by nirvdrum · · Score: 2, Interesting

    Ok, take for granted that not everyone here goes to Freshmeat everyday (as is always the constant source of bickering when a new kernel is released), but I've seen an ever growing trend where someone just scans down to the SecurityFocus links on Freshmeat, and then posts them here as original stories. Please stop doing that. That is all.

    --
    If there was a "-1 Not Funny", that'd be my most used mod.
    1. Re:Stealing Links? by kubrick · · Score: 1

      Welcome to Slashdot. :)

      (Yes, I know your UID means you've been here for a while, but it's the traditional sarcastic response when someone complains about a practice that, in one form or another, has been around since... oh... around the time when I signed up.)

      --
      deus does not exist but if he does
  18. Re:Korea and the Internet by JordoCrouse · · Score: 5, Funny

    At the risk of sounding like an insensitive racist jerk, what, exactly, has the US contributed positively to the net?

    Uhhh... other than inventing the damn thing?

    --
    Do you have Linux and a DotPal? Click here now!
  19. What about other web server apps? by yerricde · · Score: 1

    There is no need for a web server to be running anything [on an open port] other than Apache.

    What about Roxen? What about AOLserver? What about the hypothetical future complete rewrite of IIS? And what about Other?

    --
    Will I retire or break 10K?
  20. You can't always get what you want, but.... by L.+VeGas · · Score: 5, Funny

    This reminds me of my old boss that was taking karate lessons. He went up to a geek I worked with and asked him to "try to kick me as hard as you can". He hadn't even finished the sentence when Ken slammed him in the jewels so hard that my boss threw up. All he kept saying was "But I wasn't ready!"

    --
    Best Windows Freeware
    1. Re:You can't always get what you want, but.... by Anonymous Coward · · Score: 1, Interesting


      Actually, that's how Houdini died! He was bragging about how well trained his stomache muscles were -- told some guy to punch him as hard as he could. Trouble was, the guy hit him before he was ready...

    2. Re:You can't always get what you want, but.... by Anonymous Coward · · Score: 1, Informative
      First hit on Google:

      http://ask.yahoo.com/ask/20000710.html

      Don't you feel like a retard now?

    3. Re:You can't always get what you want, but.... by elvis+the+frog · · Score: 1

      Some annoying marketroid tried this on me once - "I've been taking karate and I can block any punch, try me-ooof!"

      I already knew the punchline, my fist was moving as soon as he asked for it....

      You hear this so often, you might think it's an urban legend, but noooo, it really happens.

    4. Re:You can't always get what you want, but.... by Shade,+The · · Score: 2

      It's different in the dojo than in real life. Even when you're training at full speed, with the blows at geniune strength, you still expect them, and so it's quite difficult to avoid a blow you do not expect unless you're very good. Silat is good for that, so I'm told. In my opinion, I tend to find that most forms of Karate aren't very good for real life situations anyway.

    5. Re:You can't always get what you want, but.... by Art+Tatum · · Score: 1

      Yep. Back when I was doing the training, I often wondered how some of it could possibly apply to RL. I mean, say I'm standing around minding my own business when some guy decides to make trouble. How am I supposed to kick him in the head without stopping to do 15 minutes of stretching first? I'm certain that pulling my groin isn't going to be a good defensive tactic....

  21. Alright! by reaper20 · · Score: 1, Flamebait

    "And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody."

    Looks like my paranoia is beginning to pay off. Either that, or they were expecting the typical default IIS install.

    1. Re:Alright! by GravySkin · · Score: 1

      Base IIS install complete with Nimda and Code Red.

      I once set up IIS with no patches on purpose to see how long it took until Nimda was installed. All of 30 minutes - via DIALUP into my ISP.

      --
      "never met a Microsoft zealot"
  22. Who Mods This Crap UP? by BlueFrog · · Score: 1
    I know I'm going to get modded into oblivion for this, but I've finally had enough. Fuck it.

    I had a whole rant chambered and ready to fly, but I'll just keep it short.

    Does it trouble anyone else that the above comment rated a "5: Insightful"?

    Oh...fuck it. Why do I bother?

  23. Re:Korea and the Internet by Satan's+Librarian · · Score: 1

    Our ex-vice president created the whole thing over 10 years ago!

    Or something like that....

    I am curious where this person would go to for tech news w/o the US though....

    --
    I write code.
  24. No FTP/SSH is real world by AHumbleOpinion · · Score: 3, Insightful

    ... no FTP/SSH (how do you update files on the server)... That isn't real world

    No, that is real world, or would be if the "world" was properly administered. You are making a false assumption that ftp/ssh has to be universally open, this is wrong. These ports may, and should, only be opened to certain IP ranges. For example, the companies internal subnet, admin's home IP, etc.

    1. Re:No FTP/SSH is real world by SaDan · · Score: 1

      Exactly.

      The personal web server I run has SSH and Apache accessible from the outside, and that's it.

    2. Re:No FTP/SSH is real world by btellier · · Score: 2

      And SSH has had multiple security vulnerabilities in the past. You're secure. Current snapshots are secure. Keep thinking that. If smart people are determined to break in, they will. It may take months, but chances are excellent that it'll happen. Everyone would be fascinated to know just how common off-by-one buffer overflows, signed/unsigned bugs and the like are in their popular programs. The point is that Apache with only .html running will never be run by any company/bank/government/ISP or any other non high school kid web server. Have you looked at the Apache .html processing code? It's *miniscule* in comparison to the amount of code used for a "typical" corporate web server.

      They are trying to market their product to corporations. They're trying to prove that it will withstand hacker attacks. What's the goddamn point if they're not running all the services that a typical company would?

    3. Re:No FTP/SSH is real world by SaDan · · Score: 1
      Eh, I was a "typical company" for about two years doing web hosting. I had all sorts of stuff running (Apache, SSH, Sendmail, POP, IMAP, FTP), and never had any problems with people breaking in. Oh, sure... I could see the scans and login attempts in my logs, but I've never had my machine cracked so far.

      Keep on top of security reports, keep the software current and PROPERLY CONFIGURED, and read the logs frequently. That's been my standard procedure for years, and it has served me well.

      The point is that Apache with only .html running will never be run by any company/bank/government/ISP or any other non high school kid web server.


      That's absolutely hilarious... I guess there are quite a few high school kids with web servers out there to make those stats over at NetCraft show Apache with as many servers as there are.

      Get a clue. A typical company that is concerned with security is going to lock down their networks and their servers/workstation. A typical company that doesn't think about security is the one you'll be able to break into easily.
  25. I am a moron. by BlueFrog · · Score: 1
    Ignore the above. Spoke too soon. I blame El Niño.

    Or flame to your hear's content.

  26. Does "Kobayashi Maru" mean anything to you? by saforrest · · Score: 1

    Damn, when James T. Kirk did an analogous thing, he got commended for it. Props to the hackers for proving you can't define security problems away.

  27. Re:Korea and the Internet by carlos_benj · · Score: 1

    At the risk of sounding like an insensitive racist jerk, what, exactly, has the US contributed positively to the net?

    You may be an insensitive jerk, but tarring the whole of the US could hardly be racist. The US is comprised of many peoples from many ethnic origins.

    You also seem to be having difficulty differentiating between spam/scam. While spelled similarly (note the second letter to tell them apart) they mean different things. A scam can also be a spam, but a spam does not always have to be a scam not does a scam necessarily have to be a spam. In point of fact, many scams are extremely well targeted (although many of these take place in meatspace) while spams as a rule are not. But I digress...

    --

    --

    As a matter of fact, I am a lawyer. But I play an actor on TV.

  28. Moronic Hacking Contest by carlos_benj · · Score: 1

    I missed the part in the article where they said the contest was limited to moronic hackers....

    --

    --

    As a matter of fact, I am a lawyer. But I play an actor on TV.

  29. Re:Korea and the Internet by Selmo · · Score: 3, Funny
    At the risk of sounding like an insensitive racist jerk, what, exactly, has korea contributed positively to the net?

    FWIW, they went apeshit over StarCraft, which provided revenues for other projects like Diablo II and WarCraft III.

  30. Your BS for the day... by Chris+Burke · · Score: 5, Insightful

    This cracked me up. The article says that the honeypot server would start a tracing program as soon as it detected anyone trying to connect to it and that (emphasis mine):

    "Then the tracking software analyses all the activities of the intruder (including hacking method, all the ISP used, IP address, even what the hackers punched on his keyboard) to trace down the original location of the intruder."

    Okay, thanks ZDNet. Did they tell you that, or did you just make that insanity up on your own? You get kudos either for gullibility or imagination, depending. So basically, they're trying to suggest that this program not only traces the hacker (ooh, it logs IP addys!), but then automatically hacks the hacker's machine to install a keystroke logger.

    Each day you learn something new. Then something comes along so stupid it damages the brain cells that managed to learn that new thing. But at least I laughed. :)

    --

    The enemies of Democracy are
    1. Re:Your BS for the day... by gmanske · · Score: 3, Insightful
      I initially laughed too, but then I remembered something.

      Keyloggers are not new, and are mentioned here. Besides simply logging cleartext traffic (telnet), encrypted traffic can be logged on the host side before it is sent back over the wire (ssh) using a replacement shell (forwarding traffic to syslogd), ttywatchers or the *trace tools.

      I believe this is the technique used to log outgoing ssh traffic from a compromised machine, particularly but not limited to the case of common rootkits which drop replacement sshd[s].

      The zdnet text is sensationalist, but that doesn't mean it isn't technically possible.

      Gmanske.

    2. Re:Your BS for the day... by Chris+Burke · · Score: 2

      Yes, I'm aware of all those things, but they all share a common property -- they happen on the receiver's end. They're only keystroke loggers in as much as the data sent to the honeypot represents the actual keys hit by the attacker. Which, even in the case of telnet, could be not at all. Thus saying that those things log keystrokes is something that only ZDNet would say.

      --

      The enemies of Democracy are
    3. Re:Your BS for the day... by gmanske · · Score: 1
      Yeah, I understood. It is zdnet after all... :)

      Gmanske.

    4. Re:Your BS for the day... by Mike1024 · · Score: 2

      Hey,

      automatically hacks the hacker's machine to install a keystroke logger.

      Many programs make really short logs. Perhaps they mean it logs every keystroke transmitted by the hacker's terminal program - backspaces and suchlike.

      It could just have been 'creatively interpreted' by marketing folks who don't understand the technology.

      Michael

      --
      "Goodness me, how unlike the FBI to abuse the trust of the American public." -- The Onion
  31. Irony... by jhaberman · · Score: 5, Funny

    "As entrants were required to enter personal details together with some form of identification--such as a passport or social security number--in the event that they won the competition, some are worried that their privacy has been compromised."

    Doesn't anyone else just find that line HILLAIROUS!? I mean, c'mon... if anyone should be familiar with the vuneralbilities of a web server, and personal information found on said web server, it should be a bunch of "hackers". This is so stupid, I can't even believe it. It has to be a hoax...

    Jason

    --
    He's totally creeping out the Great One, eh...
    1. Re:Irony... by WildBeast · · Score: 2

      Those people sound more like the politicians talking: "We have the right and the duty to compromise your privacy, but don't you dare compromise ours" :)

    2. Re:Irony... by Bastian · · Score: 2

      I doubt the greatest hackers in the world are doing this. Heck, I have a feeling it's mostly just amateur crackers who have never done anything seriously illegal.

      Anybody who really has had much experience breaking into hardened networks would theoretically be way too paranoid to ever attatch something like a social security number to a hacking attempt, even an authorized one. I know I wouldn't. . .

  32. Re:Korea and the Internet by Atzanteol · · Score: 1
    I'm sorry. I know this is off topic, and I'm replying to a troll, but this is a personal pet peeve of mine:
    we're talking about a country that has the resources and ability to be doing a lot more than it currently is.

    What are you expecting? You speak as though the U.S. citizens are some how on a higher plane of existance than the rest of the world! We're people, same as you and everyone else in this world. Sure, we have resources, money, power, etc. So do many other countries. You could say "Why doesn't <insert country here> do so much more!"

    As for contributions, I think we've put in quite a bit. Ever look at a graph of the internet backbone? There's a large chunk in the U.S.

    --
    "Ignorance more frequently begets confidence than does knowledge"

    - Charles Darwin
  33. hehe that reminds me of something by WildBeast · · Score: 4, Funny

    I had a job interview a few months ago. I went there for the interview on time, I entered the Office, nobody was in there, so I looked around to find a few servers and some of them where powered on and logged on. So I sat down and waited until a guy arrived 10 minutes later.

    When I asked them why they used Solaris as there servers, they told me that it was more secure than Windows and Linux :)

  34. Interesting thing about the site... by jerkychew · · Score: 3, Interesting

    ...It's not ZDnet.com. Look at the web address - the domain is zdnet.com.com

    zdnet.com - 128.11.45.117
    zdnet.com.com - 64.124.237.140

    I don't have time to investigate further, but could it be that the article itself is a hack? Or does zdnet own the com.com domain?

    1. Re:Interesting thing about the site... by mtnharo · · Score: 1

      Nope, seems that they own both domains. Clicking the "today's news" link on the zdnet.com home page links to zdnet.com.com I guess they use that one for their news stuff that changes more often, the rest of the url is based on the date. Kinda odd though.

    2. Re:Interesting thing about the site... by rlowe69 · · Score: 5, Insightful

      Or does zdnet own the com.com domain?

      Yes. I asked this question about six months ago, and a clever person pointed out that this would allow ZDNET to use a cookie with the com.com domain across its whole family of sites. Then they could track a person uniquely, customizing advertising, preferences or anything else. I don't know if they actually do this, but it would be a good way to do it.

      rL

      --
      ----- rL
    3. Re:Interesting thing about the site... by MobyTurbo · · Score: 2, Informative

      One often sees com.com type addresses for CNet sites. ZDNet and CNet made a merger a year or two ago, so it's no wonder that ZDNet is using it.

    4. Re:Interesting thing about the site... by Shaheen · · Score: 3, Interesting

      C|Net owns the com.com domain. They centralize around that. News.com is news.com.com, etc.

      --
      You should never take life too seriously - You'll never get out of it alive.
    5. Re:Interesting thing about the site... by rat7307 · · Score: 1
      It's not ZDnet.com. Look at the web address - the domain is zdnet.com.com
      [RANT]

      How come this is (right now)at 4???


      EVERY time a zdnet story is linked someone points out the com.com thingy..


      +4 for stating the obvious.... ..oops.. I just remembered it's slashdot.....



      [END OF RANT]
      --
      Burma?
    6. Re:Interesting thing about the site... by badvictor · · Score: 1

      ZDNet is actually owen by CNET, and if you check the WHOIS database, you will see plain as day that CNET does own the com.com domain. QED.

    7. Re:Interesting thing about the site... by bryan1945 · · Score: 1

      Well, with 500,000 registered users the odds are pretty good that with each zdnet story there is going to be someone who hasn't seen it before.

      --
      Vote monkeys into Congress. They are cheaper and more trustworthy.
  35. Cracking? by Drakker · · Score: 1

    Shouldnt it be called a cracking contest? If yes, then this is really a moronic contest... unless I'm really mistaken and the goal of the contest was to hack together a better web server? =)

  36. where kirk got the idea by iloveprotoss · · Score: 1

    "I don't believe in the no-win scenario."

  37. Re:Korea and the Internet by JimmytheGeek · · Score: 1

    Ya know - he NEVER made that claim. You can't defend yourself against one of these memes, and so Gore didn't even try. He did claim to have supported its development/expansion, which is true.

  38. Hacker! by fisman · · Score: 1

    Congratulations! You just managed to hack the server in question it seems :0)

    Now is it not interesting that this got posted right past our demigod moderators.

    Guess slashdot CAN be hacked afterall ...

  39. This is fun and all of this.. by Sarin · · Score: 2

    But tell me why do I always get to hear /after/ such a "swift ordeal" on slashdot. Isn't there somesort of website that announces these kinds of contests way-back --infront-- or whatever?

    Yes, I know that there's nothing new about exploiting another machine that's been hooked up by a company that's in desperate need of some cheap advertising (though some press-agencies seem to disagree), but $till I would be happy to be informed in front, if you know what I mean;

    It plagues my mind sometimes to hear these things afterwards, it's a bad trend. I'm not the only one: some people are even writing basic scripts that r00t any vulnareble machine in case there's a contest running on it, they leave subtle hints inside their scripts so the people who had their contest machine r00ted know who to send the pricemoney to, you all know who I'am talking about!

  40. This really happens by Sycraft-fu · · Score: 2

    Some police departments do this. They send packets to peopel with warrants claiming they have won some sort of prize, like a Hawiian vacation or something. They then arrest them when they show up and their identity is confirmed. Apparently, it works fairly well.

    1. Re:This really happens by Hellkitten · · Score: 1

      If the warrant means jail they only have to offer them a "vacation", not specifying where. Then they can't complain when they are sent off to prison.

      Dear Sir,
      We are happy to inform you that you are one of several lucky individuals that will recieve a free stay at one of our country resorts. You will receive free room and board at our expense, all you need to do is meet at the address below to collect your prize.

      --
      - We are the slashdot. Resistance is futile. Prepare to be moderated -
  41. Remind you of anything? by ProfKyne · · Score: 1
    .

    Is it the Kobayashi Maru or is it Ender's Game?

    . .

    .

    . . . . . .

    (Captain Kirk did the same thing when presented with an "unbeatable" tactical scenario, and Ender Wiggin "defeated" his game by breaking the rules and going straight for the Giant's Eye.)

    --
    "First you gotta do the truffle shuffle."
  42. Re:Korea and the Internet by Anonymous Coward · · Score: 1, Informative

    Ya know - he NEVER made that claim. You can't defend yourself against one of these memes, and so Gore didn't even try. He did claim to have supported its development/expansion, which is true.

    "I took the initative in creating the internet" -Al Gore

    Seems like he did to me. Of course, people like you do seem to rewrite history..

  43. This goes with the Ancient Chinese teaching by IHavePowers · · Score: 2, Funny

    Master: Do you see the candle on the table, you must put it out using only your energy. Student: What energy master? Master: Do you not feel the energy within me? You must learn to use that for yourself. Student: I think I understand master. Student grabs the master and slings him ontop of the table and the candle falls to the floor. Master: Get out of my class!

  44. Yeah, but... by athmanb · · Score: 5, Interesting

    A real webserver usually runs a couple of different dynamic page scripts (Perl, PHP, ASP, whatever). And they are usually the key point to break in.

    1. Re:Yeah, but... by btellier · · Score: 4, Informative

      Exactly. Obviously when they say "services" they really mean ISAPI extentions or modules. The point is that the more lines of code a hacker can access the more likely they are to break into the computer. More services generally means more code, more extentions means more code. If a server runs Apache with only .html access enabled the odds of breaking in are slim to none (baring some heretofore unknown haq-fu). However most sites enable one of the dynamic languages you listed above, which then creates the ability for people to hack the Triforce of web code:

      - Server-Side interperatation of pathnames

      - Server-Side interperatation of dynamic parameters

      - Backend-Side database metacharacter injection

      It's easy to secure a simple web server. It's very, very difficult to secure one offering many "services".

  45. a copy/paste from my yahoo mail =( by Bill+Wong · · Score: 3, Funny

    From: ""±èÅÂæ""

    To: ""bcw@rave.ch""

    Subject: KDWORKS Notice mail

    Date: Mon, 27 May 2002 03:18:31 +0900

    Hi!
    We will wire your prize as soon as we get your bank account information.
    we need;
    1) bank account number
    2) bank routing number
    3) Name on the account
    4) Name of COuntry where the bank resides.

    If you have any question or concern, please let us know.
    Have a great day!

    1. Re:a copy/paste from my yahoo mail =( by ProfMoriarty · · Score: 2
      Odd ... this looks like the same email I got from some really friendly Nigerians a while back ...

      But their government wasn't allowing them to physically take their money out of the country, so was wondering if they could wire it to me ...

      --
      Karma? Karma? I don't need no stinkin' karma.
  46. Bogus nonsense form hackers... by fanatic · · Score: 2

    "And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody."

    Nice try, but from outside the firewall, that's exactly how many servers will look. Segregating different unctions to different places is definiely part of a strategy.

    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
  47. That is the worst constructed article ever by Xeo2 · · Score: 1

    THE WORST...
    Honestly, for a professional website you'd think they'd hire better writers. No mention of the honeypot until the second to last paragraph, and even then it came out of the blue.

    --
    ___ alwaysBETA.com - Hey, you've got nothing better to do.
  48. Re:Korea and the Internet by shyster · · Score: 3, Informative
    "I took the initative in creating the internet" -Al Gore Seems like he did to me. Of course, people like you do seem to rewrite history..

    Not to be too political here, but let's at least look at things reasonably. The context of that quote was Gore talking about legislation that he spearheaded to fund the creation of the Internet. Neither that quote, or any other, can be interpreted by any but the most die hard conservative as Gore claiming to have invented the Internet. It is, however, a fact that Gore did take initiative in legislation to create the Internet.

    When you take things out of context, you can prove almost any point. As the old saying goes, the devil can quote scripture to suit his means (or something like that...)

  49. Re:Korea and the Internet by shyster · · Score: 2
    As for contributions, I think we've put in quite a bit. Ever look at a graph of the internet backbone? There's a large chunk in the U.S.

    That's because we need the bandwidth to send out all of our spam. And let the script kiddiez r00t boxes. And steal movies and music from P2P networks. Oh yeah...we use it to play games and read Slashdot too. =)

  50. Re: your sig by Inthewire · · Score: 1

    Have you dealt with the Browning Hi-Power? The single-action first shot is annoying, but it is the most comfortable and most accurate pistol I've ever had the pleasure of carrying.

    --


    Writers imply. Readers infer.
  51. I can see it now. by Guido69 · · Score: 1

    "I hacked KDWorks and all I got was this lousy T-Shirt!"

    --
    - If we aren't supposed to eat animals, then why are they made out of meat? - Steven Wright
  52. thttpd - "Not real world"? by Latrell+Sprewell · · Score: 3, Interesting
    Originally posted by noahm:
    You won't likely see a real-world web site run on thttpd or something.


    Voyeurweb (porn), one of the most heavily used sites (in visitors and bandwidth usage) on the 'Net, has been using thttpd v2.20x for a long time...

    Netcraft search results for Voyeurweb
  53. Re:Korea and the Internet by ceejayoz · · Score: 1

    Well, they've done a great deal in getting us online cheaper. We'd still be online, it'd just be a bit more expensive to buy the computer.

    Anyways, I'd say their contribution about balances out the hordes of e-mails I get through open relays in Korea... :p

  54. Flamed by an AC by BlueFrog · · Score: 1

    Jeez... guess I should really be ashamed, huh.

  55. Mac fixed that no-hack problem. by xQx · · Score: 1

    Okay, get your facts straight:
    No server running Macintosh OS 7 through 9 has been hacked! remotely. Ever.

    This was quite simply, because macintosh in their infinate wisdom couldn't see a use for a command prompt. Everything could be done via a single mouse click. (or, you know, and option click to emulate a right mouse button)

    Of course, come OS X, they fixed those problems by moving to a new platform, based on Darwin, which has one of those wonderful command prompts, and can thus be hacked. remotely.

    So, before you go running around saying "No mac server has ever been hacked", just remember that No MS DOS 3 server with it's command processor removed has ever been hacked either.

  56. what's not "Real World"??? by justanetgod · · Score: 1

    ZDNet seems to think that a "stripped down machine running almost no services" is not "real world". Funny, I build my servers stripped down, no telnet no ftp, no r-anything, no NFS, etc - how is this not real world?

    Maybe in the 80's?

  57. Re:Korea and the Internet by Satan's+Librarian · · Score: 1
    You can go here and get a pretty full explanation of what he said. It was very poorly phrased, and IMHO, attempted to gain credit for more than his efforts were worth. This is deadly for politicians when they are caught at it, worth poking fun at, and occasionally still funny. Kinda like ALL YOUR NEWS ARE BLONG TO US.

    But you are right that he and other US congressmen funded US companies, universities, etc. to speed further development of the internet - which, if you'll notice, was also implied in my from-the-hip post. For example, the place one of the original posters was posting that the US has never done anything for the internet just happens to reside in - well, three guesses.

    --
    I write code.
  58. Re:First Linux is Dying Post by gotr00t · · Score: 1

    Go look at RedHat, SuSE and Mandrake. Sun Microsystems is devoted to Open Source, but not as much as some other firms. Their Solaris OE is free, but not free free, as in open. This can be contributed to their downfall. Moreover, their adoption of Open Source only occured a few months back, and on a minimal scale, so it is not realiable to use Sun as an example. Moreover, it's open SOURCE software. So, either your analysists are very poor in their diction, or you are (hence your name, Stock Quote Troll), or you're attempting to produce a pun, but I don't find that funny or even tasteful.

    "ALL YOU PEOPLE AGAINST OPEN SOURCE ARE AGAINST FREEDOM! YOU FREAKISH TERRORISTS!"

  59. Good lord, a gaming nerd. by AlienRelics · · Score: 1

    Alignment? Chaotic Good? Why am I hearing more and more people described in gaming nerd terms?

    Whatever happened to describing people in computer terms? Short on RAM, experiencing a buffer overflow, 8.4 Gigs installed but only 540 megs addressable by current OS, his hard drive is compressed with Stacker but he's got MSDOS 6.22 installed... y'know, stuff real people say.

    ;')

  60. Re:Korea and the Internet by pjrc · · Score: 2
    what, exactly, has the US contributed positively to the net?

    The development of BSD unix (in California, of course) and it's widespread distribution to other universities and research centers that ultimately made IP and TCP the "standard". Microsoft's TCP/IP code was originally based on the free BSD Unix code, as was Sun's (both have re-written most or all of their TCP/IP code since, but they did both ship BSD-derived code for years).

    Similarily, while the HTTP protocol, a text-only viewer and original server were developed at CERN, it was NCSA (University of Illinois) that developed the Mosaic web browser and NCSA web server. Both Netscape and Microsoft's IE were based on the Mosaic code (recent versions of IE, like 5.5 which I just tested, still credit the University of Illinois in their Help->About Internet Explorer menu). In all likelyhood, you're using IE to view this message, so if you are just click on that menu to see a credit for a quick reality check that code you're using to access the net originated in Illinois. Since you're reading this one slashdot, the server that sent it to you was Apache, which was also originally based on the web server from Illinois (named apache due to a large number of patched to NCSA's server, "A Patchy" server).

    There's just two little examples. Of course, if the question was really what has Korea contributed to the internet's infrastructure... well, that's a good question?

    --
    PJRC: Electronic Projects, 8051 Microcontroller Tools
  61. So they're complaining... by Trogre · · Score: 1

    ...that the competition was too tough for them? Harden up.

    They say that the machine was running a version of Smoothwall linux with Apache running on a non-standard port and a minimum of other services.

    Now their complaint is that this does not reflect a real-world situation. What is a real-world situation? A Windows machine running IIS? A default Red Hat install with all firewalling turned off and all services turned on?

    I know I wouldn't run Telnet, SMB, Rlogin, Xdmcp and other "please hack me" services on my public webserver. I also would be inclined to put my webserver on a port where hackers wouldn't normally look. It's just common sense.

    I thought the purpose of a hacking contest was to say "Here's a machine we think is unbreakable, now go break it". These jokers seem to be saying "hey, you've made it unbreakable, what gives?" I somehow get the feeling that kill9 and m0rla have missed the point.

    (btw, anything related to Smoothwall should be avoided at all costs)

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife