Slashdot Mirror


Moronic Hacking Contest Ends In Free-For-All

atomgiant writes "ZDNet is running an interesting article about the KDWorks hacking contest that has gone bad, or good, depending on your perspective. Entertaining read in any event." I think that Bruce Schneier has said it best on the value of contests such as this one. That the registration server was compromised I think is a telling comment on the value of whole site security.

83 of 297 comments

  1. DEFCON, HOPE, etc by totallygeek · · Score: 3, Interesting
    Do many companies feel that these are more beneficial to send employees to (IT nerds, information security people, etc) than some of the security training courses/seminars we all get junk mail from? I am working really hard for my company to send me to Red Hat's firewall school, DEFCON, and then SANS. What is the general consensus?

    1. Re:DEFCON, HOPE, etc by TweeKinDaBahx · · Score: 5, Insightful

      None, because hackers don't tend to teach each other anything. If a company were to send their IT team to DEFCON with the hope they would learn something, it would also make sense that the company in question must have a CIO who smokes crack.

      Security seminars are geared so that everyone learns, cons are geared so that people who already know can have fun.

    2. Re:DEFCON, HOPE, etc by totallygeek · · Score: 3, Interesting

      Security seminars are geared so that everyone learns, cons are geared so that people who already know can have fun.


      I am finding myself unable to get anything out of going to seminars. So, maybe I am closing that gap between needing to learn basics and picking up information at a conference. It is tough when I am told that I must attend training, and it is boring information about ports and services and maybe something about some Windows software I will never use that can do "what is called a port scan."


      Maybe I will go to DEFCON or the like and see what I can input and bring back...

    3. Re:DEFCON, HOPE, etc by Digital Prophet · · Score: 2, Insightful

      None, because hackers don't tend to teach each other anything.

      Huh? Part of the nature of a hacker is to ask questions. The hacker community as a whole does nothing but teach each other stuff. Perhaps you like to ignore the hacker publications like 2600 Magazine. I think you are thinking of some other people.

    4. Re:DEFCON, HOPE, etc by bafu · · Score: 4, Insightful

      Security seminars are geared so that everyone learns, cons are geared so that people who already know can have fun.

      Based on my experience at the cons, I'd have to say that is a fair assessment. On the plus side, some were very cheap. You pay for your hotel room, but your actual conference fee was kicking in a share for the booze... :-P

      Anyway, they weren't a complete waste of time, but the primary benefit was meeting folks, not learning lore.

      I am finding myself unable to get anything out of going to seminars.

      They don't do much for me, either. The thing is, if all you are looking for is info on how to better secure your systems, there is loads and loads of it available on the net. The plus is that you can proceed at your own rate and dive however deep you want. If your boss is really twisting your arm about taking courses, I'd see if you can get something detailed on advanced firewall configuration or performance tuning, something like that. Those are areas where it's common to only take the self-training as far as the immediate job requires... a course might cover things that would be nice to know in the future, as well. If the boss'll spring for books, that can be good, too.

    5. Re:DEFCON, HOPE, etc by totallygeek · · Score: 2
      I'd see if you can get something detailed on advanced firewall configuration or performance tuning


      It hasn't worked out where I can attend the Red Hat firewall course this month (I am an RHCE now), but aside from that type of intense course -- where are the other options? I am beyond what I can learn from a CompuMaster or security boot camp type workshop.

    6. Re:DEFCON, HOPE, etc by Pinball Wizard · · Score: 5, Insightful
      Have you ever seen the "Nick Burns, Computer Guy" sketch on SNL? That's what talking to most hackers is like.

      you really shouldn't be involved in computer security if that's the case.

      There is a name for people who can follow simple, easy-to-understand laundry lists of how to approach computer security. They're called script kiddies. You really think this stuff can be simplified to the point that you can understand, given your apparent lack of experience?

      Becoming a real hacker as opposed to a script kiddie takes years and there are no shortcuts. Learn the inside and outs of the operating systems you use. Learn a programming language inside and out. Then learn successively lower-level programming languages until you get to C and assembly and learn those. Meanwhile, pay attention to the theoretical aspects of all this stuff - meaning learn about algorithms and the underlying mathematics.

      No one is trying to hide the secrets from you, just trying to discourage you from thinking there is a simple explanation to everything - and thinking that someone can tell you all about computer security in plain English (i.e. none of those anti-social phrases like 'buffer overflows'). You want to be a hacker? Hit the books, and be prepared for years of hard study.

      Then you might understand some of those seemingly obscure references that for the moment are beyond your grasp.

      --

      No, Thursday's out. How about never - is never good for you?

    7. Re:DEFCON, HOPE, etc by electroniceric · · Score: 2

      I disagree.
      There's no excuse for not knowing how to communicate with people of a variety of levels. You may be a whiz in front of a
      [root@boxen root]$
      but if you can't express these ideas to people who don't already know most of what you're talking about, you're taking a lot of chances on somebody recognizing your genius.

      I do agree that to really master the subject, you do have to take the time to learn it through and through. A buffer overflow is a compact phrase representing a particular concept. But you may well be called on to explain in lay terms what that idea means and why Project X should pay you to make sure there aren't any.

      All of which is to say, make sure you take an English class or two before leaving college.

    8. Re:DEFCON, HOPE, etc by oni · · Score: 2

      but if you can't express these ideas to people who don't already know most of what you're talking about, you're taking a lot of chances on somebody recognizing your genius.

      I suspect these people who failed to express their ideas to you had very little respect for you and held you in such low regard as to be completely unconcerned with whether or not you recognized their genius.

      I also suspect you'd have a similar experience if you asked a brain surgeon "how do you make it go?"

      That said, this is not intended as a flame. I simply wanted to point out my own experience. I think some people can be quite articulate - and also very choosy about whom they articulate to. Once I stopped asking stupid questions, I found I was no longer seen as stupid and I ended up learning a lot more.

      Or to put it another way: "it is better to keep your mouth shut and have everyone think you're a fool, than to open it and remove all doubt" -- Mark Twain

    9. Re:DEFCON, HOPE, etc by CAIMLAS · · Score: 2

      If I'm not mistaken, isn't that quote actually belonging to Abe Lincoln?

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    10. Re:DEFCON, HOPE, etc by NoMoreNicksLeft · · Score: 2

      Yes, I coined that phrase back in 1861, I believe. Ok, so I'm not the original Abe Lincoln, but a clone created by the Beta Reticulans as part of their master plan to subdue the people of Earth through treachery, illusion, and unwatchable formulaic sitcoms. Still, give credit where credit is due.

  2. Jeebus... by TweeKinDaBahx · · Score: 3, Funny

    It's a silly idea altogether, hacking, but I guess it must be better than girls/sunlight.

    Any hackers who get busted deserve what they get for being dumb enough to show.

    I recall a sheriff's dept. sending out letters to people with outstanding warrants exclaiming that they had won a prize and had to go to a certain address to claim it. Needless to say, the cops had a field day arresting all sorts of people, who were actually dumb enough to buy the ploy.

    Just remember, if you're doing illegal things, there's always a chance you'll get caught. The best thing to do is just not get caught :)

    1. Re:Jeebus... by binaryDigit · · Score: 2

      Didn't a cable/satellite company do this once? Where they somehow sent a re-program signal to their cards. Those who had illegal service ended up seeing a message to the effect of, "if you see this message and are having problems with the cable signal, please call xxx-xxxx". I recall that it was amazingly effective in "trapping" quite a few cable/sat pirates.

    2. Re:Jeebus... by Wildcat J · · Score: 5, Funny
      If you recall, this occurred on the Simpsons. The Springfield police department sent out notices to criminals claiming they had won a boat. They picked up Homer for an unpaid parking ticket, which he promptly paid, then he demanded his boat. Everything in life can be related back to a Simpsons episode!

      -J

    3. Re:Jeebus... by ashitaka · · Score: 2

      It seems criminal elements of society always like getting something for nothing

      Hmmm. Unfortunately you could say the same thing about just about everyone on the planet.

      Barring a few monks.

      --
      If you don't want to repeat the past, stop living in it.
    4. Re:Jeebus... by AJWM · · Score: 2

      TCI did something similar during a pay-per-view boxing match. Flashed up a message offering a free T-shirt (or some such) to those calling a certain 800 number.

      A simple cross check of the callers vs those who'd actually paid to watch the fight turned up a number of PPV freeloaders.

      --
      -- Alastair
    5. Re:Jeebus... by ayden · · Score: 4, Funny

      I specifically remember this event. Continental Cable, the precursor of MediaOne and my cable provider at the time did this very thing in Northwest Connecticut in the early 1990's. There was a Pay Per View boxing match scheduled for a particular night. Since it was a Pay Per View event, the cable company had an exact list of everyone who had officially ordered (and paid for) the event. The cable company sent a special "commercial" for a free T-shirt to everyone tuned to the Pay Per View channel but also sent a signal to the cable boxes of everyone who paid for the program telling their cable boxes not to show the commercial. The result was that dozens of people called the "toll free" number and turned themselves in.

      I have two feelings on the subject:

      1. After spending over $1000 (over a number of years) on their product, Continental Cable didn't consider me a good customer, but a suspect. How I longed for competition in the cable industry.

      2. I took this as a warning and learned my lesson well. Beware of anyone offering you something for free.

      --
      "I'm The Bounty Bear. I will find him anywhere. I'm searching."
    6. Re:Jeebus... by zootread · · Score: 2, Funny

      It's a silly idea altogether, hacking, but I guess it must be better than girls/sunlight.

      Back in high school I hacked some schoolwork for some chicks, they loved me for it. Chicks dig hackers, it's a huge turn-on for them. They also like guys who can fix their computers. Girls always say "come over fix my computer." And they usually repay me with sex. Damn life is good.

      --
      Zoot!
  3. I'll start my own by Saturn49 · · Score: 5, Funny

    Maybe I'll start my own hacking contest. I give the winner a billion dollars. I'll set up 2 computers, one connected to the 'net, completely open and unpatched. It'll physically sit on top of the "secure" box, which won't be connected, or even turned on. When the "winner" tries to claim his prize, I'll simply state that he hacked the "decoy", and the real server was untouched. Sounds about as fair as this one.

    1. Re:I'll start my own by F1re · · Score: 5, Funny

      That's fine until someone breaks into where you store the computers, boots up the unconnected one and owns it...

      --
      ...there is no sig...
    2. Re:I'll start my own by x136 · · Score: 5, Funny

      Not when they find out that the "secure" box is actually an empty ATX case. :)

      --
      SIGFEH
    3. Re:I'll start my own by Sloppy · · Score: 5, Funny

      For a billion dollars, I'll buy you a motherboard and install it.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    4. Re:I'll start my own by phalse phace · · Score: 2
      "I'll set up 2 computers, one connected to the 'net, completely open and unpatched"

      So I guess that means you'll be installing Windows on it then?

  4. duh. more script kiddies to the rescue by Telastyn · · Score: 5, Insightful
    The system set up by KDWorks had almost all of its services deactivated, according to kill9 and m0rla. "The contest server was only simulation, not a real-world environment," they wrote. "And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody."


    Heh, in my experience, it's quite to the contrary. Anyone with half a brain turns off nearly all, if not all services to stop script kiddies like you =]
    1. Re:duh. more script kiddies to the rescue by SuiteSisterMary · · Score: 2

      Aye, and a locked door, and people who know not to give out passwords, and so on and so forth. A disconnected machine is still meat for the beast if I can get at it for five minutes. Security is an approach, a discipline, not an exercise, not a task.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
    2. Re:duh. more script kiddies to the rescue by Tet · · Score: 4, Insightful
      Anyone with half a brain turns off nearly all, if not all services to stop script kiddies like you =]

      Yep, I was open jawed when I read that. All of the web servers for which I'm responsible present an http server to the world on ports 80 and 443, and nothing else. As it happens, they're also running tomcat and sshd, but that's firewalled off (by two firewalls from different vendors), so you won't have access to those unless you're coming in from an approved address. Anyone who believes that a web server would commonly have more services running has obviously been living in the windows world too long...

      --
      "The invisible and the non-existent look very much alike." -- Delos B. McKown
    3. Re:duh. more script kiddies to the rescue by warpSpeed · · Score: 5, Insightful
      All of the web servers for which I'm responsible present an http server to the world on ports 80 and 443, and nothing else

      To take that one step further, at the firewall I block all the outgoing connections as well. The web server, in most cases, should not be initiating connections to the outside.
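
The posture described in the two comments above (only ports 80 and 443 reachable from the world, sshd reachable only from an approved address, and no connections initiated by the web server), sketched as an nftables ruleset. This is an added example, not configuration posted by anyone in the thread; the choice of nftables and the admin address 192.0.2.10 are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: default-deny in both directions for a single-purpose web server.
flush ruleset

# Hypothetical approved admin address (documentation range), not from the thread.
define ADMIN_ADDR = 192.0.2.10

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # The only services the world may reach.
        tcp dport { 80, 443 } ct state new accept

        # sshd is running, but only the approved address can see it.
        ip saddr $ADMIN_ADDR tcp dport 22 ct state new accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oifname "lo" accept

        # Replies to connections that clients opened are allowed...
        ct state established,related accept

        # ...but anything the server itself tries to initiate is logged and
        # dropped. A hit on this counter is worth investigating: a web server
        # that starts dialing out is behaving unlike a web server.
        # If the host needs DNS or package updates, allow only that specific
        # resolver or mirror here rather than reopening egress.
        log prefix "egress-drop: " counter drop
    }
}
```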

  5. Not "real world"? by alouts · · Score: 4, Insightful
    Granted, securing the overall infrastructure is as important as securing a single box when trying to defend against intrusion, but the rationale for doing it seems pretty weak.

    "And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody."

    Please. What they're basically complaining about is that the web server they were supposed to be attacking was too secure, and not easy enough to get into. If it serves up web pages, it's a web server, whether or not the admin has opened all the ports you're used to exploiting.

    'Course, the fact that there was a honeypot elsewhere on the network seems a bit shifty...

    1. Re:Not "real world"? by noahm · · Score: 5, Insightful
      I've got to agree with you on this. There is no need for a web server to be running anything other than Apache.

      I suspect that meanings are being mixed. I don't think they are complaining that the server wasn't running bind, fingerd, NFS, etc etc. I suspect it was more that the web server software itself was unreasonably minimal. You won't likely see a real-world web site run on thttpd or something. I imagine the web server didn't support things like CGI and stuff, so the only way to get in would be to exploit a known buffer overflow or to exploit something on the OS level. There was no searching for insecure form handlers or things like that.

      But I could be wrong. There are lots of idiots out there, after all.

      noah

    2. Re:Not "real world"? by chill · · Score: 2

      The config used was a Smoothwall Linux install with Apache on a non-standard (high) port. No mail (how does the server report problems), no FTP/SSH (how do you update files on the server), no nothing.

      That isn't real world.

      As far as the "honeypot" goes, that is utter bullshit.

      --
      Learning HOW to think is more important than learning WHAT to think.
    3. Re:Not "real world"? by mabinogi · · Score: 2, Informative

      >Is there any reason why these would be any safer if they were each in a separate machine?

      Yes, a compromise of one service wouldn't automatically lead to a compromise of all...

      It doesn't really lessen the chance of having something compromised, just limits damage if it does happen.

      --
      Advanced users are users too!
    4. Re:Not "real world"? by nomadic · · Score: 3, Insightful

      Well then why do all the self-appointed security experts on slashdot always insist that anything can be hacked. Of course they didn't make it easy, geeze, they were offering 100k. And people are complaining that it's too hard?

      Maybe the people that tried just aren't very good hackers?

    5. Re:Not "real world"? by caluml · · Score: 2, Insightful

      Let's break this down.

      The config used was a Smoothwall Linux install with Apache on a non-standard (high) port.

      Maybe that's to stop simple probes and shite like Code Red/Nimda cluttering up the logs? If it's not meant for public consumption, what's the problem?

      No mail (how does the server report problems),

      I don't understand this. As you say, How does the server report problems. Install Sendmail/Postfix/Whatever, and only allow outgoing connections.

      no FTP/SSH (how do you update files on the server),

      No world-accessible FTP/SSH you mean. Just cos you can't see it, doesn't mean that the people that admin it haven't opened it to their ranges, or a trusted host.

      no nothing.

      Good. Exactly right. Open only the ports you need open, and make sure the daemons/services running at the end of those ports are secure. What was that Mark Twain quote again...?

    6. Re:Not "real world"? by shyster · · Score: 4, Insightful
      "And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody." Please. What they're basically complaining about is that the web server they were supposed to be attacking was too secure, and not easy enough to get into. If it serves up web pages, it's a web server, whether or not the admin has opened all the ports you're used to exploiting.

      Evidently, that Smoothwall Linux server was indeed NOT a real world example...just take a look at KDWorks' other webservers. If KDWorks can't secure ALL their servers, they have no business offering up a hack bounty...or security products.

      I believe the hackers' point was that, yes, an otherwise unfunctional box can be secured to the point of being extremely difficult (or impossible) to crack. But, as soon as that box starts doing something functional (like, for instance, processing registration requests connected to a database server), then they can hack it.

    7. Re:Not "real world"? by shyster · · Score: 2

      And I imagine your thttp server is not doing anything particularly useful, either, is it? And it also doesn't receive very many visits, does it? And contains no interesting info, I'd bet. Exactly the hackers' point.

    8. Re:Not "real world"? by pacman on prozac · · Score: 2, Insightful

      I'd stick a honeypot RIGHT NEXT to the secure server.

      I'd recommend you at least put a switch between them. If a honeypot that is literally right next to any production server gets cracked you risk having man-in-the-middle attacks run as well as sniffing things like the ftp/email passes for the local segment.

      Common sense would be running a honeypot anywhere but right next to the secure server :)

    9. Re:Not "real world"? by Sabalon · · Score: 2

      Huh? Okay...so they took a hardened os and put Apache on it. They put it on something other than port 80. If you are setting up a server that serves pages (possibly internal info) this is a good way to hide it from script kiddies.

      No mail? You don't need to have sendmail running as a daemon listening on port 25 for mail to work. I have two HP's that don't accept mail, but send me mail on a regular basis.

      As for no ftp/ssh - so? You can go to the console and update files. Perhaps they have another machine with ssh and a serial link? Perhaps ssh is firewalled off? Perhaps they have something that watches for an attempt to connect to a certain port that will then launch sshd for 5 minutes?

      Perhaps the static pages it was serving were generated every 5 minutes by a perl script?

      Just because a server isn't running the default RedHat install or something doesn't mean that it isn't real world.

    10. Re:Not "real world"? by shyster · · Score: 2
      Whether a site has any interesting content has precisely sodall to do with whether that content is dynamically generated or not.

      I didn't say the content wasn't interesting. The content, whether static or dynamic when the server processes it, is all static once the browser gets it. The content could very well be interesting. But, with only static HTML, there's no database access. That's where juicy info (that's supposed to be hidden) lies. A static HTML site is, more or less, open for the world to see as it is.

      And, there's simply no point in cracking a static site. At best, one could hope for creating a shell account with it. But, then static sites aren't usually connected via high bandwidth lines, and usually don't have high end hardware, so what's the point? Of course, you could always destroy the site, or replace it with an 0wn3d page, but static sites aren't usually high profile, and are pretty quick and easy to rebuild.

      My point is that not only are static sites harder to hack, but they're also not a very tempting target anyways. And, I can't think of a single high profile site that's purely static HTML. Therefore (unless my memory is simply miserable today, and there's quite a few high profile plain HTML sites), they really aren't a real world example of a site likely to be hacked.

  6. Is it hacking when invited? by AIM-9X · · Score: 2, Interesting

    It seems a little ambiguous - if you are invited to hack, is that a crime?

    Granted, there are some thresholds never to be crossed. "Sure, you can shoot me, you won't get in trouble" etc.

    Nonetheless, I'd be sure to get written permission from the hackee.

    --
    ***
    This is my Sig. This is my Glock, this is my Walther, and this is my Beretta.
    Any questions?
  7. RSA Challenge anyone? by bugg · · Score: 4, Insightful
    The best products/systems/protocols/algorithms available today have not been the subjects of any contests, and probably never will be.

    I think that contests, when done properly, can't prove security but it certainly can prove a point. I doubt we'll ever see a proof that factoring numbers must be complex, but the RSA challenge proves that, well, anyone who has the technology would rather keep it than the money. Hrm. Well, at least that means a script kiddie or casual hacker can't factor very large numbers, eh?

    --
    -bugg
    1. Re:RSA Challenge anyone? by Boatman · · Score: 3, Informative

      Contests are good at proving *insecurity*. Thus the RSA contests. But lack of proof of insecurity isn't proof of security.

      --
      --Just the place for a snark!
    2. Re:RSA Challenge anyone? by bugg · · Score: 2

      That's a pretty clever troll. The problem is, that's not RSA-500! :)

      --
      -bugg
    3. Re:RSA Challenge anyone? by Telastyn · · Score: 2

      Actually, the point is better put (as proper security should be) that anyone can factor very large numbers, but it will take them all a very long time without the key.

    4. Re:RSA Challenge anyone? by Corvus9 · · Score: 2, Funny

      Unfortunately, the margin was too small to contain the proof.

  8. Re:Korea and the Internet by Tazzy531 · · Score: 2

    Actually Korea has done a great deal in getting you online. The majority of the RAM used on computers nowadays originates from Korea. Samsung is a Korean company. In addition, Korea is getting up there in terms of semiconductor manufacturing.

    --


    _______________________________
    "I'm not Conceited...I'm just a realist..."
  9. Re:Hmm by unicron · · Score: 3, Informative

    They have this law, called entrapment, that says people can't be baited into committing crimes. You should look into it, might interest you.

    --
    Finally, math books without any of that base 6 crap in them.
  10. no, he does mean hackers! by shemnon · · Score: 5, Funny

    Well, the contest was for hackers and not crackers. Crackers got the registration machine, but since the "contest" machine had an open invitation to break in, there was nothing illegal about it.

    Remember, the class requirements for the Cracker class have the ethical alignment of Chaotic as a requirement. Hackers can have any Ethical Alignments. The White Hat Cracker class has a Chaotic Good alignment requirement. Since they asked people to hack the box it would be very within the Lawful alignments, Lawful Evil in particular since the money is a self motivational goal. A Lawful Good Hacker would submit a resume so that he can properly lock down the registration computer.

    Did I mention the GNU Hacker Prestige class? Must have a Lawful alignment, otherwise the whole bit about licensing wouldn't have any meaning to them. BSD Hackers are closer to True Neutral, since they don't care what is done as long as they get credit.

    --
    --Shemnon
  11. Open source is a security contest by Beryllium Sphere(tm) · · Score: 3, Insightful

    which addresses some of Schneier's criticisms.

    Instead of a limited time frame, it lasts as long as the product is used.

    Instead of the unrealistic conditions of a contest, there's enough information that talented people can spend their time studying security rather than doing reverse engineering.

    One of the reasons for mostly-trusting OpenBSD or PGP is that they're the outcome of what amounts to multi-year cracking contests. With enough of the right eyeballs, even security bugs can be shallow.

    1. Re:Open source is a security contest by Paradise Pete · · Score: 2, Funny
      With enough of the right eyeballs...

      ...we should sneak up from the left.

  12. Stealing Links? by nirvdrum · · Score: 2, Interesting

    Ok, take for granted that not everyone here goes to Freshmeat everyday (as is always the constant source of bickering when a new kernel is released), but I've seen an ever growing trend where someone just scans down to the SecurityFocus links on Freshmeat, and then posts them here as original stories. Please stop doing that. That is all.

    --
    If there was a "-1 Not Funny", that'd be my most used mod.
  13. Re:Korea and the Internet by JordoCrouse · · Score: 5, Funny

    At the risk of sounding like an insensitive racist jerk, what, exactly, has the US contributed positively to the net?

    Uhhh... other than inventing the damn thing?

    --
    Do you have Linux and a DotPal? Click here now!
  14. You can't always get what you want, but.... by L. VeGas · · Score: 5, Funny

    This reminds me of my old boss that was taking karate lessons. He went up to a geek I worked with and asked him to "try to kick me as hard as you can". He hadn't even finished the sentence when Ken slammed him in the jewels so hard that my boss threw up. All he kept saying was "But I wasn't ready!"

    1. Re:You can't always get what you want, but.... by Shade, The · · Score: 2

      It's different in the dojo than in real life. Even when you're training at full speed, with the blows at genuine strength, you still expect them, and so it's quite difficult to avoid a blow you do not expect unless you're very good. Silat is good for that, so I'm told. In my opinion, I tend to find that most forms of Karate aren't very good for real life situations anyway.

  15. Re:Hmm by fishebulb · · Score: 2

    entrapment only applies to LAW ENFORCEMENT.

    there is no crime committed here because the people were allowed to.

    Entrapment only applies when a law enforcement official gets you to commit a crime that you wouldn't without them badgering you.

    So since it's not a crime to hack into something you have permission to, and they are not police/FBI/etc there is no entrapment

  16. No FTP/SSH is real world by AHumbleOpinion · · Score: 3, Insightful

    ... no FTP/SSH (how do you update files on the server)... That isn't real world

    No, that is real world, or would be if the "world" was properly administered. You are making a false assumption that ftp/ssh has to be universally open, this is wrong. These ports may, and should, only be opened to certain IP ranges. For example, the company's internal subnet, admin's home IP, etc.

    1. Re:No FTP/SSH is real world by btellier · · Score: 2

      And SSH has had multiple security vulnerabilities in the past. You're secure. Current snapshots are secure. Keep thinking that. If smart people are determined to break in, they will. It may take months, but chances are excellent that it'll happen. Everyone would be fascinated to know just how common off-by-one buffer overflows, signed/unsigned bugs and the like are in their popular programs. The point is that Apache with only .html running will never be run by any company/bank/government/ISP or any other non high school kid web server. Have you looked at the Apache .html processing code? It's *minuscule* in comparison to the amount of code used for a "typical" corporate web server.

      They are trying to market their product to corporations. They're trying to prove that it will withstand hacker attacks. What's the goddamn point if they're not running all the services that a typical company would?

  17. Re:Korea and the Internet by Selmo · · Score: 3, Funny
    At the risk of sounding like an insensitive racist jerk, what, exactly, has korea contributed positively to the net?

    FWIW, they went apeshit over StarCraft, which provided revenues for other projects like Diablo II and WarCraft III.

  18. Your BS for the day... by Chris Burke · · Score: 5, Insightful

    This cracked me up. The article says that the honeypot server would start a tracing program as soon as it detected anyone trying to connect to it and that (emphasis mine):

    "Then the tracking software analyses all the activities of the intruder (including hacking method, all the ISP used, IP address, even what the hackers punched on his keyboard) to trace down the original location of the intruder."

    Okay, thanks ZDNet. Did they tell you that, or did you just make that insanity up on your own? You get kudos either for gullibility or imagination, depending. So basically, they're trying to suggest that this program not only traces the hacker (ooh, it logs IP addys!), but then automatically hacks the hacker's machine to install a keystroke logger.

    Each day you learn something new. Then something comes along so stupid it damages the brain cells that managed to learn that new thing. But at least I laughed. :)

    --

    The enemies of Democracy are
    1. Re:Your BS for the day... by gmanske · · Score: 3, Insightful
      I initially laughed too, but then I remembered something.

      Keyloggers are not new, and are mentioned here. Besides simply logging cleartext traffic (telnet), encrypted traffic can be logged on the host side before it is sent back over the wire (ssh) using a replacement shell (forwarding traffic to syslogd), ttywatchers or the *trace tools.

      I believe this is the technique used to log outgoing ssh traffic from a compromised machine, particularly but not limited to the case of common rootkits which drop replacement sshd[s].

      The zdnet text is sensationalist, but that doesn't mean it isn't technically possible.

      Gmanske.

    2. Re:Your BS for the day... by Chris+Burke · · Score: 2

      Yes, I'm aware of all those things, but they all share a common property -- they happen on the receiver's end. They're only keystroke loggers inasmuch as the data sent to the honeypot represents the actual keys hit by the attacker. Which, even in the case of telnet, could be not at all. Thus saying that those things log keystrokes is something that only ZDNet would say.

      --

      The enemies of Democracy are
    3. Re:Your BS for the day... by Mike1024 · · Score: 2

      Hey,

      automatically hacks the hacker's machine to install a keystroke logger.

      Many programs make really short logs. Perhaps they mean it logs every keystroke transmitted by the hacker's terminal program - backspaces and suchlike.

      It could just have been 'creatively interpreted' by marketing folks who don't understand the technology.

      Michael

      --
      "Goodness me, how unlike the FBI to abuse the trust of the American public." -- The Onion
  19. Irony... by jhaberman · · Score: 5, Funny

    "As entrants were required to enter personal details together with some form of identification--such as a passport or social security number--in the event that they won the competition, some are worried that their privacy has been compromised."

    Doesn't anyone else just find that line HILARIOUS!? I mean, c'mon... if anyone should be familiar with the vulnerabilities of a web server, and personal information found on said web server, it should be a bunch of "hackers". This is so stupid, I can't even believe it. It has to be a hoax...

    Jason

    --
    He's totally creeping out the Great One, eh...
    1. Re:Irony... by WildBeast · · Score: 2

      Those people sound more like the politicians talking: "We have the right and the duty to compromise your privacy, but don't you dare compromise ours" :)

    2. Re:Irony... by Bastian · · Score: 2

      I doubt the greatest hackers in the world are doing this. Heck, I have a feeling it's mostly just amateur crackers who have never done anything seriously illegal.

      Anybody who really has had much experience breaking into hardened networks would theoretically be way too paranoid to ever attach something like a social security number to a hacking attempt, even an authorized one. I know I wouldn't. . .

  20. hehe that reminds me of something by WildBeast · · Score: 4, Funny

    I had a job interview a few months ago. I went there for the interview on time, I entered the Office, nobody was in there, so I looked around to find a few servers and some of them were powered on and logged on. So I sat down and waited until a guy arrived 10 minutes later.

    When I asked them why they used Solaris as their servers, they told me that it was more secure than Windows and Linux :)

  21. Interesting thing about the site... by jerkychew · · Score: 3, Interesting

    ...It's not ZDnet.com. Look at the web address - the domain is zdnet.com.com

    zdnet.com - 128.11.45.117
    zdnet.com.com - 64.124.237.140

    I don't have time to investigate further, but could it be that the article itself is a hack? Or does zdnet own the com.com domain?

    1. Re:Interesting thing about the site... by rlowe69 · · Score: 5, Insightful

      Or does zdnet own the com.com domain?

      Yes. I asked this question about six months ago, and a clever person pointed out that this would allow ZDNET to use a cookie with the com.com domain across its whole family of sites. Then they could track a person uniquely, customizing advertising, preferences or anything else. I don't know if they actually do this, but it would be a good way to do it.

      rL

      --
      ----- rL
    2. Re:Interesting thing about the site... by MobyTurbo · · Score: 2, Informative

      One often sees com.com type addresses for CNet sites. ZDNet and CNet made a merger a year or two ago, so it's no wonder that ZDNet is using it.

    3. Re:Interesting thing about the site... by Shaheen · · Score: 3, Interesting

      C|Net owns the com.com domain. They centralize around that. News.com is news.com.com, etc.

      --
      You should never take life too seriously - You'll never get out of it alive.
  22. This is fun and all of this.. by Sarin · · Score: 2

    But tell me why do I always get to hear /after/ such a "swift ordeal" on slashdot. Isn't there some sort of website that announces these kinds of contests way-back --in front-- or whatever?

    Yes, I know that there's nothing new about exploiting another machine that's been hooked up by a company that's in desperate need of some cheap advertising (though some press-agencies seem to disagree), but $till I would be happy to be informed in front, if you know what I mean;

    It plagues my mind sometimes to hear these things afterwards, it's a bad trend. I'm not the only one: some people are even writing basic scripts that r00t any vulnerable machine in case there's a contest running on it, they leave subtle hints inside their scripts so the people who had their contest machine r00ted know who to send the prize money to, you all know who I am talking about!

  23. This really happens by Sycraft-fu · · Score: 2

    Some police departments do this. They send packets to people with warrants claiming they have won some sort of prize, like a Hawaiian vacation or something. They then arrest them when they show up and their identity is confirmed. Apparently, it works fairly well.

  24. This goes with the Ancient Chinese teaching by IHavePowers · · Score: 2, Funny

    Master: Do you see the candle on the table, you must put it out using only your energy.

    Student: What energy master?

    Master: Do you not feel the energy within me? You must learn to use that for yourself.

    Student: I think I understand master.

    Student grabs the master and slings him on top of the table and the candle falls to the floor.

    Master: Get out of my class!

  25. Yeah, but... by athmanb · · Score: 5, Interesting

    A real webserver usually runs a couple of different dynamic page scripts (Perl, PHP, ASP, whatever). And they are usually the key point to break in.

    1. Re:Yeah, but... by btellier · · Score: 4, Informative

      Exactly. Obviously when they say "services" they really mean ISAPI extensions or modules. The point is that the more lines of code a hacker can access the more likely they are to break into the computer. More services generally means more code, more extensions means more code. If a server runs Apache with only .html access enabled the odds of breaking in are slim to none (barring some heretofore unknown haq-fu). However most sites enable one of the dynamic languages you listed above, which then creates the ability for people to hack the Triforce of web code:

      - Server-Side interpretation of pathnames

      - Server-Side interpretation of dynamic parameters

      - Backend-Side database metacharacter injection

      It's easy to secure a simple web server. It's very, very difficult to secure one offering many "services".
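
An added example (not part of the thread and not any poster's code) of the three input-interpretation classes btellier lists above, each paired with the server-side check that closes it. The document root, template names and user table are assumptions constructed for illustration.

```python
import posixpath
import sqlite3
from urllib.parse import unquote

DOCROOT = "/srv/www/htdocs"                           # hypothetical document root
TEMPLATES = {"home": "home.tpl", "news": "news.tpl"}  # hypothetical page allowlist

def resolve_path(url_path):
    """Pathnames: decode once, canonicalize, then require the result under DOCROOT."""
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None
    full = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    # normpath folds ".." but not symlinks; a live server would also use realpath.
    if posixpath.commonpath([DOCROOT, full]) != DOCROOT:
        return None
    return full

def select_template(page_param):
    """Dynamic parameters: map the value through an allowlist, never into a path or eval."""
    return TEMPLATES.get(page_param)

def make_db():
    """Constructed sample data in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return db

def find_user_unsafe(db, name):
    """Deliberately vulnerable: quote characters in name become SQL syntax."""
    return db.execute("SELECT name FROM users WHERE name = '%s'" % name).fetchall()

def find_user(db, name):
    """Hardened: the driver binds name as data, so metacharacters stay literal."""
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"                            # constructed metacharacter input
    print(resolve_path("/docs/../index.html"), resolve_path("/%2e%2e/%2e%2e/etc/passwd"))
    print(select_template("news"), select_template("../../etc/passwd"))
    print(len(find_user_unsafe(db, probe)), len(find_user(db, probe)))
```
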

  26. a copy/paste from my yahoo mail =( by Bill+Wong · · Score: 3, Funny

    From: "±èÅÂæ"

    To: "bcw@rave.ch"

    Subject: KDWORKS Notice mail

    Date: Mon, 27 May 2002 03:18:31 +0900

    Hi!
    We will wire your prize as soon as we get your bank account information.
    we need;
    1) bank account number
    2) bank routing number
    3) Name on the account
    4) Name of COuntry where the bank resides.

    If you have any question or concern, please let us know.
    Have a great day!

    1. Re:a copy/paste from my yahoo mail =( by ProfMoriarty · · Score: 2
      Odd ... this looks like the same email I got from some really friendly Nigerians a while back ...

      But their government wasn't allowing them to physically take their money out of the country, so was wondering if they could wire it to me ...

      --
      Karma? Karma? I don't need no stinkin' karma.
  27. Bogus nonsense from hackers... by fanatic · · Score: 2

    "And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody."


    Nice try, but from outside the firewall, that's exactly how many servers will look. Segregating different functions to different places is definitely part of a strategy.

    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
  28. Re:Korea and the Internet by shyster · · Score: 3, Informative
    "I took the initiative in creating the internet" -Al Gore Seems like he did to me. Of course, people like you do seem to rewrite history..

    Not to be too political here, but let's at least look at things reasonably. The context of that quote was Gore talking about legislation that he spearheaded to fund the creation of the Internet. Neither that quote, nor any other, can be interpreted by any but the most die hard conservative as Gore claiming to have invented the Internet. It is, however, a fact that Gore did take initiative in legislation to create the Internet.

    When you take things out of context, you can prove almost any point. As the old saying goes, the devil can quote scripture to suit his means (or something like that...)

  29. Re:Korea and the Internet by shyster · · Score: 2
    As for contributions, I think we've put in quite a bit. Ever look at a graph of the internet backbone? There's a large chunk in the U.S.

    That's because we need the bandwidth to send out all of our spam. And let the script kiddiez r00t boxes. And steal movies and music from P2P networks. Oh yeah...we use it to play games and read Slashdot too. =)

  30. thttpd - "Not real world"? by Latrell+Sprewell · · Score: 3, Interesting
    Originally posted by noahm:
    You won't likely see a real-world web site run on thttpd or something.


    Voyeurweb (porn), one of the most heavily used sites (in visitors and bandwidth usage) on the 'Net, has been using thttpd v2.20x for a long time...

    Netcraft search results for Voyeurweb
  31. Re:Korea and the Internet by pjrc · · Score: 2
    what, exactly, has the US contributed positively to the net?

    The development of BSD unix (in California, of course) and its widespread distribution to other universities and research centers that ultimately made IP and TCP the "standard". Microsoft's TCP/IP code was originally based on the free BSD Unix code, as was Sun's (both have re-written most or all of their TCP/IP code since, but they did both ship BSD-derived code for years).

    Similarly, while the HTTP protocol, a text-only viewer and original server were developed at CERN, it was NCSA (University of Illinois) that developed the Mosaic web browser and NCSA web server. Both Netscape and Microsoft's IE were based on the Mosaic code (recent versions of IE, like 5.5 which I just tested, still credit the University of Illinois in their Help->About Internet Explorer menu). In all likelihood, you're using IE to view this message, so if you are just click on that menu to see a credit for a quick reality check that code you're using to access the net originated in Illinois. Since you're reading this on Slashdot, the server that sent it to you was Apache, which was also originally based on the web server from Illinois (named apache due to a large number of patches to NCSA's server, "A Patchy" server).

    There's just two little examples. Of course, if the question was really what has Korea contributed to the internet's infrastructure... well, that's a good question?

  32. Re:It's amazing how... by Lobsang · · Score: 2

    Two things:

    As a 21 year old guy, you should have noticed the quoted around the word "hacker", denoting irony.

    You're way too touchy for a 21 year old person. Truly sad.

  33. Re:It's amazing how... by Lobsang · · Score: 2

    oops...

    cat $previous_message | sed -e 's/quoted/quotes/g'