Slashdot Mirror

← Back to Stories (view on slashdot.org)

Moronic Hacking Contest Ends In Free-For-All

Posted by chrisd on from the stupid-marketing-tricks-end-badly dept.

atomgiant writes "ZDNet is running an interesting article about the KDWorks hacking contest that has gone bad, or good, depending on your perspective. Entertaining read in any event." I think that Bruce Schneier has said it best on the value of contests such as this one. That the registration server was compromised I think is a telling comment on the value of whole site security.

40 of 297 comments (clear)

  1. DEFCON, HOPE, etc by totallygeek · · Score: 3, Interesting
    Do many companies feel that these are more beneficial to send employees to (IT nerds, information security people, etc) than some of the security training courses/seminars we all get junk mail from? I am working really hard for my company to send me to Red Hat's firewall school, DEFCON, and then SANS. What is the general concensus?

    --
    Click here or here.
    1. Re:DEFCON, HOPE, etc by TweeKinDaBahx · · Score: 5, Insightful

      None, because hackers don't tend to teach each other anything. If a company were to send thier IT team to DEFCON with the hope they would learn something, it would also make sense that the company in question must have a CIO who smokes crack.

      Security seminars are geared so that everyone learns, cons are geared so that people who already know can have fun.

      --
      Linux is dead.
      LU
    2. Re:DEFCON, HOPE, etc by totallygeek · · Score: 3, Interesting

      Security seminars are geared so that everyone learns, cons are geared so that people who already know can have fun.


      I am finding myself unable to get anything out of going to seminars. So, maybe I am closing that gap between needing to learn basics and picking up information at a conference. It is tough when I am told that I must attend training, and it is boring information about ports and services and maybe something about some Windows software I will never use that can do "what is called a port scan."


      Maybe I will go to DEFON or the like and see what I can input and bring back...

      --
      Click here or here.
    3. Re:DEFCON, HOPE, etc by bafu · · Score: 4, Insightful

      Security seminars are geared so that everyone learns, cons are geared so that people who already know can have fun.

      Based on my experience at the cons, I'd have to say that is a fair assessment. On the plus side, some were very cheap. You pay for your hotel room, but your actual conference fee was kicking in a share for the booze... :-P

      Anyway, they weren't a complete waste of time, but the primary benefit was meeting folks, not learning lore.

      I am finding myself unable to get anything out of going to seminars.

      They don't do much for me, either. The thing is, if all you are looking for is info on how to better secure your systems, there is loads and loads of it available on the net. The plus is that you can proceed at your own rate and dive however deep you want. If your boss is really twisting your arm about taking courses, I'd see if you can get something detailed on advanced firewall configuration or performance tuning something like that. Those are areas where it's common to only take the self-training as far as the immediate job requires... a course might cover things that would be nice to know in the future, as well. If the boss'll spring for books, that can be good, too.

    4. Re:DEFCON, HOPE, etc by Pinball+Wizard · · Score: 5, Insightful
      Have you ever seen the "Nick Burns, Computer Guy" sketch on SNL? That's what talking to most hackers is like.

      you really shouldn't be involved in computer security if that's the case.

      There is a name for people who can follow simple, easy-to-understand laundry lists of how to approach computer security. They're called script kiddies. You really think this stuff can be simplified to the point that you can understand, given your apparent lack of experience?

      Becoming a real hacker as opposed to a script kiddie takes years and there are no shortcuts. Learn the inside and outs of the operating systems you use. Learn a programming language inside and out. Then learn successively lower-level programming languages until you get to C and assembly and learn those. Meanwhile, pay attention to the theoretical aspects of all this stuff - meaning learn about algorithms and the underlying mathematics.

      No one is trying to hide the secrets from you, just trying to discourage you from thinking there is a simple explanation to everything - and thinking that someone can tell you all about computer security in plain english(i.e. none of those anti-social phrases like 'buffer overflows') You want to be a hacker? Hit the books, and be prepared for years of hard study.

      Then you might understand some of those seemingly obscure references that for the moment are beyond your grasp.

      --

      No, Thursday's out. How about never - is never good for you?

  2. Jeebus... by TweeKinDaBahx · · Score: 3, Funny

    It's a silly idea all together, hacking, but I guess it must be better than girls/sunlight.

    Any hackers who get busted deserve what they get for being dumb enough to show.

    I recall a sherrif's dept. sending out letters to people with outstanding warrants exclaiming that they had one a prize and had to go to a certain address to claim it. Needless to say, the cops had a field day arresting all sorts of people, who were actually dumb enough to buy the ploy.

    Just rememebr, if you're doing illegal things, there's always a chance you'll get caught. The best thing to do is just not get caught :)

    --
    Linux is dead.
    LU
    1. Re:Jeebus... by Wildcat+J · · Score: 5, Funny
      If you recall, this occurred on the Simpsons. The Springfield police department sent out notices to criminals claiming they had won a boat. They picked up Homer for an unpaid parking ticket, which he promptly paid, then he demanded his boat. Everything in life can be related back to a Simpsons episode!

      -J

    2. Re:Jeebus... by ayden · · Score: 4, Funny

      I specifically remember this event. Continental Cable, the precursor of MediaOne and my cable provider at the time did this very thing in Northwest Connecticut in the early 1990's. There was a Pay Per View boxing match scheduled for a particular night. Since it was a Pay Per View event, the cable company had an exact list of everyone who had officially ordered (and paid for) the event. The cable company sent a special "commercial" for a free T-shirt to everyone tuned to the Pay Per View channel but also sent a signal to the cable boxes of everyone who paid for the program telling their cable boxes not to show the commercial. The result was that dozens of people called the "toll free" number and turned themselves in.

      I have two feelings on the subject:

      1. After spending over $1000 (over a number of years) on their product, Continental Cable didn't consider me good customer, but a suspect. How I longed for competition in cable industry.

      2. I took this as a warning and learned my lesson well. Beware of anyone offering you something for free.

      --
      "I'm The Bounty Bear. I will find him anywhere. I'm searching."
  3. I'll start my own by Saturn49 · · Score: 5, Funny

    Maybe I'll start my own hacking contest. I give the winner a billion dollars. I'll setup 2 computers, one connected to the 'net, completely open and unpatched. It'll physically sit on top of the "secure" box, which won't be connected, or even turned on. When the "winner" tries to claim his prize, I'll simply state that he hacked the "decoy", and the real server was untouched. Sounds about as fair as this one.

    1. Re:I'll start my own by F1re · · Score: 5, Funny

      That's fine until someone breaks into where you store the computers, boots up the unconnected one and ownes it...

      --
      ...there is no sig...
    2. Re:I'll start my own by x136 · · Score: 5, Funny

      Not when they find out that the "secure" box is actually an empty ATX case. :)

      --
      SIGFEH
    3. Re:I'll start my own by Sloppy · · Score: 5, Funny

      For a billion dollars, I'll buy you a motherboard and install it.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  4. duh. more script kiddies to the rescue by Telastyn · · Score: 5, Insightful
    The system set up by KDWorks had almost all of its services deactivated, according to kill9 and m0rla. "The contest server was only simulation, not a real-world environment," they wrote. "And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody."


    Heh, in my experience, it's quite to the contrary. Anyone with half a brain turns off nearly all, if not all services to stop script kiddies like you =]
    1. Re:duh. more script kiddies to the rescue by Tet · · Score: 4, Insightful
      Anyone with half a brain turns off nearly all, if not all services to stop script kiddies like you =]

      Yep, I was open jawed when I read that. All of the web servers for which I'm responsible present an http server to the world on ports 80 and 443, and nothing else. As it happens, they're also running tomcat and sshd, but that's firewalled off (by two firewalls from different vendors), so you won't have access to those unless you're coming in from an approved address. Anyone who believes that a web server would commonly have more services running has obviously been living in the windows world too long...

      --
      "The invisible and the non-existent look very much alike." -- Delos B. McKown
    2. Re:duh. more script kiddies to the rescue by warpSpeed · · Score: 5, Insightful
      All of the web servers for which I'm responsible present an http server to the world on ports 80 and 443, and nothing else

      To take that one step further, at the firewall I block all the outgoing connections as well. The web server, in most cases, should not be initiating connections to the outside.

  5. Not "real world"? by alouts · · Score: 4, Insightful
    Granted, securing the overall infrastructure is as important as securing a single box when trying to defend against intrusion, but the rationale for doing it seems pretty weak.

    "And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody."

    Please. What they're basically complaining about is that the web server they were supposed to be attacking was too secure, and not easy enough to get into. If it serves up web pages, it's a web server, whether or not the admin has opened all the ports you're used to exploiting.

    'Course, the fact that there was a honeypot elsewhere on the network seems a bit shifty...

    1. Re:Not "real world"? by noahm · · Score: 5, Insightful
      I've got to agree with you on this. There is no need for a web server to be running anything other than Apache.

      I suspect that meanings are being mixed. I don't think they are complaining that the server wasn't running bind, fingerd, NFS, etc etc. I suspect it was more that the web server software itself was unreasonably minimal. You won't likely see a real-world web site run on thttpd or something. I imagine the web server didn't support things like CGI and stuff, so the only way to get in would be to exploit a known buffer overflow or to exploit something on the OS level. There was no searching for insecure form handlers or things like that.

      But I could be wrong. There are lots of idiots out there, after all.

      noah

    2. Re:Not "real world"? by nomadic · · Score: 3, Insightful

      Well then why do all the self-appointed security experts on slashdot always insist that anything can be hacked. Of course they didn't make it easy, geeze, they were offering 100k. And people are complaining that it's too hard?

      Maybe the people that tried just aren't very good hackers?

    3. Re:Not "real world"? by shyster · · Score: 4, Insightful
      "And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody." Please. What they're basically complaining about is that the web server they were supposed to be attacking was too secure, and not easy enough to get into. If it serves up web pages, it's a web server, whether or not the admin has opened all the ports you're used to exploiting.

      Evidently, that Smoothwall Linux server was indeed NOT a real world example...just take a look at KDWork's other webservers. If KDWorks can't secure ALL their servers, they have no business offering up a hack bounty...or security products.

      I believe the hackers' point was that, yes, an otherwise unfunctional box can be secured to the point of being extremely difficult (or impossible) to crack. But, as soon as that box starts doing something functional (like, for instance, processing registration requests connected to a database server), then they can hack it.

  6. RSA Challenge anyone? by bugg · · Score: 4, Insightful
    The best products/systems/protocols/algorithms available today have not been the subjects of any contests, and probably never will be.

    I think that contests, when done properly, can't prove security but it certainly can certainly prove a point. I doubt we'll ever see a proof that factoring numbers must be complex, but the RSA challenge proves that, well, anyone who has the technology would rather keep it than the money. Hrm. Well, at least that means a script kiddie or casual hacker can't factor very large numbers, eh?

    --
    -bugg
    1. Re:RSA Challenge anyone? by Boatman · · Score: 3, Informative

      Contests are good at proving *insecurity*. Thus the RSA contests. But lack of proof of insecurity isn't proof of security.

      --
      --Just the place for a snark!
  7. Re:Hmm by unicron · · Score: 3, Informative

    They have this law, called entrapment, that says people can't be baited into committing crimes. You should look into it, might interest you.

    --
    Finally, math books without any of that base 6 crap in them.
  8. no, he does mean hackers! by shemnon · · Score: 5, Funny

    Well, the contest was for hackers and not crackers. Crackers got the registration machine, but since the "contest" machine had an open invitation to break in, there was nothing illegal about it.

    Remember, the class requirements for the Cracker class has the ethical alignment of Chaotic as a requirement. Hackers can have any Ethical Alignments. The White Hat Cracker class has a Chaotic Good alignment requirement. Since they asked people to hack the box it would be very within the Lawful alignments, Lawful Evil in partiular since the money is a self motivational goal. A Lawful Good Hacker would submit a resume so that he can properly lock down the registration computer.

    Did I mention the GNU Hacker Prestige class? Must have a Lawful alignment, otherwise the whole bit about licencing wouldn't have any meaning to them. BSD Hackers are closer to True Neutral, since they don't care what is done as long as they get credit.

    --
    --Shemnon
  9. Open source is a security contest by Beryllium+Sphere(tm) · · Score: 3, Insightful

    which addresses some of Schneier's criticisms.

    Instead of a limited time frame, it lasts as long as the product is used.

    Instead of the unrealistic conditions of a contest, there's enough information that talented people can spend their time studying security rather than doing reverse engineering.

    One of the reasons for mostly-trusting OpenBSD or PGP is that they're the outcome of what amounts to multi-year cracking contests. With enough of the right eyeballs, even security bugs can be shallow.

  10. Re:Korea and the Internet by JordoCrouse · · Score: 5, Funny

    At the risk of sounding like an insensitive racist jerk, what, exactly, has the US contributed positively to the net?

    Uhhh... other than inventing the damn thing?

    --
    Do you have Linux and a DotPal? Click here now!
  11. You can't always get what you want, but.... by L.+VeGas · · Score: 5, Funny

    This reminds me of my old boss that was taking karate lessons. He went up to a geek I worked with and asked him to "try to kick me as hard as you can". He hadn't even finished the sentence when Ken slammed him in the jewels so hard that my boss threw up. All he kept saying was "But I wasn't ready!"

    --
    Best Windows Freeware
  12. No FTP/SSH is real world by AHumbleOpinion · · Score: 3, Insightful

    ... no FTP/SSH (how do you update files on the server)... That isn't real world

    No, that is real world, or would be if the "world" was properly administered. You are making a false assumption that ftp/ssh has to be universally open, this is wrong. These ports may, and should, only be opened to certain IP ranges. For example, the companies internal subnet, admin's home IP, etc.

  13. Re:Korea and the Internet by Selmo · · Score: 3, Funny
    At the risk of sounding like an insensitive racist jerk, what, exactly, has korea contributed positively to the net?

    FWIW, they went apeshit over StarCraft, which provided revenues for other projects like Diablo II and WarCraft III.

  14. Your BS for the day... by Chris+Burke · · Score: 5, Insightful

    This cracked me up. The article says that the honeypot server would start a tracing program as soon as it detected anyone trying to connect to it and that (emphasis mine):

    "Then the tracking software analyses all the activities of the intruder (including hacking method, all the ISP used, IP address, even what the hackers punched on his keyboard) to trace down the original location of the intruder."

    Okay, thanks ZDNet. Did they tell you that, or did you just make that insanity up on your own? You get kudos either for gullibility or imagination, depending. So basically, they're trying to suggest that this program not only traces the hacker (ooh, it logs IP addys!), but then automatically hacks the hacker's machine to install a keystroke logger.

    Each day you learn something new. Then something comes along so stupid it damages the brain cells that managed to learn that new thing. But at least I laughed. :)

    --

    The enemies of Democracy are
    1. Re:Your BS for the day... by gmanske · · Score: 3, Insightful
      I initially laughed too, but then I remembered something.

      Keyloggers are not new, and are mentioned here. Besides simply logging cleartext traffic (telnet), encrypted traffic can be logged on the host side before it is sent back over the wire (ssh) using a replacement shell (forwarding traffic to syslogd), ttywatchers or the *trace tools.

      I believe this is the technique used to log outgoing ssh traffic from a compromised machine, particularly but not limited to the case of common rootkits which drop replacement sshd[s].

      The zdnet text is sensationalist, but that doesn't mean it isn't technically possible.

      Gmanske.

  15. Irony... by jhaberman · · Score: 5, Funny

    "As entrants were required to enter personal details together with some form of identification--such as a passport or social security number--in the event that they won the competition, some are worried that their privacy has been compromised."

    Doesn't anyone else just find that line HILLAIROUS!? I mean, c'mon... if anyone should be familiar with the vuneralbilities of a web server, and personal information found on said web server, it should be a bunch of "hackers". This is so stupid, I can't even believe it. It has to be a hoax...

    Jason

    --
    He's totally creeping out the Great One, eh...
  16. hehe that reminds me of something by WildBeast · · Score: 4, Funny

    I had a job interview a few months ago. I went there for the interview on time, I entered the Office, nobody was in there, so I looked around to find a few servers and some of them where powered on and logged on. So I sat down and waited until a guy arrived 10 minutes later.

    When I asked them why they used Solaris as there servers, they told me that it was more secure than Windows and Linux :)

  17. Interesting thing about the site... by jerkychew · · Score: 3, Interesting

    ...It's not ZDnet.com. Look at the web address - the domain is zdnet.com.com

    zdnet.com - 128.11.45.117
    zdnet.com.com - 64.124.237.140

    I don't have time to investigate further, but could it be that the article itself is a hack? Or does zdnet own the com.com domain?

    1. Re:Interesting thing about the site... by rlowe69 · · Score: 5, Insightful

      Or does zdnet own the com.com domain?

      Yes. I asked this question about six months ago, and a clever person pointed out that this would allow ZDNET to use a cookie with the com.com domain across its whole family of sites. Then they could track a person uniquely, customizing advertising, preferences or anything else. I don't know if they actually do this, but it would be a good way to do it.

      rL

      --
      ----- rL
    2. Re:Interesting thing about the site... by Shaheen · · Score: 3, Interesting

      C|Net owns the com.com domain. They centralize around that. News.com is news.com.com, etc.

      --
      You should never take life too seriously - You'll never get out of it alive.
  18. Yeah, but... by athmanb · · Score: 5, Interesting

    A real webserver usually runs a couple of different dynamic page scripts (Perl, PHP, ASP, whatever). And they are usually the key point to break in.

    1. Re:Yeah, but... by btellier · · Score: 4, Informative

      Exactly. Obviously when they say "services" they really mean ISAPI extentions or modules. The point is that the more lines of code a hacker can access the more likely they are to break into the computer. More services generally means more code, more extentions means more code. If a server runs Apache with only .html access enabled the odds of breaking in are slim to none (baring some heretofore unknown haq-fu). However most sites enable one of the dynamic languages you listed above, which then creates the ability for people to hack the Triforce of web code:

      - Server-Side interperatation of pathnames

      - Server-Side interperatation of dynamic parameters

      - Backend-Side database metacharacter injection

      It's easy to secure a simple web server. It's very, very difficult to secure one offering many "services".

  19. a copy/paste from my yahoo mail =( by Bill+Wong · · Score: 3, Funny

    From: ""±èÅÂæ""

    To: ""bcw@rave.ch""

    Subject: KDWORKS Notice mail

    Date: Mon, 27 May 2002 03:18:31 +0900

    Hi!
    We will wire your prize as soon as we get your bank account information.
    we need;
    1) bank account number
    2) bank routing number
    3) Name on the account
    4) Name of COuntry where the bank resides.

    If you have any question or concern, please let us know.
    Have a great day!

  20. Re:Korea and the Internet by shyster · · Score: 3, Informative
    "I took the initative in creating the internet" -Al Gore Seems like he did to me. Of course, people like you do seem to rewrite history..

    Not to be too political here, but let's at least look at things reasonably. The context of that quote was Gore talking about legislation that he spearheaded to fund the creation of the Internet. Neither that quote, or any other, can be interpreted by any but the most die hard conservative as Gore claiming to have invented the Internet. It is, however, a fact that Gore did take initiative in legislation to create the Internet.

    When you take things out of context, you can prove almost any point. As the old saying goes, the devil can quote scripture to suit his means (or something like that...)

  21. thttpd - "Not real world"? by Latrell+Sprewell · · Score: 3, Interesting
    Originally posted by noahm:
    You won't likely see a real-world web site run on thttpd or something.


    Voyeurweb (porn), one of the most heavily used sites (in visitors and bandwidth usage) on the 'Net, has been using thttpd v2.20x for a long time...

    Netcraft search results for Voyeurweb