Slashdot Mirror


Moronic Hacking Contest Ends In Free-For-All

atomgiant writes "ZDNet is running an interesting article about the KDWorks hacking contest that has gone bad, or good, depending on your perspective. Entertaining read in any event." I think that Bruce Schneier has said it best on the value of contests such as this one. That the registration server was compromised I think is a telling comment on the value of whole site security.

25 of 297 comments

  1. I'll start my own by Saturn49 · · Score: 5, Funny

    Maybe I'll start my own hacking contest. I give the winner a billion dollars. I'll setup 2 computers, one connected to the 'net, completely open and unpatched. It'll physically sit on top of the "secure" box, which won't be connected, or even turned on. When the "winner" tries to claim his prize, I'll simply state that he hacked the "decoy", and the real server was untouched. Sounds about as fair as this one.

    1. Re:I'll start my own by F1re · · Score: 5, Funny

      That's fine until someone breaks into where you store the computers, boots up the unconnected one and ownes it...

      --
      ...there is no sig...
    2. Re:I'll start my own by x136 · · Score: 5, Funny

      Not when they find out that the "secure" box is actually an empty ATX case. :)

      --
      SIGFEH
    3. Re:I'll start my own by Sloppy · · Score: 5, Funny

      For a billion dollars, I'll buy you a motherboard and install it.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  2. Re:DEFCON, HOPE, etc by TweeKinDaBahx · · Score: 5, Insightful

    None, because hackers don't tend to teach each other anything. If a company were to send their IT team to DEFCON with the hope they would learn something, it would also make sense that the company in question must have a CIO who smokes crack.

    Security seminars are geared so that everyone learns, cons are geared so that people who already know can have fun.

  3. duh. more script kiddies to the rescue by Telastyn · · Score: 5, Insightful
    The system set up by KDWorks had almost all of its services deactivated, according to kill9 and m0rla. "The contest server was only simulation, not a real-world environment," they wrote. "And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody."


    Heh, in my experience, it's quite to the contrary. Anyone with half a brain turns off nearly all, if not all services to stop script kiddies like you =]
    1. Re:duh. more script kiddies to the rescue by Tet · · Score: 4, Insightful
      Anyone with half a brain turns off nearly all, if not all services to stop script kiddies like you =]

      Yep, I was open-jawed when I read that. All of the web servers for which I'm responsible present an http server to the world on ports 80 and 443, and nothing else. As it happens, they're also running tomcat and sshd, but that's firewalled off (by two firewalls from different vendors), so you won't have access to those unless you're coming in from an approved address. Anyone who believes that a web server would commonly have more services running has obviously been living in the Windows world too long...

      --
      "The invisible and the non-existent look very much alike." -- Delos B. McKown
    2. Re:duh. more script kiddies to the rescue by warpSpeed · · Score: 5, Insightful
      All of the web servers for which I'm responsible present an http server to the world on ports 80 and 443, and nothing else

      To take that one step further, at the firewall I block all the outgoing connections as well. The web server, in most cases, should not be initiating connections to the outside.
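
The policy the two posters above describe, as an added example that is not KDWorks' configuration or any commenter's own script: a shell function that emits an iptables ruleset exposing only 80/443 to the world, admitting sshd (22) and tomcat (8080, an assumed port) only from an approved admin network, and dropping all other outbound connections except the HOST:PORT destinations you name. The admin network 203.0.113.0/24 and the database host 10.0.0.5:5432 in the usage line are hypothetical; the rules are printed for review rather than applied, and a second function reads them back and reports which ports are reachable from any address.

```shell
#!/bin/sh
# Added example, not KDWorks' or any commenter's configuration. Generates an
# iptables ruleset for a web server: 80/443 open to the world, 22 and 8080
# (assumed tomcat port) only from an approved admin network, egress closed
# except for the HOST:PORT destinations passed as extra arguments (IPv4 assumed).

webserver_fw_rules() {
    admin_net="$1"; shift            # e.g. 203.0.113.0/24 (hypothetical)
    # Default deny in every direction; only the explicit exceptions below pass.
    printf '%s\n' \
        'iptables -P INPUT DROP' \
        'iptables -P FORWARD DROP' \
        'iptables -P OUTPUT DROP' \
        'iptables -A INPUT -i lo -j ACCEPT' \
        'iptables -A OUTPUT -o lo -j ACCEPT' \
        'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        'iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # The only services the whole Internet may reach.
    for port in 80 443; do
        printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$port"
    done
    # Management and the servlet container: approved source address only.
    for port in 22 8080; do
        printf 'iptables -A INPUT -p tcp -s %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$admin_net" "$port"
    done
    # Egress stays closed by default; each remaining argument HOST:PORT opens
    # exactly one outbound TCP destination (a backend database, for example).
    for dest in "$@"; do
        printf 'iptables -A OUTPUT -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "${dest%:*}" "${dest##*:}"
    done
    # Log what the default policy is about to drop so misconfigurations show up.
    printf '%s\n' \
        'iptables -A INPUT -j LOG --log-prefix "fw-drop-in: "' \
        'iptables -A OUTPUT -j LOG --log-prefix "fw-drop-out: "'
}

# Self-check: reads a ruleset on stdin and prints the INPUT ports accepted from
# any source address (no -s restriction). For a web server this should be "80 443".
exposed_ports() {
    grep -- '-A INPUT ' | grep -- '-j ACCEPT' | grep -v -- ' -s ' \
        | sed -n 's/.*--dport \([0-9][0-9]*\).*/\1/p' | tr '\n' ' ' | sed 's/ $//'
}

# Usage (as root, only after reviewing the printed rules):
#   webserver_fw_rules 203.0.113.0/24 10.0.0.5:5432 | sh
if [ "${1:-}" = "--print" ]; then
    shift
    webserver_fw_rules "$@"
    printf 'exposed to the world: %s\n' "$(webserver_fw_rules "$@" | exposed_ports)"
fi
```

Closing egress the way warpSpeed describes does mean the box can no longer resolve names, fetch updates or reach a database on its own; each of those has to be opened deliberately as a HOST:PORT argument, which is the point: an outbound connection you did not list is a reverse shell or an exfiltration attempt, and the LOG rule makes it visible.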

  4. Not "real world"? by alouts · · Score: 4, Insightful
    Granted, securing the overall infrastructure is as important as securing a single box when trying to defend against intrusion, but the rationale for doing it seems pretty weak.

    "And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody."

    Please. What they're basically complaining about is that the web server they were supposed to be attacking was too secure, and not easy enough to get into. If it serves up web pages, it's a web server, whether or not the admin has opened all the ports you're used to exploiting.

    'Course, the fact that there was a honeypot elsewhere on the network seems a bit shifty...

    1. Re:Not "real world"? by noahm · · Score: 5, Insightful
      I've got to agree with you on this. There is no need for a web server to be running anything other than Apache.

      I suspect that meanings are being mixed. I don't think they are complaining that the server wasn't running bind, fingerd, NFS, etc etc. I suspect it was more that the web server software itself was unreasonably minimal. You won't likely see a real-world web site run on thttpd or something. I imagine the web server didn't support things like CGI and stuff, so the only way to get in would be to exploit a known buffer overflow or to exploit something on the OS level. There was no searching for insecure form handlers or things like that.

      But I could be wrong. There are lots of idiots out there, after all.

      noah

    2. Re:Not "real world"? by shyster · · Score: 4, Insightful
      "And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody." Please. What they're basically complaining about is that the web server they were supposed to be attacking was too secure, and not easy enough to get into. If it serves up web pages, it's a web server, whether or not the admin has opened all the ports you're used to exploiting.

      Evidently, that Smoothwall Linux server was indeed NOT a real world example...just take a look at KDWork's other webservers. If KDWorks can't secure ALL their servers, they have no business offering up a hack bounty...or security products.

      I believe the hackers' point was that, yes, an otherwise unfunctional box can be secured to the point of being extremely difficult (or impossible) to crack. But, as soon as that box starts doing something functional (like, for instance, processing registration requests connected to a database server), then they can hack it.

  5. RSA Challenge anyone? by bugg · · Score: 4, Insightful
    The best products/systems/protocols/algorithms available today have not been the subjects of any contests, and probably never will be.

    I think that contests, when done properly, can't prove security but can certainly prove a point. I doubt we'll ever see a proof that factoring numbers must be complex, but the RSA challenge proves that, well, anyone who has the technology would rather keep it than the money. Hrm. Well, at least that means a script kiddie or casual hacker can't factor very large numbers, eh?

    --
    -bugg
  6. no, he does mean hackers! by shemnon · · Score: 5, Funny

    Well, the contest was for hackers and not crackers. Crackers got the registration machine, but since the "contest" machine had an open invitation to break in, there was nothing illegal about it.

    Remember, the class requirements for the Cracker class have the ethical alignment of Chaotic as a requirement. Hackers can have any Ethical Alignments. The White Hat Cracker class has a Chaotic Good alignment requirement. Since they asked people to hack the box it would be very within the Lawful alignments, Lawful Evil in particular since the money is a self-motivational goal. A Lawful Good Hacker would submit a resume so that he can properly lock down the registration computer.

    Did I mention the GNU Hacker Prestige class? Must have a Lawful alignment, otherwise the whole bit about licencing wouldn't have any meaning to them. BSD Hackers are closer to True Neutral, since they don't care what is done as long as they get credit.

    --
    --Shemnon
  7. Re:Jeebus... by Wildcat+J · · Score: 5, Funny
    If you recall, this occurred on the Simpsons. The Springfield police department sent out notices to criminals claiming they had won a boat. They picked up Homer for an unpaid parking ticket, which he promptly paid, then he demanded his boat. Everything in life can be related back to a Simpsons episode!

    -J

  8. Re:Korea and the Internet by JordoCrouse · · Score: 5, Funny

    At the risk of sounding like an insensitive racist jerk, what, exactly, has the US contributed positively to the net?

    Uhhh... other than inventing the damn thing?

    --
    Do you have Linux and a DotPal? Click here now!
  9. You can't always get what you want, but.... by L.+VeGas · · Score: 5, Funny

    This reminds me of my old boss that was taking karate lessons. He went up to a geek I worked with and asked him to "try to kick me as hard as you can". He hadn't even finished the sentence when Ken slammed him in the jewels so hard that my boss threw up. All he kept saying was "But I wasn't ready!"

  10. Re:DEFCON, HOPE, etc by bafu · · Score: 4, Insightful

    Security seminars are geared so that everyone learns, cons are geared so that people who already know can have fun.

    Based on my experience at the cons, I'd have to say that is a fair assessment. On the plus side, some were very cheap. You pay for your hotel room, but your actual conference fee was kicking in a share for the booze... :-P

    Anyway, they weren't a complete waste of time, but the primary benefit was meeting folks, not learning lore.

    I am finding myself unable to get anything out of going to seminars.

    They don't do much for me, either. The thing is, if all you are looking for is info on how to better secure your systems, there is loads and loads of it available on the net. The plus is that you can proceed at your own rate and dive however deep you want. If your boss is really twisting your arm about taking courses, I'd see if you can get something detailed on advanced firewall configuration or performance tuning, something like that. Those are areas where it's common to only take the self-training as far as the immediate job requires... a course might cover things that would be nice to know in the future, as well. If the boss'll spring for books, that can be good, too.

  11. Your BS for the day... by Chris+Burke · · Score: 5, Insightful

    This cracked me up. The article says that the honeypot server would start a tracing program as soon as it detected anyone trying to connect to it and that (emphasis mine):

    "Then the tracking software analyses all the activities of the intruder (including hacking method, all the ISP used, IP address, even what the hackers punched on his keyboard) to trace down the original location of the intruder."

    Okay, thanks ZDNet. Did they tell you that, or did you just make that insanity up on your own? You get kudos either for gullibility or imagination, depending. So basically, they're trying to suggest that this program not only traces the hacker (ooh, it logs IP addys!), but then automatically hacks the hacker's machine to install a keystroke logger.

    Each day you learn something new. Then something comes along so stupid it damages the brain cells that managed to learn that new thing. But at least I laughed. :)

    --

    The enemies of Democracy are
  12. Irony... by jhaberman · · Score: 5, Funny

    "As entrants were required to enter personal details together with some form of identification--such as a passport or social security number--in the event that they won the competition, some are worried that their privacy has been compromised."

    Doesn't anyone else just find that line HILARIOUS!? I mean, c'mon... if anyone should be familiar with the vulnerabilities of a web server, and personal information found on said web server, it should be a bunch of "hackers". This is so stupid, I can't even believe it. It has to be a hoax...

    Jason

    --
    He's totally creeping out the Great One, eh...
  13. Re:DEFCON, HOPE, etc by Pinball+Wizard · · Score: 5, Insightful
    Have you ever seen the "Nick Burns, Computer Guy" sketch on SNL? That's what talking to most hackers is like.

    you really shouldn't be involved in computer security if that's the case.

    There is a name for people who can follow simple, easy-to-understand laundry lists of how to approach computer security. They're called script kiddies. You really think this stuff can be simplified to the point that you can understand, given your apparent lack of experience?

    Becoming a real hacker as opposed to a script kiddie takes years and there are no shortcuts. Learn the ins and outs of the operating systems you use. Learn a programming language inside and out. Then learn successively lower-level programming languages until you get to C and assembly and learn those. Meanwhile, pay attention to the theoretical aspects of all this stuff - meaning learn about algorithms and the underlying mathematics.

    No one is trying to hide the secrets from you, just trying to discourage you from thinking there is a simple explanation to everything - and thinking that someone can tell you all about computer security in plain English (i.e. none of those anti-social phrases like 'buffer overflows'). You want to be a hacker? Hit the books, and be prepared for years of hard study.

    Then you might understand some of those seemingly obscure references that for the moment are beyond your grasp.

    --

    No, Thursday's out. How about never - is never good for you?

  14. hehe that reminds me of something by WildBeast · · Score: 4, Funny

    I had a job interview a few months ago. I went there for the interview on time, I entered the office, nobody was in there, so I looked around to find a few servers and some of them were powered on and logged on. So I sat down and waited until a guy arrived 10 minutes later.

    When I asked them why they used Solaris as their servers, they told me that it was more secure than Windows and Linux :)

  15. Re:Jeebus... by ayden · · Score: 4, Funny

    I specifically remember this event. Continental Cable, the precursor of MediaOne and my cable provider at the time did this very thing in Northwest Connecticut in the early 1990's. There was a Pay Per View boxing match scheduled for a particular night. Since it was a Pay Per View event, the cable company had an exact list of everyone who had officially ordered (and paid for) the event. The cable company sent a special "commercial" for a free T-shirt to everyone tuned to the Pay Per View channel but also sent a signal to the cable boxes of everyone who paid for the program telling their cable boxes not to show the commercial. The result was that dozens of people called the "toll free" number and turned themselves in.

    I have two feelings on the subject:

    1. After spending over $1000 (over a number of years) on their product, Continental Cable didn't consider me a good customer, but a suspect. How I longed for competition in the cable industry.

    2. I took this as a warning and learned my lesson well. Beware of anyone offering you something for free.

    --
    "I'm The Bounty Bear. I will find him anywhere. I'm searching."
  16. Re:Interesting thing about the site... by rlowe69 · · Score: 5, Insightful

    Or does zdnet own the com.com domain?

    Yes. I asked this question about six months ago, and a clever person pointed out that this would allow ZDNET to use a cookie with the com.com domain across its whole family of sites. Then they could track a person uniquely, customizing advertising, preferences or anything else. I don't know if they actually do this, but it would be a good way to do it.

    rL

    --
    ----- rL
  17. Yeah, but... by athmanb · · Score: 5, Interesting

    A real webserver usually runs a couple of different dynamic page scripts (Perl, PHP, ASP, whatever). And they are usually the key point to break in.

    1. Re:Yeah, but... by btellier · · Score: 4, Informative

      Exactly. Obviously when they say "services" they really mean ISAPI extensions or modules. The point is that the more lines of code a hacker can access the more likely they are to break into the computer. More services generally means more code, more extensions means more code. If a server runs Apache with only .html access enabled the odds of breaking in are slim to none (barring some heretofore unknown haq-fu). However most sites enable one of the dynamic languages you listed above, which then creates the ability for people to hack the Triforce of web code:

      - Server-Side interpretation of pathnames

      - Server-Side interpretation of dynamic parameters

      - Backend-Side database metacharacter injection

      It's easy to secure a simple web server. It's very, very difficult to secure one offering many "services".
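
The three bug classes btellier lists, each as a vulnerable handler beside its hardened form, as an added example that is not code from the original thread or from any poster: a pathname resolver that percent-decodes and then either walks out of the document root or refuses to; a CGI-style parameter that is either pasted into a shell command string or allowlisted and passed as argv; and a login query built by string formatting beside the same query with bound parameters. The document root /var/www/html, the users table, the sample accounts and the hostile inputs are all constructed for the demonstration; POSIX paths are assumed.

```python
"""Vulnerable and hardened handlers for the three bug classes named above.

Constructed example (not code from the original thread): the document root,
table layout, sample accounts and hostile inputs are all made up; POSIX paths
are assumed.
"""
import os
import re
import sqlite3
from typing import List, Optional
from urllib.parse import unquote

DOCROOT = "/var/www/html"  # hypothetical document root


# 1. Server-side interpretation of pathnames (directory traversal).
def resolve_path_vulnerable(requested: str) -> str:
    """Decodes and joins; '..' segments walk straight out of DOCROOT."""
    return os.path.normpath(os.path.join(DOCROOT, unquote(requested).lstrip("/")))


def resolve_path_hardened(requested: str) -> Optional[str]:
    """Same decoding, but refuses anything whose normalized form leaves DOCROOT."""
    candidate = os.path.normpath(os.path.join(DOCROOT, unquote(requested).lstrip("/")))
    if os.path.commonpath([DOCROOT, candidate]) != DOCROOT:
        return None  # traversal attempt: refuse rather than serve
    return candidate


# 2. Server-side interpretation of dynamic parameters (a CGI that shells out).
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def build_ping_vulnerable(host: str) -> str:
    """A command string for a shell: ';', '|' or '`' in host runs extra commands."""
    return "ping -c 1 " + host


def build_ping_hardened(host: str) -> Optional[List[str]]:
    """Allowlists the parameter and returns argv for subprocess.run(shell=False)."""
    if not HOSTNAME_RE.fullmatch(host):
        return None
    return ["ping", "-c", "1", host]


# 3. Backend database metacharacter injection.
def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """String-built SQL: a quote in either field rewrites the WHERE clause."""
    sql = "SELECT 1 FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Bound parameters: user data never reaches the SQL parser as syntax."""
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def demo() -> dict:
    """Runs each pair on a benign and a hostile input and returns the results."""
    conn = make_db()
    traversal = "..%2f..%2f..%2fetc%2fpasswd"      # percent-encoded '../'
    return {
        "path_vuln": resolve_path_vulnerable(traversal),
        "path_hard": resolve_path_hardened(traversal),
        "path_ok": resolve_path_hardened("index.html"),
        "cmd_vuln": build_ping_vulnerable("example.com; cat /etc/passwd"),
        "cmd_hard": build_ping_hardened("example.com; cat /etc/passwd"),
        "cmd_ok": build_ping_hardened("example.com"),
        "sql_vuln": login_vulnerable(conn, "alice", "' OR '1'='1"),
        "sql_hard": login_hardened(conn, "alice", "' OR '1'='1"),
        "sql_ok": login_hardened(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:10} {value!r}")
```

Two details worth noticing: the path check decodes before it normalizes, because a check on the raw "%2e%2e%2f" would pass a request that the filesystem layer later turns into "../"; and the hardened command builder never produces a shell string at all, so there is nothing to escape. The SQL pair is the one btellier calls metacharacter injection: the vulnerable form lets a single quote in the password turn "AND password = ''" into "OR '1'='1'", while the bound form sends the same quote to the database as data.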