Linux Top Gun Hacker Contest Report
We heard about this from a slashdot article ("Computer Attack and Defense As Spectator Sport").
Tough Audience
The event was held at the Alamo Drafthouse, a movie house with tables and a wireless network. The theatre was packed, and there was a waiting line going out the door. I talked to an admin who had driven in from Brownsville (South Texas) for this event, so obviously there was a lot of interest, although we didn't know what to expect. Many attendees, maybe 10%, had computers with them.
The event was supposed to start at 7 p.m., but because of technical difficulties, it didn't start until 9 p.m. In the outer lobby were vendors selling metal bras and edgy political/sex books. Very Austinesque.
The Event Itself
When the Top Gun event itself started, it went like this: there are a few registered teams; each team is given the 'target' box, and has ten minutes to secure it. After that, everyone in the room has thirty minutes to try to hack into the box. A few services had to be enabled -- http, https, ssh, smtp, and ftp. The defenders start with 100 points, and points are deducted if any of the services seemed unavailable, or if judges determined the box was compromised. DoS attacks are not allowed.
Already the idea sounded weak. On the big screen, they were running a homebrew GUI app that showed the score, time, IP addresses, and the services on the target. The services were being polled by a monitoring machine, and the response time was displayed. If the response time increased, i.e. the service was laggy, then points were automatically deducted from the defender's score. Laggy web server performance? That's a strange definition of 'hacked', but it is (or should have been) easy to monitor, which is probably why they did it.
Part of the draw to this event was that they were going to use "video animation" to "show how network attacks happen." I didn't have my hopes up for this, but I was still disappointed. They used their (Linux-based) homebrew GUI, which looked like it just used some libraries from etherape to draw lines from IPs to the services on the target they attach to. That was it for the visualizations. The list of services was supposed to turn from green to red when they went slow, but for most of the night they stayed red and displayed just zeros, no readings. Their software appeared very buggy, hardly ever working, and windows in the background showed them fixing it as they went.
The commentary was sparse and uninformative. "Yes, that line shows connections to http, and it is taking a beating!" There was no discussion of exploits, security, concepts, attacks, what is currently happening, etc. After the attack session ended, the defenders were brought up for a brief Q&A, which reminded me of a post-fight boxing interview. "Uh, yeah, we felt good, we had a plan. A lot of things happened, and we applied patches."
Before, during, and after the attack session, no one knew what was happening. It seems that despite hours of trying by different teams, the target box was NEVER compromised. During the second Q&A session I stood up and asked, "Was the box hacked in any way whatsoever?" The reply? "Probably." But no one knew. If it had been hacked, I believe the person doing it would have said something, or at least bragged on the irc channel for the contest.
The entire operation seemed very amateurish. Technical difficulties occurred during the event, giving one team a higher score because the monitoring software wasn't working to remove points. Most attendees left early, and a highlight of the evening was when someone posted ASCII porn to the IRC channel.
On the upside, the DJ had a good stream of music, there were more women than you'd expect, and some in small metal bras. And it was a gathering of a lot of smart geeks, a great opp to meet people.
Room for Improvement
The longest topic of conversation in the audience was how to fix this mess. We came up with some ideas:
Visuals
They should have used proven, off-the-shelf network visualization and monitoring tools for the event. We were _dying_ for some snort output, to see what exploits were being attempted. A tool like Demarc would have been perfect to show the events as they happened. Or at least snortsnarf or acid. The screen should have rotated between different monitoring tools to give an idea of what was happening.
Contest Format
The format of the event was flawed. The truth is most hackers take advantage of easy targets. Defending a box is not that hard. Simply applying the latest patches and configuring a basic iptables firewall about does it. After those steps are taken by the defending team, only truly leet hax0rs with 0day exploits are going to get root in thirty minutes.
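As an added illustration of the "basic iptables firewall" step above (this is not code from the article or from the event's organisers): a default-deny ruleset that keeps only the five judged services reachable. The IPT variable, the port list and the log prefix are my own choices; it assumes IPv4, a single interface, and the kernel FTP conntrack helper loaded so passive-mode data connections count as RELATED.

```shell
#!/bin/sh
# Added example, not from the article. Default-deny INPUT policy for a
# contest box that must keep ftp, ssh, smtp, http and https reachable.
# IPT defaults to the real iptables binary; set IPT=echo to preview the
# rules without touching the kernel (that is what preview_firewall does).
# Assumes IPv4 only and that nf_conntrack_ftp/ip_conntrack_ftp is loaded
# so passive FTP data connections are accepted via the RELATED state.

REQUIRED_TCP_PORTS="21 22 25 80 443"   # ftp ssh smtp http https

apply_firewall() {
    ipt="${IPT:-iptables}"

    # Start from a clean INPUT chain, then deny inbound traffic by default.
    "$ipt" -F INPUT
    "$ipt" -P INPUT DROP
    "$ipt" -P FORWARD DROP
    "$ipt" -P OUTPUT ACCEPT

    # Loopback, plus replies to connections the box itself opened.
    "$ipt" -A INPUT -i lo -j ACCEPT
    "$ipt" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New TCP connections must begin with a SYN; drop malformed openers.
    "$ipt" -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # Only the services the judges poll are exposed.
    for port in $REQUIRED_TCP_PORTS; do
        "$ipt" -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Let the monitoring host ping the box, but nothing else over ICMP.
    "$ipt" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Log what falls through (rate-limited) so defenders can watch attempts.
    "$ipt" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "ltg-drop: "
    "$ipt" -A INPUT -j DROP
}

# Dry run: print the rules that apply_firewall would execute.
preview_firewall() {
    IPT=echo apply_firewall
}

# Apply for real only when invoked as: sh firewall.sh apply   (needs root)
if [ "${1:-}" = "apply" ]; then
    apply_firewall
fi
```

Run it with `sh firewall.sh` to preview nothing and `sh firewall.sh apply` as root to install the rules; the dropped-packet log lines show up in the kernel log with the `ltg-drop:` prefix.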
A better format would be this: Bring an unpatched or lightly patched Linux server for everyone to attack. As soon as someone gets in, stop the show. The hacker gets a prize, and has to explain/show what they did. Then that vulnerability is patched, and the contest starts up again.
All in all, the event was a let down. Austin is a cool town, and lots of smart geeks came out. There is obviously interest in an event like this, but the execution didn't result in any entertainment or learning. If this is a PR event to generate publicity for the sponsors, I think it failed, because if this is an example of their organizational and technical skills, I would not hire them myself. But then, they're probably better at security than they are at public events.
Slashdot welcomes reader-submitted features; thanks to marc for this one.
Did someone hack this page? Seems it won't load for me :)
"I believe in everything in moderation. Including moderation." -Dean DeLeo, Stone Temple Pilots
Modest doubt is called the beacon of the wise. - William Shakespeare
Amateurish? From the site...
"Everyone join #ltg on efnet for some Paco bashing, and to witness Dick Hunter in full rantitude."
What are you expecting?!
pics plz
Username taken, please choose another one.
"and a highlight of the evening was when someone posted ascii porn to the irc channel."
You say that as if the highlight of ANY geekfest ISN'T pr0n???? Just where are your priorities man!!
This is my sig. It's pathetic.
On the upside, the DJ had a good stream of music, there were more women than you'd expect, and some in small metal bras
One of the women was probably Leslie.
An alternative would be a case-mod contest with action-packed 3-D live animation of the modifications in progress and quotes from the contestants; "Um yeah, like we hacked the case with a jigsaw and added some blue neons right, and now it runs and looks cooler".
Maybe even a contest to make the smallest distro right from downloading the latest mandrake linux to booting up on a 486DX66 with 32MB ram. Should be a fascinating spectator sport.
What was her name?
I don't need no instructions to know how to rock!!!!
Just remember, you look at the screen intently, type really fast for 20 seconds or so, then shout "I'm in!"
Or try the Russian variation: type really fast with one hand while clicking a ballpoint pen with the other, just so James Bond can give you an exploding pen later in the movie.
All elements meant to distract you from the fact that there is nothing going on in the room and you wasted gas and money driving there.
I'm heading off to a dog show now...
It's like the fishing channel, only with geeks instead of rednecks.
It's like the golf channel, only with geeks instead of Republicans.
It's like the NASCAR channel, only with geeks instead of trailer-trash.
It's like the gardening channel, only with geeks instead of Aunt Lulu.
One man's boredom is another man's thrill.
Hmmm, inaccurate description in post, should have read "and some UGLY ones in metal bras".
I'm the big fish in the big pond bitch.
Computer-related death is non-zero, so the gun to computer related death is not infinite.
I have this mental image of something like The Iron Chef. I think the commentary style would work well :)
Male Voice: "Iron Hacker Ginsburg is opening another xterm. I wonder what's going on?"
Female Voice: "Is that kshell?"
Male Voice: "Hrm. Well, I don't know...."
Male Voice (from floor): "Sysop!"
Male Voice: "Yes?"
Male Voice (from floor): "Ginsburg is indeed opening another xterm, and it's not kshell, it's a special shell he's written himself. When I asked about it, he told me it has a custom completion tool and command substitution algorithm."
Female Voice: "Oooh.."
Male Voice: "Very unusual. Let's see what challenger Fordham has up his sleeve...."
Not representing or approved by my company or anybody else.
tell me more about these bras that you speak of and that which they contained
There are some odd things afoot now, in the Villa Straylight.
Use real targets.
Create a points system based on method of entry and create a rating system (open, hardened, impossible, etc.) for targets. Scores are created by combining the various entry levels with the various target ratings. Targets could be selected by the audience, the teams or the event coordinators. Targets could be published beforehand or not.
Granted this would be shut down so fast. All involved would be sent to Guantanamo Bay for being terrorists but it would be _really_ fun to watch. I also think that it could be done without causing real damage and in fact would _increase_ security. It would still be shut down though.
Nah, it'll be a, ummmmm, "big" success when it starts attracting women with *large* metal bras that just *look* small.
I can't help but wonder though. Are the metal bras protection against the aliens beaming messages to their "assets"?
KFG
I was disappointed even reading this article!
--------
Free your mind.
Sleeveless t-shirt under your other clothes marked 'bulletproof vest'. "Hey, I shot you!" "No, you didn't." *BANG*
Cardboard box inserted in someone's locker, with label 'thermonuclear device'.
Master the possibilities.
Cole's Law: Thinly sliced cabbage