Slashdot Mirror
Linux Top Gun Hacker Contest Report
We heard about this from a slashdot article ("Computer Attack and Defense As Spectator Sport").
Tough Audience The event was held at the Alamo Drafthouse, a movie house with tables and a wireless network. The theatre was packed, and there was a waiting line going out the door. I talked to an admin who had driven in from Brownsville (South Texas) for this event, so obviously there was a lot of interest, although we didnt know what to expect. Many attendees, maybe 10%, had computers with them.
The event was supposed to start at 7 p.m., but because of technical difficulties, it didnt start until 9 p.m. In the outer lobby were vendors selling metal bras and edgy political/sex books. Very Austinesque.
The Event Itself When the Top Gun event itself started, it went like this: there are a few registered teams; each team is given the 'target' box, and has ten minutes to secure it. After that, everyone in the room has thirty minutes to try to hack into the box. A few services had to be enabled -- http, https, ssh, smtp, and ftp. The defenders start with 100 points, and points are deducted if any of the services seemed unavailable, or if judges determined the box was compromised. DoS attacks are not allowed.
Already the idea sounded weak. On the big screen, they were running a homebrew GUI app that showed the score, time, IP addresses, and the services on the target. The services were being polled by a monitoring machine, and the response time was displayed. If the response time increased, i.e. the service was laggy, then points were automatically deducted from the defender's score. Laggy web server performance? That's a strange definition of 'hacked', but it is (or should have been) easy to monitor, which is probably why they did it.
Part of the draw to this event was that they were going to use "video animation" to "show how network attacks happen." I didn't have my hopes up for this, but I was still disapointed. They used their (Linux-based) homebrew GUI, which looked like it just used some libraries from etherape to draw lines from ips to the services on the target they attach to. That was it for the visualizations. The list of services was supposed to turn from green to red when they went slow, but for most of the night they stayed red and displayed just zeros, no readings. Their software appeared very buggy, hardly ever working, and windows in the background showed them fixing it as they went.
The commentary was sparse and uninformative. "Yes, that line shows connections to http, and it is taking a beating!" There was no discussion of exploits, security, concepts, attacks, what is currently happening, etc. After the attack session ended, the defenders were brought up for a brief Q&A, which reminded me of a post-fight boxing interview. "Uh, yeah, we felt good, we had a plan. A lot of things happened, and we applied patches."
Before, during, and after the attack session, no one knew what was happening. It seems that despite hours of trying by different teams, the target box was NEVER compromised. During the second Q&A session I stood up and asked, "Was the box hacked in any way whatsoever?" The reply? "Probably." But no one knew. If it had been hacked, I believe the person doing it would have said something, or at least bragged on the irc channel for the contest.
The entire operation seemed very amateurish. Technical difficulties occured during the event, giving one team a higher score becuase the monitoring software wasnt working to remove points. Most attendees left early, and a highlight of the evening was when someone posted ascii porn to the irc channel.
On the upside, the DJ had a good stream of music, there were more women than you'd expect, and some in small metal bras. And it was a gathering of a lot of smart geeks, a great opp to meet people.
Room for improvement. The longest topic of conversation in the audience was how to fix this mess. We came up with some ideas:
Visuals
They should have used proven, off-the-shelf network visualization and monitoring tools for the event. We were _dying_ for some snort output, to see what exploits were being attempted. A tool like Demarc would have been perfect to show the events as they happened. Or at least snortsnarf or acid. The screen should have rotated between different monitoring tools to give an idea of what was happening.
Contest Format
The format of the event was flawed. The truth is most hackers take advantage of easy targets. Defending a box is not that hard. Simply applying the latest patches and configuring a basic iptables firewall about does it. After those steps are taken by the defending team, only truely leet hax0rs with 0day exploits are going to get root in thirty minutes.
A better format would be this: Bring an unpatched or lightly patched Linux server for everyone to attack. As soon as someone gets in, stop the show. The hacker gets a prize, and has to explain/show what they did. Then that vulnerability is patched, and the contest starts up again.
All in all, the event was a let down. Austin is a cool town, and lots of smart geeks came out. There is obviously interest in an event like this, but the execution didn't result in any entertainment or learning. If this is a PR event to generate publicity for the sponsors, I think it failed, because if this is an example of their organizational and technical skills, I would not hire them myself. But then, they're probably better at security than they are at public events.
Slashdot welcomes reader-submitted features; thanks to marc for this one.
After the excitement of all of those hacker movies and TV shows, I'm suprised at this result.
Yet another event trying to make it look like hacking into computers is really cool and a fun activity... when in fact it's long, boring, solitary and quite pointless for most people when you think about it (especially pointless for those 14 year olds with too much time who would do better to go out and get laid than to DoS someone they don't like on IRC with one of the boxes they got into courtesy of code red or whatever). Daniel
Carpe Diem
Won't even be at this show. They are too busy elsewhere.
Personally, the idea of a hacking competition is interesting, but it would have to be done over a long period of time, and set up more like a war game than a boxing match.
Skr1p7 k1dd13s treat hacking as a boxing match. Real hackers are far more efficient and skilled at it.
An idea for a real hacking competition (Almost like capture the flag): Two sides to the fight, different locations for both. One side will have multiple targets, the other side will have multiple attackers.
The goal of the attackers will be to get specific files from the targets, using any technique desired. (Including Social Engineering) The goal of the defenders will be to catch/name/etc the attackers, and thus completely neutralize them.
Do this over a course of a month or a year, and make a TV show with the highlights of battle. Now that would be excellent viewing.
** NOTE: the term hacker above can also be translated as cracker for those who are offended by this use of the term hacker, thank you **
~ kjrose
Speaking of which, did anyone get tired of the poorly thoughout contest and break into a game of Quake, Counter Strike, or War Craft III???
Honestly, this event sounded like it had potential, but the organizers just didn't plan things well enough
HallmarkOrnaments.Com
Take it, just take it.
Seriously. I am not worthy of the title, because there is no way in hell you could ever drag me to one of these events.
It turned out to be pretty boring?
Gee, I wonder why.
Hacking IMO isn't a spectator sport.
Kinda like eating oatmeal isn't a spectator sport.
Uh oh, here come the flamebait mods.
Hey, it's my opinion folks. Don't like it? Reply with why. But you know I may just be the first to say it, but I'd be willing to bet many here are thinking the same thing.
I don't condone it because it couldn't help but be bad or boring. Hacking, for whatever purpose, is tedious if anything, and tedium rarely makes for exciting stuff. Having a technical discussion afterward might be neat, doing it as a demonstration, but mixing in DJ's and scantily clad women just comes off as silly. You might as well hold your next math convention at a strip club.
As far as terrorism goes... please! There's nothing illegal or "black hat" about breaking into a box you've been told to break into. What better way to find bugs or flaws, so that you can then close them? I'd be a lot more worried about gun shows before I worried about hacker conventions cause last I checked, the gun to computer related death factor was still INFINITE.
The more people banned (or are bullied) into stopping completely legal and (possibly) worthwhile activities, the more I'll seriously consider moving to Canada... or running for office. Neither of which I'd really enjoy, BTW.
The entire idea of this contest is flawed. Like the article said, securing a box is trivial. Apply the newest patches and set up a simple firewall, bingo. But if everyone knew what was going to be open ahead of time, it'd just be a race to see who could run their exploit scripts first.
Truth is, hacking in general is not rocket science. Anyone can do it. Securing a box is not hard, however the reason so many machines get hacked is ignorance and/or apathy to the situation. Hell, the hardest part about hacking is finding a box with holes to exploit. If you already know the box has holes, you can run a script to find them. I went to the first Linux top gun and it was a total washout as well. This one sounds a bit more organized (at the first one, half the attendees were bums there for pizza) but the entire idea of this contest just sounds stupid. Anyone can be a l33t h4x0r, it takes intelligence not to want to.
OK, I guess it's official now.
Hacker = Cracker
and good linux programmers are just good linux programmers.
It's sad that mass media has finally triumped over the geeks.
nohup rm -rf ~/. >& zen &
Expecting geeks to know what is entertaining in a group format is asking a little much. Also, the more intellegent the audience, the harder it is to satisfy them.
Some real thought needs to be put into the venue. Conduct some tests and trials for christ sakes. That would have exposed the weaknesses of the format.
- Just because you can't, doesn't mean you shouldn't
Sounds like the people putting this event on should have paid attention at Defcon 10. The Ghetto Hackers put on an excellent Capture the Flag event.
I was undecided until the last minute this time around if i would go at all to LTG. However I ended up going, and spent most of my time in the back doing installs and configuration on my laptop since I was bored and had nothing much else to do. This was once again proof that the people who manage and put on the LTG event are incompitent, refusing to listen to the feedback that has been given.
I must point out once again that an individual makes most of the decisions for this event, his name is Paco Nathan and as an individual he really is unorganized for this type of thing, he's been through a lot of jobs and companies for a reason. The security company backing this is one he chairs and as far as i've seen evidenced, these guys don't really have much in the way of security knowledge.
Enough critisim of that though, its old news. The LTG Suffers from issues which could be fixed, and LTG could be actualy turned into something worthwhile, imo. (I'd like to see the name changed, the logo of the penguin wearing a pilots mask and invoking images from that stupid top gun movie really doesen't do it for most people)
The biggest flaw is the competiton style, its weak and really doesen't do much for teams defending, attackers, or the audience, there are many other types of attacks/defense that could happen at an event of this nature and happen at other events like Defcon that would work out much much better. In addition to that, the audience needs something better, and having two girls stand around this time in some metal bikinis trying to hock their services for some Geek Dating/Makeover/Social scene service that no one cared about then showing a broken boring visualization with no explanation to the general audience of what was going on was just not fun.
The other issue is this time they neglected to even tell people (including teams) exactly when certain things had started or ended or other critical issues, communication was pretty dead overall. A lot more could be done with a mix of visualization tools and videos and music and live commentary to make it exciting, even for those who are not participating and who don't even know that much about the topics at hand.
Anyways, the event is still kicking it seems and is on target for a big show at SXSW, sounds like it will still be a mess and failure though. on a last note, my biggest irk with this one was the fact they where hours late getting things started.. and why? because they had to setup all this equipment and configure the server, etc.. obviously not enough forethought and rehersal of setting things up. I certainly know they could get all this set up at one location, then break it down and move it to the event within a matter of two hours before the event's start time rather than do it all while people are waiting around bored.