Slashdot Mirror
Linux Top Gun Hacker Contest Report
We heard about this from a slashdot article ("Computer Attack and Defense As Spectator Sport").
Tough Audience The event was held at the Alamo Drafthouse, a movie house with tables and a wireless network. The theatre was packed, and there was a waiting line going out the door. I talked to an admin who had driven in from Brownsville (South Texas) for this event, so obviously there was a lot of interest, although we didnt know what to expect. Many attendees, maybe 10%, had computers with them.
The event was supposed to start at 7 p.m., but because of technical difficulties, it didnt start until 9 p.m. In the outer lobby were vendors selling metal bras and edgy political/sex books. Very Austinesque.
The Event Itself When the Top Gun event itself started, it went like this: there are a few registered teams; each team is given the 'target' box, and has ten minutes to secure it. After that, everyone in the room has thirty minutes to try to hack into the box. A few services had to be enabled -- http, https, ssh, smtp, and ftp. The defenders start with 100 points, and points are deducted if any of the services seemed unavailable, or if judges determined the box was compromised. DoS attacks are not allowed.
Already the idea sounded weak. On the big screen, they were running a homebrew GUI app that showed the score, time, IP addresses, and the services on the target. The services were being polled by a monitoring machine, and the response time was displayed. If the response time increased, i.e. the service was laggy, then points were automatically deducted from the defender's score. Laggy web server performance? That's a strange definition of 'hacked', but it is (or should have been) easy to monitor, which is probably why they did it.
Part of the draw to this event was that they were going to use "video animation" to "show how network attacks happen." I didn't have my hopes up for this, but I was still disapointed. They used their (Linux-based) homebrew GUI, which looked like it just used some libraries from etherape to draw lines from ips to the services on the target they attach to. That was it for the visualizations. The list of services was supposed to turn from green to red when they went slow, but for most of the night they stayed red and displayed just zeros, no readings. Their software appeared very buggy, hardly ever working, and windows in the background showed them fixing it as they went.
The commentary was sparse and uninformative. "Yes, that line shows connections to http, and it is taking a beating!" There was no discussion of exploits, security, concepts, attacks, what is currently happening, etc. After the attack session ended, the defenders were brought up for a brief Q&A, which reminded me of a post-fight boxing interview. "Uh, yeah, we felt good, we had a plan. A lot of things happened, and we applied patches."
Before, during, and after the attack session, no one knew what was happening. It seems that despite hours of trying by different teams, the target box was NEVER compromised. During the second Q&A session I stood up and asked, "Was the box hacked in any way whatsoever?" The reply? "Probably." But no one knew. If it had been hacked, I believe the person doing it would have said something, or at least bragged on the irc channel for the contest.
The entire operation seemed very amateurish. Technical difficulties occured during the event, giving one team a higher score becuase the monitoring software wasnt working to remove points. Most attendees left early, and a highlight of the evening was when someone posted ascii porn to the irc channel.
On the upside, the DJ had a good stream of music, there were more women than you'd expect, and some in small metal bras. And it was a gathering of a lot of smart geeks, a great opp to meet people.
Room for improvement. The longest topic of conversation in the audience was how to fix this mess. We came up with some ideas:
Visuals
They should have used proven, off-the-shelf network visualization and monitoring tools for the event. We were _dying_ for some snort output, to see what exploits were being attempted. A tool like Demarc would have been perfect to show the events as they happened. Or at least snortsnarf or acid. The screen should have rotated between different monitoring tools to give an idea of what was happening.
Contest Format
The format of the event was flawed. The truth is most hackers take advantage of easy targets. Defending a box is not that hard. Simply applying the latest patches and configuring a basic iptables firewall about does it. After those steps are taken by the defending team, only truely leet hax0rs with 0day exploits are going to get root in thirty minutes.
A better format would be this: Bring an unpatched or lightly patched Linux server for everyone to attack. As soon as someone gets in, stop the show. The hacker gets a prize, and has to explain/show what they did. Then that vulnerability is patched, and the contest starts up again.
All in all, the event was a let down. Austin is a cool town, and lots of smart geeks came out. There is obviously interest in an event like this, but the execution didn't result in any entertainment or learning. If this is a PR event to generate publicity for the sponsors, I think it failed, because if this is an example of their organizational and technical skills, I would not hire them myself. But then, they're probably better at security than they are at public events.
Slashdot welcomes reader-submitted features; thanks to marc for this one.
Any hacker worth the time wouldn't shuffle off to an ACM-esque programming comp. Just doesn't seem to be what's cool to me. I'm much more inclined to believe the monitoring box was hacked to flop-like-a-fish all night.
As far as hacking, why not run a box per team local to the gathering all night. They all have the same holes, and the team that can exploit it best wins.
For the majority of my time though, I'd prefer to simply watch presentations about known hacks and documented exploits. Esp. given the mystery about the GOBBLE and such latests dealing with P2P.
mug
If you left too early and missed the penguinati presentation.. Check it out
http://www.penguinati.com
we did an "odd todd" ripoff to present our information.
ChiefArcher
Does anyone else find it amusing that they are not allowing DoS attacks but are awarding points based on service response times?
It seems to be that the most legitimate measurement that response times provide in a hacking contest is how effective a DoS attack is.
Past that, all the majority of that result comes from how much traffic you have. Last time I checked, this was a hacking contest, not a web server benchmark.
Overrated Moderation: This posts sucks... because.
For those not familar: Leslie is a (pseudo) homeless cross-dresser in Austin. He/She has run for mayor in every election I've witnessed, and consistantly pulls in some votes. He/She is a true example of how Austin still holds on to some of what makes it special. For a little slideshow of leslie, go to this slide show
Your idea sort of reminds me of a game we used to play in high school called "Assassin". The game master assigned each player a target whom they were supposed to "assassinate" (via disk gun, toilet-paper garrotte, sticky-tack contact poison, alarm-clock bomb, etc.). So everyone was both a target and an assassin, but you never knew who was out to get you. Once you eliminated your target, you inherited their target. Last one left alive wins. Each game generally lasted for 2-3 weeks, depending on the number of players.
(Naturally, this was several years ago. Any high schoolers caught doing something like this today would probably be locked up.)
Your fantasies contain the seeds of important concepts.