Slashdot Mirror
Linux Top Gun Hacker Contest Report
We heard about this from a slashdot article ("Computer Attack and Defense As Spectator Sport").
Tough Audience The event was held at the Alamo Drafthouse, a movie house with tables and a wireless network. The theatre was packed, and there was a waiting line going out the door. I talked to an admin who had driven in from Brownsville (South Texas) for this event, so obviously there was a lot of interest, although we didnt know what to expect. Many attendees, maybe 10%, had computers with them.
The event was supposed to start at 7 p.m., but because of technical difficulties, it didnt start until 9 p.m. In the outer lobby were vendors selling metal bras and edgy political/sex books. Very Austinesque.
The Event Itself When the Top Gun event itself started, it went like this: there are a few registered teams; each team is given the 'target' box, and has ten minutes to secure it. After that, everyone in the room has thirty minutes to try to hack into the box. A few services had to be enabled -- http, https, ssh, smtp, and ftp. The defenders start with 100 points, and points are deducted if any of the services seemed unavailable, or if judges determined the box was compromised. DoS attacks are not allowed.
Already the idea sounded weak. On the big screen, they were running a homebrew GUI app that showed the score, time, IP addresses, and the services on the target. The services were being polled by a monitoring machine, and the response time was displayed. If the response time increased, i.e. the service was laggy, then points were automatically deducted from the defender's score. Laggy web server performance? That's a strange definition of 'hacked', but it is (or should have been) easy to monitor, which is probably why they did it.
Part of the draw to this event was that they were going to use "video animation" to "show how network attacks happen." I didn't have my hopes up for this, but I was still disapointed. They used their (Linux-based) homebrew GUI, which looked like it just used some libraries from etherape to draw lines from ips to the services on the target they attach to. That was it for the visualizations. The list of services was supposed to turn from green to red when they went slow, but for most of the night they stayed red and displayed just zeros, no readings. Their software appeared very buggy, hardly ever working, and windows in the background showed them fixing it as they went.
The commentary was sparse and uninformative. "Yes, that line shows connections to http, and it is taking a beating!" There was no discussion of exploits, security, concepts, attacks, what is currently happening, etc. After the attack session ended, the defenders were brought up for a brief Q&A, which reminded me of a post-fight boxing interview. "Uh, yeah, we felt good, we had a plan. A lot of things happened, and we applied patches."
Before, during, and after the attack session, no one knew what was happening. It seems that despite hours of trying by different teams, the target box was NEVER compromised. During the second Q&A session I stood up and asked, "Was the box hacked in any way whatsoever?" The reply? "Probably." But no one knew. If it had been hacked, I believe the person doing it would have said something, or at least bragged on the irc channel for the contest.
The entire operation seemed very amateurish. Technical difficulties occured during the event, giving one team a higher score becuase the monitoring software wasnt working to remove points. Most attendees left early, and a highlight of the evening was when someone posted ascii porn to the irc channel.
On the upside, the DJ had a good stream of music, there were more women than you'd expect, and some in small metal bras. And it was a gathering of a lot of smart geeks, a great opp to meet people.
Room for improvement. The longest topic of conversation in the audience was how to fix this mess. We came up with some ideas:
Visuals
They should have used proven, off-the-shelf network visualization and monitoring tools for the event. We were _dying_ for some snort output, to see what exploits were being attempted. A tool like Demarc would have been perfect to show the events as they happened. Or at least snortsnarf or acid. The screen should have rotated between different monitoring tools to give an idea of what was happening.
Contest Format
The format of the event was flawed. The truth is most hackers take advantage of easy targets. Defending a box is not that hard. Simply applying the latest patches and configuring a basic iptables firewall about does it. After those steps are taken by the defending team, only truely leet hax0rs with 0day exploits are going to get root in thirty minutes.
A better format would be this: Bring an unpatched or lightly patched Linux server for everyone to attack. As soon as someone gets in, stop the show. The hacker gets a prize, and has to explain/show what they did. Then that vulnerability is patched, and the contest starts up again.
All in all, the event was a let down. Austin is a cool town, and lots of smart geeks came out. There is obviously interest in an event like this, but the execution didn't result in any entertainment or learning. If this is a PR event to generate publicity for the sponsors, I think it failed, because if this is an example of their organizational and technical skills, I would not hire them myself. But then, they're probably better at security than they are at public events.
Slashdot welcomes reader-submitted features; thanks to marc for this one.
did the ref take 3 seconds to throw a flag if there was an infraction??
3 seconds = to a Miami fan