Slashdot Mirror


Linux Top Gun Hacker Contest Report

A semi-anonymous reader writes with this account: "Kyley and I drove up to Austin for the Linux top gun hacker challenge event. We weren't sure what to expect, but looked forward to seeing a theatre with wireless internet, meeting security geeks, and learning new tricks at this hackfest. In the end, most people left early and unhappy, but I'm still glad we went." Read on for more on what was worthwhile about this event, and what left some of the audience disappointed.

We heard about this from a Slashdot article ("Computer Attack and Defense As Spectator Sport").

Tough Audience

The event was held at the Alamo Drafthouse, a movie house with tables and a wireless network. The theatre was packed, and there was a waiting line going out the door. I talked to an admin who had driven in from Brownsville (South Texas) for this event, so obviously there was a lot of interest, although we didn't know what to expect. Many attendees, maybe 10%, had computers with them.

The event was supposed to start at 7 p.m., but because of technical difficulties, it didn't start until 9 p.m. In the outer lobby were vendors selling metal bras and edgy political/sex books. Very Austinesque.

The Event Itself

When the Top Gun event itself started, it went like this: there are a few registered teams; each team is given the 'target' box, and has ten minutes to secure it. After that, everyone in the room has thirty minutes to try to hack into the box. A few services had to be enabled -- http, https, ssh, smtp, and ftp. The defenders start with 100 points, and points are deducted if any of the services seemed unavailable, or if judges determined the box was compromised. DoS attacks are not allowed.

Already the idea sounded weak. On the big screen, they were running a homebrew GUI app that showed the score, time, IP addresses, and the services on the target. The services were being polled by a monitoring machine, and the response time was displayed. If the response time increased, i.e. the service was laggy, then points were automatically deducted from the defender's score. Laggy web server performance? That's a strange definition of 'hacked', but it is (or should have been) easy to monitor, which is probably why they did it.

Part of the draw to this event was that they were going to use "video animation" to "show how network attacks happen." I didn't have my hopes up for this, but I was still disappointed. They used their (Linux-based) homebrew GUI, which looked like it just used some libraries from etherape to draw lines from IPs to the services on the target they attach to. That was it for the visualizations. The list of services was supposed to turn from green to red when they went slow, but for most of the night they stayed red and displayed just zeros, no readings. Their software appeared very buggy, hardly ever working, and windows in the background showed them fixing it as they went.

The commentary was sparse and uninformative. "Yes, that line shows connections to http, and it is taking a beating!" There was no discussion of exploits, security, concepts, attacks, what is currently happening, etc. After the attack session ended, the defenders were brought up for a brief Q&A, which reminded me of a post-fight boxing interview. "Uh, yeah, we felt good, we had a plan. A lot of things happened, and we applied patches."

Before, during, and after the attack session, no one knew what was happening. It seems that despite hours of trying by different teams, the target box was NEVER compromised. During the second Q&A session I stood up and asked, "Was the box hacked in any way whatsoever?" The reply? "Probably." But no one knew. If it had been hacked, I believe the person doing it would have said something, or at least bragged on the IRC channel for the contest.

The entire operation seemed very amateurish. Technical difficulties occurred during the event, giving one team a higher score because the monitoring software wasn't working to remove points. Most attendees left early, and a highlight of the evening was when someone posted ASCII porn to the IRC channel.

On the upside, the DJ had a good stream of music, there were more women than you'd expect, and some in small metal bras. And it was a gathering of a lot of smart geeks, a great opp to meet people.

Room for improvement

The longest topic of conversation in the audience was how to fix this mess. We came up with some ideas:

Visuals

They should have used proven, off-the-shelf network visualization and monitoring tools for the event. We were _dying_ for some snort output, to see what exploits were being attempted. A tool like Demarc would have been perfect to show the events as they happened. Or at least snortsnarf or acid. The screen should have rotated between different monitoring tools to give an idea of what was happening.

Contest Format

The format of the event was flawed. The truth is most hackers take advantage of easy targets. Defending a box is not that hard. Simply applying the latest patches and configuring a basic iptables firewall about does it. After those steps are taken by the defending team, only truly leet hax0rs with 0day exploits are going to get root in thirty minutes.

A better format would be this: Bring an unpatched or lightly patched Linux server for everyone to attack. As soon as someone gets in, stop the show. The hacker gets a prize, and has to explain/show what they did. Then that vulnerability is patched, and the contest starts up again.

All in all, the event was a letdown. Austin is a cool town, and lots of smart geeks came out. There is obviously interest in an event like this, but the execution didn't result in any entertainment or learning. If this is a PR event to generate publicity for the sponsors, I think it failed, because if this is an example of their organizational and technical skills, I would not hire them myself. But then, they're probably better at security than they are at public events.

Slashdot welcomes reader-submitted features; thanks to marc for this one.


  1. Overall impression? by Chocolate+Teapot · · Score: 5, Funny
    On the upside, the DJ had a good stream of music, there were more women than you'd expect, and some in small metal bras
    So all-in-all, the evening was a resounding success then?
    --
    Modest doubt is called the beacon of the wise. - William Shakespeare
    1. Re:Overall impression? by DNS-and-BIND · · Score: 2, Funny
It's a sad day when women in small metal bras and political flamage are considered 'Austinesque'. Used to be women in rumpled cowboy hats and gentle leftist politics were 'Austinesque'. I bet you few people there even knew who Willie Nelson is, and the ones who do know would look at him with scorn because he's a 'country' singer. Reminds me of a quote from 'Half-Baked'...

      Willie Nelson: "Man, I remember when a dime bag cost a dime. You know what I mean? You know how much condoms used to cost back in them days?"
      Thurgood: "How much?"
      Willie Nelson: "I don't know. We never used them."

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  2. Hacking by burgburgburg · · Score: 4, Insightful
    Another private activity that doesn't translate well to being a live public group activity.

After the excitement of all of those hacker movies and TV shows, I'm surprised at this result.

    1. Re:Hacking by JoeBuck · · Score: 2, Funny

      Just remember, you look at the screen intently, type really fast for 20 seconds or so, then shout "I'm in!"

      Or try the Russian variation: type really fast with one hand while clicking a ballpoint pen with the other, just so James Bond can give you an exploding pen later in the movie.

    2. Re:Hacking by SnowDog_2112 · · Score: 5, Funny

      I have this mental image of something like The Iron Chef. I think the commentary style would work well :)

      Male Voice: "Iron Hacker Ginsburg is opening another xterm. I wonder what's going on?"
      Female Voice: "Is that kshell?"
      Male Voice: "Hrm. Well, I don't know...."
      Male Voice (from floor): "Sysop!"
      Male Voice: "Yes?"
      Male Voice (from floor): "Ginsburg is indeed opening another xterm, and it's not kshell, it's a special shell he's written himself. When I asked about it, he told me it has a custom completion tool and command substitution algorithm."
      Female Voice: "Oooh.."
      Male Voice: "Very unusual. Let's see what challenger Fordham has up his sleeve...."

      --
      Not representing or approved by my company or anybody else.
  3. Like the movie Hackers, or Swordfish... by KDan · · Score: 5, Insightful

    Yet another event trying to make it look like hacking into computers is really cool and a fun activity... when in fact it's long, boring, solitary and quite pointless for most people when you think about it (especially pointless for those 14 year olds with too much time who would do better to go out and get laid than to DoS someone they don't like on IRC with one of the boxes they got into courtesy of code red or whatever). Daniel

    --
    Carpe Diem
    1. Re:Like the movie Hackers, or Swordfish... by unicron · · Score: 2, Insightful

      It was always fun at Defcon to watch. Maybe because they didn't try to make it look like someone was bringing down a Gibson with a GUI virus. This Topgun show sounds pretty damn lame, IMHO.

      But Defcon is slipping. This year they did some wardriving stuff and a friend of mine had his antenna snapped off of his truck. Fuckers.

      --
      Finally, math books without any of that base 6 crap in them.
  4. hey by anotherone · · Score: 5, Funny
    there were more women than you'd expect, and some in small metal bras.

    pics plz

    --
    Username taken, please choose another one.
    1. Re:hey by Anonymous Coward · · Score: 2, Informative
    2. Re:hey by GT_Alias · · Score: 4, Funny

      Yeah, and everyone goes to that page just for the articles.

  5. Austin humour by binaryDigit · · Score: 5, Funny

    On the upside, the DJ had a good stream of music, there were more women than you'd expect, and some in small metal bras
    One of the women was probably Leslie.

    1. Re:Austin humour by Anonymous Coward · · Score: 2, Informative

      lol!

      Okay, for those who don't know who Leslie is or what makes this comment hilarious as all get out, I'll try to explain.

      Leslie is a real person, a very well known of person. Washington, DC has Bush, Austin has Leslie.

Leslie is a crossdresser, often seen on 6th Street on a Friday night banging a bucket in a non-rhythmic way, and at other popular venues. Which the parent poster is stating here.

      There was a mayoral race a while ago, I've been told, that Leslie got his name on the ballot to be voted in, as a joke, I presume. I don't know how well he did, though.

    2. Re:Austin humour by JJ22 · · Score: 2, Funny

      austin humor i understand, and me with no mod points.

    3. Re:Austin humour by parc · · Score: 2, Interesting

For those not familiar: Leslie is a (pseudo) homeless cross-dresser in Austin. He/She has run for mayor in every election I've witnessed, and consistently pulls in some votes. He/She is a true example of how Austin still holds on to some of what makes it special. For a little slideshow of Leslie, go to this slide show

  6. and the real hackers... by MarvinMouse · · Score: 5, Insightful

    Won't even be at this show. They are too busy elsewhere.

    Personally, the idea of a hacking competition is interesting, but it would have to be done over a long period of time, and set up more like a war game than a boxing match.

    Skr1p7 k1dd13s treat hacking as a boxing match. Real hackers are far more efficient and skilled at it.

    An idea for a real hacking competition (Almost like capture the flag): Two sides to the fight, different locations for both. One side will have multiple targets, the other side will have multiple attackers.

    The goal of the attackers will be to get specific files from the targets, using any technique desired. (Including Social Engineering) The goal of the defenders will be to catch/name/etc the attackers, and thus completely neutralize them.

    Do this over a course of a month or a year, and make a TV show with the highlights of battle. Now that would be excellent viewing.

    ** NOTE: the term hacker above can also be translated as cracker for those who are offended by this use of the term hacker, thank you **

    --
    ~ kjrose
    1. Re:and the real hackers... by superflippy · · Score: 3, Interesting

      Your idea sort of reminds me of a game we used to play in high school called "Assassin". The game master assigned each player a target whom they were supposed to "assassinate" (via disk gun, toilet-paper garrotte, sticky-tack contact poison, alarm-clock bomb, etc.). So everyone was both a target and an assassin, but you never knew who was out to get you. Once you eliminated your target, you inherited their target. Last one left alive wins. Each game generally lasted for 2-3 weeks, depending on the number of players.

      (Naturally, this was several years ago. Any high schoolers caught doing something like this today would probably be locked up.)

      --
      Your fantasies contain the seeds of important concepts.
    2. Re:and the real hackers... by fuzzybunny · · Score: 2, Funny

      Sleeveless t-shirt under your other clothes marked 'bulletproof vest'. "Hey, I shot you!" "No, you didn't." *BANG*

      Cardboard box inserted in someone's locker, with label 'thermonuclear device'.

      Master the possibilities.

      --
      Cole's Law: Thinly sliced cabbage
  7. This sounds like ... by mustangdavis · · Score: 2, Insightful

    ... a LAN party gone bad ....

    Speaking of which, did anyone get tired of the poorly thought-out contest and break into a game of Quake, Counter Strike, or War Craft III???

    Honestly, this event sounded like it had potential, but the organizers just didn't plan things well enough ... they obviously have never been to a well planned LAN party .... or maybe these are the guys that you get pissed at when they throw a really bad LAN party :)

  8. Or what about... by rusty+spoon · · Score: 2, Funny

An alternative would be a case-mod contest with action packed 3-D live animation of the modifications in progress and quotes from the contestants; "Um yeah, like we hacked the case with a jigsaw and added some blue neons right, and now it runs and looks cooler".

    Maybe even a contest to make the smallest distro right from downloading the latest mandrake linux to booting up on a 486DX66 with 32MB ram. Should be a fascinating spectator sport.

  9. The contest by ChiefArcher · · Score: 5, Informative

Being on an actual team at the contest, it was a lot better than their 2nd attempt.. Every time LTG throws an event, it gets better..
    Although #2 required you to run a specific application on the webserver.. this one you could put anything you want.. (aka a static page with hello world).

    But all and all it was good.
    I came in #1 for the 2nd contest.
    Team 2600 came in 1st this time
    (We, team penguinati, came in second this time).

    but oh well.

    It was fun.... the best thing is the food and beer...

    ChiefArcher

  10. Re:I don't condone these types of events by Bisifiniti · · Score: 2, Informative

    I agree wholeheartedly. I also plea to Slashdotters, avoid gun shows!! They just encourage people to go and shoot random bypassers. While you're at it, never go to a bar again, because they promote drunken driving. Designated driving is just a way to make it LOOK like they aren't. Oh, and never play a computer game again, because you know those crazy Everquest addicts that haven't seen the sun in 14 months... you could turn into one of those. Geez... it's just a convention. It's not a cry to go out and 0wnz some b0x3s. If you can't find a stable job, that's too bad. How's telling people not to go this convention gonna fix that?

  11. Pics? by geekfiend · · Score: 4, Informative

    http://www.gbronline.com/brooksdesign/

    Yah... People asked... I found... it seems...

  12. "there were more women than you'd expect" by stratjakt · · Score: 5, Funny

    What was her name?

    --
    I don't need no instructions to know how to rock!!!!
    1. Re:"there were more women than you'd expect" by Anonymous Coward · · Score: 5, Funny

      "What was her name?"

      Mom

    2. Re:"there were more women than you'd expect" by Zak3056 · · Score: 2, Funny

      What was her name?

      Yeah, right, as if ANYONE in that building would ask...

      --
      What part of "shall not be infringed" is so hard to understand?
  13. Local information by chrysrobyn · · Score: 4, Informative

    Since this is in the Austin area, I recommend checking out the Austin area slash based GeekAustin. They had a head's up on this event a while ago. I haven't seen a followup yet.

  14. Re:Neither do I, for different reasons by zanerock · · Score: 3, Insightful

    I don't condone it because it couldn't help but be bad or boring. Hacking, for whatever purpose, is tedious if anything, and tedium rarely makes for exciting stuff. Having a technical discussion afterward might be neat, doing it as a demonstration, but mixing in DJ's and scantily clad women just comes off as silly. You might as well hold your next math convention at a strip club.

    As far as terrorism goes... please! There's nothing illegal or "black hat" about breaking into a box you've been told to break into. What better way to find bugs or flaws, so that you can then close them? I'd be a lot more worried about gun shows before I worried about hacker conventions cause last I checked, the gun to computer related death factor was still INFINITE.

    The more people banned (or are bullied) into stopping completely legal and (possibly) worthwhile activities, the more I'll seriously consider moving to Canada... or running for office. Neither of which I'd really enjoy, BTW.

  15. Hacked Comp? by mugnyte · · Score: 2, Interesting

    Any hacker worth the time wouldn't shuffle off to an ACM-esque programming comp. Just doesn't seem to be what's cool to me. I'm much more inclined to believe the monitoring box was hacked to flop-like-a-fish all night.

    As far as hacking, why not run a box per team local to the gathering all night. They all have the same holes, and the team that can exploit it best wins.

For the majority of my time though, I'd prefer to simply watch presentations about known hacks and documented exploits. Esp. given the mystery about the GOBBLE and such latest dealings with P2P.

    mug

  16. Ineffable by andbutso · · Score: 3, Funny
    the DJ had a good stream of music, there were more women than you'd expect, and some in small metal bras

    All elements meant to distract you from the fact that there is nothing going on in the room and you wasted gas and money driving there.
    I'm heading off to a dog show now...

  17. More than the format... by Ryan+Amos · · Score: 4, Insightful

    The entire idea of this contest is flawed. Like the article said, securing a box is trivial. Apply the newest patches and set up a simple firewall, bingo. But if everyone knew what was going to be open ahead of time, it'd just be a race to see who could run their exploit scripts first.

    Truth is, hacking in general is not rocket science. Anyone can do it. Securing a box is not hard, however the reason so many machines get hacked is ignorance and/or apathy to the situation. Hell, the hardest part about hacking is finding a box with holes to exploit. If you already know the box has holes, you can run a script to find them. I went to the first Linux top gun and it was a total washout as well. This one sounds a bit more organized (at the first one, half the attendees were bums there for pizza) but the entire idea of this contest just sounds stupid. Anyone can be a l33t h4x0r, it takes intelligence not to want to.

  18. TOP GUN PHOTOS!!! by dallask · · Score: 5, Informative

http://www.espressowebdesign.com/gallery/gallery.php?gallery=16

    --
    The Code Ninja is swift with his tool, precise in his delivery, and deadly accurate in his execution.
    1. Re:TOP GUN PHOTOS!!! by jgerman · · Score: 3, Funny

      Hmmm, inaccurate description in post, should have read "and some UGLY ones in metal bras".

      --
      I'm the big fish in the big pond bitch.
  19. Team Penguinati by ChiefArcher · · Score: 4, Interesting

    If you left too early and missed the penguinati presentation.. Check it out

    http://www.penguinati.com

    we did an "odd todd" ripoff to present our information.

    ChiefArcher

  20. Hacker==Cracker? by Carbon+Unit+549 · · Score: 3, Insightful

    OK, I guess it's official now.
    Hacker = Cracker
    and good linux programmers are just good linux programmers.
It's sad that mass media has finally triumphed over the geeks.

    --

    nohup rm -rf ~/. >& zen &

  21. Latency and DoS attacks by argmanah · · Score: 2, Interesting

    Does anyone else find it amusing that they are not allowing DoS attacks but are awarding points based on service response times?

    It seems to be that the most legitimate measurement that response times provide in a hacking contest is how effective a DoS attack is.

Past that, the majority of that result comes from how much traffic you have. Last time I checked, this was a hacking contest, not a web server benchmark.

    --
Overrated Moderation: This post sucks... because.
  22. Re:Neither do I, for different reasons by EatHam · · Score: 2, Funny

    Computer-related death is non-zero, so the gun to computer related death is not infinite.

  23. Geeks and meeting planning by Brent_Litzer · · Score: 2, Insightful
    There is a big difference between what is enjoyable to a single being and what is enjoyable to a group. The movie industry is batting less than 10%.

Expecting geeks to know what is entertaining in a group format is asking a little much. Also, the more intelligent the audience, the harder it is to satisfy them.

Some real thought needs to be put into the venue. Conduct some tests and trials, for Christ's sake. That would have exposed the weaknesses of the format.

    --
    - Just because you can't, doesn't mean you shouldn't
  24. small metal bras? by AssFace · · Score: 3, Funny

    tell me more about these bras that you speak of and that which they contained

    --

    There are some odd things afoot now, in the Villa Straylight.
  25. How do you improve the event? by cornice · · Score: 4, Funny

    Use real targets.

Create a points system based on method of entry and create a rating system (open, hardened, impossible, etc.) for targets. Scores are created by combining the various entry levels with the various target ratings. Targets could be selected by the audience, the teams or the event coordinators. Targets could be published beforehand or not.

    Granted this would be shut down so fast. All involved would be sent to Guantanamo Bay for being terrorists but it would be _really_ fun to watch. I also think that it could be done without causing real damage and in fact would _increase_ security. It would still be shut down though.

  26. yup, I was there and you're right by SethJohnson · · Score: 2, Informative

    I went expecting that it would be a demonstration of common cracking techniques and defenses. Unfortunately, everything was left to our imagination as to what was going on. Here's how they could have improved on this:

    1. Interview the attackers and ask them about the techniques they're applying.

    2. Have all the defending teams prepare their fucking boxes ahead of time. After the event starts, they can't touch them. That way information divulged by suggestion 1 can't be used to protect the boxes.

    3. Let people attack all the boxes at the same time.

    4. Improve the visualization using snort.

    5. Have web apps running on the server. Let them be simple and of the defending team's design (whatever apps they want), but they have to accomplish a specific task such as threaded discussion board, etc. Just a "hello world" web page is unrealistic for real-world comparisons.

    This was a fantastic disappointment for myself and the several hundred other people in attendance. I think the event was intended to provide the security company sponsoring it with research about current cracking techniques. I don't think they were so much interested in the educational opportunities that could have been made available to the attendees.
  27. a resounding success then? by kfg · · Score: 2, Funny

    Nah, it'll be a, ummmmm, "big" success when it starts attracting women with *large* metal bras that just *look* small.

    I can't help but wonder though. Are the metal bras protection against the aliens beaming messages to their "assets"?

    KFG

  28. The event was so bad.. by Gortbusters.org · · Score: 2, Funny

    I was disappointed even reading this article!

    --
    Free your mind.