Slashdot Mirror
Linux Top Gun Hacker Contest Report
We heard about this from a slashdot article ("Computer Attack and Defense As Spectator Sport").
Tough Audience The event was held at the Alamo Drafthouse, a movie house with tables and a wireless network. The theatre was packed, and there was a waiting line going out the door. I talked to an admin who had driven in from Brownsville (South Texas) for this event, so obviously there was a lot of interest, although we didnt know what to expect. Many attendees, maybe 10%, had computers with them.
The event was supposed to start at 7 p.m., but because of technical difficulties, it didnt start until 9 p.m. In the outer lobby were vendors selling metal bras and edgy political/sex books. Very Austinesque.
The Event Itself When the Top Gun event itself started, it went like this: there are a few registered teams; each team is given the 'target' box, and has ten minutes to secure it. After that, everyone in the room has thirty minutes to try to hack into the box. A few services had to be enabled -- http, https, ssh, smtp, and ftp. The defenders start with 100 points, and points are deducted if any of the services seemed unavailable, or if judges determined the box was compromised. DoS attacks are not allowed.
Already the idea sounded weak. On the big screen, they were running a homebrew GUI app that showed the score, time, IP addresses, and the services on the target. The services were being polled by a monitoring machine, and the response time was displayed. If the response time increased, i.e. the service was laggy, then points were automatically deducted from the defender's score. Laggy web server performance? That's a strange definition of 'hacked', but it is (or should have been) easy to monitor, which is probably why they did it.
Part of the draw to this event was that they were going to use "video animation" to "show how network attacks happen." I didn't have my hopes up for this, but I was still disapointed. They used their (Linux-based) homebrew GUI, which looked like it just used some libraries from etherape to draw lines from ips to the services on the target they attach to. That was it for the visualizations. The list of services was supposed to turn from green to red when they went slow, but for most of the night they stayed red and displayed just zeros, no readings. Their software appeared very buggy, hardly ever working, and windows in the background showed them fixing it as they went.
The commentary was sparse and uninformative. "Yes, that line shows connections to http, and it is taking a beating!" There was no discussion of exploits, security, concepts, attacks, what is currently happening, etc. After the attack session ended, the defenders were brought up for a brief Q&A, which reminded me of a post-fight boxing interview. "Uh, yeah, we felt good, we had a plan. A lot of things happened, and we applied patches."
Before, during, and after the attack session, no one knew what was happening. It seems that despite hours of trying by different teams, the target box was NEVER compromised. During the second Q&A session I stood up and asked, "Was the box hacked in any way whatsoever?" The reply? "Probably." But no one knew. If it had been hacked, I believe the person doing it would have said something, or at least bragged on the irc channel for the contest.
The entire operation seemed very amateurish. Technical difficulties occured during the event, giving one team a higher score becuase the monitoring software wasnt working to remove points. Most attendees left early, and a highlight of the evening was when someone posted ascii porn to the irc channel.
On the upside, the DJ had a good stream of music, there were more women than you'd expect, and some in small metal bras. And it was a gathering of a lot of smart geeks, a great opp to meet people.
Room for improvement. The longest topic of conversation in the audience was how to fix this mess. We came up with some ideas:
Visuals
They should have used proven, off-the-shelf network visualization and monitoring tools for the event. We were _dying_ for some snort output, to see what exploits were being attempted. A tool like Demarc would have been perfect to show the events as they happened. Or at least snortsnarf or acid. The screen should have rotated between different monitoring tools to give an idea of what was happening.
Contest Format
The format of the event was flawed. The truth is most hackers take advantage of easy targets. Defending a box is not that hard. Simply applying the latest patches and configuring a basic iptables firewall about does it. After those steps are taken by the defending team, only truely leet hax0rs with 0day exploits are going to get root in thirty minutes.
A better format would be this: Bring an unpatched or lightly patched Linux server for everyone to attack. As soon as someone gets in, stop the show. The hacker gets a prize, and has to explain/show what they did. Then that vulnerability is patched, and the contest starts up again.
All in all, the event was a let down. Austin is a cool town, and lots of smart geeks came out. There is obviously interest in an event like this, but the execution didn't result in any entertainment or learning. If this is a PR event to generate publicity for the sponsors, I think it failed, because if this is an example of their organizational and technical skills, I would not hire them myself. But then, they're probably better at security than they are at public events.
Slashdot welcomes reader-submitted features; thanks to marc for this one.
Modest doubt is called the beacon of the wise. - William Shakespeare
After the excitement of all of those hacker movies and TV shows, I'm suprised at this result.
Yet another event trying to make it look like hacking into computers is really cool and a fun activity... when in fact it's long, boring, solitary and quite pointless for most people when you think about it (especially pointless for those 14 year olds with too much time who would do better to go out and get laid than to DoS someone they don't like on IRC with one of the boxes they got into courtesy of code red or whatever). Daniel
Carpe Diem
pics plz
Username taken, please choose another one.
On the upside, the DJ had a good stream of music, there were more women than you'd expect, and some in small metal bras
One of the women was probably Leslie.
Won't even be at this show. They are too busy elsewhere.
Personally, the idea of a hacking competition is interesting, but it would have to be done over a long period of time, and set up more like a war game than a boxing match.
Skr1p7 k1dd13s treat hacking as a boxing match. Real hackers are far more efficient and skilled at it.
An idea for a real hacking competition (Almost like capture the flag): Two sides to the fight, different locations for both. One side will have multiple targets, the other side will have multiple attackers.
The goal of the attackers will be to get specific files from the targets, using any technique desired. (Including Social Engineering) The goal of the defenders will be to catch/name/etc the attackers, and thus completely neutralize them.
Do this over a course of a month or a year, and make a TV show with the highlights of battle. Now that would be excellent viewing.
** NOTE: the term hacker above can also be translated as cracker for those who are offended by this use of the term hacker, thank you **
~ kjrose
Being on an actual team at the contest, It was a lot better than their 2nd attempt.. Every time LTG throws an event. it gets better..
Although #2 required you to run a specific application on the webserver.. this one you could put anything you want.. (aka a static page with hello world).
But all and all it was good.
I came in #1 for the 2nd contest.
Team 2600 came in 1st this time
(We, team penguinati, came in second this time).
but oh well.
It was fun.... the best thing is the food and beer...
ChiefArcher
http://www.gbronline.com/brooksdesign/
Yah... People asked... I found... it seems...
What was her name?
I don't need no instructions to know how to rock!!!!
Since this is in the Austin area, I recommend checking out the Austin area slash based GeekAustin. They had a head's up on this event a while ago. I haven't seen a followup yet.
I don't condone it because it couldn't help but be bad or boring. Hacking, for whatever purpose, is tedious if anything, and tedium rarely makes for exciting stuff. Having a technical discussion afterward might be neat, doing it as a demonstration, but mixing in DJ's and scantily clad women just comes off as silly. You might as well hold your next math convention at a strip club.
As far as terrorism goes... please! There's nothing illegal or "black hat" about breaking into a box you've been told to break into. What better way to find bugs or flaws, so that you can then close them? I'd be a lot more worried about gun shows before I worried about hacker conventions cause last I checked, the gun to computer related death factor was still INFINITE.
The more people banned (or are bullied) into stopping completely legal and (possibly) worthwhile activities, the more I'll seriously consider moving to Canada... or running for office. Neither of which I'd really enjoy, BTW.
All elements meant to distract you from the fact that there is nothing going on in the room and you wasted gas and money driving there.
I'm heading off to a dog show now...
The entire idea of this contest is flawed. Like the article said, securing a box is trivial. Apply the newest patches and set up a simple firewall, bingo. But if everyone knew what was going to be open ahead of time, it'd just be a race to see who could run their exploit scripts first.
Truth is, hacking in general is not rocket science. Anyone can do it. Securing a box is not hard, however the reason so many machines get hacked is ignorance and/or apathy to the situation. Hell, the hardest part about hacking is finding a box with holes to exploit. If you already know the box has holes, you can run a script to find them. I went to the first Linux top gun and it was a total washout as well. This one sounds a bit more organized (at the first one, half the attendees were bums there for pizza) but the entire idea of this contest just sounds stupid. Anyone can be a l33t h4x0r, it takes intelligence not to want to.
http://www.espressowebdesign.com/gallery/gallery.p hp?gallery=16
The Code Ninja is swift with his tool, precise in his delivery, and deadly accurate in his execution.
If you left too early and missed the penguinati presentation.. Check it out
http://www.penguinati.com
we did an "odd todd" ripoff to present our information.
ChiefArcher
OK, I guess it's official now.
Hacker = Cracker
and good linux programmers are just good linux programmers.
It's sad that mass media has finally triumped over the geeks.
nohup rm -rf ~/. >& zen &
tell me more about these bras that you speak of and that which they contained
There are some odd things afoot now, in the Villa Straylight.
Use real targets.
Create a points system based on method of entry and create a rating system (open, hardened, impossible, etc.) for targets. Scores are created by combining the various entry levels with the various target ratings. Targets could be selected by the audiencs, the teams or the event coordinators. Targets could be published before hand or not.
Granted this would be shut down so fast. All involved would be sent to Guantanamo Bay for being terrorists but it would be _really_ fun to watch. I also think that it could be done without causing real damage and in fact would _increase_ security. It would still be shut down though.