Get Paid To Crack?
John Klein writes "Corporate Technologies USA, Inc. is offering hackers $250US and up as part of the Hacker Wargame Research Project. Participants are given sufficient time to hack three primary goals on real Windows 2000 servers on an internet connected wargame network. The servers are updated with fairly current Windows patches, so this is not necessarily an easy task. The difficulty is part of the point. The Project is studying how hackers think, called cognitive research, in an effort to better understand how future IDSs might identify the target of an attack during its early stages. The Project guarantees complete anonymity for those that want to participate without pay, or complete privacy protection to those that choose to get paid."
Will this one just get DOSed into oblivion too?
But someone will probably hack the server running the article and put their name at the top... Would that be an instant win?
*There's Klingons on the starboard bow, scrape em off Jim!*
But you're going to have to pay for each hit after!!!
Does this not undermine a cracker's "Trade Secrets" then ?? I am no cracker, but I have always been under the impression that if a cracker is going to get into a site, he is going to use his own methods (unless of course he is a script kiddie) .. which means that he is not going to give away his secrets .. no matter how much (little) he will be paid ..
If they really want some competition, shouldn't they offer at least some TopCoder-scale money - for instance, how about $10k, but have tiered competitions, so that only the top 5 hackers are trying to get in? That would avoid the DoS issues.
Wargames are interesting, maybe even fun, but they shouldn't be used for cognitive research. You simply can't replicate the environment of a real corporate network.
Where is the poor tech support agent that I call to inform of the "new authentication procedures"? Where are the client boxes sending out cleartext FTP passwords over a compromised proxy server?
Seriously, this isn't a great way to study "cracker patterns". Most crackers aren't creative enough to gain access to a box that lacks the common weaknesses of a corporate server. It's easy to set up a server that no one is supposed to use, but the challenges (and weaknesses) come from the balance between security and usability.
"Shall We Play A Game?"
Are you sure you wouldn't prefer a nice game of chess?
When I am king, you will be first against the wall.
1. Wait for critical security patch from Microsoft (shouldn't take long)
2. Read up on exploit
3. ???
4. Get paid
Isn't this a blatant violation of the DMCA?
gahhh he found me!
at least he modded me up, i don't think he's going to fire me.
I wonder how far they are willing to go to protect a hacker that finds a rare vulnerability.
Melius mori in libertate quam vivere in servitute.
Don't let the "pstohtml"ish webpage con you. And don't let them convince you that they are not law enforcement. I'm sure they are in with Ashcroft.
Note the term Hacker in all the writeups, the incorrect use term the establishment uses to paint Linux hackers black ? Note the referral program ? Trust nobody!!
On a serious note, suppose somebody actually cracks their server, and they hold the information secret, will they be an accessory to crime? Surely enough, just because nobody complained about a murder it does not become a non-crime. So with convictions for cracking being higher than manslaughter, what is to stop a third party from dragging everyone to court? Even if they don't cause any harm to these guys, they surely broke DMCA laws, by harming microsoft? No?
.ACMD setaloiv siht gnidaeR
Wanted: Cracks on isolated Windows server. Full disclosure required. Compensation $250 or negotiable. Social Engineers need not apply.
I, for one, would be seriously surprised if anyone at Microsoft uses this to build a better system. I could see if this research was used for security outfits to track B&Es, but even that's a little loosey-goosey, IMHO.
This effort could be for the good, but crackers out there be warned that this could be a one stop ticket to FBI surveillance and eventual lockup. Come now, doesn't this remind you of the RIAA's amnesty offer?
I remember reading a story not so long ago about a company (can't remember their name) that asked a hacker to break into their secure ATM transaction network to prove its infallibility. Upon doing so they promptly prosecuted him and had him imprisoned. So I'd be wary of any "open hacking" competition. You don't see Ford running hotwiring competitions.
Fred, come see me in my office ASAP.
-- Mike
Senior Network Administrator
When I first read the title, I thought it was "Get Paid For Crack?"
Where where?
Sigh.
Nothing like a good joke to start out my day:
"The servers are updated with fairly current Windows patches, so this is not necessarily an easy task."
hahahahahah
I think I'll work at Wendy's for the week... more profit!
That ought to make it pretty quick and easy. In fact, if they install Outlook and actually use this machine it will probably get nice and fucked real quick.
Now have somebody inside the network load some app with a backdoor in it. I mean isn't one of these two methods how the majority of real cracks happen.
I'm about to format a drive on my network that keeps breaking through the firewall to connect to some bozo snoopers. Who knows where this stuff comes from, it's everywhere. I think the people organizing this are playing up a false image of how hacking works so they can hype a worthless product to defend you from these mad hacker skills when, in fact, it's all very mundane and ubiquitous. Putting a face on it like a wanted poster is little more than a marketing gimmick.
From the FAQ:
Q4: How do I know you aren't working for the man?
A: We're not, we promise.
Why would any real cracker spend time and effort on showing those he hates how he operates?
Complete privacy, they say?
Will that still be the case when someone hacks in to their system housing the database of participant names?
This would be a good way for someone to develop an ID for individual hackers. Just study the way individual attackers attack and try to come up with a way to associate that attack profile with an individual. $250 per person to build a database to go after future attackers. Seems like a cost effective way to get the data.
From their FAQ:
You should be able to complete the goals easily without the need to break any laws...[in] about 5 hours
Sounds like this is more of a "target-rich environment" where they expect the dedicated hacker to succeed, and they want to study means/methods, rather than a "our box is unbreakable" type challenge. I think they'll be writing a lot of $250 checks--which explains also why the sum is low.
--
$tar -xvf
It's a no-brainer competition.
Step 1. Find IP address of server
2. Post link on /.
3. Server crashes 18.113 seconds later from overload
4. Collect underpants
5.
6. PROFIT!!!
Corporate Technologies USA, Inc. is offering hackers $250US and up as part
In the real world, a "consultant" would be charging $250 AN HOUR, at a bare minimum.
Wake up and smell the coffee, dudes. They're using you as slave labor.
Complete anonymity? An interesting idea. Let's talk about the practical ways you could "guarantee" somebody else's anonymity on the internet while still having the contest? I tried to make a list, but all I came up with pretty much amounted to "Dump all the logs." Which obviously makes it really difficult to study the attack patterns.
Obviously, the best way to remain anonymous is not to break into other people's networks, invited or otherwise. I mean, are they really going to destroy their data if the FBI calls? That would definitely be illegal (and unwise in our current "terrorism-freak-out") and publicly pre-meditated, at that.
If I had the kind of skillset these people are obviously recruiting for, I would be extremely leery of participating in this "competition." But I don't, and would have no interest.
"Lenny! Tell Mr. Burns I went home to work on the contest!"
Who did what now?
Even if I'm wrong about the government or marketing, I am certain that there are fancy pants involved.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
Just do not try to hack it, or at least try not to succeed. That way M$ will think that their servers are safe and the REAL fun can begin.
Don't fight for your country, if your country does not fight for you.
And people who are doing that are called hackers and terrorists. Hopefully the elected General Ashcroft will put an end to this madness.
three primary goals on real Windows 2000 servers
./dcom 4 xxx.xxx.xxx.xxx
The servers are updated with fairly current Windows patches
Oh.. darn. I guess I just have to do it the easier way and send the administrators an email masquerading as a windows update.
Linus was right, you are smoking crack over at SCO....
From excellent karma to terrible karma with a single +5 funny post...
How dare he suggest that hax0ring and crax0ring a Windows box is a challenging feat! This guy aughtta be strung up by his nuts and beat with the Windows-Sux-Stick for uttering such blasphemy!
"Ask not what your country can do for you." --John F. Kennedy
the Hacker Wargame Research Project. Participants are given sufficient time to hack three primary goals on real Windows 2000 servers
...
At least you know you have a chance to win with this platform. That might also explain why the prize is only 250 bucks, it might have been a lot more if participants were to hack a netbsd box for example.
Oh well, in any case, wargame research projects that don't involve a WOPR are just not worth the name I say
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Get paid to sell what?!?!
How about saying what it does, so I wouldn't have to reinstall wmp? (for those who haven't clicked yet, it nukes wmplayer.exe)
Yeah yeah, don't click on a slashdot link etc, but still...
Hacking is much like trespassing in that you are only guilty if you don't have permission from the rightful owner. For example, if you pick my lock and break in my house, you are guilty of breaking and entering and trespassing, and will go to jail if caught. However, if I lock myself out of my house, you are a locksmith and you pick the lock to let me in, then I invite you in for a beer, you've committed no crime since you did everything at my behest.
Same goes for computer access. You are perfectly legal in hacking a system PROVIDED you have permission. If it belongs to you or if the rightful owner has given you permission, go nuts. It is only a crime when you do it without permission.
Well, they are explicitly giving you permission to hack their boxes if you want to play their game. Thus, no problem. Given the publicised nature of this, even if they decided to try and perjure themselves later and claim you did it without permission, it would be easy to prove otherwise (then they'd go to jail for falsely accusing you of a crime).
The servers are updated with fairly current Windows patches, so this is not necessarily an easy task.
--Is this meant to reflect most Windows systems out there, without the most recent updated patches?
The difficulty is part of the point. The Project is studying how hackers think, called cognitive research, in an effort to better understand how future IDSs might identify the target of an attack during its early stages.
--BS. Why didn't they choose a Unix system? Or a Linux System? I think they are just trying to prove a point other than "researching" how hackers "think". It's pretty obvious. Why don't people just come clean about their intentions?
The Project guarantees complete anonymity for those that want to participate without pay, or complete privacy protection to those that choose to get paid."
--Well, NOW should I really believe that? I am pretty sure if FBI or CIA are "interested in your hacking skills" your privacy is toast. Think b4 you act. Is it worth for a dirty $250? I don't think so. Over all, I think a lot of people will be getting paid (or arrested for hacking)
The phaomnneil pweor of the hmuan mnid. Fcuknig amzanig eh!
Make a building, I want to see if I can break a window and get in. Hey, that'd be damn fun! Even make a fake rent-a-cop police force (take from a local college) so we can say extremely silly things such as "4 minutes!" at the beginning of the break in as if we know the position of every single police officer..
You know I'm kinda trailing off here. I really just wanted to break a window.
I'd say you don't need a research project to find out "how hackers think".. Just understand the fact that hacking a microsoft box is nothing special, it's done everyday and the really good hackers wouldn't do this joke of a project anyway as it would expose the exploits they use so that Microsoft can fix those flaws.. Also, hackers use creative thinking and lots of social engineering - they can write that in the report and that's all there is to it.
And they think that this will reveal how hackers think.
So, what we end up with is a bunch of people getting paid a little bit of money to mess with statistics. How many are going to use obvious techniques, just to skew the results in a 'nobody thought of this so it must be safe from exploit' way?? How many are going to have a grand time hacking into their real system just for fun?
And for that matter, how many dumb wanna-bes are going to end up sharing their IP address with a company that might just duly record them, along with the name that they're writing the check out to, and hand it over to other investigators, saying, "Hey- these are the hackers who applied"?
I'm guessing that anyone who's willing to take the money but isn't up to a level where they can really accomplish anything is going to eventually get caught playing with someone else's network- i don't pay enough attention to hackers in the news, so i'm not up to speed on whether this constitutes admission of previous (potentially criminal) activity or not... but if the company has a list of people who registered to 'contribute,' to the effort, they could then give the list to anyone, right?
Somehow, the only way that this could look funnier to me is if they had to enter the system, install kazaalite, upload copyrighted music files to it, and make them available for download. At which point the RIAA would step in and prosecute, creating a net loss of approximately $14,750.00USD for the hacker.
Scenario two is the same, but they have to upload Gigli, and set it to play in a continuous loop until the machine explodes in a desperate move of self-preservation. (And the MPAA would be prosecuting.)
That is... if the hacker were dumb enough to give their real name and use their own (and static) IP address....
"I'd say 'Have a good time,' but arson is still illegal.
I'm going to take $250 to be put on a list of windoze crackers? No thanks. I don't care how fun it would be to look into how to do this kind of thing or how bad I need the money. Projects like this have the stink of an INS washing machine give away in a Mexican neighborhood.
Friends don't help friends install M$ junk.
Sure, they don't have to work for the government as such yet the men in black (insert TM at will) can quietly tap the lines.
They don't even have to pay you. Clever. So get that tin foil hat up right now.
just setting up a box to be hacked isn't really a good way to test hackers. 90% of "hacking" is sniffing passwords off a network and social engineering.
both of those aren't an option here on a box that isn't used by anyone, just sitting there.
What about studying these crackers so that they/we can determine how a cracker thinks, for the purpose of designing a better system in the first place? Say, design the system so that it's counter-intuitive to cracking attempts, at least at a security level (as opposed to a UI level).
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
how would they get an idea of hacker 'targets' when they set the goals themselves?
According to the FAQ
Q23: I'm too busy to do this right now, but I'd like to do it later. How long is this study going on?
A: We anticipate the study to be wrapping up at the end of 2003, but we will probably be done recruiting by mid-year at the latest, so don't wait too long. Sorry, no reservations accepted.
I'll go digging at archive.org now to find out how long they've been up.
Any sufficiently advanced libertarian utopia is indistinguishable from government.
and I was sure I saw the word "smoke" in there somewhere.
Isn't what they are asking similar to that of the HoneyPot project? If they are using software you have to install to 'watch' your scripting/program use (which you later upload), then monitoring the server as well... then what's the point?
-- M
Artificial intelligence is no match for natural stupidity.
We're doing research like this at the Ecommerce Research Group at the Australian National University. We're focusing on software piracy, trying to work out why people do it if they don't then sell their cracked software (and could be using their coding skills in the workforce).
Our biggest problem has been getting crackers to participate. Most are so skeptical and wary that they are reluctant to take the survey (which we designed specifically so respondents don't have to admit to doing anything illegal).
Our second biggest problem has been getting the people who have elected to participate to take it seriously. It seems many respondents just treat it as a joke.
It's an interesting problem.
"You can justify anything by putting it in quotes, adding a famous name and making it a sig" - Albert Einstein
We want you to help us make money by making hacking harder for you and others like you to do..uhhhh.......wtf? Ohh and by the way I am a middle aged loser who does videos on IT security.
Go to
http://www.corptech.net
and click on the link to the intranet demo..the message board on the intranet demo looks like it's been hacked by some kiddie...
http://www.offsiteaccess.com/intranet/board/
Here is a more detailed version:
1. We will contact you by e-mail within 72 hours to let you know that we have received your application. This is not an automated mailing, it is a real response from a human being.
2. We will review your application within one week of application and decide if we will invite you to participate. You will again be personally notified, this time by e-mail or telephone, of our decision.
3. If you are not chosen to participate, we will tell you why, and we will destroy all records of your application and our communications with you. The only information we will keep is a paper list of who applied and was rejected, and why.
4. If you are chosen to participate, you will be sent more info on the wargame research project.
5. You will need to prepare yourself by following the instructions, and schedule a time with us to complete your hack. We will send you all of our direct contact information so you can talk to us directly to answer any questions that you might have.
6. If you intend to use any Windows box(es) during your hack, you will need to download the free demo version of the CamTasia screen recorder program (15.4MB) from our FTP server [ anonymous login to ftp.hackerwargame.org ] or from the author's commercial website if you prefer. Install the program ahead of time, and play with it a bit to ensure that you know how to use it. It's very simple, and the defaults will work, but you can optimize your output and file size by turning off hardware acceleration and setting your desktop resolution to 800x600 at 16bpp color. We don't recommend recording at 24-bit or 32-bit color since this will result in very large files in the Gig range rather than a few MB.
7. If you intend to use any *nix box(es) during your hack, you will need to start off by running the command "script -a /log.txt" which will pipe everything from STDOUT and STDERR to a plain text file (adjust the logfile path to wherever you want). Hit CTRL+D when you are all done to close the logging. Check man script to learn more.
8. If you intend to use an Apple/Mac during your hacks, you're kind of on your own regarding how you're going to produce logs for us, but Snaps Pro X works well under OS-X, and a plain text file with a LOT of typing might work.
9. Prior to the hack, you will need to get your computer(s) ready for the hack. This includes downloading any tools you intend to use, checking your internet connectivity, and letting us know what IP address(es) you will be coming from. If you receive dynamic address(es) you can notify us of your address just before the actual hack time. To make it easier, you can also get a free account with a free dynamic IP tracking service like NO-IP.com (or any other that you prefer) which will give you a domain name that tracks your dynamic IP address, which we can use to set you up in our IP filter.
10. At your arranged date and time, you will need to synchronize all of your computer's times to our network so that we can match up logs. We will give you a webpage where you can do this easily, or you can use any standard NTP utility since our network is synchronized at Stratum 2 to the US Atomic Clock. You will then begin your hack by sending us an e-mail to a specific address telling us that you are starting. You will be notified of the wargame's IP address prior to your scheduled hack time.
11. During the hack, you will log which goal you are attempting to accomplish. This can be done quite simply by typing, for example:
10:21:42.15>echo SQL goal
SQL goal
10:21:42.15>
in a DOS box or on the *nix console. Note that your command prompt needs to show the time so we can synchronize our logs. On *nix this is done by setting PS1=$t> and on Windows boxes by typing prompt $T$G
It will also be helpful if you kept a notepad or plain text file open in which you can write notes, paste information that you have gathered, etc. The more loggi
The lunatic is in my head
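The timestamped prompt and `echo ... goal` markers in the instructions quoted above exist so that a participant's transcript can be lined up with the server-side logs. A sketch of that correlation, as an added example that is not part of the original thread or the project's own code; the server log format, the goal names other than "SQL", and the `skew` parameter are assumptions, and all sample data is constructed:

```python
import re
from bisect import bisect_right
from datetime import timedelta

# Prompt as in the page's sample line: "10:21:42.15>echo SQL goal"
PROMPT = re.compile(r"^(\d{1,2}):(\d{2}):(\d{2})(?:[.,](\d{1,2}))?>(.*)$")
GOAL = re.compile(r"^echo\s+(.+?)\s+goal\s*$", re.IGNORECASE)

# Constructed participant transcript (timed prompt plus command output).
SAMPLE_TRANSCRIPT = """\
10:20:58.02>echo recon goal
recon goal
10:21:42.15>echo SQL goal
SQL goal
10:21:50.40>dir
10:34:07.80>echo web goal
web goal
"""

# Constructed server-side log; "HH:MM:SS description" is an assumed format.
SERVER_LOG = """\
10:20:30 tcp/80 connect
10:21:05 tcp/445 connect
10:21:42 tcp/1433 connect
10:25:13 tcp/1433 login-failure
10:34:09 tcp/80 request
"""


def parse_time(h, m, s, frac=None):
    """Time of day as a timedelta; frac is the optional fractional-second digits."""
    ms = 10 * int((frac or "0").ljust(2, "0"))
    return timedelta(hours=int(h), minutes=int(m), seconds=int(s), milliseconds=ms)


def goal_markers(transcript):
    """Return sorted [(time, goal)] for each `echo <name> goal` typed at a timed prompt."""
    markers = []
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue  # command output (the echoed text itself) carries no prompt
        g = GOAL.match(m.group(5).strip())
        if g:
            markers.append((parse_time(*m.group(1, 2, 3, 4)), g.group(1)))
    return sorted(markers)


def parse_server_log(text):
    """Parse the assumed server log format into [(time, description)]."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, _, desc = line.strip().partition(" ")
        events.append((parse_time(*stamp.split(":")), desc))
    return events


def label_events(markers, events, skew=timedelta(0)):
    """Tag each server event with the goal the participant had most recently declared.

    skew is added to server timestamps to express them on the participant's
    clock (residual offset left after time synchronisation). Events before the
    first marker get None. Assumes the session does not cross midnight.
    """
    times = [t for t, _ in markers]
    labelled = []
    for ts, desc in events:
        i = bisect_right(times, ts + skew)
        labelled.append((ts, markers[i - 1][1] if i else None, desc))
    return labelled


if __name__ == "__main__":
    marks = goal_markers(SAMPLE_TRANSCRIPT)
    for ts, goal, desc in label_events(marks, parse_server_log(SERVER_LOG)):
        print(ts, goal or "(no goal declared)", desc)
```

With zero skew the 10:21:42 server event is attributed to the earlier goal because the marker was typed 0.15 s later; a one-second skew flips it, which is why the instructions insist on synchronised clocks.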
Um, perhaps we shouldn't be modding people up who throw up links that remove software from other people's machines maliciously.
:)
I know, I know "only losers use IE", but last time I checked, there's no crime for using IE, and something like half of Slashdot uses it.
Perhaps we can have people post something like "hey, this is a cool link, it will delete media player from your system if you click here (don't say I didn't warn you)". Instead, we get something modded up that is far worse than that insipid goatse.cx picture.
Real way to make us look like a bunch of idiots.
And no, I'm not sitting here fuming at my own stupidity; Opera has no problem with that link at all
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
Perhaps you've missed the big business that has grown up surrounding slashdot's sale of $3 crack, but I assure you it is quite profitable and mutually beneficial. If you'd like to start selling $3 crack, please reply to this message with your credit card number and address.
pb Reply or e-mail; don't vaguely moderate.
Interesting. Seeing as many security tripwire programs shut out an IP as soon as they get suspicious, I can't see how this would replicate a realistic programming environment. One of a cracker's most important tools is being able to attack from unexpected (spoofed or rerouted) IPs. To come from every direction, as it were.
This reminds me of a similar study on Unix use I was in, that studied how people navigate a directory tree in a Unix shell and find relevant files and information quickly. The catch? No pipes or multi-command lines. But pipes are how a knowledgeable Unix user does things - the system is built up around it. So basically, the artificial limitations of the study cripple the performance of the participants.
-3Suns
~~~~
The Revolution will be Slashdotted
Once I get my trillion dollar Quantum-powered computer up and running, I'm gonna solve the crack and win me that $250! in no time flat.
Weirdness abounds...
{/script}{!--webbot BOT="GeneratedScript" endspan --}{form method="POST" action="_vti_bin/shtml.dll/prequal.htm" onsubmit="return FrontPage_Form1_Validator(this)" name="FrontPage_Form1" webbot-action="--WEBBOT-SELF--"}
{!--webbot bot="SaveResults" S-Email-Format="TEXT/PRE"
S-Email-Address="prequal@hackerwargame.com"
B-Email-Label-Fields="TRUE" B-Email-ReplyTo-From-Field="FALSE"
S-Email-ReplyTo="prequal@hackerwargame.com"
B-Email-Subject-From-Field="FALSE" S-Email-Subject="Prequal"
S-Date-Format="%m/%d/%Y" S-Time-Format="%H:%M:%S %Z"
S-Builtin-Fields="REMOTE_NAME REMOTE_USER HTTP_USER_AGENT Date Time"
U-Confirmation-Url="prequal2.htm" U-Validation-Error-Url="pqf.htm" startspan --}{input TYPE="hidden" NAME="VTI-GROUP" VALUE="0"}{!--webbot bot="SaveResults" endspan i-checksum="43374" --}
why not? rather than discontinue the whoreabull payper liesense BugWear(tm) from the felonious kingdumb, might as well get some kids to try to help fix it, for next to nothing. typical 'thinking' from the greed/fear based corepirate nazis/softwar gangsters. lookout bullow.
consult with/trust in yOUR creator....
Seriously... it's been touched on but it's a very important point. Users are the weakest link in any system. To ignore this element and the way crackers commonly exploit it, is to skew your research from the get go.
I'll tell you exactly how they think... goes something like this: 1)Wait for contest beginning 2)Go to bed 3)Check usual places for today's vulnerability 4)Exploit It doesn't matter how recent the patches are when truck-sized security holes are announced almost daily.
LilMikey.com... I'll stop doing it when you sto
That's nothing, I once got root on a gibson. I stole the trash file. "They're trashing the planet man, Trashing it."!!
Read their 'how do you know we aren't working for the man' page? It basically says 'trust, we promise we aren't!' Also it's a very condescending piece of work. I don't trust it. Perhaps they're analyzing the hackers that do hack in so that when someone hacks into one of their systems a year or two down the road, they'll have a set of known hackers with what amounts to a behavioral study on each one. I can see it now: 'we just got hacked, run the characteristics of the attack through the database! hmm, it matches 's pattern of attack, Patriot act abuses here we come!'
There's a growing sense that even if The Future comes,
most of us won't be able to afford it.
-- Lemmy
This company seems to be a bit on the er...amateurish side. Checking out their website, I see that they apparently sell Axxis webcams as though it was some kind of high-end technology, and would love to sell me what looks like "Intranet in a can." Waaaaa hoo. Besides, while I don't go for the typical "it's not in Silicon Valley so it can't be for real" attitude, they are in Fargo, North Dakota. I don't think you have to be in the Valley to be serious, but jeez...it's as if it were meant to be parody!
For your security, this post has been encrypted with ROT-13, twice.
With the security record of Windows, a $250 cracking reward isn't cheap when you have to pay it out several thousands of times
..........FULL STOP.
At first I thought it said "Get paid to smoke crack." and figured they were talking about SCOs executives.
Outdoor digital photography, mostly in New Engl
Uh, actually it didn't kill anything on my machine. I think it's supposed to restore wmplayer afterwards (Which probably won't work for people who pull the plug in a panic). Sorry if that didn't work :(
I could care less, but not without a lobotomy
Hi, The Irish Government's Department of Health has a tender out for 'Security Consultants' to crack their network/servers as well. http://www.e-tenders.gov.ie/viewTender.asp?id=OCT0 20088
Tender expires on the 24th October.
I tell you what. I wouldn't trust these guys. Plus $250.. per hack isn't worth the money. And I bet if they cut you a check your name will be recorded in a database. Heck when I worked at a consulting company and they challenged me to hack into a system , I brought my linux laptop in, scanned the network (without being issued an IP. I had to crack that as well but as it turned out their DHCP server was open). I probed the network, broke into 5 NT Servers (It was 1999). From then on whenever there was a security breach they asked if I had anything to do with it. So it's not worth the hassle.
A plumber filed suit today against Corporate Technologies USA, Inc claiming that he was successful in "cracking" while working on site at Corporate Technologies USA's headquarters.
"I walked in, bent over to set down my toolbox and Bang! cracked on the first try." said Master Plumber William Johnson.
Corporate Technologies USA has refused to comment.
"Computer Scientists can count to 1024 on their fingers" (non-mutant, non-mutilated, human computer scientists)
Q9: Can you write me a letter absolving me from prosecution for things I might do to break in?
A: No! You are not to break any laws while doing anything for us, and if we find out that you do, we'll "fire" you. You should be able to complete the goals easily without the need to break any laws, so there's simply no reason to do so, and we don't want anyone bringing heat down on the project.
TODO: 753) write sig.
http://project.honeynet.org One difference: The hackers who hack a honey net didn't know about it, and didn't get paid. (perhaps worse when sent to jail)
Why, there's no telling who would fall for such a seductive sales pitch!
"Hackers, we'll give you $249.95 to display all of your best-kept secrets to our packet dumper so we can build it into our IDS product and nail your pasty white asses when you try it with our clients later! Buy now!"
Oh, crap. Was my sarcasm filter on?
trustedworlds.net - gaming, security, and the gunk that lives in between
Hacking is 20% coding, 20% luck, and 60% social engineering. If you throw up a compromisable machine and say, "Hack this" you're losing over half of the social engineering bit, and can expect to see the general rootkit.
What's going to happen, is with only $250 bucks as an offer, you're going to see a lot of pre-made scripts (and underground boards will have a lot of newcomers requesting new code) and rootkits that lack a lot of the more complicated tools hackers use.
In fact, one hack should always lead to another hack (it is part of the fun) and I don't think they are going to get much information or get any serious people interested in what would appear to be a "risky" 250 bucks.
It's always the goodie-goodie white hats that use apps they've seen the other hats use or create that end up winning these "contests" anyway.
Sounds like the simpsons episode where homer goes to get his free boat and winds up in jail.
Homer: Up and away in my beautiful my beautiful motor boat! Da da da da!
Bart: But we didn't enter any police raffle.
Homer: That doesn't matter, the important thing is we won.
[parks]
Marge: I don't know, there's something very peculiar about this!
Homer: Sheesh! You're the most paranoid family I've ever been affiliated with. [gets out]
If their intended purpose is what they say it is, why are they only interested in "studying" people trying to hack into windows computers?
They would probably get more of a response if they had other OSs to try to break into. It's the unix/linux computers that usually get compromised first in other challenges, no?
"Q21: What's gives with the "Howto" format of this site?
A: We felt that the simple, familiar and straightforward layout of the classic Mini-Howto was perfect for this, since there's no goofy graphics to slow you down, and it's easy to navigate. The alternative was a "modern" hacker site with unreadable tiny graphic text, more flash than the Macromedia site, loud blinking crap, and stupid can opener like sound effects on every link. (Sorry if this describes your site and I offended you, but remember, I'm old skewl and if I can't browse it in lynx I probably won't be browsing it -- Cobras)"
Oh, nothing at all like this then huh?
*laughs*
From the article:
"Q15: What will happen to the study results? Why are you doing this study?
A: In simplest terms, we are trying to figure out if we can spot the target of an attack based on the methods used so we can build a smarter IDS that thinks like a hacker does. Of course, to make something think like a hacker, we have to know how hackers think, so we study them. If we are successful, we intend to build such a box, market it commercially, make 100-Gazillion Dollars (muhaha!) and buy Microsoft and fire Bill Gates. OK, I made the last part up, but you get the idea."
Business Plan:
1. Set up atypical Windows 2000 servers that do not resemble anything in the wild and have no opportunities for social engineering since this is not part of the "wargame."
2. Pay "hackers" $250 to crack them.
3. ???
4. Profit!
[o]_O
Isn't this kind of like a deer volunteering to let hunters watch it run around so they can learn how to track them better?
Perhaps "complete privacy protection to those that choose to get paid" == a one way trip to Guantanamo Bay ?
I didn't rtfa. But it's a common trick with law enforcement agencies to post news about fake lottery prizes a suspect allegedly won - and when he shows up to collect the prize, he goes to jail instead.
And considering that hacking is totally outlawed in the US, this contest comes as no surprise. I mean, you don't get suspicious with a company name "Corporate Technologies USA, Inc"?
Nice try. Move along now.
Next!
To me, the "competition" seems to say, "We've been given $2,500,000 by Microsoft to find security vulnerabilities in Windows. Give us $25,000 worth of information about how to improve Windows and we will give you $250."
Okay, here is my contribution: Unpatched IE security holes -- 11 September 2003: There are currently 31 unpatched vulnerabilities. Okay, where's my money?
The usual reason someone becomes a destructive hacker is that he or she feels abused by adults. Isn't this more abuse?
It'd be like giving the police a list of things you've hacked, with your name and address, and then with a little explanation on how you do it, along with a list of all the other hackers you know and what they've hacked.
Comment: Yes I realise the username 'fuckfuck101' makes me sound intelligent, no you cannot buy it from me.
Well, according to their article you can refer people. I'm referring everyone I know who has a PC (heck, even those who don't have one; I have a few extra lying around I could set up real quick on a 56k modem), then I'll go to their houses and hack from there. Initial 250 + referral + 250 at everyone else's house (minimal 20 guaranteed), that's over $5000. You people who think you can't make any money are wrong. I'll write down all the questions they ask me and have responses for all my family and friends. Heck, I'm sure I can make $10000 off this project. And I would have already cracked it, so it's simple all the other times. Heck, they require you to have a log, so I can have a detailed report of everything I need to do next time... easy money, people.. easy money
The person that is running this research project also runs this website: http://www.rent-a-hacker.com/
Make sure and check this out as well: http://www.rent-a-hacker.com/cobras/
Yes it was designed with frontpage.
-whistleblower
Domain Name: RENT-A-HACKER.COM
Registrar: TUCOWS, INC.
Whois Server: whois.opensrs.net
Referral URL: http://www.opensrs.org
Name Server: NS1.CTUSA.NET
Name Server: NS2.CTUSA.NET
Status: ACTIVE
Updated Date: 04-apr-2003
Creation Date: 05-may-1998
Expiration Date: 04-may-2004
Hacking a website is the equivalent of breaking copy protection, except over the net. Instead of this, it might be better to get a bunch of wares crackers or reverse engineers in a room, and watch/listen to them work.
The only difference between net-based cracking and reverse engineering is the details...the thought process is the same.
Oh.. this is about computers...guess I'll put my pipe away.
boycott slashdot February 10th - 17th check out: altSlashdot.org
the whole thing smells of government involvement.
DofHS
NSA
FBI
CIA
DARPA
GCHQ
Take your pick but most likely one of the above is into it. Or monitoring it.
Tell that to Randal Schwartz. Because he did not obtain permission for each individual action, he was convicted of Computer Crime. You can email his perl bot for more info.
Beware people with benevolent intentions, as they usually become malevolent when they realize 1) you are smarter than they are, 2) they bought an insecure product, 3) they fear you. While this contest may be on the up and up, the information they are seeking is worth far more than $250 and could easily turn into criminal investigations whether they intend them to or not.
If someone can get my library records without my knowledge, sniffing some packets is child's play.
Someone asked if I had patched against MSBlast; I said yes, I installed Linux.
Mr. Gates don't you have some security holes to fix??? Please stop with your childish pranks.
And immediately assumed it was the daily/weekly Verisign or SCO article. My mistake... though I suppose cracking might apply to an RIAA article instead.
Ooops, it says get paid TO crack, not FOR crack. My bad.
Just think how many people you could pretend to be, with 250 bucks per identity you could clean these guys out.
If they put research on cracker psychology to good use, we'd probably wind up with dedicated corporate servers with a bottomless vault of porn, nethack maps, and Star Trek divx's that will keep a 15 year-old so distracted he'll never think of trying to break into the rest of the network.
Ergonomica Auctorita Illico!
From the FAQ:
...
:)
Q1: How much time is this going to take?
A: We're guessing around 5 hours, but a lot of that depends on you too.
Q18: How much time do I have to finish the goals?
A: We are initially allotting two hours for your hack.
great study guys, you anticipate it to take 5 hrs, but you only give people 2 hrs, i'm sure you'll get lots of great results
yeah right. i'll give them a shot if they give the 250K to a third party to hold onto.
duh.
/. comments, and no one has picked up on this. this seems painfully obvious.
/. commentor that said $250 is slave labor is absolutely correct. anyone who works for $250 on this project has probably never had a real job before and has no idea what they are worth.
clearly they are going to sell the results of the contest to microsoft and/or microsoft affiliates - charge $100K's in "security consulting fees".
i've read through the
btw - the
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
Honeypot
I thought cracking was reverse engineering, not hacking..
Probably won't be the most surprising findings in history.
250 bucks for network data that could lead to new attack signatures, that is very cheap.
I've always wondered why Microsoft doesn't just pay people $10k - $25k to find software holes that can be exploited. The viruses going around now seem to cause millions of dollars in damage. Microsoft should take responsibility and pay big money to people to report the holes they've found. Seems like it would be a lot cheaper in the long run, and save everyone else a lot of heartache.
Sounds like a honey pot to me :).
GPLv2: I want my rights, I want my phone call! DRM: What use is a phone call, if you are unable to speak?
I just think some people will open up an IRC channel where you can post your goals & your exploits/methods. Easy way to make money... and it doesn't really help the study since everyone is using the same methods and such... Of course you can only sign up once with your real address... but hey... inform your non-geek friends they will be getting 10% of the check if you can use their address & IP to bounce off. I'm a bit sceptical about how they'll react to such "abuse" of their system...
The best weapon of a dictatorship is secrecy, but the best weapon of a democracy should be the weapon of openness.
Careful, people: nothing like telling the Justice Department you're a cracker.
Hmm... how if you had, say 60 seconds to do it in, ... and a gun was to your head, .... and you were getting an expert hummer at the time, ...
Now THAT could be challenging.
I would strongly urge people to stay away from these "competitions." They are at best, simply a sham. An IDS company is sponsoring this contest so that they can study and dissect the thought process of a "hacker" so that they can develop better mousetraps based on that data. Essentially what you are doing by participating is giving these assholes a bunch of lab rats for free. Be the faster rat and stay away from this kind of shit, let them figure it out on their own. They are gathering information to produce a commercial product that some day you may want to exploit. "DON'T BELIEVE THE HYPE!!" Don't get sucked in by this bullshit.
"The parent" is neither troll nor moron. Redeem *your*self through suicide.
Read the material. Randal Schwartz did *not* have permission to do what he did.