Get Paid To Crack?

John Klein writes "Corporate Technologies USA, Inc. is offering hackers $250US and up as part of the Hacker Wargame Research Project. Participants are given sufficient time to hack three primary goals on real Windows 2000 servers on an internet connected wargame network. The servers are updated with fairly current Windows patches, so this is not necessarily an easy task. The difficulty is part of the point. The Project is studying how hackers think, called cognitive research, in an effort to better understand how future IDSs might identify the target of an attack during it's early stages. The Project guarantees complete anonymity for those that want to participate without pay, or complete privacy protection to those that choose to get paid."

Secret Methods ??

[MadX]

Does this not undermine a crackers "Trade Secrets" then ?? I am no cracker, but I have always been under the impression that if a cracker is going to get into a site, he is going to use his own methods (unless of course he is a script kiddie) .. which means that he is not going to give away his secrets .. no matter how much (little) he will be paid ..

Re:Secret Methods ??

You actually expect me to tell you? .....

This is what I do for a partial living. And you expect me to tell you just so it's disclosed? Come on.

What I do is illegal. I break into systems and gather information that suits my client. For me to release undisclosed holes is to make my job harder. Of course, Windows servers do make my job a bunch easier as you dont need to get in contact of anybody at the target site. A Unix box requires SE.

Wargame Servers

[sabNetwork]

Wargames are interesting, maybe even fun, but they shouldn't be used for cognitive research. You simply can't replicate the environment of a real corporate network.

Where is the poor tech support agent that I call to inform of the "new authentication procedures"? Where are the client boxes sending out cleartext FTP passwords over a compromised proxy server?

Seriously, this isn't a great way to study "cracker patterns". Most crackers aren't creative enough to gain access to a box that lacks the common weaknesses of a corporate server. It's easy to setup a server that no one is supposed to use, but the challenges (and weaknesses) come from the balance between security and usability.

Re:Wargame Servers

[KrispyKringle]

I don't know about that. You certainly have a point, but they did say they are working to develop more secure IDSs. Obviously, the best IDS won't tell you if your tech-support guys are morons who give out passwords, or if your CEO likes to download porn-dialers. But IDSs can, ideally, detect odd behavior on the network on hosts. So while their findings are definitely very limited, the application is just as limited, I think, and probably unaffected by the warped testing conditions.

Re:Wargame Servers

[ninthwave]

My problem with this is the time limits. When you do things like this you stake out the target. If they were truly interested in the cognitive side that information invovled in staking out the target is more valuable in the actual exploit. But a true stake out of the target would not fall within there time limits.

What about the DMCA?

[shadowxtc]

Isn't this a blatent violation of the DMCA?

IDS

[EinarH]

The Project guarantees complete anonymity for those that want to participate without pay,

How are they planning to monitor the servers with IDS without collecting IP's and MAC-addresses?

I wonder how far they are willing to go to protect a hacker that finds a rare vulnerability.

Re:IDS

[Frit+Mock]

Collect my IP an MAC address, you still won't find my identity!

I'm using old fashioned accoustic modem in a public telephne box, with an call-by-call provider.
Or, maybe I'am sitting in a car with a laptop and connect through an unsafely set up WLAN from "Joe Doe dentist".

You are obviously not a hacker, since you don't understand that IP and MAC-addresses are no trail to a hackers identity!
It is just too simple to disconnect your identity from the IP and MAC-addresses.

Unless you want to earn some money with that contest, a real man is safe.
And if you find a rare vulnerability and explain them this vulnerability, they are likley to kiss your ass, since they are buisnessman and can earn even more money with the hackers knowledge.

Dont trust this guy....

[watzinaneihm]

Dont let the "pstohtml"ish webpage con you. And dont let them convince you that they are not law enforcement.I'm sure they are in with Ashcroft.
Note the term Hacker in all the writeups, the incorrect use term the establishment uses to paint Linux hackers black ? Note the referral program ? Trust nobody!!
On a serious note, suppose somebody actually cracks their server, and they hold the information secret, will they be an accesory to crime ? Surely enough , just because nobody compained about a murder it does not become a non-crime. So with convictions for cracking being higher than manslaughter, what is to stop a third party from dragging everyone to court? Even if they dont cause any harm to these guys, they surely broke DMCA laws, by harming microsoft? No?

Mitnick Trick?

[dolo666]

This is a huge step compared to how society dealt with Kevin Mitnick. It used to be that they didn't care to know about vulnerabilities in systems, or that they would rather keep the vulnerabilities secret. Now John A. "Cobras" Klein of Corporate Technologies USA, Inc has some money to burn on people who crack, not to test systems, but to study devious minds. It's impressive, but what will this research be really used for?

I, for one, would be seriously surprised if anyone at Microsoft uses this to build a better system. I could see if this research was used for security outfits to track B&Es, but even that's a little loosey-goosey, IMHO.

This effort could be for the good, but crackers out there be warned that this could be a one stop ticket to FBI surveilance and eventual lockup. Come now, doesn't this remind you of the RIAA's amnesty offer?

Our research...

[DuranDuran]

We're doing research like this at the Ecommerce Research Group at the Australian National University. We're focusing on software piracy, trying to work out why people do it if they don't then sell their cracked software (and could be using their coding skills in the workforce).

Our biggest problem has been getting crackers to participate. Most are so skeptical and wary that they are reluctant to take the survey (which we designed specifically so respondents don't have to admit to doing anything illegal).

Our second biggest problem has been getting the people who have elected to participate to take it seriously. It seems many respondents just treat it as a joke.

It's an interesting problem.

These ppl are looking for someone to hire....

[floydman]

Here is a more detailed version:

1. We will contact you by e-mail within 72 hours to let you know that we have received your application. This is not an automated mailing, it is a real response from a human being.
2. We will review your application within one week of application and decide if we will invite you to participate. You will again be personally notified, this time by e-mail or telephone, of our decision.
3. If you are not chosen to participate, we will tell you why, and we will destroy all records of your application and our communications with you. The only information we will keep is a paper list of who applied and was rejected, and why.
4. If you are chosen to participate, you will be sent more info on the wargame research project.
5. You will need to prepare yourself by following the instructions, and schedule a time with us to complete your hack. We will send you all of our direct contact information so you can talk to us directly to answer any questions that you might have.
6. If you intend to use any Windows box(es) during your hack, you will need to download the free demo version of the CamTasia screen recorder program (15.4MB) from our FTP server [ anonymous login to ftp.hackerwargame.org ] or from the author's commercial website if you prefer. Install the program ahead of time, and play with it a bit to ensure that you know how to use it. It's very simple, and the defaults will work, but you can optimize your output and file size by turning off hardware acceleration and setting your desktop resolution to 800x600 at 16bpp color. We don't recommend recording at 24-bit or 32-bit color since this will result in very large files in the Gig range rather than a few MB.
7. If you intend to use any *nix box(es) during your hack, you will need to start off by running the command "script -a /log.txt" which will pipe everything from STDOUT and STDERR to a plain text file (adjust the logfile path to wherever you want). Hit CTRL+D when you are all done to close the logging. Check man script to learn more.
8. If you intend to use a Apple/Mac during your hacks, you're kind of on your own regarding how you're going to produce logs for us, but Snaps Pro X works well under OS-X, and a plain text file with a LOT of typing might work.
9. Prior to the hack, you will need to get your computer(s) ready for the hack. This includes downloading any tools you intend to use, checking your internet connectivity, and letting us know what IP address(es) you will be coming from. If you receive dynamic address(es) you can notify us of your address just before the actual hack time. To make it easier, you can also get a free account with a free dynamic IP tracking service like NO-IP.com (or any other that you prefer) which will give you a domain name that tracks your dynamic IP address, which we can use to set you up in our IP filter.
10. At your arranged date and time, you will need to synchronize all of your computer's times to our network so that we can match up logs. We will give you a webpage where you can do this easily, or you can use any standard NTP utility since our network is synchronized at Stratum 2 to the US Atomic Clock. You will then begin your hack by sending us an e-mail to a specific address telling us that you are starting. You will be notified of the wargame's IP address prior to your scheduled hack time.
11. During the hack, you will log which goal you are attempting to accomplish. This can be done quite simply by typing, for example:
10:21:42.15>echo SQL goal
SQL goal
10:21:42.15>
in a DOS box or on the *nix console. Note that your command prompt needs to show the time so we can synchronize our logs. On *nix this is done by setting PS1=$t> and on Windows boxes by typing prompt $T$G
It will also be helpful if you kept a notepad or plain text file open in which you can write notes, paste information that you have gathered, etc. The more loggi

where's the humanity!

[trianglecat]

Seriously... its been touched on but its a very important point. Users are the weakest link in any system. To ignore this element and the way cracker commonly exploit it, is to skew your research from the get go.

Buy now!

[Maradine]

Why, there's no telling who would fall for such a seductive sales pitch!

"Hackers, we'll give you $249.95 to display all of your best-kept secrets to our packet dumper so we can build it into our IDS product and nail your pasty white asses when you try it with our clients later! Buy now!"

Oh, crap. Was my sarcasm filter on?

Re:How do you guarantee anonymity?

[Karl+Cocknozzle]

I know someone who works for the FBI's "Computer Crime" section and honestly i find her intelligence lacking at the very most. She'd buy it.

My cousing works at the FBI and tried to recruit me for that. I was interested until I took the pre-qualification test wizard on their web-page. It asks three questions, the last of which was "Have you smoked marijuana more than three times in your life?"

So I was pretty much out. But frankly, that is the government's loss.

It's illegal if They say it's illegal

[brlancer]

Same goes for computer access. You are perfectly legal in hacking a system PROVIDED you have permission. If it belongs to you or if the rightful owner has gtiven you permisson, go nuts. It is only a crime when you do it without permission.

Tell that to Randal Schwartz. Because he did not obtain permission for each individual action, he was convicted of Computer Crime. You can email his perl bot for more info.

Beware people with benevolent intentions, as they usually become malevolent when they realize 1) you are smarter than they are, 2) they bought an insecure product, 3) they fear you. While this contest may be on the up and up, the information they are seeking is worth far more than $250 and could easily turn into criminal investigations whether they intend them to or not.

If someone can get my library records without my knowledge, sniffing some packets is child's play.

I thought the same

[phorm]

And immediately assumed it was the daily/weekly Verisign or SCO article. My mistake... though I suppose cracking might apply to an RIAA article instead.

Welcome to IRC

[MoreDruid]

I just think some ppl will open up an IRC channel where you can post your goals & your exploits/methods. easy way to make money... and it doesn't really help the study since everyone is using the same methods and such... of course you can only sign up once with your real address... but hey... inform your non-geek friends they will be getting 10% of the check if you can use their address & IP to bounce off. I'm a bit sceptic about how they'll react to such "abuse" of their system...