Slashdot Mirror
Get Paid To Crack?
John Klein writes "Corporate Technologies USA, Inc. is offering hackers $250US and up as part of the Hacker Wargame Research Project. Participants are given sufficient time to hack three primary goals on real Windows 2000 servers on an internet connected wargame network. The servers are updated with fairly current Windows patches, so this is not necessarily an easy task. The difficulty is part of the point. The Project is studying how hackers think, called cognitive research, in an effort to better understand how future IDSs might identify the target of an attack during it's early stages. The Project guarantees complete anonymity for those that want to participate without pay, or complete privacy protection to those that choose to get paid."
Will this one just get DOSed into oblivion too?
If they really want some competition, shouldn't they offer at least some TopCoder-scale money - for instance, how about $10k, but have tiered competitions, so that only the top 5 hackers are trying to get in? That would avoid the DoS issues.
stuff |
Wargames are interesting, maybe even fun, but they shouldn't be used for cognitive research. You simply can't replicate the environment of a real corporate network.
Where is the poor tech support agent that I call to inform of the "new authentication procedures"? Where are the client boxes sending out cleartext FTP passwords over a compromised proxy server?
Seriously, this isn't a great way to study "cracker patterns". Most crackers aren't creative enough to gain access to a box that lacks the common weaknesses of a corporate server. It's easy to setup a server that no one is supposed to use, but the challenges (and weaknesses) come from the balance between security and usability.
From the FAQ:
Q4: How do I know you aren't working for the man?
A: We're not, we promise.
Just do not try to hack it, or at least try not to succeed. That way M$ will think that their servers are safe and the REAL fun can begin.
Don't fight for your country, if your country does not fight for you.
Hacking is much like tresspassing in that you are only guilty if you don't have permission from the rightful owner. For example, if you pick my lock and break in my house, you are guilty of breaking and entering and tresspassing, and will go to jail if caught. However, if I lock my self out of my hose, you are a locksmith and you pick the lock to let me in, then I invite you in for a beer, you've comitted no crime since you did everything at my behest.
Same goes for computer access. You are perfectly legal in hacking a system PROVIDED you have permission. If it belongs to you or if the rightful owner has gtiven you permisson, go nuts. It is only a crime when you do it without permission.
Well, they are explicitly giving you permissoin to hack their boxes if you want to play their game. Thus, no problem. Given the publicised nature of this, even if they decided to try and perjur themselves later and claim you did it without permission, it would be easy to prove otherwise (then they'd go to jail for falesly accusing you of a crime).
And they think that this will reveal how hackers think.
So, what we end up with is a bunch of people getting paid a little bit of money to mess with statistics. How many are going to use obvious techniques, just to skew the results in a 'nobody thought of this so it must be safe from exploit' way?? How many are going to have a grand time hacking into their real system just for fun?
And for that matter, how many dumb wanna-bes are going to end up sharing their IP address with a company that might just duly record them, along with the name that they're writing the check out to, and hand it over to other investigators, saying, "Hey- these are the hackers who applied"?
I'm guessing that anyone who's willing to take the money but isn't up to a level where they can really accomplish anything is going to eventually get caught playing with someone else's network- i don't pay enough attention to hackers in the news, so i'm not up to speed on whether this constitutes admission of previous (potentially criminal) activity or not... but if the company has a list of people who registered to 'contribute,' to the effort, they could then give the list to anyone, right?
Somehow, the only way that this could look funnier to me is if they had to enter the system, install kazaalite, upload copyrighted music files to it, and make them available for download. At which point the RIAA would step in and prosecute, creating a net loss of approximately $14,750.00USD for the hacker.
Scenario two is the same, but they have to upload Gigli, and set it to play in a continuous loop until the machine explodes in a desperate move of self-preservation. (And the MPAA would be prosecuting.)
That is... if the hacker were dumb enough to give their real name and use their own (and static) IP address....
"I'd say 'Have a good time,' but arson is still illegal.
Here is a more detailed version:
/log.txt" which will pipe everything from STDOUT and STDERR to a plain text file (adjust the logfile path to wherever you want). Hit CTRL+D when you are all done to close the logging. Check man script to learn more.
1. We will contact you by e-mail within 72 hours to let you know that we have received your application. This is not an automated mailing, it is a real response from a human being.
2. We will review your application within one week of application and decide if we will invite you to participate. You will again be personally notified, this time by e-mail or telephone, of our decision.
3. If you are not chosen to participate, we will tell you why, and we will destroy all records of your application and our communications with you. The only information we will keep is a paper list of who applied and was rejected, and why.
4. If you are chosen to participate, you will be sent more info on the wargame research project.
5. You will need to prepare yourself by following the instructions, and schedule a time with us to complete your hack. We will send you all of our direct contact information so you can talk to us directly to answer any questions that you might have.
6. If you intend to use any Windows box(es) during your hack, you will need to download the free demo version of the CamTasia screen recorder program (15.4MB) from our FTP server [ anonymous login to ftp.hackerwargame.org ] or from the author's commercial website if you prefer. Install the program ahead of time, and play with it a bit to ensure that you know how to use it. It's very simple, and the defaults will work, but you can optimize your output and file size by turning off hardware acceleration and setting your desktop resolution to 800x600 at 16bpp color. We don't recommend recording at 24-bit or 32-bit color since this will result in very large files in the Gig range rather than a few MB.
7. If you intend to use any *nix box(es) during your hack, you will need to start off by running the command "script -a
8. If you intend to use a Apple/Mac during your hacks, you're kind of on your own regarding how you're going to produce logs for us, but Snaps Pro X works well under OS-X, and a plain text file with a LOT of typing might work.
9. Prior to the hack, you will need to get your computer(s) ready for the hack. This includes downloading any tools you intend to use, checking your internet connectivity, and letting us know what IP address(es) you will be coming from. If you receive dynamic address(es) you can notify us of your address just before the actual hack time. To make it easier, you can also get a free account with a free dynamic IP tracking service like NO-IP.com (or any other that you prefer) which will give you a domain name that tracks your dynamic IP address, which we can use to set you up in our IP filter.
10. At your arranged date and time, you will need to synchronize all of your computer's times to our network so that we can match up logs. We will give you a webpage where you can do this easily, or you can use any standard NTP utility since our network is synchronized at Stratum 2 to the US Atomic Clock. You will then begin your hack by sending us an e-mail to a specific address telling us that you are starting. You will be notified of the wargame's IP address prior to your scheduled hack time.
11. During the hack, you will log which goal you are attempting to accomplish. This can be done quite simply by typing, for example:
10:21:42.15>echo SQL goal
SQL goal
10:21:42.15>
in a DOS box or on the *nix console. Note that your command prompt needs to show the time so we can synchronize our logs. On *nix this is done by setting PS1=$t> and on Windows boxes by typing prompt $T$G
It will also be helpful if you kept a notepad or plain text file open in which you can write notes, paste information that you have gathered, etc. The more loggi
The lunatic is in my head
Interesting. Seeing as many security tripwire programs shut out an IP as soon as they get suspicious, I can't see how this would replicate a realistic programming environment. One of a cracker's most important tools is being able to attack from unexpected (spoofed or rerouted) IPs. To come from every direction, as it were.
This reminds me of a similar study on Unix use I was in, that studied how people navigate a directory tree in a Unix shell and find relevant files and information quickly. The catch? No pipes or multi-command lines. But pipes are how a knowledgeable Unix user does things - the system is built up around it. So basically, the artificial limitations of the study cripple the performance of the participants.
-3Suns
~~~~
The Revolution will be Slashdotted