Linux Server Break-in Challenge

Sujit writes "Are you an Internet security expert at heart or by profession? Ever thought of trying your skill at a professionally set up server? If you are ready, enter. The Linux Server Break-in challenge. You will have a server available on the Internet 96 hours without interruption starting from 9 March 2005 2 AM IST. However, the server's life on the Net is in your hands."

Isn't this illegal?

[harris+s+newman]

Even if it's with the system owner's permission, wouldn't this be considered illegal and prosecutable?

Re:Isn't this illegal?

Its just like corporations hiring security experts to attack their systems in order to find flaws (and strengthen their defenses)
----
Except there is no signed legal agreement in this case. The hired whitehat hacker is indemnified in writing against any legal action by the corporation who hires him.

Not the case with an open challenge. While it would be hard to prosecute if someone made a public announcement to "come hack my server", whether you would go to jail would depend on the cost of your legal team, local law, and the depth of your pockets, pretty much like any court case. The golden rule applies.

No thank you, not without a written, signed, and verified-by-a-bonafied-attorney contract/agreement.

This costs me money. Again, no thank you. The incentive simply isn't there.

Add to that that nowhere on this page does it say "We give you permission to comprimise our server and stop the network service". They describe the criteria for a successful breakin, but nowhere do they actually grant any permission to do anything.

You would be on shaky legal ground if they decided to come after you, whether for sport or to sue you for money.

L8,
AC

Selling some sort of hardened Linux, perhaps?

[rfc1394]

It might be this company is selling some sort of very hardened Linux. If they are, this is exactly the right way to go about it. They are publicly inviiting people to attack it, meaning that if there are any holes, someone is likely to find them. And anyone who hacks on the box can do so with impunity. And if they really can build a bulletproof box then they deserve the rewards they can get by selling one which, on an open and public basis, has taken the worst anyone could throw at it and survived.

Re:Selling some sort of hardened Linux, perhaps?

[sirket]

has taken the worst anyone could throw at it and survived.

Let me get this straight- 96 hours allows people to try "the worst anyone could throw at it?" In your wildest dreams perhaps. Furthermore how does this prove anything? Do you honestly think a real attacker would waste a 0-day exploit on such a lame contest? Why not wait until several banks have deployed this system and then make some money with such an attack :)

The hack contests are silly. Any admin with half a brain can set up a secure system and the only way to root it would be 0-day that no self respecting hacker would waste on this system.

If you are serious about security you pay for a full audit of the source code, professional penetration testing over a 2 week period, and you test for root exploits using a local account- on the assumption that somewhere down the line the system will be misconfigured and an attacker will gain non-root privileges.

-sirket

Re:Selling some sort of hardened Linux, perhaps?

[ryanvm]

The hack contests are silly. Any admin with half a brain can set up a secure system and the only way to root it would be 0-day that no self respecting hacker would waste on this system.


The assumption you're making is that all "self-respecting hackers" are only interested in farming zombies or stealing data. Have you considered the possibility that there may be skilled people out there who would like to demonstrate their skills, but do so without breaking any laws?

If you are serious about security you pay for a full audit of the source code, professional penetration testing over a 2 week period, and you test for root exploits using a local account

Nice know-it-all answer. Unfortunately, that's more of a gameplan if you're serious about pissing money away. The reality is that the vast majority of Internet security companies consist of SATAN tied to a web frontend. And a "full audit of the source code"? Do you have any idea how expensive (and fruitless) that would be?

I'm sorry, but what you've suggested is not a viable solution to most organizations that actually have to generate a profit. Furthermore, the simple fact that it all comes down to humans staring bleary eyed at thousands of lines of source code means that many bugs and exploits *will be missed*.

The best security practice is to assume that your company's security systems will be compromised and to have plans in place to mitigate the damage.

Re:Selling some sort of hardened Linux, perhaps?

"In the not too distant future they will be able to formally prove the correctness of a system."
- Have they solved the halting problem then?

Re:Selling some sort of hardened Linux, perhaps?

[HiThere]

If you can represent it as a first order predicate logic, then you are correct. If it's a full second order predicate logic, then you are wrong.

Most large programs are stronger than a simple first order predicate logic, though often with sufficient constraints that you can, indeed, prove them correct (or at least it hasn't been shown that you can't), but there are a large number of programs for which this isn't true. Perhaps more recent work has extended somewhat the domain of provable programs, but there's bound to be a very large number that aren't covered.

Note that proving correctness is "even harder" than the halting problem. You've not only got to show that it always comes to an answer, you've also got to show that the answer that it comes to is the correct answer.

Every specification language that I've looked at for specifying that the answer was correct was too complicated to know that it was, itself, correct. The best answers I've seen so far have been unit testing and Eiffel's "Design by Contract". Both of these tend to be sloppily done, but both could, in principle, provide a large measure of security...note that I'm not claiming proof!!..that the correct results are being produced.

OTOH, I'm certainly not in contact with anyone working on a automated code tester...but I doubt that such a person would claim that their work was a "proof of correctness" of arbitrary code. Possibly of some restricted subset, analogous to the Ada subset SPARK which restricts Ada to using a subset of features which results in programs that can be proven correct. Such would be much harder in C, but I can't see any reason why it would be impossible in principle. (I may have slightly misunderstood Ada SPARK, as I've never used it...but that's my understanding. It's usually referred to as a "High Integrity Subset", but I think that's from a book title.)

break-in challenges

These break-in challenges (for any OS) were interesting the first 50,000 times they were issued, but they're getting old now.

Re:Incentive?

[AArnott]

most people that are capable of doing this wouldn't want to. Agreed. Microsoft has pulled this stunt with their Windows servers repeatedly. Of course bringing either of these down would result in the hack being logged and eventually corrected. Hackers don't want to give up their secrets.

Rules

[3770]

The rules say:

You need to leave your mark at ``/''. It could be your email address, GPG public key or something else with which we can verify your identity.

The root partition could be on a read only media such as a CD-ROM, right? In which case nobody could ever win.

Re:Rules

[espo812]

Physical attacks are just as valid as network attacks. Now where did I put my Dell technician uniform...

Just a hacking challenge

[northcat]

So, this is just another hacking challenge. Like the hundreds of others out there (many/most of which are on Linux). What qualifies this to make it to slashdot?

Re:Just a hacking challenge

[tech_guru5182]

What would make a great challenge is to create a system and make a shell account public via telnet or ssh, to simulate an employee's account being obtained via social engineering, then having it tested. The system should have a typical set of programs runing that would be found on a production system. This would make for a great test of the system. You must remember taht at an orginization of any reasonable size there will be at least one or two accounts that can be accessed via social engineering the appropriate luser.

Reminds me of Red Hat EL

[svin]

First time they did something similar, they appearently got hacked in 45 seconds

But as the old slashdot article also states the 2nd generation was able to stay afloat.

Seems like a great way to learn how to secure a system though - let the best hackers/crackers out there have a go, and learn what went wrong.

give away valuable skills

[slartibart]

Apparently, linuxense is saying, "Hey we don't have enough resources to test our OS's security. Let's stroke the egos of the hacker community and maybe we can trick them into working for us, for free. Free labor, woohoo!"

They know damn well that the expertise they're looking for is very valuable, and yet they're not even offering a token prize. Pathetic.

I hope they don't even get a single packet. "Hey everyone! Try to break into our server! It'll be FUN!!!" "...."

Re:give away valuable skills

[vasqzr]

Apparently, linuxense is saying, "Hey we don't have enough resources to test our OS's security. Let's stroke the egos of the hacker community and maybe we can trick them into working for us, for free. Free labor, woohoo!"

I disagree. How is this different than releasing a beta test to the Internet?

As far as not having enough resources...having someone OTHER than the people who developed the system test it only makes sense.

You got it!

[Blitzenn]

It is specifically intended that the contest not attract those who are capable of breaking the server. All they want is some feeble attempts so that they can finish and say that they have the most secure distro out there, because nobody could break in when the posted the distro on a public server and invited attacks.

I have to agree that this is a lame ploy at getting publicity. Hopefully others can see through it too.

Why bother

[FyberOptic]

These kinds of things never work. I've seen many of them pop up over the years, from Windows boxes to Macs to Linux, and they all fail. The reasons of course, are:

a.) So many people will be trying, that the bandwidth available to do anything with the machine at all will be practically zero.

b.) Some "hax0r" will decide to just packet the machine to death, thereby making it impossible to even do anything to.

c.) The software will be up to date, limiting any vulnerabilities that can be taken advantage of, compared to your average server out there.

d.) The time limit to do it is never long enough, especially because of the above problems.

I've seen contests where they even turn on a firewall. Obviously whoever was in charge of those had no idea how anything works. Once that firewall goes up, there's not much of anything that can be done to the system solely from a remote position. It was even a default Windows install on the particular one I'm thinking of, and despite the vulnerabilities in a bare Windows XP install, nobody was ever able to do anything to it.

I know the Linux machine in this contest is said to have no firewall, but like I said, the software will be mostly up to date. Most servers that are broken into are done so because they're running older versions of things with known vulnerabilities. Many of these machines are also on the web, running vulnerable versions of PHP and forums and whatnot, which allow one to take advantage of flaws from there, not necessarily via direct TCP connections.

So while it's entirely possible to break into this particular Linux machine, I just don't think many "real hackers" will bother, for the reasons I mentioned above. It's fun to have challenges and all, but they're just not realistically implemented.

Re:Incentive?

[andrew_0812]

that is what will happen here as well. Screensavers hosted a hackers challenge a while back too. Before they were corrupted by G4. I can't remember for sure, but I think they had a windows default install, and a mac default install. or maybe linux. Anyway, the challenge was crap because the script kiddies started DDoSsing it as soon as they released the IP. You can't get a good public challenge like this just because of that.

This contest makes no sense.

[pclminion]

And neither do any contests of this sort. Break it down by the types of people who might enter the contest:

1. White hats. Why would they do it? If they're any good, it'll just be a waste of time, and you can always set up your own server to practice with. There's not even any prize!

2. Black hats (I mean real ones, not script kiddies). They wouldn't bother either. Why expose the contents of your secret toolbox for no good reason? Any hack attempts (and successes) will be fully logged, revealing your secret exploits. That's no good, is it?

3. Script kiddies. Maybe they'll try, but they won't get in, unless the server is embarrassingly badly configured. If they do manage to crack it, what does that prove? That it's possible to set up a Linux box with terrible security if you happen to be incompetent?

I'm having a hard time figuring out exactly WHAT this contest is for. The only thing I can imagine (which a few other people have mentioned in this discussion) is that it's meant to enhance the image of Linux as a secure platform. So what -- so you've shown that if you do a good job configuring your box, you can keep out script kiddies. To put it bluntly, no shit.

Re:Incentive?

[Dan+Ost]

Has anyone thought of doing this just to identify IPs of compromised machines
that are used in DDoS attacks? Generating a list of IPs and alerting ISPs
might go a long way of reducing the amount of zombie machines out there.

Just a (possibly naive) thought.