Slashdot Mirror


Linux Server Break-in Challenge

Sujit writes "Are you an Internet security expert at heart or by profession? Ever thought of trying your skill at a professionally set up server? If you are ready, enter. The Linux Server Break-in challenge. You will have a server available on the Internet 96 hours without interruption starting from 9 March 2005 2 AM IST. However, the server's life on the Net is in your hands."

8 of 327 comments

  1. Selling some sort of hardened Linux, perhaps? by rfc1394 · Score: 4, Insightful

    It might be this company is selling some sort of very hardened Linux. If they are, this is exactly the right way to go about it. They are publicly inviting people to attack it, meaning that if there are any holes, someone is likely to find them. And anyone who hacks on the box can do so with impunity. And if they really can build a bulletproof box then they deserve the rewards they can get by selling one which, on an open and public basis, has taken the worst anyone could throw at it and survived.

    --
    The lessons of history teach us - if they teach us anything - that nobody learns the lessons that history teaches us.
    1. Re:Selling some sort of hardened Linux, perhaps? by sirket · Score: 4, Insightful

      has taken the worst anyone could throw at it and survived.

      Let me get this straight: 96 hours allows people to try "the worst anyone could throw at it?" In your wildest dreams perhaps. Furthermore how does this prove anything? Do you honestly think a real attacker would waste a 0-day exploit on such a lame contest? Why not wait until several banks have deployed this system and then make some money with such an attack :)

      The hack contests are silly. Any admin with half a brain can set up a secure system and the only way to root it would be 0-day that no self respecting hacker would waste on this system.

      If you are serious about security you pay for a full audit of the source code, professional penetration testing over a 2 week period, and you test for root exploits using a local account, on the assumption that somewhere down the line the system will be misconfigured and an attacker will gain non-root privileges.

      -sirket

    2. Re:Selling some sort of hardened Linux, perhaps? by ryanvm · Score: 4, Insightful

      The hack contests are silly. Any admin with half a brain can set up a secure system and the only way to root it would be 0-day that no self respecting hacker would waste on this system.
      The assumption you're making is that all "self-respecting hackers" are only interested in farming zombies or stealing data. Have you considered the possibility that there may be skilled people out there who would like to demonstrate their skills, but do so without breaking any laws?

      If you are serious about security you pay for a full audit of the source code, professional penetration testing over a 2 week period, and you test for root exploits using a local account

      Nice know-it-all answer. Unfortunately, that's more of a gameplan if you're serious about pissing money away. The reality is that the vast majority of Internet security companies consist of SATAN tied to a web frontend. And a "full audit of the source code"? Do you have any idea how expensive (and fruitless) that would be?

      I'm sorry, but what you've suggested is not a viable solution to most organizations that actually have to generate a profit. Furthermore, the simple fact that it all comes down to humans staring bleary eyed at thousands of lines of source code means that many bugs and exploits *will be missed*.

      The best security practice is to assume that your company's security systems will be compromised and to have plans in place to mitigate the damage.

  2. Re:Incentive? by AArnott · Score: 4, Insightful

    most people that are capable of doing this wouldn't want to. Agreed. Microsoft has pulled this stunt with their Windows servers repeatedly. Of course bringing either of these down would result in the hack being logged and eventually corrected. Hackers don't want to give up their secrets.

  3. Rules by 3770 · Score: 5, Insightful

    The rules say:

    You need to leave your mark at "/". It could be your email address, GPG public key or something else with which we can verify your identity.
    The root partition could be on a read only media such as a CD-ROM, right? In which case nobody could ever win.
    --
    The Internet is full. Go Away!!!
    1. Re:Rules by espo812 · Score: 5, Insightful

      Physical attacks are just as valid as network attacks. Now where did I put my Dell technician uniform...

      --

      espo

  4. Just a hacking challenge by northcat · Score: 4, Insightful

    So, this is just another hacking challenge. Like the hundreds of others out there (many/most of which are on Linux). What qualifies this to make it to slashdot?

  5. This contest makes no sense. by pclminion · Score: 5, Insightful

    And neither do any contests of this sort. Break it down by the types of people who might enter the contest:

    1. White hats. Why would they do it? If they're any good, it'll just be a waste of time, and you can always set up your own server to practice with. There's not even any prize!

    2. Black hats (I mean real ones, not script kiddies). They wouldn't bother either. Why expose the contents of your secret toolbox for no good reason? Any hack attempts (and successes) will be fully logged, revealing your secret exploits. That's no good, is it?

    3. Script kiddies. Maybe they'll try, but they won't get in, unless the server is embarrassingly badly configured. If they do manage to crack it, what does that prove? That it's possible to set up a Linux box with terrible security if you happen to be incompetent?

    I'm having a hard time figuring out exactly WHAT this contest is for. The only thing I can imagine (which a few other people have mentioned in this discussion) is that it's meant to enhance the image of Linux as a secure platform. So what -- so you've shown that if you do a good job configuring your box, you can keep out script kiddies. To put it bluntly, no shit.