Slashdot Mirror


Linux Server Break-in Challenge

Sujit writes "Are you an Internet security expert at heart or by profession? Ever thought of trying your skill at a professionally set up server? If you are ready, enter. The Linux Server Break-in challenge. You will have a server available on the Internet 96 hours without interruption starting from 9 March 2005 2 AM IST. However, the server's life on the Net is in your hands."

25 of 327 comments

  1. Alternately, . . . by Maradine · · Score: 4, Funny

    Post the IP address here. That'll compromise it.

    --

    trustedworlds.net - gaming, security, and the gunk that lives in between

    1. Re:Alternately, . . . by justforaday · · Score: 5, Funny

      It's 192.168.0.103. Let the hacking begin!

      w00t!!! I got in! They used the same root password as I use on my box...What do I win???

      --
      I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
    2. Re:Alternately, . . . by Council · · Score: 4, Funny

      Use the credit card numbers hidden on the box to buy absolutely anything you want.

      --
      xkcd.com - a webcomic of mathematics, love, and language.
    3. Re:Alternately, . . . by theVP · · Score: 5, Funny

      I can see it now. A Linux geek in front of his computer, putting his pokemon hat on, and getting his pokemon cards ready for battle. Then, with much hesitation, he makes his decision. As he types in the server's IP address on Slashdot, he cries out, "Slashdot Effect, I choose YOU!!!"

      --
      "No one is more miserable than the person who wills everything and can do nothing." -Emperor Claudius 10 BC - AD 54
  2. Challenge accepted! by c0l0 · · Score: 4, Funny

    Now I'll just have to find that Sub7-thingie for Linux somewhere on the net...

    --
    :%s/Open Source/Free Software/g

    YTARY!
  3. Selling some sort of hardened Linux, perhaps? by rfc1394 · · Score: 4, Insightful

    It might be this company is selling some sort of very hardened Linux. If they are, this is exactly the right way to go about it. They are publicly inviting people to attack it, meaning that if there are any holes, someone is likely to find them. And anyone who hacks on the box can do so with impunity. And if they really can build a bulletproof box then they deserve the rewards they can get by selling one which, on an open and public basis, has taken the worst anyone could throw at it and survived.

    --
    The lessons of history teach us - if they teach us anything - that nobody learns the lessons that history teaches us.
    1. Re:Selling some sort of hardened Linux, perhaps? by sirket · · Score: 4, Insightful

      has taken the worst anyone could throw at it and survived.

      Let me get this straight: 96 hours allows people to try "the worst anyone could throw at it?" In your wildest dreams perhaps. Furthermore how does this prove anything? Do you honestly think a real attacker would waste a 0-day exploit on such a lame contest? Why not wait until several banks have deployed this system and then make some money with such an attack :)

      The hack contests are silly. Any admin with half a brain can set up a secure system and the only way to root it would be 0-day that no self respecting hacker would waste on this system.

      If you are serious about security you pay for a full audit of the source code, professional penetration testing over a 2 week period, and you test for root exploits using a local account, on the assumption that somewhere down the line the system will be misconfigured and an attacker will gain non-root privileges.

      -sirket

    2. Re:Selling some sort of hardened Linux, perhaps? by ryanvm · · Score: 4, Insightful

      The hack contests are silly. Any admin with half a brain can set up a secure system and the only way to root it would be 0-day that no self respecting hacker would waste on this system.

      The assumption you're making is that all "self-respecting hackers" are only interested in farming zombies or stealing data. Have you considered the possibility that there may be skilled people out there who would like to demonstrate their skills, but do so without breaking any laws?

      If you are serious about security you pay for a full audit of the source code, professional penetration testing over a 2 week period, and you test for root exploits using a local account

      Nice know-it-all answer. Unfortunately, that's more of a game plan if you're serious about pissing money away. The reality is that the vast majority of Internet security companies consist of SATAN tied to a web frontend. And a "full audit of the source code"? Do you have any idea how expensive (and fruitless) that would be?

      I'm sorry, but what you've suggested is not a viable solution to most organizations that actually have to generate a profit. Furthermore, the simple fact that it all comes down to humans staring bleary-eyed at thousands of lines of source code means that many bugs and exploits *will be missed*.

      The best security practice is to assume that your company's security systems will be compromised and to have plans in place to mitigate the damage.

  4. While I'm sure they're legit... by Xaroth · · Score: 4, Interesting

    ...this seems like it'd be a great way to try to take down your friend's (or enemy's) computer.

    "Oh, we're putting up a box for the hacking at such and such time. We swear it's ours. No, really! Trust us. "

    Few would be the wiser until it was too late.

  5. FTA by mr_z_beeblebrox · · Score: 4, Funny

    I thought it was a nice touch that they give directions on how to stop network services for someone who gets root. Most people who root Linux boxes have trouble with those advanced administrative functions.

  6. Re:Incentive? by AArnott · · Score: 4, Insightful

    most people that are capable of doing this wouldn't want to.

    Agreed. Microsoft has pulled this stunt with their Windows servers repeatedly. Of course bringing either of these down would result in the hack being logged and eventually corrected. Hackers don't want to give up their secrets.

  7. Rules by 3770 · · Score: 5, Insightful

    The rules say:

    You need to leave your mark at "/". It could be your email address, GPG public key or something else with which we can verify your identity.

    The root partition could be on a read only media such as a CD-ROM, right? In which case nobody could ever win.

    --
    The Internet is full. Go Away!!!
    1. Re:Rules by espo812 · · Score: 5, Insightful

      Physical attacks are just as valid as network attacks. Now where did I put my Dell technician uniform...

      --

      espo
  8. vanilla by jest3r · · Score: 5, Interesting

    I would like to see a challenge like this with vanilla installs of the top 10 Linux distros.

    As Linux gets closer to mainstream more and more people are installing without tweaks or recompiles. How well does Linux stand up without the expertise of a professional?

  9. Uh, ok. by bigtallmofo · · Score: 4, Interesting

    Break into a Linux server that has no services running presumably with some heretofore-unannounced buffer overflow in Linux's implementation of the ICMP protocol, all the while having every single packet sent to the system sniffed so that the sponsors of the challenge can know exactly how you did it.

    Such a feat and sharing of knowledge should be worth about $1,000,000. I'm sure they'll get a lot of contenders with their offer of $0.

    --
    I'm a big tall mofo.
    1. Re:Uh, ok. by bill_mcgonigle · · Score: 5, Informative

      See also Bruce Schneier's The Fallacy of Cracking Contests.

      Now there's probably a Marketing Department that put them up to it, and some PHB's may be impressed, but it sure announces to the security community, "Hey, we have no idea how to think about security - buy our stuff!"

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  10. Just a hacking challenge by northcat · · Score: 4, Insightful

    So, this is just another hacking challenge. Like the hundreds of others out there (many/most of which are on Linux). What qualifies this to make it to slashdot?

  11. Re:Isn't this illegal? by LordEd · · Score: 5, Informative

    Hacking isn't illegal. Hacking without permission is illegal. The distinction is unauthorized access. The owner of the box is giving free license to everyone to attack it.

    It's just like corporations hiring security experts to attack their systems in order to find flaws (and strengthen their defenses).

  12. Social Engineering by Inkieminstrel · · Score: 5, Funny

    Dear Admin,

    I am currently working on a project sponsored by you in which I need to break into your computer. In order to do this, I will need the root password. Also, my SSH signature is attached to this message. Please add me to the list of valid signatures.

    Thank you,
    Inkieminstrel
    Social Engineer

  13. Re:very handy. *cough* by Council · · Score: 5, Informative

    The Fallacy of Cracking Contests (Bruce Schneier)

    Contests are a terrible way to demonstrate security. A product/system/protocol/algorithm that has survived a contest unbroken is not obviously more trustworthy than one that has not been the subject of a contest. The best products/systems/protocols/algorithms available today have not been the subjects of any contests, and probably never will be. Contests generally don't produce useful data. There are three basic reasons why this is so.
    [see link for explanations]

    --
    xkcd.com - a webcomic of mathematics, love, and language.
  14. Take the easy way out by tsmithnj · · Score: 5, Funny

    All the posts thus far are technical in nature. The easiest way into that machine is through the front door. Find the server, grab it, and run. If these guys are stupid enough to allow you to break into their property, take them up on the challenge. After all, they did lay down the challenge.....

  15. That's not what I heard... by jhigh · · Score: 5, Funny

    I was told that it's 127.0.0.1. Took me about five seconds to hack in. Morons didn't even have a firewall...

    --
    Social Engineering Expert: Because there is no patch for stupidity.
  16. Re:Isn't this illegal? by rfc1394 · · Score: 4, Informative

    Even if it's with the system owner's permission, wouldn't this be considered illegal and prosecutable?

    No. While I am not a lawyer, the statutes on computer trespass are clear that access without permission and beyond one's authorization are illegal. If the access is within one's authorization or the owner grants permission for access, it is not illegal.

    Permission can be implied. Anyone who puts up a website gives implied permission to access it (since the whole idea of posting a website is to get people to access it, presumably either to give them information - or get information from them - or to sell them something (or buy something from them).) If that were not the case, every person who accessed a website could be charged with the crime of computer trespass since they were not explicitly given permission to access that computer!

    If you go to a car dealer, ask to take a test drive, some will simply photocopy your license and hand you the keys, and it's reasonable you can borrow it for 5 minutes or so to drive around the block. (Some will send a salesperson along for the ride; depends on the dealer and the probability of theft.) But if you walked in, took the keys and did the same thing, they could prosecute you for grand theft auto.

    Where the owner has publicly given permission and in fact, has encouraged people to access the system as root, this would constitute explicit permission and thus no crime could occur for hacking their box.

    Paul Robinson

    --
    The lessons of history teach us - if they teach us anything - that nobody learns the lessons that history teaches us.
  17. Re:Social Engineering by hawk · · Score: 4, Funny

    From service@linuxsense.com Fri Feb 25 22:51:32 2005
    From: "linuxsense"
    To: root@linuxsense.com
    Subject: linuxsense Account Security Measures

    Dear linuxsense root,
    Your account has been randomly flagged in our system as a part of our routine security measures. This
    is a must to ensure that only you have access and use of your linuxsense
    account and to ensure a safe linuxsense experience. We require all flagged
    accounts to verify their information on file with us. To verify your
    Information at this time, please visit our secure server webform by
    clicking the hyperlink below [...]

  18. This contest makes no sense. by pclminion · · Score: 5, Insightful

    And neither do any contests of this sort. Break it down by the types of people who might enter the contest:

    1. White hats. Why would they do it? If they're any good, it'll just be a waste of time, and you can always set up your own server to practice with. There's not even any prize!

    2. Black hats (I mean real ones, not script kiddies). They wouldn't bother either. Why expose the contents of your secret toolbox for no good reason? Any hack attempts (and successes) will be fully logged, revealing your secret exploits. That's no good, is it?

    3. Script kiddies. Maybe they'll try, but they won't get in, unless the server is embarrassingly badly configured. If they do manage to crack it, what does that prove? That it's possible to set up a Linux box with terrible security if you happen to be incompetent?

    I'm having a hard time figuring out exactly WHAT this contest is for. The only thing I can imagine (which a few other people have mentioned in this discussion) is that it's meant to enhance the image of Linux as a secure platform. So what -- so you've shown that if you do a good job configuring your box, you can keep out script kiddies. To put it bluntly, no shit.