Slashdot Mirror


Network Computing Editor Wins RSA Hacking Contest

richkarpi writes "Network Computing's security editor won the recent RSA Interactive Testing Challenge. He has up a blow-by-blow description of the events at their site: 'The most important factor in the contest besides basic web exploitation skills (cross site scripting (XSS), SQL injection, cross site request forgeries (CSRF), etc.) was speed ... I squeaked out a win in the tie-breaking challenge the first day with only a few seconds to spare as my opponent was right behind in the hunt to combine three injectable fields into one long javascript function.'"

15 of 65 comments

  1. Meh by DavidHOzAu · · Score: 5, Funny

    A real hacker would've cracked open the server the day before and gotten the answers before entering the competition.

    1. Re:Meh by Anonymous Coward · · Score: 1, Funny

      I guess the biggest challenge is trying to keep the 'cheats' out :S

    2. Re:Meh by CrazyJim1 · · Score: 4, Funny

      A real hacker wouldn't have participated, but let's not get into a "definition of hacker" debate..

      You're right because real hackers are banned from the internet. You're not a real hacker til you get charged as one.

    3. Re:Meh by Spikeles · · Score: 4, Funny

      A real hacker would've cracked open the server the day before and gotten the answers before entering the competition.
      So James T Kirk is the ultimate hacker? He not only cracked the server, he modified the challenge so he would win!
      --
      I don't need to test my programs.. I have an error correcting modem.
  2. Knock on door from Homeland Security in 3..2..1 by Linker3000 · · Score: 1, Funny

    Elite Hackorz just keep quiet about these kind of things!

    --
    AT&ROFLMAO
  3. Time victory = valid? by glittalogik · · Score: 5, Funny

    Because typing speed is everything when you and your buddies are hacking the Gibson via a payphone.

    1. Re:Time victory = valid? by MarkRose · · Score: 4, Funny

      Fool! Real hackers sing baud straight into the mouth piece, bypassing the keyboard entirely.

      --
      Be relentless!
  4. Re:Wonder what the expense report looks like by Gazzonyx · · Score: 3, Funny
    • New keyboard - $23
    • Visine - $5
    • XSS'ing a site seconds before competitor - Priceless.
    --
    If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.

  5. 1m a 1337 h4x0r!!!!!1 by Anonymous Coward · · Score: 4, Funny

    I know this to be true because my friend in junior high said I am. Also I have this CD with Linux on it which when I put it in the CDROM drive and start one of the school's Dells it tells me how to reset the admin password and then I have r007!!!!!1 OMG p0n13zzzz!!!!111

    1. Re:1m a 1337 h4x0r!!!!!1 by Korin43 · · Score: 4, Funny

      If only you could rate posts +1 1337z0rz..

  6. That's Nothing by Anonymous Coward · · Score: 2, Funny

    The most important factor in the contest besides basic web exploitation skills (cross site scripting (XSS), SQL injection, cross site request forgeries (CSRF), etc.) was speed ... I squeaked out a win in the tie-breaking challenge the first day with only a few seconds to spare as my opponent was right behind in the hunt to combine three injectable fields into one long javascript function.
    That's nothing.

    This one time, I was hacking this really locked-up-the-wazoo Gibson. I'd set up a couple of IDS/IPS evasion bots, perimeter scanning came up clean. Small SQL injection issue merged with XSS showed that the backend database may have been either 768-bit encrypted or a simple 3DES matter, but I was running low on time and didn't get to check. Once the tables were writable to sa, I was able to jump in and jump out with no problem. One of their systems caught an early sniff, but was shut down with a smurf. Everything was PERFECT until their night noc ran a reverse udp traceroute back to one of the hosts I had set up after that, straight DOWNHILL. I got called twice by my isp asking about unusual activity, some other shit about access attempts to a federally monitored system, and they had everything in logs including the Schneier-level, rot-26 I thought would hide me. Fortunately I managed to find a reverse-folding routepath on their IIS Apache and I got out just in time while erasing the incriminating forum posts.

    Posted anonymously for obvious reasons.
  7. Re:Wonder what the expense report looks like by numatrix · · Score: 4, Funny

    You forgot the most important line item of all: mountain dew!

    And yes, I was drinking dew for the finals:

    http://www.rsaconference.com/2007/US/press/photos/feb8/images/2007-02-08_12-41-10.jpg (hiding behind the monitor)

  8. Yeah, sure.... by d474 · · Score: 5, Funny

    "He has up a blow-by-blow description of the events at their site..."
    Ha Ha...I'm not falling for that one. One minute you're innocently reading a post on Slashdot about some 1337 web hacker asking you to check out his website, the next minute he's robbing your grandma's bank account...

    Mitnick warned me about hacker tricks like that... I for one am not going to RTFA!
    --
    Authority questions you. Return the favor.
  9. Contest Requirements? by Ereshkegal · · Score: 2, Funny

    Hacking Contest Eh? 14 year old Finnish kids armed with Generalized Quadratic Sieves need not apply?

  10. Yeah, but how would he do against Chloe Sullivan? by mykepredko · · Score: 2, Funny

    This is half in jest, half wondering if any "pros" (i.e. NSA types) were in the competition? They definitely weren't listed in TFA and I wonder if they'd be allowed to compete.

    Of course, their cover could be working for the Mormons...

    myke