Denial of Service bounty hunters
lightPhoenix writes "Get this, John Carmack, god of id & Quake 3 Arena, is offering a bounty for exposure of game server exploits. Check it out." It's down the page a bit, but it's there. That's a cool idea.
It's fine to offer a 'bounty' like this, but I'd really like to see it hit the open market. Something like people who know of an exploit putting the info on ebay for open bidding. I'm sure there are people out there who'd pay more than Carmack, just for the fun of the hack.
It's kinda like back when Netscape was offering a cheesy free t-shirt to people who found bugs in the code. I mean, it's gotta be worth more than a t-shirt. Some private entity should have outbid them, because that sort of info is worth a LOT more than a t-shirt to the right interests.
Then again, the government has floors full of people at the NSA pounding away at anything and everything to find useful exploits to use in spying. So many more exploits are known by them than will ever be revealed.
That's the dumbest idea I ever heard of.. think about it.
Would you appreciate it if I found the keys to your car and sold them on eBay? I'm sure there are people out there who'd pay more than you.
Carmack is offering a small finders fee, just like you would for your car keys.
Doesn't quake use UDP?
Stands to reason that you wouldn't be able to connect to it via TCP then...
/AE
The default ports are:
Quake: 26000
QuakeWorld: 27500
Quake2: 27800(?)
Quake3: 27960
-Yarn - Rio Karma: Excellent
There is a Perl module that can do this; I just forget its name, check CPAN. I had made a small program that would send out packets, for a sniffer program I was working on. The trouble I ran into was that since the kernel wasn't aware of these packets, it kept sending back reset packets. So I could send out one or two before the other server caught them and ignored everything else...
Donald Knuth has been paying people to find bugs in his software and books for a long time now. As the software matures and most bugs are fixed, the bounty goes up! Economics in action.
10^6 = million
10^9 = billion
10^12 = trillion
10^15 = quadrillion
10^18 = quintillion
10^21 = sextillion
10^24 = septillion
Assuming you're American. Elsewhere, YMMV.
Well, if it was to accomplish anything useful, they'd pretty much have to open their code... it's hard to fix bugs in software you don't have the source for.
If you meant "find", rather than "fix"... I'm still not sure it would accomplish much of anything. I mean, there are enough MS users out there that someone has got to be reporting the bugs... They _have_ to know about them. They just aren't fixing them.
As Bill Gates said, there are no significant bugs in Microsoft's software. Everyone's just using it wrong...
(Methinks someone's in denial...)
I don't remember any DOS attacks against Quake 1 servers. Was it just a bitchin' protocol? Or was the net a kinder, gentler place then? Quake 2 did get hard though.
:)
It's kind of sad to see that there is even a need for this kind of bounty. I mean, what kind of loser takes down a game server? It's not like you're gonna get root and be l88T. You're just gonna cause inconvenience to people trying to have fun, and to a company that has a pretty shining record of being all-around good guys.
(although I bet if Romero finds a good one he's not going to send it in...)
Screw everyone hiding their flaws and prosecuting those who try to help them by showing where their software is wrong! Carmack has the EXACT RIGHT idea on how you go about making something safe and secure.
First you do your best to make sure there is nothing obvious or dumb. Then you basically offer a prize (money, recognition, hardware, etc.) to those who show you where your weaknesses are!
Bravo! I wish more people took after this methodology. Encourage, don't discourage the young minds!
I think it's a "Grillion."
This makes sense. If you push data at his port all day long, there's not so much he can do about it.
Heh. I suppose now would be an interesting time for me to bring up a Request For Software. I'd like something that does the opposite of tcpdump, i.e. given input of packets, say, FROM tcpdump, shove them onto the wire. There are a *large* number of *non*-hacking applications out there for something like this, mainly because the datastream can be tampered with using standard tools before it's piped back onto the wire. Of course, the key thing is against the servers, we can play lots of "here are a bunch of 'almost correct' packets--have fun!" games.
Think you can code this? Email me. I'll tell ya what other *major* functionality a tool like this would bring.
Yours Truly,
Dan Kaminsky
DoxPara Research
Once you pull the pin, Mr. Grenade is no longer your friend.
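The tool asked for above (take a tcpdump capture, possibly edited, and push the packets back onto the wire) starts with reading the libpcap savefile format. Here is an added C example, not Kaminsky's tool and not code from this thread or from id: it walks a pcap savefile held in memory with every length checked against the buffer, so a truncated or hand-edited capture cannot push the reader past the end, and hands each packet to a callback where a replayer would do its sendto() on a raw socket (that send step, which needs root and a link-layer socket, is left to the caller). The sample capture bytes are constructed for the demo; the first payload is the four 0xff bytes Quake-family servers treat as a connectionless packet, which is the kind of "almost correct" packet the post has in mind. The function and variable names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Callback invoked once per captured packet; return non-zero to abort the walk.
   A replay tool would sendto() the bytes here; the demo callback only counts. */
typedef int (*pkt_cb)(const uint8_t *pkt, uint32_t len, void *ctx);

/* Read a 32-bit field, byte-swapping when the capture was written by a host
   of the opposite endianness (detected from the magic number). */
static uint32_t rd32(const uint8_t *p, int swap)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);
    if (!swap)
        return v;
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}

/* Walk a libpcap savefile held in memory (24-byte global header, then a
   16-byte record header followed by incl_len bytes of packet data, repeated).
   Returns the number of records, or -1 if the buffer is not a well-formed
   capture: every length is checked against what remains, so a truncated or
   hostile file cannot make the reader run off the end. */
int pcap_walk(const uint8_t *buf, size_t len, pkt_cb cb, void *ctx)
{
    uint32_t magic;
    int swap;

    if (len < 24)
        return -1;
    memcpy(&magic, buf, sizeof magic);
    if (magic == 0xa1b2c3d4u)
        swap = 0;                   /* written in our byte order */
    else if (magic == 0xd4c3b2a1u)
        swap = 1;                   /* written in the opposite byte order */
    else
        return -1;                  /* not a classic pcap file */

    uint32_t snaplen = rd32(buf + 16, swap);
    size_t off = 24;
    int count = 0;

    while (off < len) {
        if (len - off < 16)
            return -1;              /* record header runs off the end */
        uint32_t incl_len = rd32(buf + off + 8, swap);
        if (incl_len > snaplen || incl_len > len - off - 16)
            return -1;              /* record claims more data than exists */
        if (cb && cb(buf + off + 16, incl_len, ctx) != 0)
            return -1;
        off += 16 + incl_len;
        count++;
    }
    return count;
}

/* Constructed sample (not a real capture): little-endian pcap header with
   snaplen 65535 and Ethernet link type, followed by two short records.
   The first payload is four 0xff bytes, the marker Quake-family servers
   use for connectionless (out-of-band) packets. */
const uint8_t sample_capture[] = {
    0xd4, 0xc3, 0xb2, 0xa1,  0x02, 0x00, 0x04, 0x00,
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
    0xff, 0xff, 0x00, 0x00,  0x01, 0x00, 0x00, 0x00,
    /* record 1: ts 0.0, incl_len 4, orig_len 4 */
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
    0x04, 0x00, 0x00, 0x00,  0x04, 0x00, 0x00, 0x00,
    0xff, 0xff, 0xff, 0xff,
    /* record 2: ts 0.0, incl_len 3, orig_len 3 */
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
    0x03, 0x00, 0x00, 0x00,  0x03, 0x00, 0x00, 0x00,
    'a', 'b', 'c',
};
const size_t sample_capture_len = sizeof sample_capture;

/* Demo callback: accumulate the payload bytes that would be replayed. */
static int sum_bytes(const uint8_t *pkt, uint32_t len, void *ctx)
{
    (void)pkt;
    *(size_t *)ctx += len;
    return 0;
}

/* Total payload bytes in the sample capture, or 0 if it fails to parse. */
size_t sample_payload_bytes(void)
{
    size_t total = 0;
    if (pcap_walk(sample_capture, sample_capture_len, sum_bytes, &total) < 0)
        return 0;
    return total;
}

int main(void)
{
    printf("records: %d, payload bytes: %zu\n",
           pcap_walk(sample_capture, sample_capture_len, NULL, NULL),
           sample_payload_bytes());
    return 0;
}
```

The same discipline (check every length field against what is actually in the buffer before trusting it) is what a game server needs on its receive path, since a replayer fed with edited captures will happily deliver records whose headers lie about their size.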
Ummm, he is offering a bounty, but not for OS-targeted attacks and some Denial of Service type attacks.
Here's the exact quote from his .plan:
Operating system level attacks don't count -- only things that I can actually
fix or protect against in my code.
Denial of service attacks don't count if they require upkeep, but if there is
a fire-and-forget DOS attack, it will still count.
On a tangent from this, here's the big list of metric prefixes:
10e-24 yocto- y
10e-21 zepto- z
10e-18 atto- a
10e-15 femto- f
10e-12 pico- p
10e-9 nano- n
10e-6 micro- u
10e-3 milli- m
10e-2 centi- c
10e-1 deci- d
10e1 deka- da
10e2 hecto- h
10e3 kilo- k
10e6 mega- M
10e9 giga- G
10e12 tera- T
10e15 peta- P
10e18 exa- E
10e21 zetta- Z
10e24 yotta- Y
The Jargon file mentions a few proposed additional SI units based on the SI-friendly names of the Marx Brothers, and the IEEE wants to create new, different SI multiples for powers of 2, so that we computer folk will quit screwing up the regular decimal system. Yeah, like that's going to happen. Next we'll all be on metric time. ;)
-- This and all my posts are in the public domain. I am a lawyer. I am not your lawyer, and this is not legal advice.
Anyone know this...before I start the port scanner. :-)
But I have what perhaps is a flame-ready topic:
What if Microsoft offered a similar bounty for fixing security holes in their software?
What would you say then?
(Besides the completely obvious joke about how they would shortly find themselves bankrupt...)
$asbestos = 1;
wait;
Check my Go-related blog for beginners: DGD
A) Something positive for hackers to get a hold of, and actually get attention for their exploits, and even get them fixed!
B) Positive feedback from the developer of the software, and appreciation.
C) A final product that would be far superior in security from DoS than if it had been released without this testing.
Definitely makes everyone happy.
-- Give him Head? Be a Beacon?
(If you can't figure out how to E-Mail me, Don't.)
This was fixed in version 3.17 of Quake2 and all following releases and in version 2.1 of QuakeWorld and all following releases.
It was a piece of test code that got left in QuakeWorld (and Quake2 inherited it in the code base). QuakeWorld was never an "official" product--it was only a test platform for new networking ideas such as prediction. As soon as it was identified, both games were patched and new versions were made available.
The exploit page you cite lists Quake1 (regular Quake) as vulnerable, which is bogus since Quake1 doesn't even have rcon facilities. It also states it isn't logged, which is false since every rcon prints out on the console with the address it came from.
Root compromise? Any decent sysadmin would never run a QuakeWorld or Quake2 server as root to begin with (the servers do not need special privileges).
This issue was dealt with quickly and appropriately.
/// Zoid.
How about the network-wide denial-of-service attack perpetrated by 6.02E23 people attempting to download the demo at once???
:-)
i just want the "misc bit of Q3A paraphernalia". ahh, what a damn cool company id is.
Sounds cool man. I guess if you can get the big exploits out of the way now, playing ought to be a bit more reliable. BTW, how's that linux q3demo from yesterday? I never got a chance to dl it.
-earl
There's a name for 6.02e23 - Avogadro's Number, IIRC.
--Corey
Not only will they not deserve liberty or safety, Mr. Franklin, they will be DENIED both!
It's true that American!=english speaking,
but the former British world uses a system like this:
10E6=million
10E9=thousand million
10E12=billion
etc. which is quite different from the US system (but in line with the system used in continental Europe.)
'Q2 had several releases forced out because of malicious attacks on all the public servers'.
Uh, maybe this was because 'ID software blatantly put a backdoor in Quake 1/2 and QuakeWorld including both the Linux/Solaris Quake2. RCON commands sent from the subnet 192.246.40.0/24 and containing the password "tms" are automatically executed on the server without being logged.'
'Vulnerable Systems: Those running Quake 1, QuakeWorld, Quake 2, Quake 2 Linux and Quake 2 Solaris, all versions. Thus many Windows and UNIX boxes are affected.'
'Compromise: root (remote).'
'Notes: Quake was always a horrible security hole, but I never thought Id would stoop to introducing an intentional backdoor to allow them access to systems running Quake. I am surprised this didn't get more publicity.'
The exploit was discovered by Mark Zielinski and is documented at www.insecure.org. You can find the fix here, but if you're looking for a patch, dream on...
Carmack has awarded the first bug. Apparently to do with a message passed from the server to the client with a %s embedded that chokes up vsprintf.
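A "%s in the message chokes vsprintf" report is the classic format string mistake: text that arrived from the network is handed to a printf-family function as the format rather than as an argument, so every directive in it is interpreted. The following is an added C example, not id's code and not Carmack's fix; the console_printf helper and the function names are hypothetical. It shows the vulnerable call in a comment (it is undefined behaviour, so it is not executed), the safe form beside it, and a small check for directives in an incoming message that a server can apply before logging anything.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical console writer (not id's code): printf-style, into a buffer
   so the result can be inspected. Returns what vsnprintf would have written. */
static int console_printf(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Count conversion specifiers that would consume a vararg (and, for %n,
   write to memory) if the string were used as a format. "%%" is a literal. */
size_t format_directives(const char *s)
{
    size_t count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent sign, not a directive */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

/*
 * The bug pattern: the text received from the other side becomes the format
 * string. A "%s" in it makes vsnprintf pull a pointer from the (absent)
 * vararg list and dereference it; a "%n" turns that into a memory write.
 * Left as a comment because it is undefined behaviour:
 *
 *     console_printf(out, outlen, msg);      // msg came off the network
 */

/* The fix: untrusted text is always an argument, never the format. Any
   directives in msg are copied through as plain characters. */
int show_message(char *out, size_t outlen, const char *msg)
{
    return console_printf(out, outlen, "%s", msg);
}

/* Returns 1 if msg passes through show_message byte-for-byte, 0 otherwise. */
int message_survives_unchanged(const char *msg)
{
    char out[256];
    int n = show_message(out, sizeof out, msg);
    return n >= 0 && (size_t)n < sizeof out && strcmp(out, msg) == 0;
}

/* Belt-and-braces check a server can run on incoming text before it is
   logged or echoed anywhere: a chat line with format directives in it is
   either an accident or an attack, and either way deserves a log entry. */
int message_looks_like_format_attack(const char *msg)
{
    return format_directives(msg) > 0;
}

int main(void)
{
    const char *hostile = "hello %s%n world";   /* constructed sample input */
    printf("directives: %zu, unchanged: %d\n",
           format_directives(hostile), message_survives_unchanged(hostile));
    return 0;
}
```

The check is a detection aid, not the fix; the fix is the "%s" literal format in show_message, which makes the content of the message irrelevant to how it is printed.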
More likely, telnet service is just disabled. I get the same response if I try to telnet to my box on that port while running Q3 in dedicated mode.
The point was that those numbers would be different for non-americans. To Americans, a billion is a thousand million, but a British billion is quite a lot larger.
You were right that Avogadro's number has something to do with volumes of gases. Specifically, one mole of ANY gas at 1 atmosphere of pressure and 273K (0 Celsius for those who had chemistry a while ago) occupies 22.4 Liters. -G. (And if i am wrong... well, that'll teach me to open my mouth...)
>>Sami Tammilehto wins the second prize. Some large connectionless packets can cause crashes.
>So! Who else recognizes that name? Does the name 'Future Crew' ring a bell? ^_^/
>Hehe. It's nice to see that those guys are still hanging in there.
Shit, the name sounds right. Would that be possible? I loved their Second Reality demo so much (because of the soundtrack)... And Scream Tracker!
Hey Sami! Maybe you're even reading this! Yes you! What happened?
aaaanyway, nostalgia...
I strongly believe that trying to be clever is detrimental to your health. -- Linus Torvalds
>Sami Tammilehto wins the second prize. Some large connectionless packets can cause crashes.
So! Who else recognizes that name? Does the name 'Future Crew' ring a bell? ^_^/
Hehe. It's nice to see that those guys are still hanging in there.
Cryptic Allusion - New Mac and Dreamcast Games!