Microsoft /asks/ "Crack this machine"

zealot writes "Apparently Microsoft wants people to try breaking the security on this site, which is running Win2k w/ IIS. There are some "rules" of engagement. " Basically, because it's not behind a firewall, it doesn't count to throw huge numbers of packets at it, but there are multiple users accounts-change stuff, look for hidden messages, or "get something you shouldn't have".

Javascript Dies in Netscape

[ChiefArcher]

I guess that want to leave the UNIX crackers out of this... Javascript dies in Netscape for me..
=(

Anyone else experience this?

Chief Archer

Re:Javascript Dies in Netscape

[Syslevel]

They can't fire the guy who wrote Netscape.

Re:Javascript Dies in Netscape

[theCoder]

I don't have a copy of Netscape here (I'm at work), so I can't confirm this, but in looking at the source code I would suspect that Netscape is dying in the function "done()" at line 89. That function tries to access the object "Windows" which seems to be a DIV declared on line 96. This function is being executed from the "onload" attribute of the BODY tag on line 55.

It seems that netscape is trying to execute this function before loading the DIV, while IE (and Mozilla) has either loaded it already or scanned the file to find that object.

As for what is correct in this situation, it would have to depend on when the "onload" function should be called -- before the page is fully loaded or after. IMHO, I'd probably have to say that IE and Mozilla are probably doing it right (no error vs. error).

I don't know why there is a spacing problem in Netscape (but I wouldn't be too surprised if it's intentional). Anybody know if Netscape or IE is interpreting the HTML "wrong" (please don't define "right" as what netscape does -- define it as you'd expect a browser to behave)?

Re:Javascript Dies in Netscape

I run linux and I'm gonna hack it. And when the interview me for the article, I will use the word hack just to piss you off.

Re:Javascript Dies in Netscape

[dattaway]

I won! Where's my prize? I broke its Java! I couldn't even see the rules, now what were they? Microsoft can't seem to write HTML worth a damn.

m$ comments about javascript problem

[Numeric]

this was posted on their

message board

We have disabled the abilty of the Netscape browser to view our page for specific reasons. Please do not flame the messege board with comments pertaning to the inabilty to view the page in Netscape. Any comments relating to this should be directed at the Webmaster in charge of this page: jsmith@microsoft.com

Re:m$ comments about javascript problem

[dillon_rinker]

...specific reasons...

Sounds more like high specific gravity to me...

Re:m$ comments about javascript problem

[knuth]

Top Ten Specific Reasons Why Only MSIE Users Can View Microsoft Cracking Challenge

10. If you're doing lame browser detection, MSIE is fewer letters to type than Netscape, Mozilla, or even Opera.

9. Similarly, "JScript" is shorter than "JavaScript".

8. AOL^H^H^HMicrosoft is the Internet.

7. We left our copy of FrontPage at the default settings. But don't worry, it will all be fixed in FrontPage 2005.

6. We fear the mighty /. effect, and those fanatics wouldn't be caught dead using Exploder.

5. VisualBasic is more powerful and efficient than C++.* Likewise, Internet Explorer has that comforting familiar Microsoft Windows interface, so you don't have to learn that arcane, complicated Netscape setup.

4. You can't crack our powerful enterprise-level Microsoft(tm) Windows(tm) server if you can't read the rules we made up, nanny nanny boo boo.

3. We're weenies. We couldn't write "Hello world" in HTML, let alone use scripting languages.

2. 3l337 hAx0r d0oDz swear by MSIE.**

And the number one reason why only MSIE users are permitted to view the Microsoft cracking challenge is... drumroll, please...

1. Somehow the demo site was interfered with. Give me another chance, your honor.

*Editor's note: Microsoft actually says this on another page.

**Editor's note: swear at, more likely.

A dreadful way to "prove" security

[davew]

Gene Spafford (co-author of the O'Reilly book on security, many seminal papers on Computer security, and minder of such tools as Tripwire - the man knows what he's talking about) had this to say some years ago on security challenges:

http://www.netsys.com/fire walls/firewalls-9511/0743.html

He lists so many good reasons (eight) to distrust this sort of challenge that it is difficult to summarise the message here. Best to click and read it yourself.

The point goes for every package where the author tries to "prove" security in this way - be it Sidewinder, Qmail or Microsoft. In many cases, the only result is to damage security by giving miscreants some "free time" to try and crack the system, for free, without fear of punishment.

Tiger teams have their place in a properly designed, properly managed security audit. Using unpaid tiger teams as the principal means is useless and dangerous. Will Microsoft move to assure its customers that this is simply a small part of a large, thorough security audit?

Dave

--

I'm surrounded by hypocrites.

[Wonko42]

You'd think, given the general nature of Linux development and the open-source community as a whole, that Slashdot readers would be open to this rather intriguing challenge. But, instead of praising Microsoft for "putting their code where their mouth is," so to speak, the general response to this (judging from Slashdot comments) seems to be "I don't want to crack Microsoft's site because I can't read it and they won't pay me. And besides, if I do crack it, Windows will get better as a result, and that's scary!"

Do you get paid to find and report holes in Linux? Huh? Unless you work for a company that sells their own distribution and therefore it's your actual job, then no, the majority of you don't. So just what is the source of this stuck-up, arrogant, anti-Microsoft attitude? So what if Netscape won't read the page? I'd think that would be Netscape's fault, but no, you insist that the blame is to be placed on Microsoft. My Microsoft web browser doesn't choke on Javascript. Netscape's browser does. Netscape is the obvious problem here.

The open-source community has been calling for Microsoft to do something like this for a long time now. Microsoft is begging for you guys to show them what you're talking about when you say "Windoze sux". If Windows sucks so much, it shouldn't be any trouble to knock out that IIS box, should it? Huh? Then why are you wasting time complaining? Get over there and kill that sucker! And while you're at it, if you want an even easier challenge, you're more than welcome to try and kill my own Windows 2000 beta 3 web server. I haven't optimized it for security, because I don't see any need to. It's on a tiny pipe, and it'd probably be a snap to wipe that sucker out. Go for it! Go kill http://wonko.com/ and then let me know about it! Tell me how lame my system was and how easy it was for you to crack it. Go on! I dare you. :)

--
Wonko the Sane

LinuxPPC asked crack this machine!

[jcarr]

Ok. Here is a stock LinuxPPC 1999 Installed machine: crack.linuxppc.org (aka micrsoft.is.lame.linuxppc.org)
It's running apache only. If no one gets in for awhile, we will start adding services( sendmail is first)
(You might have to wait for DNS to update in an hour - the IP is 169.207.154.108

Hilites from the hacked page source

[Kerg]

For those who don't want to be bothered to download MSIE...

Hahaha! I love the auto-load of www.redhat.com.
I used to like MS DOS, and you had to go mess it
up with this bulky bloatware called windows.
win2000 needs /dev device management. Youre
registry editor SUCKS! Whats with all the HEX
strings/keys? Cant you use english? I dunno
where to even start messing with that.

...

Is there a problem with Chardonnay That used to
get beeped by spell checkers a lot.?

...

Nice IE only site. Like anyone who interested in
bustn in would use a machine that could run ie
:-). YOu guysll probably put this little site up
for a week then claim its hack proof. Good luck
post-release.

...

Would someone please
crash this [beep] server already so that I can get
back to work...

...

And you cant even say S C R A P!

MS filtering at its finest :)

...

For what its worth, the site works just fine with Opera; if not with Netscape! And Kudos to whoever put the freebsd link in the guest book!

---ZahrGnosis

...




linux!
linux!
linux!


...

Is there a problem with [beep]?

...

No - we cracked the admins - not the OS :)

...

do[beep]ent.location=http://linux.org/

...

http-equiv=refresh
content=0;url=http://www.freebsd.org

...

Im having javascript errors running ie 4.02
(sp2) on nt4.5. does html work on this
window.location=http://www.microsoft.com

...

META HTTP-EQUIV=refresh CONTENT=1;
URL=http://www.menonthenet.com/

...

Maybe MS should have thought a bit more before
taking to doing something of this calibre...

S[beep] windows and start again at DOS. MSs only
stable OS...

...

It's just too funny! :)

Re:They're asking the Internet to debug for them !

[ThePlague]

No, it improves a product that many of us will have to deal with, for good or ill. The idea is peer review, correct? Granted, MS is asking for black-box (i.e. not giving access to code) peer review, but it is still a request in tune with the ideals often espoused in this forum. But I guess since MS does it, it's evil by definition. How hypocritical.

Step into reality

[gatech]

Some of the comments about this challenge have really amazed me. People have said that we should not try to crack the server because of a lot of different reasons, but they have all been selfish.

For instance:
1)why should anyone want to help micro$oft audit the security of win2k? wait till we can get a copy of it, then we'll start looking for security holes.

2)why should anyone want to help micro$oft audit the security of win2k? wait till we can get a copy of it, then we'll start looking for security holes.

3)Maybe the crackers should avoid the site, or break it and NEVER tell Microsoft how they did it. We certainly do not want to help improve products of particular company.

What is it with you guys? You constantly complain about how unsecure Windows is and how much better Linux is. Then Microsoft gives you a chance to show them some of these security problems that Windows has and you say "Wait, don't help Microsoft then they might have a better product!!" Are you afraid that by showing them some of their security holes that Windows 2000 might actually, heaven forbid, be a good product and make Linux work keep its edge?

From most of the posts I read it seemed that people were afraid that they might actually help Microsoft release of good product and I don't understand how you can see the release of a more secure and better product as a bad thing regardless of who makes it.

Rich

Re:Step into reality

[gatech]

No I am not an employee of Microsoft. I am a CS student and a programmer\sys. admin assistant at a company in Atlanta.

But then does it really matter what company I work for? The point is that as a programmer you should work to help people release good code, not avoid helping someone just because you don't like their previous products.

That is only narrow minded and immature.

Rich

What is it supposed to do?

[pb]

Are there any ports open besides port 80?

And why does queso identify it as a Cisco/HP/Baystack switch?

It says it's running IIS 5.0, now that I'll believe.

"Rules of Engagement"?? WTF?

[jabber]

You are free to break our system provided that:

0) You don't do anything unexpected.
1) You don't use a valid account to get in.
2) You only use ports 19, 24, 88 and 666.
3) You only use Microsoft products to do it.
4) You don't tell anyone.
5) You tell us (see rule #4)

Are they kidding?? The first thing a hacker/cracker would do is something unorthodox. Where do they get off thinking that you can test the security of a system by imposing rules of engagement.

That's what you get when you let your lawyers dictate procedure to your techies.

Javascript error "Windows is not defined" (!)

[Sun+Tzu]

Running Netscape from my Solaris 7 Sun 10, that is what I get. It turns out to be an error. And I thought it was a congratulatory message! ;)

Re:Anti-Microsoft for no good reason?

[tgd]

The difference is that the results are being used for their corporate benefit and no one else's. They patch their system, you better believe they're not going to give me the sources for that patch.

They're just grandstanding and posturing, trying to prove that Windows 2000 is secure. Its win-win for them -- free high-level security testing (which unlike Beta testing, is something that is generally VERY expensive to contract out for), if it gets cracked, then they get an early warning and time to fix the problem, and if they don't their marketroids will have that nugged to get their paid-off "independant" columnists to write about.

All while people are wasting time to save Microsoft money developing a product that they're going to charge exorbanant licensing fees for.

Seems kind of stupid for anyone to waste their time on it. Get your own copy of Windows 2000, crack THAT, and post THAT exploit all over the net. That puts Microsoft in their place, and doesn't help them screw people over even more.

Why this is BS

[Ex+Machina]

Here's what is going to happen. 1) People will try to get into site unsuccessfully, aside from discovering a few neat weird ports and services open that they can do nothing with. Maybe someone will be able to crash it but constructing a successful buffer overflow would be impossible. 2) MS claims win2k is secure and releases it. 3) People, with access to a real machine find tons of holes. 4) Script Children own the win2k machines. If they want a real fight they should give out copies of win2k to l0pht and other skilled peoples.
xm@GeekMafia.dynip.com [http://GeekMafia.dynip.com/]

Re:Why this is BS

[IntlHarvester]

Of course, what you say is true for any product, whether it's Linux/Apache or Windows 2000. Holes are going to be found that no one bothered to think of before. Linux servers were exploit city about a year ago, despite all the open sourcey stuff.

For example, a serious IIS 4.0 exploit (in 'Remote Data Services') was just found a few weeks ago. This is after the product being out for more than a year.

Also, I'm sure L0pht and others have Windows2000 betas. You can buy it mailorder, if MS hasn't sent it to your company.

--

Oops

[drwiii]

I accidently redirected the guestbook to freebsd.org. Sorry, Bill. Really.

Re:Smart move for Microsoft

[eponymous+cohort]

Outcome 2 - we break it. they fix it. This would be a GOOD THING. The more secure a system is, the better. It doesn't conflict with our goal of Total World Domincation....it just gives people a viable choice

But Microsoft doesn't believe in choice, oh wait, yes they do, "Workstation or Server edition?"

A Stronger W2K means that MS will be in a stronger position to push their "Windows Everywhere" agenda

*sigh8 EXPLANATION: Login Failure

[cswiii]

uh, d00dz and kiddi3z, they announced this earlier...around 9:55 Pacific time, a message was posted regarding something to the effect of "because of the obscene nature of this board, it will be shut down in one hour".

You didn't take anything down.

Re:Real security for 2000 and beyond?

[BuBu_]

The Slashdot effect? What are you planning to do? get a bunch of your friends around then go and flame the hell out of them? By saying something like "YOUR 0S SUCKS! USE LINUX WOOOOOOO!" Yeah, great idea.

Re:What an ugly site

[eponymous+cohort]

It's nice to know that these people don't have the brains to make their web pages compliant for all browsers

Why would they? This is MS, to them there is only one browser. When they released IE for Unix, they proclaimed, "Finally, a graphical alternative to lynx!"

Re:Illegal?

[remande]

While you cannot kill (or perhaps injure) a person just because you give them permission, you can abuse or take someone's property if they give you permission. If I put widgets in a box saying "Free sample", I can't have you arrested for "stealing" one. Indeed, there was one case where a car dealership put up a billboard in the shape of a coupon, saying to bring it in for a free car. Somebody dismantled the billboard and trucked the whole thing into the dealership. Not only could they not be sued or arrested for dismantling the billboard (it asked them to, thus implying permission), the courts ruled that the dealership owed them a car!

In the same way, this sort of B&E by permission is legit. This has been done by private "tiger teams" numerous times, in the private biz and the military. Microsoft has simply given B&E permission (to that one site) to the world, using the entier net.population as one honkin' huge tiger team.

Re:Anti-Microsoft 'cause no reason to support 'em

[poopie]

Yeah, it's a step in the right direction, but... they *assume* that the linux hacker community is interested in helping to secure Windows.

To a certain extent, the participation of the Opensource community is driven by intangibles, and that force hasn't been able to be successfully co-opted by any corporation yet. Look at some examples:

- Netscape fails to engage thousands of kernel hackers in redevolping their browser
- Redhat starts becoming a "brick and mortar" business, and the linux community starts to diss them and fight for disto agnosticism
- For every major corporate announcement of plans for a Linux port, there's an effort underway to develop a free replacement.

I don't think that many hackers are really interested in helping Micros~1 make better products -- since we don't use 'em, we don't promote 'em, and we stand to gain *NOTHING* by improving IIS 5.0 or Windows2001 - A Wasted Disk Space Odyssey.

There's no portable code being release for peer review. There's no public API. There's nothing of interest for the linux hacker other than saying, "look, I hacked another Windows box!"

Thoughts from a grey-hat

[anticypher]

Microsoft has slapped a packet sniffer on the local network feeding the contest machine. Probably several sniffing machines, with different filter criteria. Gives them some idea of what the script kiddies consider useful for cracking an M$ site.

If any of the attacks succeed, they have a trace of the crack, and can build better security for the final release of NT2000. This is good, because I'll have those pieces of shit installed all over my networks soon enough.

They also get to harvest IP addresses of everyone stupid enough to try even looking at this machine. Even a simple traceroute will give them a source IP address. Toss them all into a big database at a later date, couple it in with some other data about the attack type, and wait to use it later to track crackers. Offline analysis is a powerful tool, couple it with automated lookups and a simple knowledge based system, and you could populate a DB with some dangerous data.

For the paranoid, perhaps there has been a nasty break-in by some sophisticated infocriminals (love that new word, see HNN), and the FBI are also sitting in the room with their own analyzers, waiting for someone to try a similar attack. Assuming the crackers are just some misguided wanna-be scripties, this could help the FBI to back track to them. The cracking contest is just a combination of marketing fiasco and FBI clue gathering mission. The FBI are probably not even looking for anything they could use in court, just some leads to track down.

Given the lack of any other services on the machine, and the simplicity of the web pages (no DB or useful cgi-bin), and the quickly hacked together javascript errors, I would say this is mostly a marketing exersize. No matter what the outcome, they can spin it into some hype and a FUD campaign.

the AC

Conspiracy Theory...

[Menneg]

Just a thought here, but looking at some of the scan data that was posted earlier on /., it would appear to be a Linux box!!! This leads to 3 posibilities;

1) They are tricking us into hosing a Linux box,
2) They have ported IIS to Linux and are testing that configuration, or
3) The scans are coming back incorrect.

I hope for the sake of the Linux comunity that it is (3) rather than the first 2. Man, think of the bad press for Linux!

IP addy

[tweek]

YOu can looked up a cached response of the ip addy on the MS nameservers at 131.107.1.7. Earlier in looking around I had noticed that this redirects to another box known as ntbeta.microsoft.com I think or what not. This is all old info I think though.


The interesting point that everyone keeps reitterating is that the site has been constantly down all day. I keep wondering what spin MS is going to put on this. They put out this box to be cracked, which cant even stay online. They use a non real world example by not running any services. The sad part is due to all the lame posts, they will attribute this to the opensource community in some way and attempt to make us look bad. And all this when I was just remarking that Bill Gates has done something good for once by donating some of his fortune to a really good charitable cause. *sigh*

Smart move for Microsoft

[EngrBohn]

Two possible outcomes:
- Nothing breaks it, and this becomes a marketing high-point for Microsoft - It gets broken, and Microsoft engineers now have solid data (vice anecdotal) as to where the problems are. Especially if this was compiled with the debug option switched on.
Christopher A. Bohn

Re:Smart move for Microsoft

[Suydam]

YEP

Outcome 1 - nothing breaks it. THis would be a bad thing. Arrogance and "we're unstoppable" would be their attitude.

Outcome 2 - we break it. they fix it. This would be a GOOD THING. The more secure a system is, the better. It doesn't conflict with our goal of Total World Domincation....it just gives people a viable choice.

You forgot Outcome 3 though - we break it. they deny it for 6 months and then release a Service Pack that fixes the problem that "doesn't exist". This seems the most likely to me.

Re:Smart move for Microsoft

[vt@office]

Yes, but what about the case when noone (flexibly defined) CARES to break it? Serious people have more important work to do rather than break the thing which is broken by design...

Re:Smart move for Microsoft

[Signal+11]

No, there is another outcome. Nobody takes the challenge. Challenges like this are generally dismissed in the security industry for a variety of reasons. Some of them are as follows...

- Real Crackers aren't going to spend their time trying to get caught on a high-profile site.
- Script kiddies don't have any scripts for the "new" OS yet.
- It's new - so of COURSE it's going to take time to find the vulnerabilities. You think "one stunt, and that's it" is going to fix all their problems? You're more naive than I thought.
- Past record. How long does Microsoft take to acknowledge, let alone fix, the problems they find? W2K *will* have bugs. All major programs have bugs. The question is - will they efficiently and quickly inform their customers, and provide comprehensive support to them - like the 4-color glossies they distribute say?
- Many vulnerabilities are discovered at the console - and by looking at the source. It could be wide open, but you'd never know that from a remote perspective. Breaking into a system you've never seen or used remotely has about as much of a chance of success as me getting away with being called Rob Malda in this post.

That's just what I can think of off the top of my head. Use your imagination. And most importantly: dismiss yet another one of Microsoft's tricks to get you to do their bidding. Clever Microsoft, but I thought you'd have learned by now that the 'net dispels FUD faster than a speeding salesman.

--

Wow! This server is BULLETPROOF!

[Redwire]

We're witnessing the ultimate in internet security! Not only is it impossible to hack/crack/smack this box, but they've tightened things up sooooo much that I can't even ping it! Heck, I can't even resolve the name to an IP address.

My next challenge is for all you /.'ers to hack into my old 486. It's sitting in the corner of my office unplugged and collecting dust. Now THAT's security!

What an ugly site

[Gleef]

To "show off Windows 2000", I would think they could do with a better designed web page. I get about 250 pixels (vertically) of broken-looking header, followed by about 800 pixels of whitespace, followed by the actual text. I have to scroll down more than a screenful just to read anything. And a Javascript error to boot. I mean, if they still can't even design a competent website, what makes them think they can design a whole OS?

----

Re:What an ugly site

[Bob-K]

Maybe the site is designed so you can only crack it using Internet Explorer.

Refresh hack

[drwiii]

The key was to put the refresh at 0. It stopped IE people from adding new entries, and kept the refresh on the guestbook page.

With all the people hammering the server though, I'm surprised nobody tried a meta refresh before my redhat.com and freebsd.org tests. :P

Why Hackers might be kvetching...

[DLG]

Microsoft offers a server and asks that folks take a shot at gaining access to things Microsoft wouldn't want folks to have access to in a commercial product.

Some people yelp, "Screw Microsoft, let em do their own dirty work."

Others tut tut, "This is just like Open Source! This is a step in the right direction."

What to do!?! Is Microsoft challenging us to stick by our Morals? Or are we being "used" by a corporate entity. Even worse, are the logs of this attempt at hackign the system going to represent evidence?

#1. If you can't avoid a simple tcp/ip packet sniffer from tracking you down, then you are unlikely to be the ones the FBI cares about.

#2. If you believe that this is closer to open source than before, try a breath deep too. Oxygen is good. Yes.. It burns stuff... Anyone can torture test any product they buy. There is nothing open source about that. The issue of Open Source is that modifications we as hackers might make after finding bugs, are owned by the community, as is the original software to some extent. The notion that this method of security analysis is any different than normal practice of Microsoft is laughable. The question is HOW the software is being tested, not WHO is testing it.

#3. I will note that it is rare for a Linux machine to HAVE to be advertised to be crashed. That is because if you want to test out a security flaw you can create your own test machine with no cost. Thats the joy of OPEN SOURCE. You can truly know what you are getting, try it before spending money, and even fix problems yourself rather than having to wait for a company to respond to your bug report.

#4. I still have doubts that this product ever will exist. The fact is that if no one hacks the software, then Microsoft can claim their non-released software that probably will not be really implemented before some serious bug fixing, is secure within the context of 1999's security issues and protocols. With new services being added regularly and custom software being thrown into the mix, this is relatively vapor ware benchmarking...

Whatever,
dlg

Contest?

[Mignon]

How about making this a contest? Maybe those Linux users disillusioned by their crippled SETI@Home client could put their idle time to use. Now that would be a Slashdot effect...

I haven't read the "rules", but I wonder if everyone will follow them.

A ploy to get crackers to use IE4-5!!!

[|DaBuzz|]

The site is already fubar if you use NS or IE 3 so to even read the text you'll need IE 4 or 5. This is Microsoft's evil plan since any cracker out there who installs IE 4 or 5 will have their name and SSN sent to the FBI. *grin*

Nonsense.

[jtgold]

Exactly how is this "challenge" intriguing? Cracking contests are a dime-a-dozen these days, which is interesting because they demonstrate almost nothing about security. (See this essay to undestand why.) If you believe that the nature of the open-source community is to fall for tricks like that then you have drastically underestimated this community. Most of the audience here doesn't get paid to find and report security holes in Linux or NT. However, if you find a security hole in Linux the result of your work will be made available to you and everyone in the Linux community at no charge through the efforts of volunteers like Torvalds and Cox. If you make the same effort for NT on the other hand, Gates is sure to offer you the opportunity to pay for the improvement whenever Win2K manages to surface without seeing it's own shadow.

I'm not sure what you mean when you say, "The open-source community has been calling for Microsoft to do something like this for a long time now." As far as I can tell, no one has asked for Microsoft to offer us an opportunity to allow us to support their development and marketing efforts without compensation. Sorry, but now that the opportunity is here, I'm still not impressed. It probably would be easy to knock down the Win2K test server (I can't seem to get through to it so perhaps someone already did), and yours as well -- but I don't much care. I use Linux because it is the most stable and effective operating system that meets my computing needs, not as a protest against some other system. I choose to direct my attention to constructive activities -- attacking a system that isn't even in production without source code or specifications doesn't qualify.

Don't bother

[Megaweapon]

All you are doing is allowing them to test their software using your efforts. Don't waste your time. Let them test their own crap.

Re:It is already borked.

[eponymous+cohort]

M$ = $$$ (for more staff & admins)

2 staff/admins per mainframe
3 staff/admins per NT server + good technical support contract ;)

Yes but those 3 staff are much cheaper since NT is so easy that anyone can admin it.***

*** Not my own view, but it seems to be a prevalant view among some PHBs. MS themselves seem guilty of pushing this notion in some form.

Re:Thoughts - Pebkac Networks

[anticypher]

Ha! I knew that acronym sounded familiar. Thanks for reminding the /. community. Pretty funny they are using that.

Seems to be a class C block of IP addresses from right in the middle of the Class B that M$ uses. Claims to be an ISP, but they have just one static web page on their server.

the AC

Re:Real security for 2000 and beyond?

[MindStalker]

Obviously your a new user here, or just haven't been paying attention. The slashdot effect, is a semi-natural phenomenon, in which a article/url is posted on slashdot that everyone wants to checkout/read. The server holding that article is generally not prepared for an increase in hits of several thousand people within an hours time, crashing the server. The server is then known as being slashdotted. Every once in a while even slashdot gets slashdotted, when other news agencies link to slashdot, but in general the effect is named after slashdot as we tend to create such an effect more often than most other news sites.

And what does the Cracker get out of it?

[Quack1701]

I can see all the benifiets MS will get out of this site.

1) Noone breaks in. Claim the most secure 0S in the world.
2) People break in, MS fixes the bugs, downplays the seurity risk, and makes money off of a better product.

What do the crackers get?

1) They don't break in, Nothing.
2) If they break in, Nothing.

Humm... What a deal.

Who is going to waste thier time trying to get into a system they have no idea whats behind? Where are the security holes? I would hope MS has fixed all the Known problems. And until they release thier software, it will be hard to see what new is broken.

Quack

Microsoft

[drwiii]

There are hidden messages sprinkled around the computer. See if you can find them.

Do GPFs count as "hidden messages"?

The goal is to see how a properly secured machine will stand up to attack. These machines are configured to prevent known attacks.

With a cookie-cutter operating system like Windows, you'd think they'd make the default configuration as resistant as possible to known attacks.

Stock install secure damnit! Crack in: win machine

[jcarr]

I must respond to the previous poster as to the security issues of a stock install( of LinuxPPC anyway.) A default install is much more secure than the crack.linuxppc.org machine is. And more stable from the looks of it as the windows machine looks like it has been rebooted already :)

So here is an additional challange:
Be the first to change /etc/motd on crack.linuxppc.org in a reproducable manner and we give you the machine crack.linuxppc.org.

Goodluck!

software firewalling??

[austad]

Even though this machine is outside a firewall (supposedly), it must have some sort of software firewalling running on it. When I did a portscan, I noticed it taking an unusually long time, and when it tries to connect to a port, it's not even getting the response that it cannot connect. Connections are being ignored on these ports. Does win2k have software firewalling built in (like Linux)?

Anyway, that was as much effort as I'm going to put into it. If MS wants to pay me a normal consulting rate, I'll be happy to mess with it some more. I've got better things to do on my Linux box...

It's waaayyyy down.

[Sangui5]

Not only is 207.46.171.196 (windows2000test.com) not responding, but 207.46.175.250 (the maching to which windows2000test.com appears to route all of its traffic) is also down. I e-mailed the MS ppl. if 207.46.175.250 is fair game, but I imagine that they are a little busy at the moment.

Has ANYBODY been able to get into ANYTHING at ANY time other than http ports? Some guy said everyone had download access to some msdca directory or something, but I haven't heard of anybody else getting in. If no ports are open then whats the point?

Anti-Microsoft for no good reason?

[rlm]

Why do I see so many posts on here complaining because Microsoft is trying to get "free auditing" by asking everyone to attack their machine? Doesn't this fit entirely with the concept of Open Source? They're requesting assistance and criticism from the community rather than keeping it entirely closed. I mean, it's not handing out the source code, but it is a step in the right direction. I mean, shouldn't we all be happy that Microsoft is at least TRYING to improve their product before they release it rather than just giving us another piece of crap?

If you don't want to help Microsoft out, that's one thing, but you can't deny that this is better for the hoards of people who will be running this thing.

Need Specs

[drudd]

I applaud Microsoft's intentions behind this test, but it really won't benefit its end customers.

Howabout releasing some specs as to what hardware this machine is on, and what security settings they are using.

We're not even certain they haven't made unfair modifications to their code (say randomly changing usernames and passwords if someone brute hacks them). Is this a realistic level of security which can be maintained by the average sysadmin, or will you need to hire half the NT 5.0 development team.

Say someone does crack this system. Or everyone fails? Then what? Are we going to recieve detailed data on what people tried and succeeded/failed? If not we have no assurances that Microsoft will even attempt to fix any security holes they find.

Essentially Microsoft has created a marketing gimick, nothing more.

Doug

The Fallacy of Cracking Contests

[Brent+Nordquist]

An article in Bruce Schneier's excellent "Crypto-Gram" monthly newsletter. Now this will probably make next month's newsletter too. :-)

The Fallacy of Cracking Contests
--

It's dead as a door nail

[WestonP]

I was screwing with it and it looks like I killed it with a cheap and easy buffer overflow. It stopped responding right after I sent it a ton of ASCII code 255 characters. Time of death: Approx. 1:45PM MST 8/3/99

Comparison with Apple Contest

[stevenj]

Apple ran a contest much like this a couple of years ago; it was open for about a month or so and offered a cash prize to break-ins (but not DoS attacks). In the end, no one was able to claim the prize and Apple gained lots of bragging points. It became an instant selling point for Apple PR and Mac advocates.

When the contest ended, Mac advocates took it up and sponsored their own contest. This ran for some time and again wasn't claimed; more bragging rights. Then, they ran another contest and upped the prize...this time, someone was able to break in using a security hole in a webserver plugin (that linked to a database--to their credit, they had set up the server to do something real, not just serve static pages). The prize was claimed, the hole was fixed, and then the contest started up again...and was quickly hacked via yet another plugin bug, as I recall.

After this, there were no more contests, and you didn't hear people touting the security so much anymore.

The moral of this story is that if someone claims their prize, Microsoft will lose more than they gain. It fixes one security hole, but there will always be others. And, their webserver got cracked--no bragging rights, and embarrassing no matter how they spin it.

The life of www.windows2000test.com

[Sangui5]

We are gathered here today to today to mourn the passing of www.windows2000test.com.

www.windows2000test.com led a short life, but one full of activity. It is this action that we should remember, how pleasantly he served those static web pages, and the cute manner in which he [beep]ed out naughty words, like compe[beep]ion. We should remember how he went missing for a while, and then came back, opening up to us with several ports. We should focus on these positive things, not that somebody stuck a knife in those ports and twisted it with 30 minutes, but on how trustingly www.windows2000test.com invited us in.

I know that many of you will find his passing difficult to cope with, and I only wish I could do more to ease your grief.

The site will remain uncrackable...

..mainly because it _IS_ behind a firewall.

Let me paste the text from my initial scans.

The following is a traceroute from my hosts to windows2000.com as if I _would_ leave in my
peers ;)


8 199.ATM7-0.XR1.SEA1.ALTER.NET (146.188.200.101) 143.469 ms * 252.588 ms
9 195.ATM4-0.GW3.SEA1.ALTER.NET (146.188.201.25) 148.365 ms 149.046 ms 149.636 ms
10 157.130.177.154 (157.130.177.154) 148.690 ms 150.032 ms 248.992 ms
11 207.46.190.82 (207.46.190.82) 148.777 ms 149.989 ms 149.094 ms
12 iuscb11ixc7501-a0-00-1.cp.msft.net (207.46.129.7) 216.968 ms * 256.297 ms
13 * iusd27nt5c7201-a2-0-1.cp.msft.net (207.46.168.68) 144.507 ms *
14 207.46.175.250 (207.46.175.250) 148.849 ms * 163.483 ms
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

Right there in black and white...line 14 returns no udp/tcp info. All ack's on echo replies are being denied.

This means that Microsoft is implicitly denying tcp packets. I thought this host was wide open. Hmm let me try something else.

Next pasting-------------------------------------

This is a simple scan from saint formerly satan
against www.windows2000test.com (207.46.171.196)

[root@nessus saint-1.4]# ./saint
Security Administrator's Integrated Network Tool
Portions copyright (C) 1998 World Wide Digital Security, Inc.
Portions copyright (C) 1995 by Satan Developers.
SAINT is starting up...
*** xxxxx.xxx.adelphia.net can't find 207.46.171.196: Server failed
bin/udp_scan: are we talking to a dead host or network?
Usage: ostype.saint target


Obviously Targeted info has been redirected....


The machine just before this win2000 box is definately the router for that subnet.

Pasted Text--------------------------------------

[skippy@nessus skippy]$ telnet 207.46.175.250
Trying 207.46.175.250...
Connected to 207.46.175.250.
Escape character is '^]'.
Copyright (C) 1998 Extreme Networks
WINISP EXTREME!
By John Hollowell
And
The WINISP Team!
TAKE THE HIT FOR THE TEAM!
login: anonymous
password:

login:


Simple telnets and ftps to the box are rejected. Services not running or being discrarded at the firewall.

I am scanning various TCP ports for activity.

Using nmap to discover destination services...

I find that the following information is very _interesting_ to say the least.

I think that other /.'ers can appreciate any words that come from the mouth of Saddam Gates...

"Apocalypse now..."

Pasted text----------------------------------

[root@nessus src]# nmap -sT -P0 -o ./windows2000.txt -v -e ppp0 207.46.171.196

Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Initiating TCP connect() scan against (207.46.171.196)
Adding TCP port 56 (state Firewalled).
Adding TCP port 794 (state Firewalled).
Adding TCP port 362 (state Firewalled).
Adding TCP port 719 (state Firewalled).
Adding TCP port 1495 (state Firewalled).
Adding TCP port 310 (state Firewalled).
Adding TCP port 409 (state Firewalled).
Adding TCP port 415 (state Firewalled).
Adding TCP port 1509 (state Firewalled).
Adding TCP port 1019 (state Firewalled).
Adding TCP port 254 (state Firewalled).
Adding TCP port 2023 (state Firewalled).
Adding TCP port 2043 (state Firewalled).
Adding TCP port 7005 (state Firewalled).
Adding TCP port 1015 (state Firewalled).
Adding TCP port 1545 (state Firewalled).
Adding TCP port 5530 (state Firewalled).
Adding TCP port 1513 (state Firewalled).
Adding TCP port 5191 (state Firewalled).
Adding TCP port 126 (state Firewalled).
Adding TCP port 116 (state Firewalled).
Adding TCP port 1666 (state Firewalled).
Adding TCP port 909 (state Firewalled).
Adding TCP port 135 (state Firewalled).
Adding TCP port 222 (state Firewalled).
Adding TCP port 549 (state Firewalled).
Adding TCP port 394 (state Firewalled).
Adding TCP port 184 (state Firewalled).
Adding TCP port 502 (state Firewalled).
Adding TCP port 140 (state Firewalled).
Adding TCP port 1473 (state Firewalled).
Adding TCP port 678 (state Firewalled).
Adding TCP port 844 (state Firewalled).
Adding TCP port 1550 (state Firewalled).
Adding TCP port 874 (state Firewalled).
Adding TCP port 572 (state Firewalled).
Adding TCP port 825 (state Firewalled).
Adding TCP port 605 (state Firewalled).
Adding TCP port 1528 (state Firewalled).
Adding TCP port 1397 (state Firewalled).
Adding TCP port 157 (state Firewalled).
Adding TCP port 735 (state Firewalled).
Adding TCP port 920 (state Firewalled).
Adding TCP port 295 (state Firewalled).
Adding TCP port 23 (state Firewalled).
Adding TCP port 165 (state Firewalled).
Adding TCP port 541 (state Firewalled).
Adding TCP port 104 (state Firewalled).
Adding TCP port 490 (state Firewalled).
Adding TCP port 393 (state Firewalled).
Adding TCP port 61 (state Firewalled).
Adding TCP port 2064 (state Firewalled).
Adding TCP port 73 (state Firewalled).
Adding TCP port 7326 (state Firewalled).
Adding TCP port 424 (state Firewalled).
Adding TCP port 5190 (state Firewalled).
Adding TCP port 967 (state Firewalled).
Adding TCP port 1026 (state Firewalled).
Adding TCP port 118 (state Firewalled).
Adding TCP port 229 (state Firewalled).
Adding TCP port 1669 (state Firewalled).
Adding TCP port 49 (state Firewalled).
Adding TCP port 927 (state Firewalled).
Adding TCP port 998 (state Firewalled).
Adding TCP port 1542 (state Firewalled).
Adding TCP port 609 (state Firewalled).
Adding TCP port 834 (state Firewalled).
Adding TCP port 10082 (state Firewalled).
Adding TCP port 478 (state Firewalled).
Adding TCP port 904 (state Firewalled).
Adding TCP port 1482 (state Firewalled).
Adding TCP port 237 (state Firewalled).
Adding TCP port 912 (state Firewalled).
Adding TCP port 2401 (state Firewalled).
Adding TCP port 403 (state Firewalled).
Adding TCP port 1241 (state Firewalled).
Adding TCP port 367 (state Firewalled).
Adding TCP port 3086 (state Firewalled).
Adding TCP port 805 (state Firewalled).
Adding TCP port 303 (state Firewalled).
Adding TCP port 766 (state Firewalled).
Adding TCP port 944 (state Firewalled).
Adding TCP port 169 (state Firewalled).
Adding TCP port 1399 (state Firewalled).
Adding TCP port 1987 (state Firewalled).
Adding TCP port 6148 (state Firewalled).
Adding TCP port 1178 (state Firewalled).
Adding TCP port 901 (state Firewalled).
Adding TCP port 654 (state Firewalled).
Adding TCP port 469 (state Firewalled).
Adding TCP port 9535 (state Firewalled).
Adding TCP port 668 (state Firewalled).
Adding TCP port 1421 (state Firewalled).
Adding TCP port 75 (state Firewalled).
Adding TCP port 5300 (state Firewalled).
Adding TCP port 706 (state Firewalled).
Adding TCP port 78 (state Firewalled).
Adding TCP port 338 (state Firewalled).
Adding TCP port 813 (state Firewalled).
Adding TCP port 1009 (state Firewalled).
Adding TCP port 625 (state Firewalled).
Adding TCP port 7 (state Firewalled).
Adding TCP port 1505 (state Firewalled).
Adding TCP port 1490 (state Firewalled).
Adding TCP port 506 (state Firewalled).
Adding TCP port 1470 (state Firewalled).
Adding TCP port 1499 (state Firewalled).

And the list goes on...

# Log of: nmap -sT -P0 -o ./windows2000.txt -v -e ppp0 207.46.171.196
Interesting ports on (207.46.171.196):
(Not showing ports in state: filtered)
Port State Protocol Service

None because they all _HAVE_ definately been firewalled off.

Should I scan behind the firewall?
Now this is a question of morals and ethics...
Right Bill?

What the fsck I think I am in the mood for a little challenge...

Heh, heh, heh...oops!

They must have active firewall admins at the console...All acks to my source address are being denied now. I could come from different hosts until I finally get through but I think I'll just leave it alone. As everyone can see from the info above I have used no scripts to attempt to crack the workstation. I was merely just accepting the invitation to look and try.

Thanks Hemos, TACO, Cowboy and the gang...


Any comments or suggestions can be sent to

attempted by portslider at
mercenary_4_hire@hotmail.com

I will try to answer as many as I can.

Sorry in advance but I do not provide hacking/cracking information to anyone. So don't ask.