Slashdot Mirror
Yet Another Crack-This-Box Challenge
Sand_Man wrote to us with the latest public relations stunt
with crack-a-machine trials. This is a month long trial, pitting Linux vs. NT boxes against each other. Details are in the story, but does this whole thing strike everyone else as tired PR stunts now?
In case you didn't notice all the comments, it turned out to be user error by the /. admin posting the story (she posted it before she had finished editing it). /. is still in a "beta frame of mind", things happen. Bad things happening are often not the result of malice but rather of mistakes.
"You can never have too many elephants on your team."
Ok, which site is running Linux?
What better way to get a hacker profile database then offer a huge carrot to them to attack a system?
Next it'll be "Win $1,000,000 if you can assassinate [insert public official's name here]", Sponsored by Wal-Mart.
Seems the Linux app isn't filtering input very well. Whups. It is really funny if you look at it using IE - you get all sorts of popups.
I sent the following e-mail to the test manager at ZD:
I've read numerous comments on various Linux news sites suggesting this is an utterly meaningless test. As a consultant who has done some security work, I must say I do not agree that this test is completely valueless, but it most emphatically is not a test of the relative security of either operating system. This is much more a test of the quality of the firewall product and the completely different web applications running on each server.
Because the most common exploits revolve around poorly written web applications (vulnerable to buffer overruns and so forth), this quite simply is, while not valueless, a totally dishonest test.
You should be using the same web application on both machines, with full source code disclosed. Ideally, you would even be running the same web server with full source code (Apache? Although they really aren't the same code when compiled for the differing OSes).
As I said, I think the test might well be very interesting, but to cast it as a contest between NT and Linux is intellectually dishonest. No meaningful conclusions about OS selection can be made on the basis of this test.
"And guess what? It failed miserably."
It didn't fail miserably, it got DoS attacked to hell the first couple days it was up. That's not proving its security's bad. If you get a band of hackers DoSing ANY site it'll take it down.
same year! Coincidence? I think not!! :)
Read my sig if you like, but I'll never see yours, thanks to Discussions, Viewing, Disable sigs...
There is definately something fishy here. Both boxes are behind a firewall unidentified by nmap. Translation is that they have some kind of routing firewall to prevent certain ports from being attacked. What kind of contest is this if the ports that are "open" are sitting behind a firewall that won't allow anything more than a 3-way handshake? This is to show NT is secure. I have no doubt anymore. Someone is playing a foul game here.
/root]# nmap -sT -O securent.hackpcweek.com
/root]# nmap -sT -O securelinux.hackpcweek.com
[root@kevlar
Starting nmap V. 2.2-BETA4 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on securent.hackpcweek.com (208.184.64.171):
Port State Protocol Service
21 open tcp ftp
23 open tcp telnet
25 open tcp smtp
70 open tcp gopher
80 open tcp http
119 open tcp nntp
139 open tcp netbios-ssn
420 filtered tcp smpte
443 open tcp https
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
No OS matches for host (see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
TSeq(Class=TR)
T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T7(Resp=N)
PU(Resp=N)
[root@kevlar
Starting nmap V. 2.2-BETA4 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on securelinux.hackpcweek.com (208.184.64.170):
Port State Protocol Service
21 open tcp ftp
23 open tcp telnet
25 open tcp smtp
70 open tcp gopher
80 open tcp http
119 open tcp nntp
139 open tcp netbios-ssn
420 filtered tcp smpte
443 open tcp https
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
No OS matches for host (see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
TSeq(Class=TR)
T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T7(Resp=N)
PU(Resp=N)
Nmap run completed -- 1 IP address (1 host up) scanned in 24 seconds
This pretty much invalidates the whole thing for me. It is probably filtering everything but web traffic ( i would verify but the whole thing is so slow right now I can't deal.)
They say that if a machine isn't behind a firewall it doesn't have anything worth securing. While this may be true this has nothing to do with testing the security of the machine behind the firewall. The firewall is what you are testing at this point. I've pretty much discarded this whole thing. Anyone can close everything but port 80 and 443. What a joke.
"Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
The very quote you cite,
sounds to me like this is going to be result in "with our ultra-scientific testing results, we've determined that MS Windows NT is without a doubt more stable, reliable, user-friendly, and lower in total cost of ownership than Linux." I've seen it too many times before.
Also, when they mention several sites that have been recently hacked, such as ABCnews and the Drudge Report, they say that some were running NT and some were running linux, but Netcraft results indicate that they were all running some flavor of NT and IIS. Already the facts aren't completely straight.
Finally, it all comes down to how the boxes are administered. I don't know anything about the additional software they are putting on it for serving classified ads, but it could be wide open to hackers, especially if it runs as root (don't put it past them). Furthermore, Redhat is not the most secure linux distro out of the box. When Redhat makes a corporate sale with service packages, I'm sure they tweak the post-installation for security.
I just went to check it out. http://www.hackpcweek.com/ is already down, adding to the lameness of this contest...
"I can be self-referential if I want to," said Tom, swiftly.
> Details are in the story, but does this whole thing
> strike everyone else as tired PR stunts now?
Yes.
No
Yep, and the converse is true too. If Linux is hacked, then MS will say, "See, trust your servers with us." But if NT is hacked, they will say "The admins weren't competent".
It has been said already. Crack challenges prove squat. If one OS or the other gets cracked, it won't prove that either is more secure. It'll just prove that a one point in time, one script kiddie cracked one server. And nothing more.
Also, security depends more on how the server was configured then just the OS used. Mindcraft anyone? When I first saw this I thought, "Sure MS could pay PC Week to 'misconfigure' Linux". But back to the presumption that PC Week is independent and hasn't been paid by MS, how competant were the admins that configured these servers? Probably the MS admin was MCSE certified. Perhaps the Linux admin has taken the Red Hat certification, at minimun?
-Brent--
Starting nmap V. 2.3BETA5 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on securelinux.hackpcweek.com (208.184.64.170):
Port State Protocol Service
21 open tcp ftp
23 open tcp telnet
25 open tcp smtp
70 open tcp gopher
119 open tcp nntp
139 open tcp netbios-ssn
420 filtered tcp smpte
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
Remote operating system guess: AXCENT Raptor Firewall running on Windows NT 4.0/SP3
Nmap run completed -- 1 IP address (1 host up) scanned in 37 seconds
I wonder if similar IP's will get cracked as well this time.
But seriously, i think that these don't really help anybody very well. I'm mean what can they really tell us?
-- Moondog
I have a 386 sx/25 running DOS 6.22, clean install, if you crack it you get it... okay... now go for it!
Yeah! But this one lets you watch the logs.
Easy solution. Name one wrestler Linux, the other NT. Let them go at it on pay-per-view for $29.95. Hell, I'd pay.
Of course, that doesn't help if it's PC Week that /.'ed :-)
Good Luck!
-Brent--
Linux will win this round. You know most hackers who go there to break into the boxes are probably going to attack the NT box just to show Linux is more stable than NT.
I'm seeing:
Clear! Bzzzzt!
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
From the article: "Taschek also noted that, in recent weeks, the Nasdaq/Amex, the Drudge Report and ABC sites were all hacked in someway. Each of these three web sites runs either Windows NT with IIS or Linux as their front-line web servers. " From Netcraft: www.nasdaq.com www.nasdaq.com is running Microsoft-IIS/4.0 on NT4 or Windows 98 www.abc.com www.abc.com is running Microsoft-IIS/4.0 on NT4 or Windows 98 and finally (the worse yet!) www.drudgereport.com www.drudgereport.com is running Microsoft-IIS/5.0 on Windows NT5 beta We all know that both OSes are only as good as the person who administers them. This is an absolute joke. How much says Microsoft is sponsering this?
I mean, what's the point. I just read the Seattle P-I business section this morning where they regurgitate the Mindcraft study as if it were valid, with no negative comments, in an article on Java and Red Hat.
So, seriously, what's the point? PC Week is not unbiased, as any longtime reader knows, and it's pretty obvious that they'll just feature whatever positive spin they can make as to "why IIS and NT is a better choice for your average user who uses ASP" or some such comment.
I've got work to do.
Will in Seattle
It seems like hackpcweek.com is already down :) Slashdotted or hacked? I dunno...
--------
Oscarfish.com: tropical fish with attitude. Way t
I think the big question we need to ask at this stage; WHO benefits from this? Will the problems found be fixed and passed along for the gratification of the community. If the answer is no then this is definately a "Tired PR Stunt" ..
Being that this is a "hack" contest from a 3rd party, it will have more meaning. (in the real business world anyway). At the place I work (a Community College) they worship PC-Week
Good test.. says something for BOTH operating systems.
This will be interesting
This is just MS' ploy to find the hole in NT. They know that someone out there has an exploit for a serious security hole in NT, and they want it. I have no doubt that they are sponsoring it, and the bounty of $1000 is to get the people who have the exploit to use it on the machine. This would explain the firewall. Not only is there a firewall, but they're piping all information to another machine which logs the packets. Try a traceroute, you'll make it to the firewall, but not past it. However you can ping it and get a response. Whoever has the exploit, don't use it unless you feel like giving it up, because the second you use it on the machine, you'll be giving MS the precise location of the security hole.
*pop* Thanks for bringing me back to reality. I was really trying hard to be positive. But I know deep down inside that you are (probably) right.
And I thought Linux was strong in all those areas. But you are right. The test results don't depend on how the OS's themselves hold up, but more on the biases of the testor's.
Well, PC Week has said there will be a series of tests, so I guess the best thing to do would be to watch the tests carefully, and be sure to point out all the problems, the best we can.
-Brent--
This is ridiculous. It's not our job to find the security holes in OS's.
This is probably where you'll see the difference between programmers who love what they do (Open-Source) and programmers who live by a punch-clock (Microsoft).
May the better OS win!
unfortunately, it's much easier for millions of script kiddies to simply flood the connection and ruin it for everyone else.
Maybe this sort of thing should best be done on isolated networks, monitored by judges, like a sport.
Or maybe I'm just depressed because it's Monday.
"The number of suckers born each minute doubles every 18 months."
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
Before Hackpcweek went down (uh, I think it's down, my proxy comes back with a "could not be loaded" error in a split second...) I had a look at their log page. Apparently they log all attacks on the NT box, linux box, and the main web server for the trial. The attack split was something like 15% against NT, 10 % against linux, and 75% against the main web server. And now it's down. Go figure.
;)
/. Therefore, if the bad thing happened becuase of their setup (*cough*apachetest*cough*), so many people will complain that will hopefully be forced to fix the problem (see #1). Like this whole firewall arguement thats brewing.
I must say I like the test so far:
1) they're doing it over a month so they should be able to modify the test as it goes on.
2) they allow everyone to see the process of what's going on.
3) I have no knowledge of system security whatsoever. PR stunt aside, I think that this test will be very informative for myself, and others like me who are looking to learn about how this type of thing goes down. Not everything is contained in man and info pages.
As to #2: Therefore, if something bad happens to one of the servers, it'll get put up on
Sig:
Barbeque is a noun. Not a verb.
... rather than the intrinsic vulnerabilities of the systems. A strong system can be badly configured.
This is interesting, but does ZD really have the Linux expertise to configure the RH box properly? Or is this going to be another thinly disguised Microsoft PR stunt like the Mindcraft benchmarks?
That's real, honest-to-God, cutthroat competition.
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Are these boxes dead already? I can't get a connection and my pings all time out, we're talking 100% packet loss. The contest has started, so I don't know what the excuse is. Probably the same as Microsoft's for their windows2000test machine: the router or the ISP. But Linux is on one of them so there must have been a catostrophic fire or flood perhaps...
It's not a tired PR stunt...we've never really had closure on this one. None of the previous hack-in-the-box contests were "won" officially, so I hope this one plays fully out.
Dan
Somehow, though, I suspect people will put a lot more energy into cracking NT than cracking Linux. So Microsoft won't be using this "benchmark" as FUD. Good, cause that would have been annoying.
"There is no surer way to ruin a good discussion than to contaminate it with the facts."
At least if the machines are on the same network, "router failure due to inclement weather" should at least affect both machines equally.
it strikes me as a little ridiculous that people think that this is a real good metric by which one can judge the security of an operating system. I would guess (and I could be wrong) that the only people who are really going to attempt to break into these machines are the script kids; experienced, skilled hackers would probably steer clear of breaking into a site which was set up for the express purpose of attracting attacks.
if I had some exploit that was useful against these machines, and I knew that the only purpose of these machines even being there was to find out how they can be compromised, I would never, ever use my attack on them. besides, whats the prize? several hundred bucks worth of gift certificates? and instant notoriety? thanks, but no thanks.
Why play into M$'s hands by helping them debug W2K? Save our best cracks for the real release. Of course, only on servers that challenge us to do so ;)
Religion is the opium of the people. Evolution is the opium of scientists.
... then stop sending stories about them to Slashdot.
Yeah, they are tired PR vehicles. And there was a great essay from an earlier "crack this machine" Slashdot thread talking about why such stunts could actually harm a company's reputation (maybe someone can find it?)
Jay (=
it strikes me as a little ridiculous that people think that this is a real good metric by which one can judge the security of an operating system. I would guess (and I could be wrong) that the only people who are really going to attempt to break into these machines are the script kids; experienced, skilled hackers would probably steer clear of breaking into a site which was set up for the express purpose of attracting attacks.
if I had some exploit that was useful against these machines, and I knew that the only purpose of these machines even being there was to find out how they can be compromised, I would never, ever use my attack on them. besides, whats the prize? several hundred bucks worth of gift certificates? and instant notoriety? thanks, but no thanks.
I've never tried. Maybe this would be
a learning experience for me, and not
tick anybody off doing it.
Or are they watching who tries?
Goods Points..but perhaps it is already working. Suppose you were charged with fielding a machine in a national ( international ? ) contest such as this?...the biggest problem so far seems to be keeping ANY machine up and running under an onslaught of attention..regardless of the stated purpose or OS. So what's a hot administrator to do to prove his worth? Maybe he bets another guy he can keep his box going longer than any body else can. The Web itself won't be robust until MOST servers can withstand this type of scrunity and traffic. BTW..If you are paranoid about masking your identity on a box you can't get busted for..get another trade.
The techs shorted out the IIS server by walking on the carpeting in a scuffing kind of way. This knocked out the server.
After all, noone needs a UPS, do they?
Will in Seattle
Geez. Don't people get tired of having these tests last only a few minutes before something goes wrong.
The main site www.hackpcweek.com isn't responding.
the site seems to be down :(
Now that the site is back up, I thought I would poke around the website and see some info on the hardware and what not..I came across this on each OS.
;)
about Redhat:
We used the latest distribution from Redhat, along with Apache. Much thanks
to the open source community for help in securing the server.
okay..sounds cool. I'm curious as to WHO helped out.
about Microsoft:
Microsoft pitched in by modifying their guestbook application to a classified ad
application. They also helped with the myriad configurations of Nt,
IIS,SQLServer, and MTS.
Look who decided to get thier hands into things. Not only did they "help" by rewriting the guestbook app, but they also did mods to NT,IIS,SQL server and Transaction Server.
-- Like many have said earlier, It's not going to look good for linux. I could be wrong, but I was only wrong once and that was becasue I *THOUGHT* i was wrong
I mentioned before the use of the firewall throws out all the real world usage issues for me. This is a test of raptor if anything.
On a funny note, notice that they were able to get MS to help with the detailed tweeking. I wonder If I could get them to do that for OUR IIS server? heheheh
"Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
Hmm.....maybe we could use the /. effect as a DoS attack???
All I get is connection refused :-)
hmm.....this maybe everybody trying to crack the NT box, but, my portscanner ran about 1/3 faster on the Linux box.
Also - the Netcraft results for securelinux.hackpcweek.com are:
securelinux.hackpcweek.com is running Apache/1.3.6 (Unix) (Red Hat/Linux) on NT3 or Windows 95
Anybody see anything wrong?
That's my 1/50 of $1.00 US
JM
--Justin Mitchell
"2nd Place is a fancy word for losing" --Bender (Futurama)
Has anyone else noticed that the nt posting form thinks you are comming from 10.0.0.1 or somthing like that and will only let you(everyone) post 5 messages in 24 hours?
Could this could be a loop hole for MS to say NT wasn't properly configured?
Could it be a problem with the firewall?
Could PC Week be trying to screw us?
Could I just be paranoid?
Dr_Funk
------- Assumption is the mother of all f$#@ ups.
Not just Linus and Alan. The entire Linux community. We are open-source after all.
I wanna see the server configs... there might be something a lil fishy there.
First Post?
The server is already refusing connections. That sure didn't take very long. The article does not mention which platform the main webpage would be using.
John Taschek from PCWeek says that the reason they're doing this is for an article on web server security.
"We don't care which operating system (if any) is broken into first. We want to establish the basis for a story on the best practices for implementing security. Additionally, PC Week wants to open up our test labs to the community for these kinds of tests."
The problem with that statement is the "test" will end when the first box is broken into. If they wanted to do an article on the "best practices for implimenting security, wouldn't they fix the security leak and keep the test up?
It isn't stated whether the systems have been hardened or are just standard installs, but it'd be bunk if the NT system had all the latest service packs and the Linux box was a straight install of RedHat 6.0 with everything enabled and wide open.
Hmm... I dont know what they are running their website on but, it has already gone down for one reason or another. If you ask me it's just like everything else. I do something really great, make alot of money, and draw alot of attention to myself, and someone turns around a month later and does the same thing. It's outrageous. I feel as though I have returned to third grade on recess yelling, "Copy Cat, Copy Cat, Copy Cat!" Pete
What's a sig? Pete Brubaker
That's basically all it can be.
There's no way you can actually prove anything simply by saying "Yeah, well, I had my NT box online, asked people to crack it, and no one managed to. Yet, BillyJoeBob's Linux box got cracked! So ha!"
First off, you have to monitor how many break in attempts there are. There could easily be double on the NT box because more anti-NT people heard about it than anti-Linux people.
Second, you have no idea if the people trying to crack into the boxes are of equal skill level.
Third, Linux is *way* too customizable. Sure, you could claim to install it with default settings and such, but that's not really proving anything, since that would just make the distribution's default settings at fault if somone cracks in, not Linux.
I have a feeling that we'll be seeing more of these as time goes on.
Julian
--
Every time they use the word "Linux" in the article, it's highlighted in red. That's pretty shameless, really, since there appears to be no other reason for this (it's not a link) than "Hey, we used the word 'Linux'!"
Linus vs. Bill
you seem to think that that's a lot.
Get a clue, 8 is more than enough. The LinuxPPC crack server (which since has been taken down) only had two ports open.
i agree fully. moderators, do your job!
This just in!!!! Major motherboard and BIOS manufacturers are now holding a crack this bios password competition!!! The winner gets $1000 and a job redesigning the BIOS password code.
We keep hearing that the reason why good hackers/crackers practice their trade is to expose vulnerabilities. If that's true, I expect them to take up the challenge. Personally, I believe that all the talk about how good crackers have good intentions is really BS, and I don't expect to see any unconventional attempts in these contests.
I am sick of all this. I am just going to find out where these damn servers are and break into the server room (physically with a crowbar), and crack the computers (physically with a crowbar), then when I go to claim my prize I will crack the people who thought they should get on the bandwagon by doing thier own competition (physically with a crowbar).
This is dumb! They have the boxen on the other side of a firewall. And did I read right? The $1000 isnt in CASH? Maybe they will give the winner $1K in MS software. They must be loggin all the packets. So be sure to use your best tricks so MS can learn them!
They say right on the website that MS fixed some parts of NT...so they arnt even running a NT install that you or I could buy. Next week they will put the Linux box outside the f/w and put a username and root password in the issue.net. Screw them.
I have to return some videotapes...
If you look at it, you'll see that there are about 6-7 IPs that all seem to answer on the same ports. If you look a little more closely, you see that error messages are returned by the FIREWALL, not the OS. What we've got here is a firewall that is proxying certain ports - but that doesn't mean that all those ports are really listening on the machine that is behind the firewall.
the site is Microsoft.com
What happened to predictions that windows2000test would be cracked in minutes? 8 open ports and no successful attempts? Last reboot almost a month ago? C'mon people!
If http://securelinux.hackpcweek.com is really linux, why is it coming up as nt3 or 95 box on http://www.netcraft.com/whats? Strange... Even if the "linux box" is really 95, the NT will get cracked more, just because more capable people hate Microsoft.
If you, yes you, hack www.fbi.gov and put up porn, instructions for building nuclear weapons, and your actual home address, you will win the following:
Free housing for 10-30 years!
Free "food" for 10-30 years!
Free sex for 10-30 years!
Free training in a useful trade!
Who can resist!
Do we trust them to know how to set up a machine? Linux or Windows, thier lab people seem kind of out of it.
This is whats wrong with the open source community -- we have the attention span of a, um, something with a short attention span.
What if cryptographers got bored with peer review of algorithms? What if bio companies were accused of a PR stunt when they decide to leave their new formula in testing for a few more months?
We can laugh all we want about lighning storms (which may or may not have brought W2k down, it doesn't matter), but until random anomalies such as that can be rendered statistically insignificant (only through a long-term, public, peer reviewed cracking project) can the results be considered meaningful.
This and the other "contests" are just attempts by the FBI to catch one of the ULG or other groups in the act.
Do really dense people warp space more than others?
But why is there no 'Contact us' button the slashdot front page? I was going to complain about all of the comments suddenly disappearing...
And speaking of which, why are all of the articles knocked down to 50 or less comments now?
Kintanon
Check out their Why We're Doing this page.
It's nice to see tests from high visiblity labs focusing more important things then whether a "car" can do 350 miles an hour, or 195 miles an hours, when the speed limit only lets the "car" go 85 mph.Sure, the PHB's might be awed by a server the can pump out static data 4 times faster then the bandwidth of a T1, but there are more important details to look at.
When I look at buying a new car, I do more then just check how high the speedometer goes. Handling, braking, comfort, a great stereo system. Top speed in a car, unless you a racing, is largely insignificant when deciding on a car. A company that relies on the top speed of a car to selling it, will find that they have a niche market.
Microsoft relies on "optimising" it's servers to be fast on high end hardware. This is impressive to PHB's, but lacks the real important details needed in servers in production. It won't be long until the PHB's learn that speed isn't the most important thing in a server and they'll have knowledgable admins put servers in production that have real "features".
Or maybe I'm just giving PHB's too much credit. Maybe they'll never learn. But it sounds like PC Week, at least has gotten the idea. Good for them
-Brent--
Any chance this could be a trap? Y'know, like
the police department that sends out sweepstakes
winnings announcements, waits for the criminals
to show, and nabs 'em? Perhaps the FBI is in
cahoots and this is an attempt to get those
guys from Unified Lone Cowboys (or whatever
the heck they're called). The money's the
attraction... and since they know they're comin',
they can have all the traces set up. And they
could gather evidence by examining the cracking
techniques used.
Naahhh. Stupid thought.
Honestly, security is a nice issue and all, but there are so many other areas that both operating systems need improvement in. Security is such a function of administration that these contests show very little of the capabilities of the operating system. Try combining them with other aspects, like setup, administration, use, and scalability, and then your contest will really say something about the operating system.
Most of the naysayers here claim that this won't work because the the REAL crackers wouldn't touch it for fear of giving up their fav. exploit(s). A cracking contest could work if a credible source put up a contest with the explicit promise (& proof) that they wouldn't log traffic (& thus can't reveal exploits).. they'd simply reboot/reinstall when needed & only keep stats on uptime.
Nah, RMS and ESR are the guys we want for AI. They're ye olde Lisp hackers.
The webpage says cash but the rules say
"To win the 1000 gift certificate you must mark up the home page or steal a file called top secret."
hmmm....
I have to return some videotapes...
First telnetting into port 80 on both secure{nt,linux}.hackpcweek.com shows they're running identical server software. Then I try telnetting into the SMTP port and at both IPs I get "421 stopper.hackpcweek.com is not accepting new connections. Please try later". (Emphasis added).
What an effing waste of time. I think only thing this "challenge" will prove is that nobody bothered.
-- Alastair
Looks like they killed their ISP...
traceroute to securent.hackpcweek.com (208.184.64.171), 30 hops max, 40 byte packets
1 [withheld] 18.383 ms 1.090 ms 0.842 ms
2 [withheld] 10.705 ms 3.111 ms 3.039 ms
3 [withheld] 13.116 ms 5.237 ms 5.465 ms
4 rc8.nw.us.psi.net (38.1.43.8) 12.129 ms 7.368 ms 8.847 ms
5 rc1.nw.us.psi.net (38.1.23.193) 11.181 ms 6.788 ms 6.599 ms
6 leaf.net228.psi.net (38.1.10.7) 38.860 ms 10.135 ms 10.055 ms
7 pb-nap.above.net (198.32.128.48) 94.023 ms 91.703 ms 96.266 ms
8 core5-core2-oc3.sjc.above.net (216.200.0.118) 96.669 ms 95.239 ms 97.366 ms
9 core1-core5-oc48.sjc2.above.net (216.200.0.178) 109.096 ms 90.146 ms 96.762 ms
10 * * *
11 * * *
Re: "Man didn't really land on the moon...NASA programmers simply produced a simulation on a Un*x system."
.sig, but of course you know the first couple of landings pre-date Unix.
Cute
-- Alastair
I don't mean to belittle your effort, but if you check the front page of www.hackpcweek.com, you will find they prominately list AboveNet as their host ISP for this test. :-)
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
Maybe its just me here, or maybe not. But an nmap scan of all ports literally returned almost every port open. Now, not even redhat ships with that many daemons running by default, so its either the firewall (got my vote) or they went out of their way to make each box more insecure.
If it is, in fact, the firewall at fault here, what is the point of having such an event, is the whole contest not pointless here? Wouldn't one have to be able to bypass this firewall first, making it a crack this firewall, and THEN crack this box contest? How do these results verify one OS more secure than the other. More importantly, how do ANY of these tests check up on OS security, since buffer overflows occur across almost all os's, and in fact its usually daemons that are exploited.
-mike
--- Stampede linux for me! I play with fire to break the ice..
It hardly stops there.
The "Site Diary" link at the top of the page is broken.
The "We'll be updating..." (/schedule) link on the front page is also broken.
The "Home Office-Online" link in the sidebar under "Equipment Used" gives you the write-up for the H/P server.
The "IIS on NT vs. Apache on Linux..." (/backgrounder.html) link has bogus characters in it (a target for the "Demoroniser" Perl script).
This is supposed to make us believe the server admins know what they are doing? Please. Why not just have some high school students setup the site? I have a feeling that would be about as valid.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
the fact that we can read the logs is pritty cool
And where can we read said logs?
No Text
---
END OF LINE
But just because a system hasn't been cracked, doesn't guarantee it is secure.
In fact, if I were a malicious cracker, and found a hole in the security of either of these systems, I wouldn't tell a soul how I did it. I'd keep the knowledge to myself, and wait for some juicy targets running (insert least favorite OS here). Say, the next potential amazon.com.
this is supposed to be a contest between NT/IIS and Linux/Apache, right? but there is only one domain (www.hackpcweek.com). if they are allowing both servers to serve the same site (if that's in fact possible) how do they have two servers running the same site and how do would-be hackers differentiate between hacking the NT box and the linux box. i am thouroughly confused.
It's obvious that the administration of servers has a major impact on their security. I wonder if the NT admins at pc-week are equally skilled as the Linux admins, or vice versa. It was shown before that difference in skill can give hard to swallow results. (mindcraft anyone?)
it can tell us a lot and help us
.ed , we are strong and will over come any thing.
mainly it is pr , and free pr is good some times as long as us the ppl in the community have a say and can set the records strait now and then and not let linux promise something it cant deliver (at the moment) . but this kinda tries when done right can get the message out that yes linux is a great os and an oss . to dispell myths that certian oses are the only way to go . mainly there is going to have to be some ethical discustions set down
the fact that we can read the logs is pritty cool if it isnt always / and
free speach as long as you dont lie is the way to go. lets back up our arguments
Wonder if it's because /. effect, DoS attacks or both.
http://www.netcraft.com/whats/?host=www.hackpcweek .com
Shows.
www.hackpcweek.com is running Microsoft-IIS/4.0 on NT3 or Windows 95
NT3 or Windows 95????
Come on, i think the idea is getting old. I mean, basically, its been done already. The origional concept with micro$oft and LinuxPPC was a good concept, but now its just copycats.
Dan Noe http://resonator.physics.sunysb.edu/dan/
In this article, John Taschek implies that one of the recently cracked sites was running Linux. For those who are interested, there is a running debate about this article on Linux Today in which Mr. Taschek has been participating. The article is at
http://linuxtoday.com/talkback/38904.html
In the discussion, I challenged him to defend his position about why he implied that Linux had been cracked. He responded by saying that Matt Drudge's main page (www.drudge.com) runs Linux. Of course, the page that was cracked was www.drudgereport.com which runs IIS on NT.
In short, John Taschek is a liar who has no credibility WRT Linux, and the purpose of this test, it is clear, is to either damage Linux's reputation or try to repair NT's.
Of course, I think we all knew that already!
Aaron
Im basically on a punchclock. But I dont work for mickysoft. Brad
you might attract the most highly proficient hacker such as the kiddie on MTV. he didnt mind telling the world what an amazing hacker he was. by the way, that was sarcasm brad
Hey, what's wrong with flooding servers? Oh, you mean in real life they have a firewall that filters packets?? Ohhh..... Since was c++ a scripting language??
Since they have a firewall with ACLS on all ports except 80 I think we are testing a firewall instead.
Microsoft aggravates my tourettes syndrome.
By my estimates, this means you have to access by 5:00am to test this route for hacking in. The Linux server was correctly configured to allow more posting access and to time-out ads based on user-selected options.
D. Keith Higgs
CWRU. Kelvin Smith Library
My office has been taken over by iPod people.
Jimmy Hart in the Bill Gates costum. I would pay for that. -AC's rule the world
I want to see Linus and Alan get together and write an AI for Linux, which will do battle with a Microsoft-written AI for Windows. Put them on their own private subnet, and see which AI cracks the other one first (and cracking the other's monitor with a robotic hammer doesn't count)
Juiced? Or Not?
This test will prove nothing. If the NT box is cracked/hacked/took down everyone on /. will say. Microsoft sucks, NT sucks, it got cracked etc. etc. If the linux Machine is hacked someone will cry that whoever did whatever did not tighten the security enough.. Either way it proves nothing.. So whats it matter.. What a silly contest
The impression I got from Garfinkel and Spafford's fairly-accessible book "Practical Unix and Internet Security, 2e" (O'Reilly) was that, even if everything else in the book went completely over your head, you should at least understand that crack-this-box contests don't prove @!$%#$.
So why bother with them?
Breakfast served all day!
AND a visit from a large group of FBI and NSA agents with really big guns...
you seem to think that that's a lot.