Yet Another Crack-This-Box Challenge
Sand_Man wrote to us with the latest public relations stunt with crack-a-machine trials. This is a month-long trial, pitting Linux vs. NT boxes against each other. Details are in the story, but does this whole thing strike everyone else as tired PR stunts now?
I sent the following e-mail to the test manager at ZD:
I've read numerous comments on various Linux news sites suggesting this is an utterly meaningless test. As a consultant who has done some security work, I must say I do not agree that this test is completely valueless, but it most emphatically is not a test of the relative security of either operating system. This is much more a test of the quality of the firewall product and the completely different web applications running on each server.
Because the most common exploits revolve around poorly written web applications (vulnerable to buffer overruns and so forth), this quite simply is, while not valueless, a totally dishonest test.
You should be using the same web application on both machines, with full source code disclosed. Ideally, you would even be running the same web server with full source code (Apache? Although they really aren't the same code when compiled for the differing OSes).
As I said, I think the test might well be very interesting, but to cast it as a contest between NT and Linux is intellectually dishonest. No meaningful conclusions about OS selection can be made on the basis of this test.
There is definitely something fishy here. Both boxes are behind a firewall unidentified by nmap. Translation is that they have some kind of routing firewall to prevent certain ports from being attacked. What kind of contest is this if the ports that are "open" are sitting behind a firewall that won't allow anything more than a 3-way handshake? This is to show NT is secure. I have no doubt anymore. Someone is playing a foul game here.
[root@kevlar /root]# nmap -sT -O securent.hackpcweek.com
Starting nmap V. 2.2-BETA4 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on securent.hackpcweek.com (208.184.64.171):
Port    State     Protocol  Service
21      open      tcp       ftp
23      open      tcp       telnet
25      open      tcp       smtp
70      open      tcp       gopher
80      open      tcp       http
119     open      tcp       nntp
139     open      tcp       netbios-ssn
420     filtered  tcp       smpte
443     open      tcp       https
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
No OS matches for host (see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
TSeq(Class=TR)
T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T7(Resp=N)
PU(Resp=N)

[root@kevlar /root]# nmap -sT -O securelinux.hackpcweek.com
Starting nmap V. 2.2-BETA4 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on securelinux.hackpcweek.com (208.184.64.170):
Port    State     Protocol  Service
21      open      tcp       ftp
23      open      tcp       telnet
25      open      tcp       smtp
70      open      tcp       gopher
80      open      tcp       http
119     open      tcp       nntp
139     open      tcp       netbios-ssn
420     filtered  tcp       smpte
443     open      tcp       https
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
No OS matches for host (see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
TSeq(Class=TR)
T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T7(Resp=N)
PU(Resp=N)
Nmap run completed -- 1 IP address (1 host up) scanned in 24 seconds
This pretty much invalidates the whole thing for me. It is probably filtering everything but web traffic (I would verify, but the whole thing is so slow right now I can't deal).
They say that if a machine isn't behind a firewall it doesn't have anything worth securing. While this may be true, this has nothing to do with testing the security of the machine behind the firewall. The firewall is what you are testing at this point. I've pretty much discarded this whole thing. Anyone can close everything but ports 80 and 443. What a joke.
"Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
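The tell in the two scans above is that the "NT" and "Linux" hosts return byte-for-byte identical TCP/IP fingerprints and port tables, which is what a single filtering device answering on their behalf looks like. The following is an added example, not code from the post or from PC Week: it parses nmap 2.x-style text reports into port states and fingerprint probe lines and lists the indicators that point at an intermediary, using constructed, abbreviated copies of the reports quoted above as input.

```python
import re

# Constructed sample: abbreviated copies of the two nmap 2.2 reports quoted in the post.
NT_SCAN = """Interesting ports on securent.hackpcweek.com (208.184.64.171):
Port State Protocol Service
21 open tcp ftp
80 open tcp http
420 filtered tcp smpte
443 open tcp https
TCP/IP fingerprint:
TSeq(Class=TR)
T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T2(Resp=N)
"""
# The Linux report in the post differs only in host name and address.
LINUX_SCAN = NT_SCAN.replace("securent.hackpcweek.com (208.184.64.171)",
                             "securelinux.hackpcweek.com (208.184.64.170)")


def parse_nmap(report):
    """Parse an nmap 2.x text report into host, port->state map and fingerprint probes."""
    host = re.search(r"Interesting ports on (\S+) \(([\d.]+)\)", report)
    ports, fingerprint = {}, []
    for line in report.splitlines():
        port = re.match(r"(\d+) (\w+) (\w+) (\S+)", line)   # "21 open tcp ftp"
        if port:
            ports[int(port.group(1))] = port.group(2)
        elif re.match(r"(TSeq|T\d|PU)\(", line):           # "T1(Resp=Y%DF=Y...)"
            fingerprint.append(line.strip())
    return {"host": host.group(1), "ip": host.group(2),
            "ports": ports, "fingerprint": tuple(fingerprint)}


def intermediary_indicators(scan_a, scan_b):
    """Reasons why two hosts that claim different OSes look like one device in front of them."""
    a, b = parse_nmap(scan_a), parse_nmap(scan_b)
    reasons = []
    if a["fingerprint"] == b["fingerprint"]:
        reasons.append("identical TCP/IP fingerprint on both hosts")
    if a["ports"] == b["ports"]:
        reasons.append("identical port/state table on both hosts")
    for scan in (a, b):
        filtered = sorted(p for p, state in scan["ports"].items() if state == "filtered")
        if filtered:
            reasons.append(f"{scan['host']}: filtered ports {filtered} imply a packet filter")
    return reasons


if __name__ == "__main__":
    for reason in intermediary_indicators(NT_SCAN, LINUX_SCAN):
        print(reason)
```

The same comparison is useful from the other side: an administrator who expects a firewall to mask the stack behind it can run it against scans of two protected hosts to confirm the fingerprints are no longer distinguishable.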
The very quote you cite,
sounds to me like this is going to result in "with our ultra-scientific testing results, we've determined that MS Windows NT is without a doubt more stable, reliable, user-friendly, and lower in total cost of ownership than Linux." I've seen it too many times before.
Also, when they mention several sites that have been recently hacked, such as ABCnews and the Drudge Report, they say that some were running NT and some were running Linux, but Netcraft results indicate that they were all running some flavor of NT and IIS. Already the facts aren't completely straight.
Finally, it all comes down to how the boxes are administered. I don't know anything about the additional software they are putting on it for serving classified ads, but it could be wide open to hackers, especially if it runs as root (don't put it past them). Furthermore, Red Hat is not the most secure Linux distro out of the box. When Red Hat makes a corporate sale with service packages, I'm sure they tweak the post-installation for security.
Yep, and the converse is true too. If Linux is hacked, then MS will say, "See, trust your servers with us." But if NT is hacked, they will say "The admins weren't competent".
It has been said already. Crack challenges prove squat. If one OS or the other gets cracked, it won't prove that either is more secure. It'll just prove that at one point in time, one script kiddie cracked one server. And nothing more.
Also, security depends more on how the server was configured than just the OS used. Mindcraft anyone? When I first saw this I thought, "Sure MS could pay PC Week to 'misconfigure' Linux". But back to the presumption that PC Week is independent and hasn't been paid by MS, how competent were the admins that configured these servers? Probably the MS admin was MCSE certified. Perhaps the Linux admin has taken the Red Hat certification, at minimum?
-Brent--
Of course, that doesn't help if it's PC Week that /.'ed :-)
Good Luck!
-Brent--
Linux will win this round. You know most hackers who go there to break into the boxes are probably going to attack the NT box just to show Linux is more stable than NT.
From the article: "Taschek also noted that, in recent weeks, the Nasdaq/Amex, the Drudge Report and ABC sites were all hacked in someway. Each of these three web sites runs either Windows NT with IIS or Linux as their front-line web servers."
From Netcraft:
www.nasdaq.com is running Microsoft-IIS/4.0 on NT4 or Windows 98
www.abc.com is running Microsoft-IIS/4.0 on NT4 or Windows 98
and finally (the worst yet!)
www.drudgereport.com is running Microsoft-IIS/5.0 on Windows NT5 beta
We all know that both OSes are only as good as the person who administers them. This is an absolute joke. How much says Microsoft is sponsoring this?
I mean, what's the point. I just read the Seattle P-I business section this morning where they regurgitate the Mindcraft study as if it were valid, with no negative comments, in an article on Java and Red Hat.
So, seriously, what's the point? PC Week is not unbiased, as any longtime reader knows, and it's pretty obvious that they'll just feature whatever positive spin they can make as to "why IIS and NT is a better choice for your average user who uses ASP" or some such comment.
I've got work to do.
Will in Seattle
This is just MS' ploy to find the hole in NT. They know that someone out there has an exploit for a serious security hole in NT, and they want it. I have no doubt that they are sponsoring it, and the bounty of $1000 is to get the people who have the exploit to use it on the machine. This would explain the firewall. Not only is there a firewall, but they're piping all information to another machine which logs the packets. Try a traceroute, you'll make it to the firewall, but not past it. However you can ping it and get a response. Whoever has the exploit, don't use it unless you feel like giving it up, because the second you use it on the machine, you'll be giving MS the precise location of the security hole.
That's real, honest-to-God, cutthroat competition.
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
It strikes me as a little ridiculous that people think that this is a real good metric by which one can judge the security of an operating system. I would guess (and I could be wrong) that the only people who are really going to attempt to break into these machines are the script kids; experienced, skilled hackers would probably steer clear of breaking into a site which was set up for the express purpose of attracting attacks.
If I had some exploit that was useful against these machines, and I knew that the only purpose of these machines even being there was to find out how they can be compromised, I would never, ever use my attack on them. Besides, what's the prize? Several hundred bucks worth of gift certificates? And instant notoriety? Thanks, but no thanks.
If you, yes you, hack www.fbi.gov and put up porn, instructions for building nuclear weapons, and your actual home address, you will win the following:
Free housing for 10-30 years!
Free "food" for 10-30 years!
Free sex for 10-30 years!
Free training in a useful trade!
Who can resist!
Check out their Why We're Doing this page.
It's nice to see tests from high-visibility labs focusing on more important things than whether a "car" can do 350 miles an hour, or 195 miles an hour, when the speed limit only lets the "car" go 85 mph. Sure, the PHBs might be awed by a server that can pump out static data 4 times faster than the bandwidth of a T1, but there are more important details to look at.
When I look at buying a new car, I do more than just check how high the speedometer goes. Handling, braking, comfort, a great stereo system. Top speed in a car, unless you are racing, is largely insignificant when deciding on a car. A company that relies on the top speed of a car to sell it will find that they have a niche market.
Microsoft relies on "optimising" its servers to be fast on high-end hardware. This is impressive to PHBs, but lacks the really important details needed in servers in production. It won't be long until the PHBs learn that speed isn't the most important thing in a server and they'll have knowledgeable admins put servers in production that have real "features".
Or maybe I'm just giving PHBs too much credit. Maybe they'll never learn. But it sounds like PC Week, at least, has gotten the idea. Good for them.
-Brent--
Honestly, security is a nice issue and all, but there are so many other areas that both operating systems need improvement in. Security is such a function of administration that these contests show very little of the capabilities of the operating system. Try combining them with other aspects, like setup, administration, use, and scalability, and then your contest will really say something about the operating system.
Maybe it's just me here, or maybe not. But an nmap scan of all ports literally returned almost every port open. Now, not even Red Hat ships with that many daemons running by default, so it's either the firewall (got my vote) or they went out of their way to make each box more insecure.
If it is, in fact, the firewall at fault here, what is the point of having such an event? Is the whole contest not pointless here? Wouldn't one have to be able to bypass this firewall first, making it a crack-this-firewall, and THEN crack-this-box contest? How do these results verify one OS more secure than the other? More importantly, how do ANY of these tests check up on OS security, since buffer overflows occur across almost all OSes, and in fact it's usually daemons that are exploited.
-mike
--- Stampede linux for me! I play with fire to break the ice..
It hardly stops there.
The "Site Diary" link at the top of the page is broken.
The "We'll be updating..." (/schedule) link on the front page is also broken.
The "Home Office-Online" link in the sidebar under "Equipment Used" gives you the write-up for the H/P server.
The "IIS on NT vs. Apache on Linux..." (/backgrounder.html) link has bogus characters in it (a target for the "Demoroniser" Perl script).
This is supposed to make us believe the server admins know what they are doing? Please. Why not just have some high school students set up the site? I have a feeling that would be about as valid.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
It's obvious that the administration of servers has a major impact on their security. I wonder if the NT admins at PC Week are equally skilled as the Linux admins, or vice versa. It was shown before that a difference in skill can give hard-to-swallow results. (Mindcraft anyone?)
Good grief! We've got real issues to work with other than spending the next three months playing with Microsoft's beta OS.
When Microsoft announced the challenge we did our duty and "checked out" the server. And guess what? It failed miserably. Having proved that we went back to playing with our toys.
Perhaps if MS wants any more testing they can go out and pay a real security company to test their OS. We're just tired of knocking their poor server down, enough is enough.
It's run for a month without a reboot? If so, good for them. Goes to show that MS can develop a server that runs great - when no one uses it.
-Brent--
Well, a telnet to port 80 says it's Linux:
>$ telnet securelinux.hackpcweek.com
>Trying 208.184.64.170...
>Connected to securelinux.hackpcweek.com.
>Escape character is '^]'.
>HTTP/1.1 200 OK
>Date: Mon, 20 Sep 1999 18:39:01 GMT
>Server: Apache/1.3.6 (Unix) (Red Hat/Linux)
But even stranger... queso reports it as neither!
>$ queso securelinux.hackpcweek.com
>208.184.64.170:80 * HP/JETdirect Printer (old model)
So this begs the question... are they running behind some kind of firewall/load balancing proxy?