Yet Another Crack-This-Box Challenge

Sand_Man wrote to us with the latest public relations stunt with crack-a-machine trials. This is a month long trial, pitting Linux vs. NT boxes against each other. Details are in the story, but does this whole thing strike everyone else as tired PR stunts now?

Something Fishy

[kevlar]

There is definately something fishy here. Both boxes are behind a firewall unidentified by nmap. Translation is that they have some kind of routing firewall to prevent certain ports from being attacked. What kind of contest is this if the ports that are "open" are sitting behind a firewall that won't allow anything more than a 3-way handshake? This is to show NT is secure. I have no doubt anymore. Someone is playing a foul game here.


[root@kevlar /root]# nmap -sT -O securent.hackpcweek.com

Starting nmap V. 2.2-BETA4 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on securent.hackpcweek.com (208.184.64.171):
Port State Protocol Service
21 open tcp ftp
23 open tcp telnet
25 open tcp smtp
70 open tcp gopher
80 open tcp http
119 open tcp nntp
139 open tcp netbios-ssn
420 filtered tcp smpte
443 open tcp https

TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
No OS matches for host (see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
TSeq(Class=TR)
T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T7(Resp=N)
PU(Resp=N)

[root@kevlar /root]# nmap -sT -O securelinux.hackpcweek.com

Starting nmap V. 2.2-BETA4 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on securelinux.hackpcweek.com (208.184.64.170):
Port State Protocol Service
21 open tcp ftp
23 open tcp telnet
25 open tcp smtp
70 open tcp gopher
80 open tcp http
119 open tcp nntp
139 open tcp netbios-ssn
420 filtered tcp smpte
443 open tcp https

TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
No OS matches for host (see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
TSeq(Class=TR)
T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T7(Resp=N)
PU(Resp=N)


Nmap run completed -- 1 IP address (1 host up) scanned in 24 seconds

Re:Proves Nothing

[bmetzler]

This test will prove nothing. If the NT box is cracked/hacked/took down everyone on /. will say. Microsoft sucks, NT sucks, it got cracked etc. etc. If the linux Machine is hacked someone will cry that whoever did whatever did not tighten the security enough.. Either way it proves nothing.. So whats it matter.. What a silly contest

Yep, and the converse is true too. If Linux is hacked, then MS will say, "See, trust your servers with us." But if NT is hacked, they will say "The admins weren't competent".

It has been said already. Crack challenges prove squat. If one OS or the other gets cracked, it won't prove that either is more secure. It'll just prove that a one point in time, one script kiddie cracked one server. And nothing more.

Also, security depends more on how the server was configured then just the OS used. Mindcraft anyone? When I first saw this I thought, "Sure MS could pay PC Week to 'misconfigure' Linux". But back to the presumption that PC Week is independent and hasn't been paid by MS, how competant were the admins that configured these servers? Probably the MS admin was MCSE certified. Perhaps the Linux admin has taken the Red Hat certification, at minimun?

-Brent
--

Errors in the Article!

From the article: "Taschek also noted that, in recent weeks, the Nasdaq/Amex, the Drudge Report and ABC sites were all hacked in someway. Each of these three web sites runs either Windows NT with IIS or Linux as their front-line web servers. " From Netcraft: www.nasdaq.com www.nasdaq.com is running Microsoft-IIS/4.0 on NT4 or Windows 98 www.abc.com www.abc.com is running Microsoft-IIS/4.0 on NT4 or Windows 98 and finally (the worse yet!) www.drudgereport.com www.drudgereport.com is running Microsoft-IIS/5.0 on Windows NT5 beta We all know that both OSes are only as good as the person who administers them. This is an absolute joke. How much says Microsoft is sponsering this?

Sick of "crack this box" contests.

[Wakko+Warner]

What we need now is a "box this crack" contest: drive through Harlem and pick up a few dealers and have them compete to see how fast they can get a shipment packed, false-bottomed, filled with Beanie Babies, and sent out via UPS.

That's real, honest-to-God, cutthroat competition.

- A.P.
--

"One World, one Web, one Program" - Microsoft promotional ad

is this even realistic?

[vyesue]

it strikes me as a little ridiculous that people think that this is a real good metric by which one can judge the security of an operating system. I would guess (and I could be wrong) that the only people who are really going to attempt to break into these machines are the script kids; experienced, skilled hackers would probably steer clear of breaking into a site which was set up for the express purpose of attracting attacks.

if I had some exploit that was useful against these machines, and I knew that the only purpose of these machines even being there was to find out how they can be compromised, I would never, ever use my attack on them. besides, whats the prize? several hundred bucks worth of gift certificates? and instant notoriety? thanks, but no thanks.

[sarc] The Ultimate "Hack This Machine" Challenge

[Pont]

If you, yes you, hack www.fbi.gov and put up porn, instructions for building nuclear weapons, and your actual home address, you will win the following:
Free housing for 10-30 years!
Free "food" for 10-30 years!
Free sex for 10-30 years!
Free training in a useful trade!

Who can resist!

Real Contests/Tests

[Hrunting]

1. Give the box to your average Joe Schmoe luser and let him set it up on a relatively bandwidth-capable link. Then have someone hack that. See what happens.
   
2. Give the box to your average Joe Schmoe luser and see how long it stays up during average use (word processing, standard updates). Make sure to log how they use it.
   
3. Give a Linux box to a bunch of Windows NT techs and see if they can set it up for (input server type here). Time how long it takes. Repeat task with Windows NT box and Linux admin.
   
4. Setup a kiosk with with two boxes, one NT and one Linux running a Window Manager of choice. Give them passersby the choice of looking at Netscape on one or looking at Netscape on the other. See which one people use the most. Ask them why they don't use the other.
   

Honestly, security is a nice issue and all, but there are so many other areas that both operating systems need improvement in. Security is such a function of administration that these contests show very little of the capabilities of the operating system. Try combining them with other aspects, like setup, administration, use, and scalability, and then your contest will really say something about the operating system.

Errors in the WEBSITE!

[DragonHawk]

It hardly stops there.

The "Site Diary" link at the top of the page is broken.

The "We'll be updating..." (/schedule) link on the front page is also broken.

The "Home Office-Online" link in the sidebar under "Equipment Used" gives you the write-up for the H/P server.

The "IIS on NT vs. Apache on Linux..." (/backgrounder.html) link has bogus characters in it (a target for the "Demoroniser" Perl script).

This is supposed to make us believe the server admins know what they are doing? Please. Why not just have some high school students setup the site? I have a feeling that would be about as valid.