PCWeek "Hack This Page" Cracked
mrflip writes "On September 20th, PCWeek announced a $1000 contest to be the first to hack either the linux or the NT server they set up. Well, four short days later, the linux box seems to have been compromised. The winner states "Hi guys, It's been a nice challenge, now send me the cash :)." He explained that the exploit was not a linux feature but was due to a closed source CGI script with improper security checks." Going to require Solomonic ruling - the intent was to test the two OSes, and this is obviously not an OS test.
That rant of yours is very funny. Let me explain that securent.hackpcweek.com IS vulnerable. The problem isn't NT however, it's in the HTML code on the server. Similarly, the Linux wasn't vulnerable, but the CGI script was. YES, SECURENT CAN BE HACKED. You heard it here first. The rules state: break into the system, modify pages, and/or steal user information. Well, according to those rules it can be broken. Let me explain. I examined the SECURENT html source and noticed several links to "www.hackpcweek.com.com" (notice the extra .com). Then I contacted Curt Connell with EDS who is Administrative contact for COM.COM. (Please don't call or bother him anymore). A simple 'A' record in the .com.com DNS server referring 'www.hackpcweek.com.com' to my own web server would allow me to steal user information. What's more, the user would believe they were still on a real "pcweek" server seeing valid pcweek documents, allowing me to send malicious code, request confidential information, etc. Curt was unable to get "official" EDS permission to create the 'A' record, but the hack is valid and does exist. (Again, please do not bother Curt anymore). A simple goof in the HTML code renders the NT box 'hackable'. A side benefit is we circumvent the Firewall, IDS and other security features by just directing to another site. Oops. The NT 'IS' vulnerable to attack. In closing, don't consider an operating system insecure based on the applications (or HTML) that's on it. -Alascom alascom@dc2600.com
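The mistyped-hostname problem described in the comment above can be caught before publication by auditing a page's links against the hostnames the site actually controls. This is an added example, not part of the original post; the trusted-host list, the sample markup and the function names are assumptions made for illustration.

```python
"""Audit a page's outbound links against the hostnames the operator controls."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make a browser fetch from, or submit to, a URL.
URL_ATTRS = {"href", "src", "action"}

# Assumption: hostnames the operator controls (names taken from the thread).
TRUSTED_HOSTS = {
    "www.hackpcweek.com",
    "securent.hackpcweek.com",
    "securelinux.hackpcweek.com",
}

# Constructed sample markup, not the contest server's real HTML.
SAMPLE_HTML = """
<a href="/index.html">Home</a>
<a href="http://securent.hackpcweek.com/rules.html">Rules</a>
<a href="http://www.hackpcweek.com.com/news.html">News</a>
<form action="HTTP://WWW.HACKPCWEEK.COM.COM./login" method="post"></form>
<img src="//ads.example.net/banner.gif">
<a href="mailto:webmaster@hackpcweek.com">Contact</a>
"""


class LinkCollector(HTMLParser):
    """Collect (tag, attribute, url) for every URL-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.links.append((tag, name, value.strip()))


def normalize_host(host):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return host.lower().rstrip(".")


def classify_host(host, trusted_hosts):
    """Return 'trusted', 'lookalike-suffix' or 'external' for a hostname."""
    host = normalize_host(host)
    trusted = {normalize_host(t) for t in trusted_hosts}
    if host in trusted:
        return "trusted"
    # A trusted name followed by extra labels (www.site.com.com) resolves in
    # someone else's zone while still looking like the real site to a reader.
    if any(host.startswith(t + ".") for t in trusted):
        return "lookalike-suffix"
    return "external"


def audit_html(html, trusted_hosts):
    """Return findings, in document order, for links that leave trusted hosts."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for tag, attr, url in collector.links:
        try:
            host = urlsplit(url).hostname
        except ValueError:
            findings.append({"tag": tag, "attr": attr, "url": url,
                             "host": None, "verdict": "unparseable"})
            continue
        if not host:
            continue  # relative link, mailto:, fragment: stays on this site
        verdict = classify_host(host, trusted_hosts)
        if verdict != "trusted":
            findings.append({"tag": tag, "attr": attr, "url": url,
                             "host": normalize_host(host), "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML, TRUSTED_HOSTS):
        print(f"{f['verdict']:17} <{f['tag']} {f['attr']}> {f['url']}")
```
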
A system's security is only as good as its administrator.
The test has some flaws. They should pay the winner, fix the faulty CGI script, and try again.
Unless both systems were running the same web server, and the same set of scripts, the whole contest is really irrelevant. Until they install Apache on both boxes and choose a common scripting platform, they are wasting everyone's time.
Don't you think it's time to start communicating?
... It's the responsibility of the Operating System to ensure security. blah blah blah.. It is obvious that linux does not have Enterprise-level reliability. blah blah blah... blah blah.. IIS is better than Apache... blah blah... The problem here is that the user doesn't have access to a GUI, and thus can't see problems like this... blah blah blah... Of course Microsoft would have released a service pack by now - what does the Linux offer? A cryptic "patch" option. They should have an easy-to-upgrade "click here to compromise your security" feature like NT does... blah blah blah...tune in next week for 'Why I'm so cool, and you're so not.'
--
2 Things:
#1, Absolutely nothing about NT or Linux itself.
#2, A chain is only as strong as its weakest link. In this case, the weakest link was a poor CGI.
So where from here? Let's try it with a better CGI, maybe let everyone see the conf files or something.
Or maybe PC Week should release all the conf files to the cracked box, so the Community can comment on what should/shouldn't be in there.
Referring to a single person of unknown gender as "they" is common slang but is not correct English. "They" is always plural when used correctly.
:-)
Many people argue that anything used widely enough becomes correct. This is true but I don't like it (although I don't have time to learn Latin...
From a practical standpoint, using "they" as singular makes a correctly singular noun sound incorrect, e.g. "Everyone was blowing their nose" vs. "Everyone was blowing their noses" - borrowed from the alt.english.usage FAQ. "Everyone" is singular, requiring the singular "nose", but "their nose" sounds strange...
For more information than you ever wanted on the topic of gender-neutral pronouns, see The Gender Neutral Pronoun FAQ.
/* The beatings will continue until morale improves. */
On what theory does an OS never allow anything to be done? Someone's got to be able to bring the system down so that someone can do something with the system. If that person is irresponsible, they're a problem. Handcuffing your users so that they can't do anything is not the solution.
I'm not sure what happened, and the site doesn't seem to say, but if they were running CGI input without checking it they're:
a) Dumb
b) Limited to what that CGI can do.
If they configured their machine so that their CGI can do security leaks, what is the OS supposed to do, say "No, you can't do what you want. Go away and stop trying to be creative?"
As many people have pointed out, an OS is only as secure as its weakest link. The person at the keyboard is a necessary link, so if they're your weakest link, you're in trouble. The same would go if this was just a bad asp script.
You might be able to make an argument that the same sort of flexibility doesn't exist on NT and thus you can't do this sort of stuff. While that may be true, do remember that walking is generally safer than driving. When you can do more, you can also go wrong in more ways.
It all boils down to knowing what you're doing. I forget who said it, but "If you make a device idiot-proof, nature will make a better idiot."
They laughed at Einstein. They laughed at the Wright Brothers. But they also laughed at Bozo the Clown. -- C. Sagan
Well, if you're actually running your CGI scripts as root you're just asking someone to break you. By default, CGI scripts are run as the user nobody. Nobody owns no files, is part of no group, and has no login shell. In short, if they compromised a normal cgi script they shouldn't be able to do much more than fill /tmp up. That and read publicly available files.
And as soon as you can break into some code running as administrator (or the OS itself, that is something like a third of the code, isn't it?), you can just install BO or something like that and get some decent remote-administratability options.
NT is no more inherently secure in a full security-breach than Linux is. In either case you're screwed if someone can compromise the superuser. And NT has plenty of services either running as administrator or in kernelspace. Can you even run a daemon-like service as a regular user under NT?
They laughed at Einstein. They laughed at the Wright Brothers. But they also laughed at Bozo the Clown. -- C. Sagan
Since vanilla NT has virtually no remote administration or remote anything capabilities, it had a natural advantage in this test. Turn off NT File Serving, and you have to put machine code on the stack to change files (annoying and not worth $1000). On Linux, I could just root the machine and then enable telnet, configure the shell of my choice, set all my little aliases, and it would be just like home.
IMHO, NT is more secure out of the box than most Linux distros. If you want perfect security, may I recommend a piece of wood (not as much functionality as NT, but very very secure).
The rules state:
The only fair targets are the securelinux.hackpcweek.com, and securent.hackpcweek.com sites. To win the 1000 gift certificate you must mark up the home page or steal a file called top secret. Denial of Service attacks spoil it for everyone, and get nothing accomplished.
That's it. If that's all they have for official rules, then this guy should get the cash. While s/he (so as not to offend all those female crackers :) didn't exploit an OS-specific hole, the rules didn't say s/he had to, so it looks like PCWeek is out a grand on the deal. Oh well.
:)
Looks to me like next time they need to include some fine print like every other contest does
-mike kania
In the immortal words of Grimjack:
"I only believe in a fair fight when I can't rig it in my favor."
"The number of suckers born each minute doubles every 18 months."
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
but just more worthless speculation.
"Absurdly complex" appears to be quantifiable when one OS has something like 20 million lines of code and the other something on the order of 2 million.
One advantage Linux has is that it is relatively easy for a competent user to configure it the way he/she wants to. This appears to be much more difficult under NT. The "lots of little tools" philosophy isn't there -- a complex aggregate which cannot be broken down into simpler pieces is harder to understand and analyze than one that can.
In any event, anything worth doing is usually pretty tough. There's no competitive advantage in offering a service Just Like Everyone Else's, and doing easy, fully understood things isn't much fun. This goes far beyond OSes and webservers.
/Life/ is absurdly complex. Get used to it.
Remember that what's inside of you doesn't matter because nobody can see it.
Everyone so far has missed the point. This isn't (or shouldn't be) a one time thing. Both servers should be left there forever, subject to ongoing attacks. No need to pay anyone anything (maybe a T shirt or something). I think there'll be plenty of entrants without any big reward being needed.
NT gets better, Linux gets better. I don't have any axe to grind, and this outcome would please me. Better operating systems; who can be against that?
If the web server is running as nobody, then shouldn't the CGI script be running as nobody too? No competent web server admin would allow the root docs directory to have 666 permissions or run the web server as root. Was this CGI script 4755, or was the directory set up with bad permissioning?
I could see exploiting a CGI script to get it to email you a sensitive file or display sensitive information, but they must have had the web server misconfigured to make it that easy to change a page in the doc root.
If someone had broken into NT via IIS would we still be saying "it's not the OS's fault"? I doubt it.
... if so, that's part of the OS in my book just as IIS shipping with NT is part of the OS when used in that fashion.
What I would like to know is, did the CGI ship with the RH distro they used
Linux Administrator's Security Guide http://www.securityportal.com/lasg/
All of these contests are designed for Linux to lose. Although PC Week has been expanding their coverage of Linux, what is PC Week? It is a magazine oriented towards Windows users. Look through their ads. 99% of their ad revenue is for products for Windows.
The way I see it, there is no real way to test the two operating systems against each other. Somebody will always find something wrong with the test criteria, someone else will scream conspiracy and the whole thing starts over again. Who cares if Linux got hacked first. It doesn't matter. I use Linux because I enjoy it, not because it is "hack-proof". I find it easier to get the things done that I do.
There is no such thing as a 100% secure server. Somebody is always going to find a way to get in. These tests are designed to convince corporate big shots to use one or the other. It's going to come down to CIOs actually listening to what their Sys Admins' real world tests showed for their business, not somebody else's. Your business and systems are completely different than mine. I'm not going to use NT or Linux just because it works for you.
This is not intended as flamebait. I'm just tired of this. It's like all of the sudden Linux and NT need to be on the cover of Consumer Products magazine or something.
My name is Matt and I'm a Linuxholic
All right that's the final straw! I'm switching back to NT right now!
Try going to the server configs page at www.hackpcweek.com. Note that there are configs solely for securent, none at all for securelinux. Far be it from me to be paranoid, but this lack of information leads me to suspect that the configuration of the linux server was far from optimal (even if it was hacked via a faulty closed-source CGI script). After all, if the linux box had been secured, the maintainers would know which config files had been modified, what patches needed to be applied, etc. Instead we get "reinforcement" of how "well-documented" everything in NT is, and how "poorly documented" linux is.
Also, if anyone happened to nmap the two boxen, they probably found the same thing I did...both are behind a firewall and return *identical* scans (aside from hostname):
Starting nmap V. 2.3BETA6 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on securelinux.hackpcweek.com (208.184.64.170):
Port State Protocol Service
21 open tcp ftp
23 open tcp telnet
25 open tcp smtp
70 open tcp gopher
80 open tcp http
119 open tcp nntp
139 open tcp netbios-ssn
420 filtered tcp smpte
443 open tcp https
1080 filtered tcp socks
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
Remote operating system guess: AXCENT Raptor Firewall running on Windows NT 4.0/SP3
Nmap run completed -- 1 IP address (1 host up) scanned in 9 seconds
What's this? These machines are so secure that they need to be protected by a firewall? Why? Are there possibly ports on one of them that can't be disabled any other way? This is mere speculation, but if you're running a contest to show the security of a specific box, do you add external security on top of it?
"The urge to save humanity is almost always a false front for the urge to rule." --H.L. Mencken
Well, assuming they could find two equally knowledgeable sysadmins (each relative to his/her platform - yes, this is difficult) and assuming each was allowed to choose the server, scripts, etc. to be used on that platform it's a worthwhile test. It doesn't have to be the same software to be valid.
If you had a flawless operating system but the only applications available for it were crap you would have a bad server platform. In other words, there's a difference between testing an OS and testing a platform.
(Note: I'm not arguing that the case I described is the case with the linux box in the contest - linux is not flawless and apache is not crap. I know it was a bad script and this reflects badly on almost nothing else. I'm just making a point about the hypothetical validity of this kind of testing)
/* The beatings will continue until morale improves. */
Not only is it fair but maybe it's important to note. Too many people, including security authorities within many companies, fail to recognize how rigorous you have to be to maintain security. You can apply every patch against every line of code on your system and still be insecure. What's worse is that because so many people rely on specialized tools, such as SATAN, to audit security they become trusting and complacent. They're a good first step but they shouldn't be the only step for mission critical equipment.
Suppose the white hat community is fully caught up with the black hat community, or maybe even a few steps ahead. Any standard script attacks against the infrastructure of your network will fail but there's still a glaring problem.
What about user software? Users like to run software. Some of the software interacts over the internet at large, such as games. Most of it is not designed by people overly concerned with security. People run poorly written CGI scripts. All of this provides the ability to get into whatever account the application was running from. Smart intruders will remain very quiet (dumb ones will post things like "Y3R 0WN3D") and bide their time. Eventually with enough patience and/or intelligence the system can be compromised further.
There's a lot of things that are secured dumbly. People are smart enough not to run web servers as root anymore. They run them as 'nobody', which is fine, but they leave 'nobody' with a valid shell which is dumb.
The only truly secure system is one that is turned off, encased in concrete and sunk in the deepest trenches in the ocean. Unfortunately that isn't terribly useful, but you can increase security by conducting 'what if' thought experiments.
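The point in the comment above about leaving 'nobody' with a valid shell can be checked mechanically from the account database. This is an added example, not part of the original post; the list of service account names, the set of non-login shells and the sample passwd content are assumptions made for illustration.

```python
"""Flag web/service accounts in passwd-format text that can still log in."""

# Shells that refuse interactive login (assumption: adjust to the local system).
NON_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Assumption: account names commonly used to run web servers and CGI scripts.
SERVICE_ACCOUNTS = {"nobody", "www-data", "apache", "httpd"}

# Constructed sample in passwd(5) format, not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/bin/sh
apache:x:48:48:Apache:/var/www:/sbin/nologin
httpd:x:0:0:web:/var/www:/bin/false
www-data:x:33:33:www:/var/www:
alice:x:500:500::/home/alice:/bin/bash
"""


def audit_service_accounts(passwd_text, service_accounts=SERVICE_ACCOUNTS):
    """Return (line number, account, reason) for each risky service account."""
    findings = []
    for lineno, line in enumerate(passwd_text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            # A damaged entry cannot be reasoned about; report it.
            findings.append((lineno, fields[0] or "?", "malformed entry"))
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        if name not in service_accounts:
            continue
        if uid == "0":
            # The "running CGI as root" case under another account name.
            findings.append((lineno, name, "UID 0 (root-equivalent)"))
        elif shell == "":
            # passwd(5): an empty shell field defaults to /bin/sh.
            findings.append((lineno, name, "empty shell field (defaults to /bin/sh)"))
        elif shell not in NON_LOGIN_SHELLS:
            findings.append((lineno, name, "login shell " + shell))
    return findings


if __name__ == "__main__":
    for lineno, name, reason in audit_service_accounts(SAMPLE_PASSWD):
        print(f"line {lineno}: {name}: {reason}")
```
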
Just lurking in all the stories about linux vs NT security challenges, and it seems like most slashdotters are incredibly one-sided in their views, driven more by a sense of rebellion than anything else.
When somebody challenges people to break into their linux box, somebody eventually does, and all kinds of excuses are offered.
When somebody challenges people to break into their NT box, the linux sneetches with stars upon thars scoff, "Us? Condescend to help Microsoft by breaking into their pitiful OS? The very idea!"
If linux is so secure and Windows anything is not:
If linux advocates want any credibility, they will have to stop giving knee-jerk, "heads-I-win tails-you-lose" excuses and begin to demonstrate their claims.
Joel Dueck
Well, yes, you're right. perfectly. That should be the point. Better operating systems... of course. Makes a lot of sense. But (and this is the kicker)...
... That is never going to be the point. CrackThis!(tm) challenges are always going to be about ego. The ego of the cracker. The ego of the OS community. Ego. It sounds childish and silly, but that's what it is. These contests, which seem to be common lately, are not about testing the system, really. Sure that is often a nice side effect, but really, it seems that it's more a way to "prove" that such-n-such OS is better than this-n-that OS.
Sad, but true. It should be about improving the OS, but until these contests are restructured to be less inflammatory, people are going to use them as proof for their particular OS fanaticism. That's human nature and will have to be expected in such a setting.
Now, I personally don't have anything against these contests, they do have useful results. But I don't think we can ever, realistically, expect them to be purely for improving the OS in question.
---
I hope you're not pretending to be evil while secretly being good. That would be dishonest.
But regardless of if they were careless or not, that's really a non-issue, the issue is that cgi script was at fault. I'm sure that if this script was running on the NT server, it could also have been cracked.
Fact is, we all know that Linux can squish NT flat. Let's set up a test that proves that.
See the linux user in his native habitat, he's tensed, poised, awake, and banging at his keyboard in anger that someone may have cracked his sacred linux, even if it was a cheap shot. He's letting his real skin show, and it's as ugly as the linux command prompt or the blue screen of death. He wants to set up a test that proves that linux is better. The linux user is unaware that such a test is stupid and proves nothing.
This is an interesting specimen, of course. But the average Linux or NT zealot would all speak the same way. "They know they are the best, so let's set up a test that proves it." It shows everyone that the truth is hard to deal with no matter which side of the fence you are on. They don't want security, they want their way.
Oh no! Here comes Demons and TAO, "the ultimate OS" representatives! Amiga and BE! OH! The humanity, they're squabbling for leftovers! Oh, the elephant of NT is here, trying to trample them all! Penguins are being smashed by the dozens, more and more are pecking furiously at the elephant. It's getting too much for the pachyderm, it slumps down and dies. The demon rips off the trunk of the dead evil NT elephant, and the penguins keep pecking and squawking, sure of their superiority.
Is that movement in the bush? Oh, indeed it is! I can't quite make it out, but it's grabbing everything and eating them alive! Oh! The humanity!
They never saw what hit them. They were just standing there, all quacking and whatever else they might do, and something ate them all! Oh, my Lord! What predator can do such a thing? Obviously it must be higher on the evolutionary ladder!
We had best get out while we can!
Signing off, and remember, don't ever stand still and gloat and assume you're safe, or you'll get eaten.
Dan
"and this is obviously not an OS test."
If you take 100 users and tell them to set up a challenge like this, and in more cases the Linux box ends up getting cracked and the NT box does not, then Linux "system" is clearly less secure, regardless of whether it is the Kernel, a subsystem, an add-on package, the documentation, the ease of use, or the user's own idiocy that results in the break.
These days systems like Linux and NT are so absurdly complex that you can't talk about the security of "the operating system" in isolation.
And before you label me a MS troll, let me say that I think both NT and Linux are really lousy operating systems. They are like the left and right extremes of the political spectrum. On one hand you have the totalitarian Microsoft OS ("You *will* use it the way we tell you to") and on the other you have Linux (i.e. Unix) where everyone can have everything any way that they like, and as a result nobody can agree on what the functionality should be for any component that's higher up the evolutionary ladder than a Lego Brick.
Unfortunately most of you reading this will have grown up knowing only these two extremes, and probably have never seen an operating system that is really there to help you get the job done quickly and efficiently. Unfortunately most of these elegant and effective OS products have all but died out today because of all the foaming, heat-seeking, lusers drooling over the latest trend they read in Computerworld.
One day there *will* come a Great Operating System(tm), but it's not going to be Windows (and Microsoft probably won't write it), and it isn't going to be Linux, and it isn't BeOS, and it isn't MacOS, or any of the other current options, so as you wipe the spittle from your mouth after your latest /. Linux/NT flamewar, pause and reflect for a moment that maybe there might possibly be a better way...
G.
My webadmin experience is limited to Apple's Personal Web Sharing (only serves 10 connections at once but it's perfect for testing your personal site's HTML links), a default Red Hat 6/Apache combo at work that pretty much only serves two pages (three if you count the default "It worked!" page), and a just-installed copy of Mac OS X Server on my iMac at home; obviously, I'm not what you'd call a fully-qualified expert on the subject. But even I know there's much more to webadmin than what these tests show. It's an ongoing process, not something that can be decided in a week's worth of testing. Anybody basing their webserver or OS decisions on these tests doesn't deserve their own parking space and thousands in stock options, because they're not doing their job.
That said, if PC Week was out to prove which OS can be hacked easiest, X Server would have been an interesting third choice. It ships with almost every service disabled by default, forcing admins to explicitly choose which ones they activate, and it does a fair job of warning when something isn't secure (like storing your server on an HFS+ disk instead of UFS or something equally silly). Hell, if WebStar on plain old Mac OS is good enough for the US Army, BSD-based X Server should have at least been mentioned. Then again, as others have pointed out, the magazine's name is PC Week, not OS Week.
Testing this stuff isn't like running Whetstone on two different versions of the same chip. It involves more work than picking the winner of an artificial and impossible-to-quantify "test".
Or am I just bitter because I work in the black hole of the seventh hell that is tech support and not on the thirty-eighth floor as a golden child of the IS department with a window, a phone that never rings, and a job that involves nothing more than reading PC Week? :-]
I use Macs for work, Linux for education, and Windows for cardplaying.
Already we're seeing posts like "why don't the hackers leave the Linux box alone and go for the nt machine". My god how could anyone post this here at Slashdot? Think of the quote you just gave Microsoft:
"Users at the respected Linux website, Slashdot, plead with hackers to pick on NT and to leave their Linux server alone"
And how about this one. "it was a third party closed source script and not the os's fault".
Here's the headline
"Security Update: CGI-script designed to run on Linux/Apache server allows root access" (I don't think that's what happened but hey once it's in print who cares)
This article would go on to read:
A cgi-script written for the free Linux operating system and the free Apache found faulty. Sources won't reveal the name of the script and no attempt has been made to correct this problem.
Guess you get what you pay for.
written by our fav
Jessie B
We can't stop these stupid contests from going on but we can use some of the tools that the "man" uses to our benefit. Ignoring them comes to mind.
Slashdot has to walk a fine line... they are a news page first and foremost and they happen to like Linux a lot. Slashdot has an obligation? to report and no one is paying them to kill a story unlike, I'm sure, some of the other news sites/journals.
Please Slashdot just say no(tm) to stupid hype and don't post every friggin contest that comes down the pike. These articles may make for interesting/inflammatory reading but they're doing a disservice to the Linux community, nay the entire computing public.
my experience with Red Hat in particular is that the default install is ridiculously insecure
Then your gripe is with Redhat. Linux didn't lose, poor CGI administration lost. Linux just executed their insecure code.
I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
will buy the guy a decent computer to run Linux on and run a web site.
It won't pay for the same system if he wanted to install NT Server on it.
That's me.. always thinkin...
___
"I know kung-fu."
guns kill people like spoons make Rosie O'Donnell fat.
That's why it's important for some people to at least contest this sort of blatant falsehood publicly. But how?
Werd.
I don't know.
I guess I've just always been of the belief that it's a Really Bad Idea to have your firewall hit unnecessarily. IOW, put the web server outside the firewall, probably on its own subnet off the incoming connection. That way, if the machine IS cracked, you don't suddenly have to worry about all your non-hardened hosts being hit from a supposedly trusted machine.
After all, once you're through the firewall, you're through the firewall, and it won't protect you anymore. If you happen to be running bad CGI, or ColdFusion, or somesuch which just screams "Crack me!", you're probably in for a much larger world of hurt if you think everything is already protected.
I know I didn't come up with that idea myself, so I must have read it someplace and it made sense. Of course, I tried proposing this at the last place I worked, and ran into a lot of resistance. They didn't want to use an old Pentium/MMX 166 for that, even though they were replacing all the secretaries' machines with PII/400s. So this probably WAS a real-world scenario.
I still contend though that the best security policy is to trust nothing, not even the firewall.
"The urge to save humanity is almost always a false front for the urge to rule." --H.L. Mencken
Linux is not that easy to set up securely. And obviously, looking at the LONG list of non-standard changes made to the NT box, neither is NT.
The point of this test is moot, since really neither OS was compromised. It was a flawed CGI script, just like the one that brought down Hotmail.
Like many others have said already. Pay up to the guy that got in. Then fix the flawed CGI (or release the source so that somebody who's competent can), and run it again. Once all the bugs are gone from the "add-ons" on both servers, then maybe we'll begin to see which is the more secure and stable OS.
I admin both NT and Linux boxes at work. I know which of the two I can rely on to stay running and keep unwanteds out. I don't think it makes me a "Linux Zealot", perhaps it just means I find Linux easier and more intuitive to admin. If somebody else finds NT to be more stable and secure for them, more power to them.
john
First, I agree, they really needed to have put up the RH config info.
Second, as to the firewall, they specifically stated that it was meant to approximate a "real world" situation. Thus, they used a firewall to prevent "stupid" attacks, like DOS. How many real world servers are all alone in the night? Not that many. Most (smart) admins put some kind of firewall in the way. That is what PCW did.
As to their apparent lack of Linux-savvy? Well, I would have liked it better if:
Remember, for a real world test, you should have a real world configuration, not an artificially extra secure one, or one that takes so many tweaks that no professional sysadmin would spend the time applying all of them. I, for one, would rather spend an hour configuring a mostly secure NT box than spend two days configuring a perfectly secure Linux box. (Or vice versa, whichever happens to be true at the time.)
Remember, time is money too. My boss lets me play with Linux all I want during spare time, but when I have to make the server work now, he doesn't want to wait the extra three hours while I get the Linux box perfect. He'd rather have the NT box "good enough" now. Admittedly, I'm an NT-guru, and I'm fairly new at Linux (only 3 years of experience, but I'm getting better. I've had my home server running flawlessly for multiple months now) but I think I know enough that it shouldn't take me 10 times as long to do the same tasks.
And just so you don't think I'm too GUI-happy, I loved my DOS box, and still use the command line all the time in NT. (I have the services for UNIX installed to make it a really happy NT box.)
Okay, <rant mode off>
Another non-functioning site was "uncertainty.microsoft.com."
The purpose of that site was not known.
"linux" is the kernel; Redhat, Debian, Slackware, SLS (*grin*), SuSe, etc. are OSen.
NT "out of the box" (read: straight off the CD) is far more problematic than most Linux distributions "out of the box". How many service packs and/or hotfixes are required to keep NT 4.0 from walking off a cliff? [Redhat is a bad example, but I'll use it anyway.] How many updates are required to keep Redhat 4.2 from jogging into on-coming traffic? In both cases, you will need to turn a few things on or off depending on what you selected during installation. (And in the NT 4.0 case, you need to install the 70M IE4 to get it near usable -- it shipped with IE3 which cannot be used to access even Microsoft's download section(s). I find that damned annoying.)
Kernel to Kernel, linux and NT are too close to call. Just look at how often kernel related defects for both systems turn up. Which is more secure? Neither. Both systems can be compromised -- it's generally easier on a linux system due to the ease of (nearly) replicating the system and the availability of code to thumb through. (It's hard to break into a black-box.)
Given a choice, I'll take any UNIX over Windows. I like having a command line; I hate having magic hidden behind GUI buttons; And I _like_ being able to "telnet" into my UNIX server that has no video device at all.
"I don't care if a pair of gerbils could break into it; I'm gonna use linux."
The NT box is still up, and CAN be hacked. I know, I already found a workable hack to steal user information from the NT server. Of course, will I still get $1000 for being the first to compromise the NT Server or is the "contest" officially over... Anyone know if it is still going on? or should I just post how to hack it. -Alascom
I think it's only fitting that the Linux box got cracked first, even if it was sort of a cheap way to do it - not because NT is a better designed or more secure OS (yeah, right), but because of all the fire-breathing anti-MS fanatics who think that even in the hands of a newbie administrator Linux servers are more secure than Fort Knox. (I refer any readers back to some of the
The best aspects of open source movement are its emphasis on choice and community - contests like this make some of the open source folks look like the same kind of supercompetitive, manipulating people they usually bash.
what is PC Week? It is a magazine oriented towards Windows users.
Actually, it's a magazine for managers of PC networks, not "Windows users". Maybe you are thinking of "PC Magazine".
This means lots of Novell, NT, and Linux coverage. Those are pretty much the most popular PC server platforms right now. Most of the advertising in PC Week seems to be for network hardware and software. There are very few straight Windows user applications being advertised.
Of course, the #1 vendor for these folks is Microsoft, so there is a huge amount of MS coverage. (But contrary to Linux paranoia, not every PC network manager is a MS drone. Simply that most IT shops have a vested interest in MS's plans and legal problems.)
Business. Numbers. Money. People. Computer World.
For those unfamiliar with the term DMZ, it stands for De-Militarized Zone. The notion here is that you have:
Additional good ideas are:
/* MAGIC THEATRE
ENTRANCE NOT FOR EVERYBODY
MADMEN ONLY */
Hey, it's a valid test. After four days of merciless attempts to compromise the system, they've determined beyond a reasonable doubt that nobody at PC Week has a clue when it comes to Linux.
:)
This is news?